From 00023fbeb3877dae8931f34e9465124d00a24188 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Fri, 15 Mar 2024 17:37:29 +0100
Subject: [PATCH] Re-enable runtime check on network related sysctls When the CO's "scanner" pod has "HostNetwork" option set to true, these sysctls are visible with values matching Host syctls.
---
 .../configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml | 1 -
 .../sysctl_net_ipv6_conf_all_accept_redirects/rule.yml | 1 -
 .../sysctl_net_ipv6_conf_default_accept_ra/rule.yml | 1 -
 .../sysctl_net_ipv6_conf_default_accept_redirects/rule.yml | 1 -
 .../restrictions/sysctl_net_core_bpf_jit_harden/rule.yml | 1 -
 5 files changed, 5 deletions(-)
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
index 9dd57911340..80ea39da212 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
@@ -49,4 +49,3 @@ template:
 vars:
 sysctlvar: net.ipv6.conf.all.accept_ra
 datatype: int
- check_runtime@rhcos4: "false"
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index c8c5e48bab1..66860d66a0e 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -51,4 +51,3 @@ template:
 vars:
 sysctlvar: net.ipv6.conf.all.accept_redirects
 datatype: int
- check_runtime@rhcos4: "false"
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
index 9742aa264fb..a43a25adf08 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
@@ -49,4 +49,3 @@ template:
 vars:
 sysctlvar: net.ipv6.conf.default.accept_ra
 datatype: int
- check_runtime@rhcos4: "false"
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index abb4664f633..b43cfb37a8b 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -53,4 +53,3 @@ template:
 vars:
 sysctlvar: net.ipv6.conf.default.accept_redirects
 datatype: int
- check_runtime@rhcos4: "false"
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
index 8b23c9a3ea5..c8cdc78036c 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_net_core_bpf_jit_harden/rule.yml
@@ -41,4 +41,3 @@ template:
 sysctlvar: net.core.bpf_jit_harden
 sysctlval: '2'
 datatype: int
- check_runtime@rhcos4: "false"