From e1c1930d252dee6ba7ef21b856ed1651e82f57ab Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 6 May 2022 13:32:34 +0200
Subject: [PATCH] Don't scan dir with preconfigured sysctls in RHEL
With the introduction of checks for options defined in multiple
files
the pre-configured sysctls became prominent and started to cause
rules
to fail.
In /usr/lib/sysctl.d there are sysctl options defined by systemd and
other packages. The files in witch these options are defined are not
meant to be edited, these options should be overriden by options in
dirs of higher priorrity, like /etc/sysctl.d, or /etc/sysctl.conf.
Remediating these files will cause problems with rule
rpm_verify_hashes,
as these files are not RPM config files.
As the sysctl remediations don't edit the pre-configured files the
rule will always result in error.
This commit removes the checks for the pre-configured directory,
i.e. /usr/lib/sysctl.d/.
The end result is that any sysctl option that is pre-configured in
/usr/lib/sysctl.d will be defined in two files, the pre-configured
one
and /etc/sysctl.conf.
The sysctl option in effect should be the one configured in
/etc/sysctl.conf as this file has the highest priority for sysctl.
---
docs/templates/template_reference.md | 12 +++++++++++-
shared/templates/sysctl/oval.template | 8 ++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index fef4679..d49511a 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -717,10 +717,20 @@ The selected value can be changed in the profile (consult the actual variable fo
```
#### sysctl
-- Checks sysctl parameters. The OVAL definition checks both
+- Checks sysctl parameters. The OVAL definition checks both static
configuration and runtime settings and require both of them to be
set to the desired value to return true.
+ The following file and directories are checked for static
+ sysctl configurations:
+ - /etc/sysct.conf
+ - /etc/sysct.d/\*.conf
+ - /run/sysct.d/\*.conf
+ - /usr/lib/sysct.d/\*.conf (does not apply to RHEL)
+
+ A sysctl option defined in more then one file within the scanned directories
+ will result in `fail`.
+
- Parameters:
- **sysctlvar** - name of the sysctl value, eg.
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 2794638..b692ee3 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -98,8 +98,10 @@
test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
+{{% if "rhel" not in product %}}
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+{{% endif %}}
</criteria>
<criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
</criteria>
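Review bot: The `{{% if "rhel" not in product %}}` guard added here is repeated verbatim around the test at `@@ -117`, the object reference at `@@ -229` and the object at `@@ -250`; if any one copy drifts, the criterion `test_static_usr_lib_sysctld_{{{ SYSCTLID }}}` ends up pointing at a test or object that is never emitted, and that only surfaces when the generated OVAL is validated. Evaluating the condition once, e.g. `{{% set check_usr_lib_sysctld = "rhel" not in product %}}` near the top of the template and `{{% if check_usr_lib_sysctld %}}` at each of the four sites, keeps them in step; note that the substring test also matches any product id that merely contains `rhel`, which is presumably intended for the versioned ids. The enclosing `<criteria>` starts before this hunk. Separately, the companion docs hunk lists the scanned paths as `/etc/sysct.conf`, `/etc/sysct.d`, `/run/sysct.d` and `/usr/lib/sysct.d`, each missing the `l` of `sysctl`, and writes "more then one file" for "more than".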
@@ -117,9 +119,11 @@
{{{ state_static_sysctld("run_sysctld") }}}
</ind:textfilecontent54_test>
+{{% if "rhel" not in product %}}
<ind:textfilecontent54_test check="all" comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" id="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
{{{ state_static_sysctld("usr_lib_sysctld") }}}
</ind:textfilecontent54_test>
+{{% endif %}}
<ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
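Review bot: The `comment` attribute of the test that this hunk wraps in the RHEL guard still reads "static configuration in /etc/sysctl.d/*.conf", although its id is `test_static_usr_lib_sysctld_{{{ SYSCTLID }}}` and its state comes from `state_static_sysctld("usr_lib_sysctld")`, so anyone reading a scan report sees the wrong path for this check. It is a context line here, but since the block is being touched it is cheap to correct: `comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf"`. The `<ind:variable_test>` opened on the last line of the hunk continues outside it.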
@@ -229,7 +233,9 @@
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
<set>
<object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% if "rhel" not in product %}}
<object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% endif %}}
</set>
</ind:textfilecontent54_object>
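Review bot: Nothing in the template records why `/usr/lib/sysctl.d` is dropped from the duplicate-definition set on RHEL, so the next maintainer finds the rationale only in git history, and the set object's id `object_static_run_usr_sysctls_{{{ SYSCTLID }}}` still advertises `usr` even when it holds only the run_sysctld reference. A template comment at the guard (assuming the engine's comment delimiter is `{{#`) would carry the reasoning: `{{# /usr/lib/sysctl.d holds vendor defaults that the remediation never edits; on RHEL they are overridden by /etc/sysctl.conf, so they must not count as a second definition. #}}`. It is worth stating in the same comment that, with this exclusion, a conflicting vendor default in that directory is no longer caught by the static check on RHEL and only the runtime-value test covers it, so the reduced coverage reads as deliberate.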
@@ -250,11 +256,13 @@
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
+{{% if "rhel" not in product %}}
<ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
<ind:path>/usr/lib/sysctl.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
+{{% endif %}}
{{% if SYSCTLVAL == "" %}}
<ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
--
2.34.1