From e1c1930d252dee6ba7ef21b856ed1651e82f57ab Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 6 May 2022 13:32:34 +0200
Subject: [PATCH] Don't scan dir with preconfigured sysctls in RHEL
|
With the introduction of checks for options defined in multiple
files
the pre-configured sysctls became prominent and started to cause
rules
to fail.
|
In /usr/lib/sysctl.d there are sysctl options defined by systemd and
other packages. The files in which these options are defined are not
meant to be edited; these options should be overridden by options in
dirs of higher priority, like /etc/sysctl.d, or /etc/sysctl.conf.
Remediating these files will cause problems with rule
rpm_verify_hashes,
as these files are not RPM config files.
|
As the sysctl remediations don't edit the pre-configured files the
rule will always result in error.
This commit removes the checks for the pre-configured directory,
i.e. /usr/lib/sysctl.d/.
|
The end result is that any sysctl option that is pre-configured in
/usr/lib/sysctl.d will be defined in two files, the pre-configured
one
ane /etc/sysctl.conf.
The sysctl option in effect should be the one configured in
/etc/sysctl.conf as this file has the highest priority for sysctl.
---
docs/templates/template_reference.md | 12 +++++++++++-
shared/templates/sysctl/oval.template | 8 ++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
|
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index fef4679..d49511a 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -717,10 +717,20 @@ The selected value can be changed in the profile (consult the actual variable fo
```
|
#### sysctl
-- Checks sysctl parameters. The OVAL definition checks both
+- Checks sysctl parameters. The OVAL definition checks both static
configuration and runtime settings and require both of them to be
set to the desired value to return true.
|
+ The following file and directories are checked for static
+ sysctl configurations:
+ - /etc/sysct.conf
+ - /etc/sysct.d/\*.conf
+ - /run/sysct.d/\*.conf
+ - /usr/lib/sysct.d/\*.conf (does not apply to RHEL)
+
+ A sysctl option defined in more then one file within the scanned directories
+ will result in `fail`.
+
- Parameters:
|
- **sysctlvar** - name of the sysctl value, eg.
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 2794638..b692ee3 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -98,8 +98,10 @@
test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
|
test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
+{{% if "rhel" not in product %}}
|
test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+{{% endif %}}
</criteria>
<criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
</criteria>
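Review bot: The product guard `{{% if "rhel" not in product %}}` added around the /usr/lib/sysctl.d criterion is the same literal condition repeated in the three later hunks of this file (the test, the set object and the object definition), so the four sites can drift apart, and a reference left unguarded would point at an id that is not emitted on RHEL and make the generated OVAL invalid. Evaluating it once near the top of the template and reusing the result, e.g. `{{% set check_usr_lib_sysctld = "rhel" not in product %}}` followed by `{{% if check_usr_lib_sysctld %}}` at each site, keeps the sites in step (assuming the project's Jinja dialect accepts `set` with its `{{% %}}` delimiters). The check is also a substring match on the product name, so any other distribution that ships package-defined sysctls in /usr/lib/sysctl.d will keep failing for the reason the commit message gives; a product-level property would express the intent more directly than the name test. The enclosing `<criteria>` element starts outside the hunk, and the `<criterion comment=...>` lines that precede each `test_ref=` line did not survive the rendering of this page.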
@@ -117,9 +119,11 @@
{{{ state_static_sysctld("run_sysctld") }}}
</ind:textfilecontent54_test>
|
+{{% if "rhel" not in product %}}
<ind:textfilecontent54_test check="all" comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" id="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
{{{ state_static_sysctld("usr_lib_sysctld") }}}
</ind:textfilecontent54_test>
+{{% endif %}}
|
|
id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
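Review bot: The test that this hunk wraps still carries the comment attribute `static configuration in /etc/sysctl.d/*.conf`, which contradicts its id `test_static_usr_lib_sysctld_{{{ SYSCTLID }}}` and the `usr_lib_sysctld` state it uses; while the block is being wrapped, change it to `comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf"`. The mismatch is pre-existing context rather than something the commit introduced, but scan reports show tests by their comment text, so a failure here would point the reader at the wrong directory. The documentation hunk in template_reference.md has the same kind of path slip: it lists `/etc/sysct.conf`, `/etc/sysct.d`, `/run/sysct.d` and `/usr/lib/sysct.d` and says "more then one", which should read `sysctl` and `more than one`. The `<ind:textfilecontent54_test>` element at the end of the hunk continues past its last line.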
@@ -229,7 +233,9 @@
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
<set>
<object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% if "rhel" not in product %}}
<object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% endif %}}
</set>
</ind:textfilecontent54_object>
|
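Review bot: On RHEL the `<set>` behind the defined-in-one-file test now references only `object_static_run_sysctld_{{{ SYSCTLID }}}`, so a conflicting definition of the same option shipped in /usr/lib/sysctl.d is no longer counted as a duplicate; that is the trade-off the commit message describes, but nothing in the template records why the directory is skipped. A short comment above the guard would save the next reader from re-deriving it, e.g. `{{# /usr/lib/sysctl.d holds package-shipped defaults that remediations must not edit (see rule rpm_verify_hashes); on RHEL it is excluded from the duplicate-definition check and the runtime check covers the effective value #}}`, using the project's Jinja comment delimiters. The `<ind:textfilecontent54_object>` element that this set belongs to begins before the hunk.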
@@ -250,11 +256,13 @@
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
|
+{{% if "rhel" not in product %}}
<ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
<ind:path>/usr/lib/sysctl.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
+{{% endif %}}
{{% if SYSCTLVAL == "" %}}
|
<ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
--
2.34.1
|