commit c68d33e672264e1b4f2c664004d258ddfc198856
Author: Gabriel Becker <ggasparb@redhat.com>
Date:   Thu Feb 24 18:15:07 2022 +0100

    Manually edited patch scap-security-guide-0.1.60-sysctl_d_directories-PR_7999.patch.

diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
new file mode 100644
index 0000000..48a2665
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+. $SHARED/sysctl.sh
+
+setting_name="kernel.randomize_va_space"
+setting_value="2"
+# sysctl -w "$setting_name=$setting_value"
+if grep -q "^$setting_name" /usr/lib/sysctl.d/50-sysctl.conf; then
+    sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /usr/lib/sysctl.d/50-sysctl.conf
+else
+    echo "$setting_name = $setting_value" >> /usr/lib/sysctl.d/50-sysctl.conf
+fi
+
+setting_name="kernel.randomize_va_space"
+setting_value="0"
+# sysctl -w "$setting_name=$setting_value"
+if grep -q "^$setting_name" /etc/sysctl.d/99-sysctl.conf; then
+    sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.d/99-sysctl.conf
+else
+    echo "$setting_name = $setting_value" >> /etc/sysctl.d/99-sysctl.conf
+fi
+
+sysctl --system
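Review bot: The two grep/sed/echo stanzas for /usr/lib/sysctl.d/50-sysctl.conf and /etc/sysctl.d/99-sysctl.conf duplicate the same logic, and both interpolate `$setting_name` into a regex unescaped and unterminated, so `^kernel.randomize_va_space` treats the dots as wildcards and would also match a longer key sharing that prefix; with this fixed name it is harmless, but a small helper keeps the two copies from drifting and makes the match explicit. `. $SHARED/sysctl.sh` should also be quoted as `. "$SHARED/sysctl.sh"`. I cannot see sysctl.sh from here — if it already provides a helper for writing a key into a given file, prefer that over a local one.
```bash
# Write "<name> = <value>" into <file>, replacing an existing entry for exactly that key.
set_sysctl_in_file() {
  local file="$1" name="$2" value="$3"
  local name_re="${name//./\\.}"   # dots in the key are literal, not regex wildcards
  if grep -q "^${name_re}[[:space:]]*=" "$file"; then
    sed -i "s/^${name_re}[[:space:]]*=.*/${name} = ${value}/" "$file"
  else
    echo "${name} = ${value}" >> "$file"
  fi
}

set_sysctl_in_file /usr/lib/sysctl.d/50-sysctl.conf kernel.randomize_va_space 2
set_sysctl_in_file /etc/sysctl.d/99-sysctl.conf kernel.randomize_va_space 0
# … unchanged: sysctl --system …
```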
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index e4ccd84..3837b31 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -3,6 +3,21 @@
 # strategy = disable
 # complexity = low
 # disruption = medium
+
+- name: List /etc/sysctl.d/*.conf files
+  find:
+    paths: "/etc/sysctl.d/"
+    contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
+    patterns: "*.conf"
+  register: find_sysctl_d
+
+- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
+  replace:
+    path: "{{ item }}"
+    regexp: '^[\s]*{{{ SYSCTLVAR }}}'
+    replace: '#{{{ SYSCTLVAR }}}'
+  loop: "{{ find_sysctl_d.files }}"
+
 {{%- if SYSCTLVAL == "" %}}
 - (xccdf-var sysctl_{{{ SYSCTLID }}}_value)
 
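Review bot: The `regexp: '^[\s]*{{{ SYSCTLVAR }}}'` in the replace task is unbounded on the right, so it also comments out any longer key that begins with SYSCTLVAR (a remediation for `net.ipv4.ip_forward` would disable `net.ipv4.ip_forward_use_pmtu` lines too), and the dots in the key act as regex wildcards. Anchoring on the separator with a lookahead keeps the replacement string unchanged: `regexp: '^[\s]*{{{ SYSCTLVAR }}}(?=\s*=)'`; the `contains:` pattern of the find task should get the same bound. The bash template in the next hunk injects SYSCTLVAR into `grep -P` the same unbounded way, and its `[\s]+` additionally requires whitespace before the key, so an entry at column 0 — the form the new test scenario writes — may not be matched there at all; that hunk runs past this page, so its tail is not reviewed here.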
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
index a762794..5ec56fd 100644
--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
@@ -4,6 +4,18 @@
 # complexity = low
 # disruption = medium
 . /usr/share/scap-security-guide/remediation_functions
+
+# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
+for f in /etc/sysctl.d/*.conf ; do
+  matching_list=$(grep -P '^(?!#).*[\s]+{{{ SYSCTLVAR }}}.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "{{{ SYSCTLVAR }}}" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+  fi
+done
+
 {{%- if SYSCTLVAL == "" %}}
 {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}}