AlmaLinux 9.x with CIS 2.0 Network loss

We are currently applying the CIS 2.0 security profile to our servers.

The implementation process unfolds as follows:

  • Downloading the AlmaLinux 9.3 ISO
  • Adding a kickstart file to the ISO, including:
    • Partitioning necessary for the security profile
    • Setting the security profile to the maximum level
  • Creating a new ISO with the kickstart
  • Instantiating a VM

Everything is progressing smoothly up to this point. For testing this profile, we temporarily disabled account locking in pam.d. This is the only modified parameter.

Unfortunately, we are experiencing intermittent and random network outages on the server with no apparent reason. During these periods, SSH and HTTPD become unresponsive, although local access via the hypervisor remains possible. I would like to clarify that this issue occurs both before and after the installation of some packages.

I have examined the security profile without finding a plausible explanation for this problem. I have checked the logs in /var/log/messages, /var/log/secure, dmesg, etc., without success.

This problem does not occur without the application of the security profile.
Do you have any idea for resolving this issue?
Additionally, could you inform us whether this profile is suitable for a Web application platform that includes various components (Alfresco, web application, database, etc.)?

Thanks a lot!

what do you mean by CIS 2.0, the AlmaLinux 9 benchmark is only at version 1.0.0, and strictly speaking is not tested on 9.3

You sure you’re not trying to apply the 8.x benchmark (which is at v3.0.0) which would be a terrible idea?

we’d need a lot more info to diagnose - it sounds like a sysctl setting but could be SELinux or firewalld. is it pingable?

What packages are being installed when it occurs? httpd is not allowed, so maybe it's simply removing it? depends where you got the kickstart from.

Yes, I meant CIS 1.0, but I made a mistake when I wrote it. (I’m correcting my title now.)

I quite agree about a possible sysctl origin; it also happens with the ANSSI-BP028 profile… do you want the sysctl configuration?

The firewalld service doesn’t report any errors, and neither does selinux; connection losses also occur with selinux disabled…

“What packages are being installed when it occurs? httpd is not allowed, so maybe it's simply removing it?” - no packages are deleted when the loss occurs… I got the kickstart directly from /usr/share/scap-security-guide/kickstart/

Hope it helps!

the ANSSI profile is crazy, it seems more of a risk than even a STIG, whenever I’ve tried it the box won’t even boot.

I’m assuming you’re not running ssh/httpd from containers as this will break those completely - and who ssh’s into containers?!

the SSG only sets these, so maybe look into unsetting some of them until it works, you can probably ignore ipv6 and kernel:

$ grep -hE 'name: .*sysctl' /usr/share/scap-security-guide/ansible/almalinux9-playbook-cis*  | sort -u
    - name: Ensure sysctl kernel.randomize_va_space is set to 2
    - name: Ensure sysctl net.ipv4.conf.all.accept_redirects is set
    - name: Ensure sysctl net.ipv4.conf.all.accept_source_route is set
    - name: Ensure sysctl net.ipv4.conf.all.log_martians is set
    - name: Ensure sysctl net.ipv4.conf.all.rp_filter is set
    - name: Ensure sysctl net.ipv4.conf.all.secure_redirects is set
    - name: Ensure sysctl net.ipv4.conf.all.send_redirects is set to 0
    - name: Ensure sysctl net.ipv4.conf.default.accept_redirects is set
    - name: Ensure sysctl net.ipv4.conf.default.accept_source_route is set
    - name: Ensure sysctl net.ipv4.conf.default.log_martians is set
    - name: Ensure sysctl net.ipv4.conf.default.rp_filter is set
    - name: Ensure sysctl net.ipv4.conf.default.secure_redirects is set
    - name: Ensure sysctl net.ipv4.conf.default.send_redirects is set to 0
    - name: Ensure sysctl net.ipv4.icmp_echo_ignore_broadcasts is set
    - name: Ensure sysctl net.ipv4.icmp_ignore_bogus_error_responses is set
    - name: Ensure sysctl net.ipv4.ip_forward is set to 0
    - name: Ensure sysctl net.ipv4.tcp_syncookies is set
    - name: Ensure sysctl net.ipv6.conf.all.accept_ra is set
    - name: Ensure sysctl net.ipv6.conf.all.accept_redirects is set
    - name: Ensure sysctl net.ipv6.conf.all.accept_source_route is set
    - name: Ensure sysctl net.ipv6.conf.all.forwarding is set
    - name: Ensure sysctl net.ipv6.conf.default.accept_ra is set
    - name: Ensure sysctl net.ipv6.conf.default.accept_redirects is set
    - name: Ensure sysctl net.ipv6.conf.default.accept_source_route is set
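An added diagnostic helper, not code from the thread or from the SSG: it snapshots the state the replies point at (the IPv4 sysctl keys from the list above, SELinux mode, firewalld state and zone, routes, gateway reachability) every few seconds and logs which items changed, so an outage watched from the hypervisor console can be tied to a concrete change. SNAP_DIR, INTERVAL and the gateway discovery are assumptions; tools that are missing are recorded as NA.

```shell
#!/bin/bash
# Added diagnostic helper (assumed layout, not from the thread or the SSG).
# Snapshots the items the replies suspect (SSG sysctl keys, SELinux mode,
# firewalld state/zone, routes, gateway reachability) every INTERVAL seconds
# and logs which items changed between snapshots.
SNAP_DIR="${SNAP_DIR:-/var/tmp/netloss-snaps}"
INTERVAL="${INTERVAL:-10}"
GATEWAY="${GATEWAY:-$(ip route 2>/dev/null | awk '/^default/ {print $3; exit}')}"
# IPv4 keys from the playbook list quoted above (the reply says ipv6/kernel can wait).
KEYS="net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter
net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.log_martians
net.ipv4.ip_forward net.ipv4.tcp_syncookies net.ipv4.icmp_echo_ignore_broadcasts"

# Write one snapshot file as key=value lines; missing tools yield NA.
collect_snapshot() {
    {
        for k in $KEYS; do
            printf 'sysctl.%s=%s\n' "$k" "$(sysctl -n "$k" 2>/dev/null || echo NA)"
        done
        printf 'selinux=%s\n' "$(getenforce 2>/dev/null || echo NA)"
        printf 'firewalld=%s\n' "$(firewall-cmd --state 2>/dev/null || echo NA)"
        printf 'zone=%s\n' "$(firewall-cmd --get-default-zone 2>/dev/null || echo NA)"
        printf 'routes=%s\n' "$(ip -o route 2>/dev/null | tr '\n' ';')"
        printf 'gateway_ping=%s\n' "$(ping -c1 -W1 "$GATEWAY" >/dev/null 2>&1 && echo ok || echo FAIL)"
    } > "$1"
}

# Print the keys whose values differ between two snapshot files (nothing if identical).
changed_keys() {
    awk 'NR==FNR { i=index($0,"="); old[substr($0,1,i-1)]=substr($0,i+1); next }
         { i=index($0,"="); k=substr($0,1,i-1)
           if ((k in old) && old[k]!=substr($0,i+1)) print k }' "$1" "$2"
}

# Snapshot loop; run as "./netloss-watch.sh watch" from the console, Ctrl-C to stop.
watch_loop() {
    mkdir -p "$SNAP_DIR"
    collect_snapshot "$SNAP_DIR/prev"
    while sleep "$INTERVAL"; do
        collect_snapshot "$SNAP_DIR/cur"
        ch="$(changed_keys "$SNAP_DIR/prev" "$SNAP_DIR/cur" | tr '\n' ' ')"
        if [ -n "$ch" ]; then
            printf '%s changed: %s\n' "$(date '+%F %T')" "$ch" | tee -a "$SNAP_DIR/changes.log"
        fi
        mv "$SNAP_DIR/cur" "$SNAP_DIR/prev"
    done
}
if [ "${1:-}" = "watch" ]; then watch_loop; fi
```

Each line of changes.log gives the timestamp and the items that flipped (for example gateway_ping going to FAIL while a sysctl or zone value changed at the same moment), which narrows the search to the matching section of the benchmark.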

We are talking about CIS Level 2 v1.0.0, which is, from what I recall, more or less the same as ANSSI BP 28 Enhanced.

Just tried to remove all sysctl config but still have network loss.

Maybe it's related to some firewall rule, but I did not see any restriction.

Also tried to put all the sysctl conf on a server without any security profile and I have no issue.
Seems really to be because of the CIS profile, but I don't understand what …

I’d carefully go through the benchmark’s firewall section here:

CIS WorkBench / Home

you should not blindly apply the security profile.

Thanks, could you give us the page number or chapter?

that link goes directly to the firewall section, it's page 325 of the pdf: “3.4 Configure Host Based Firewall”