From 8a6a1d81c160f0d8ced3569799605887aea891e8 Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Thu, 29 Aug 2024 00:23:18 +0200
Subject: [PATCH] Add storage override for journald
Signed-off-by: Knut Ahlers
---
 Makefile | 2 ++
 PKGBUILD | 2 +-
 .../base-setup/roles/security/files/sysctl.conf | 4 ++++
 .../base-setup/roles/security/tasks/main.yaml | 15 +++++++++++++++
 4 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 8a9b693..904497b 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,7 @@ default:
 apply-playbook:
 ansible-playbook \
 --diff \
+ --extra-vars "pacman_action=test" \
 --inventory base/usr/share/luzifer/base-setup/inventory \
 base/usr/share/luzifer/base-setup/playbook.yaml
 
@@ -10,5 +11,6 @@ test-playbook:
 ansible-playbook \
 --check \
 --diff \
+ --extra-vars "pacman_action=test" \
 --inventory base/usr/share/luzifer/base-setup/inventory \
 base/usr/share/luzifer/base-setup/playbook.yaml
diff --git a/PKGBUILD b/PKGBUILD
index 3c091c1..3751855 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,7 +7,7 @@ pkgname=(
 luzifer-gui
 luzifer-lenovo-gui
 )
-pkgver=0.13.0
+pkgver=0.13.1
 pkgrel=1
 pkgdesc='System configuration for @luzifer systems'
 arch=(any)
diff --git a/base/usr/share/luzifer/base-setup/roles/security/files/sysctl.conf b/base/usr/share/luzifer/base-setup/roles/security/files/sysctl.conf
index 0c5830a..e700d63 100644
--- a/base/usr/share/luzifer/base-setup/roles/security/files/sysctl.conf
+++ b/base/usr/share/luzifer/base-setup/roles/security/files/sysctl.conf
@@ -18,3 +18,7 @@ net.ipv6.conf.default.accept_redirects = 0
 # CNSPEC: Ensure secure ICMP redirects are not accepted
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
+
+# CNSPEC: Ensure packet redirect sending is disabled
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
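Review bot: The `--extra-vars "pacman_action=test"` line is added to the apply-playbook recipe as well as to test-playbook (second Makefile hunk), and neither the subject nor the body of the commit mentions the Makefile at all. If pacman_action is the switch that puts the package tasks into a non-installing test mode, `make apply-playbook` stops applying package changes on a real host, which is a different kind of change from the journald override this patch is about. If the override is intended for both targets, a comment above the recipe would spare the next reader a search, e.g. `# pacman_action=test: <what the override does and why apply-playbook wants it too>`; otherwise keep it on test-playbook only.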
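Review bot: The added `send_redirects = 0` pair sets only conf.all and conf.default, and for this particular knob the kernel enables redirect sending on an interface when either conf.all or the per-interface value is 1 (per-interface default is 1), so interfaces that already exist when this file is loaded at boot may keep sending redirects until they are set individually or re-created. The setting is also only relevant on hosts that forward IPv4. Worth recording in the comment so nobody reads the two lines as sufficient on their own, e.g. `# note: send_redirects is OR-ed with the per-interface value; interfaces created before this file is applied keep 1 until set explicitly`; if the sysctl loader in use supports glob keys, a `net.ipv4.conf.*.send_redirects = 0` line covers existing interfaces too.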
diff --git a/base/usr/share/luzifer/base-setup/roles/security/tasks/main.yaml b/base/usr/share/luzifer/base-setup/roles/security/tasks/main.yaml
index ff0ac4a..7fe6d33 100644
--- a/base/usr/share/luzifer/base-setup/roles/security/tasks/main.yaml
+++ b/base/usr/share/luzifer/base-setup/roles/security/tasks/main.yaml
@@ -57,4 +57,19 @@
 mode: '0640'
 owner: root
 
+- name: Create journald override dir
+ file:
+ dest: /etc/systemd/journald.conf.d
+ state: directory
+
+- name: Configure journald to store persistent logs
+ copy:
+ content: |
+ [Journal]
+ # CSPEC: Ensure journald is configured to write logfiles to persistent disk
+ Storage=persistent
+ dest: /etc/systemd/journald.conf.d/10-luzifer-base-store-persistent.conf
+ mode: '0644'
+ owner: root
+
 ...
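Review bot: The `Create journald override dir` task creates /etc/systemd/journald.conf.d with no `mode` or `owner`, so the directory ends up with whatever the umask of the Ansible run yields, while the copy task right below and the preceding task in this file both pin `mode`/`owner`; add `mode: '0755'` and `owner: root` to the `file:` task for consistency. Nothing in the hunk restarts systemd-journald after the drop-in is written, so Storage=persistent presumably takes effect only at the next boot unless a handler elsewhere in the role does that (not visible here); a `notify:` on the copy task pointing at such a handler would make the run that writes the file also apply it. The tag in the embedded comment is `# CSPEC:` whereas sysctl.conf in this same role uses `# CNSPEC:`, which looks like a typo and matters if these tags are grepped for compliance tracking.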