scap-security-guide/scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch

116 lines
4.8 KiB
Diff

From e1c1930d252dee6ba7ef21b856ed1651e82f57ab Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 6 May 2022 13:32:34 +0200
Subject: [PATCH] Don't scan dir with preconfigured sysctls in RHEL
With the introduction of checks for options defined in multiple
files
the pre-configured sysctls became prominent and started to cause
rules
to fail.
In /usr/lib/sysctl.d there are sysctl options defined by systemd and
other packages. The files in witch these options are defined are not
meant to be edited, these options should be overriden by options in
dirs of higher priorrity, like /etc/sysctl.d, or /etc/sysctl.conf.
Remediating these files will cause problems with rule
rpm_verify_hashes,
as these files are not RPM config files.
As the sysctl remediations don't edit the pre-configured files the
rule will always result in error.
This commit removes the checks for the pre-configured directory,
i.e. /usr/lib/sysctl.d/.
The end result is that any sysctl option that is pre-configured in
/usr/lib/sysctl.d will be defined in two files, the pre-configured
one
ane /etc/sysctl.conf.
The sysctl option in effect should be the one configured in
/etc/sysctl.conf as this file has the highest priority for sysctl.
---
docs/templates/template_reference.md | 12 +++++++++++-
shared/templates/sysctl/oval.template | 8 ++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index fef4679..d49511a 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -717,10 +717,20 @@ The selected value can be changed in the profile (consult the actual variable fo
```
#### sysctl
-- Checks sysctl parameters. The OVAL definition checks both
+- Checks sysctl parameters. The OVAL definition checks both static
configuration and runtime settings and require both of them to be
set to the desired value to return true.
+ The following file and directories are checked for static
+ sysctl configurations:
+ - /etc/sysct.conf
+ - /etc/sysct.d/\*.conf
+ - /run/sysct.d/\*.conf
+ - /usr/lib/sysct.d/\*.conf (does not apply to RHEL)
+
+ A sysctl option defined in more then one file within the scanned directories
+ will result in `fail`.
+
- Parameters:
- **sysctlvar** - name of the sysctl value, eg.
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 2794638..b692ee3 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -98,8 +98,10 @@
test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
+{{% if "rhel" not in product %}}
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+{{% endif %}}
</criteria>
<criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
</criteria>
@@ -117,9 +119,11 @@
{{{ state_static_sysctld("run_sysctld") }}}
</ind:textfilecontent54_test>
+{{% if "rhel" not in product %}}
<ind:textfilecontent54_test check="all" comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" id="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
{{{ state_static_sysctld("usr_lib_sysctld") }}}
</ind:textfilecontent54_test>
+{{% endif %}}
<ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
@@ -229,7 +233,9 @@
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
<set>
<object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% if "rhel" not in product %}}
<object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% endif %}}
</set>
</ind:textfilecontent54_object>
@@ -250,11 +256,13 @@
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
+{{% if "rhel" not in product %}}
<ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
<ind:path>/usr/lib/sysctl.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
+{{% endif %}}
{{% if SYSCTLVAL == "" %}}
<ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
--
2.34.1