From c0320e5b1fc9257ef87956afc845fcbc579a080c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:16:32 +0100
Subject: [PATCH 1/4] Add tests for sysctls in /usr/local/lib/sysctl.d
Sysctl options can also be defined in /usr/local/lib/sysctl.d/
---
.../tests/correct_value_usr_local_lib.pass.sh | 14 ++++++++++++++
.../sysctl/tests/wrong_value_usr_local_lib.fail.sh | 14 ++++++++++++++
2 files changed, 28 insertions(+)
create mode 100644 shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
create mode 100644 shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
|
|
 |
f6303c |
new file mode 100644
|
|
 |
f6303c |
index 00000000000..3e366a9162f
|
|
 |
f6303c |
--- /dev/null
|
|
 |
f6303c |
+++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
|
|
 |
f6303c |
@@ -0,0 +1,14 @@
|
|
 |
f6303c |
+#!/bin/bash
|
|
 |
f6303c |
+{{% if SYSCTLVAL == "" %}}
|
|
 |
f6303c |
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
|
|
 |
f6303c |
+{{% endif %}}
|
|
 |
f6303c |
+
|
|
 |
f6303c |
+# Clean sysctl config directories
|
|
 |
f6303c |
+rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
|
 |
f6303c |
+
|
|
 |
f6303c |
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
|
|
 |
f6303c |
+mkdir /usr/local/lib/sysctl.d/
|
|
 |
f6303c |
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /usr/local/lib/sysctl.d/correct.conf
|
|
 |
f6303c |
+
|
|
 |
f6303c |
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
|
 |
f6303c |
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
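Review bot: `mkdir /usr/local/lib/sysctl.d/` fails with "File exists" whenever the directory is already present, because the `rm -rf` above it only empties the directory; on a host that ships it, or after another scenario created it, the command returns non-zero. The script has no `set -e`, so execution continues and the echo still lands in the intended file, but the error is noise in the test log and hides real failures. `mkdir -p /usr/local/lib/sysctl.d/` is the idempotent form. The same line appears in wrong_value_usr_local_lib.fail.sh in this patch and should be changed there too.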
|
|
 |
f6303c |
diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
|
|
 |
f6303c |
new file mode 100644
|
|
 |
f6303c |
index 00000000000..fee34ea272f
|
|
 |
f6303c |
--- /dev/null
|
|
 |
f6303c |
+++ b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
|
|
 |
f6303c |
@@ -0,0 +1,14 @@
|
|
 |
f6303c |
+#!/bin/bash
|
|
 |
f6303c |
+{{% if SYSCTLVAL == "" %}}
|
|
 |
f6303c |
+# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}}
|
|
 |
f6303c |
+{{% endif %}}
|
|
 |
f6303c |
+
|
|
 |
f6303c |
+# Clean sysctl config directories
|
|
 |
f6303c |
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
|
 |
f6303c |
+
|
|
 |
f6303c |
+sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
|
|
 |
f6303c |
+mkdir /usr/local/lib/sysctl.d/
|
|
 |
f6303c |
+echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/local/lib/sysctl.d/wrong.conf
|
|
 |
f6303c |
+
|
|
 |
f6303c |
+# Setting correct runtime value
|
|
 |
f6303c |
+sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}"
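Review bot: The cleanup line `rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*` omits `/usr/local/lib/sysctl.d/*`, while the matching pass test in this patch clears that directory as well. If an earlier scenario left a file such as correct.conf there, this scenario would define the option in two files and trip the existing "defined in only one file" criterion instead of the wrong-value check it is meant to exercise. Suggested: `rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*`.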
From 81d45583b4ebd42302d9734447082afc97587ed8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:19:15 +0100
Subject: [PATCH 2/4] sysctl: Check /usr/local/lib/sysctl.d for configs
Update the template so that /usr/local/lib/sysctl.d is also checked for
sysctl configurations.
---
shared/templates/sysctl/oval.template | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
|
|
 |
f6303c |
index bbe646274f6..3fe6de1c185 100644
|
|
 |
f6303c |
--- a/shared/templates/sysctl/oval.template
|
|
 |
f6303c |
+++ b/shared/templates/sysctl/oval.template
|
|
 |
f6303c |
@@ -138,6 +138,8 @@
|
|
 |
f6303c |
|
|
 |
f6303c |
test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>
|
|
 |
f6303c |
{{% endif %}}
|
|
 |
f6303c |
+
|
|
 |
f6303c |
+ test_ref="test_{{{ rule_id }}}_static_usr_local_lib_sysctld"/>
|
|
 |
f6303c |
</criteria>
|
|
 |
f6303c |
{{% if target_oval_version >= [5, 11] %}}
|
|
 |
f6303c |
<criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_{{{ rule_id }}}_defined_in_one_file" />
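Review bot: The added `<criterion>` for the new test shows up here as a bare `+` line followed only by `test_ref="test_{{{ rule_id }}}_static_usr_local_lib_sysctld"/>`, so its opening tag and comment attribute are not visible on this page; this looks like the renderer dropped the tag start, and the element's well-formedness cannot be confirmed from here. The same loss affects the new `<ind:textfilecontent54_test>` in the hunk at -181, where only the attribute lines and the `state_static_sysctld` call survive. Please confirm that the id on that test is `test_{{{ rule_id }}}_static_usr_local_lib_sysctld` so the criterion added here resolves to it.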
|
|
 |
f6303c |
@@ -181,6 +183,13 @@
|
|
 |
f6303c |
</unix:symlink_state>
|
|
 |
f6303c |
{{% endif %}}
|
|
 |
f6303c |
|
|
 |
f6303c |
+
|
|
 |
f6303c |
+ check_existence="any_exist"
|
|
 |
f6303c |
+ check="all"
|
|
 |
f6303c |
+ comment="{{{ SYSCTLVAR }}} static configuration in /usr/local/lib/sysctl.d/*.conf" state_operator="OR">
|
|
 |
f6303c |
+ {{{ state_static_sysctld("usr_local_lib_sysctld") }}}
|
|
 |
f6303c |
+ </ind:textfilecontent54_test>
|
|
 |
f6303c |
+
|
|
 |
f6303c |
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ rule_id }}}" version="1">
|
|
 |
f6303c |
<object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" item_field="filepath" />
|
|
 |
f6303c |
</local_variable>
|
|
 |
f6303c |
@@ -190,7 +199,7 @@
|
|
 |
f6303c |
<ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" version="1">
|
|
 |
f6303c |
<set>
|
|
 |
f6303c |
<object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
|
|
 |
f6303c |
- <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
|
|
 |
f6303c |
+ <object_reference>object_static_run_usr_local_sysctls_{{{ rule_id }}}</object_reference>
|
|
 |
f6303c |
</set>
|
|
 |
f6303c |
</ind:textfilecontent54_object>
|
|
 |
f6303c |
|
|
 |
f6303c |
@@ -201,6 +210,13 @@
|
|
 |
f6303c |
</set>
|
|
 |
f6303c |
</ind:textfilecontent54_object>
|
|
 |
f6303c |
|
|
 |
f6303c |
+ <ind:textfilecontent54_object id="object_static_run_usr_local_sysctls_{{{ rule_id }}}" version="1">
|
|
 |
f6303c |
+ <set>
|
|
 |
f6303c |
+ <object_reference>object_static_usr_local_lib_sysctld_{{{ rule_id }}}</object_reference>
|
|
 |
f6303c |
+ <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
|
|
 |
f6303c |
+ </set>
|
|
 |
f6303c |
+ </ind:textfilecontent54_object>
|
|
 |
f6303c |
+
|
|
 |
f6303c |
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ rule_id }}}" version="1">
|
|
 |
f6303c |
<set>
|
|
 |
f6303c |
<object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
|
|
 |
f6303c |
@@ -227,6 +243,12 @@
|
|
 |
f6303c |
{{{ sysctl_match() }}}
|
|
 |
f6303c |
</ind:textfilecontent54_object>
|
|
 |
f6303c |
|
|
 |
f6303c |
+ <ind:textfilecontent54_object id="object_static_usr_local_lib_sysctld_{{{ rule_id }}}" version="1">
|
|
 |
f6303c |
+ <ind:path>/usr/local/lib/sysctl.d</ind:path>
|
|
 |
f6303c |
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
|
 |
f6303c |
+ {{{ sysctl_match() }}}
|
|
 |
f6303c |
+ </ind:textfilecontent54_object>
|
|
 |
f6303c |
+
|
|
 |
f6303c |
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
|
|
 |
f6303c |
<ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
|
|
 |
f6303c |
<ind:path>/usr/lib/sysctl.d</ind:path>
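Review bot: The new object for /usr/local/lib/sysctl.d sits before the product-conditional block, so it is evaluated on every product while /usr/lib/sysctl.d is still skipped on the ol/rhel/rhcos list; the rest of the series treats this asymmetry as intended, but nothing in the template says so. A short comment above the new object would keep the next reader from "fixing" it, e.g. `{{# /usr/local/lib/sysctl.d is checked on all products; only /usr/lib/sysctl.d is product-specific below #}}`. Stating in the same comment that sysctl.d(5) reads /etc, /run, /usr/local/lib and /usr/lib in that precedence order would also explain why the directory belongs in the search set at all.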
From e863b901b4cca177a67dd11d40a5b4d9ce6deaba Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:35:17 +0100
Subject: [PATCH 3/4] sysctl: Align Ansible and Bash remediations
The Ansible remediation for some products was not aligned with the Bash
one.
---
shared/templates/sysctl/ansible.template | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
|
|
 |
f6303c |
index edc4d3fb667..d67cdd2068c 100644
|
|
 |
f6303c |
--- a/shared/templates/sysctl/ansible.template
|
|
 |
f6303c |
+++ b/shared/templates/sysctl/ansible.template
|
|
 |
f6303c |
@@ -9,12 +9,15 @@
|
|
 |
f6303c |
paths:
|
|
 |
f6303c |
- "/etc/sysctl.d/"
|
|
 |
f6303c |
- "/run/sysctl.d/"
|
|
 |
f6303c |
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
|
|
 |
f6303c |
+ - "/usr/lib/sysctl.d/"
|
|
 |
f6303c |
+{{% endif %}}
|
|
 |
f6303c |
contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
|
|
 |
f6303c |
patterns: "*.conf"
|
|
 |
f6303c |
file_type: any
|
|
 |
f6303c |
register: find_sysctl_d
|
|
 |
f6303c |
|
|
 |
f6303c |
-- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
|
|
 |
f6303c |
+- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from config files
|
|
 |
f6303c |
replace:
|
|
 |
f6303c |
path: "{{ item.path }}"
|
|
 |
f6303c |
regexp: '^[\s]*{{{ SYSCTLVAR }}}'
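Review bot: The product exclusion list `[ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"]` copied into ansible.template here is now hand-maintained in three places (oval.template and bash.template carry the same literal in this series), and none of them says why those products skip /usr/lib/sysctl.d. A comment above the new `{{% if %}}`, such as `{{# Keep this product list in sync with oval.template and bash.template #}}`, would at least tie the copies together; recording the reason for the exclusion would be better, but it is not given anywhere in the series. The replace task body continues past the end of the hunk.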
From 528715c89910afdfb0287b7f405d6849b5701ecb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 14 Nov 2022 15:36:59 +0100
Subject: [PATCH 4/4] sysctl: remove settings in /usr/local/lib/sysctl.d
Also check for sysctl configs in /usr/local/lib/sysctl.d for sysctl options
and comment them out.
---
shared/templates/sysctl/ansible.template | 1 +
shared/templates/sysctl/bash.template | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
|
|
 |
f6303c |
index d67cdd2068c..3ac5d072fcf 100644
|
|
 |
f6303c |
--- a/shared/templates/sysctl/ansible.template
|
|
 |
f6303c |
+++ b/shared/templates/sysctl/ansible.template
|
|
 |
f6303c |
@@ -9,6 +9,7 @@
|
|
 |
f6303c |
paths:
|
|
 |
f6303c |
- "/etc/sysctl.d/"
|
|
 |
f6303c |
- "/run/sysctl.d/"
|
|
 |
f6303c |
+ - "/usr/local/lib/sysctl.d/"
|
|
 |
f6303c |
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
|
|
 |
f6303c |
- "/usr/lib/sysctl.d/"
|
|
 |
f6303c |
{{% endif %}}
|
|
 |
f6303c |
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
|
|
 |
f6303c |
index 27935c33612..83f50a74a06 100644
|
|
 |
f6303c |
--- a/shared/templates/sysctl/bash.template
|
|
 |
f6303c |
+++ b/shared/templates/sysctl/bash.template
|
|
 |
f6303c |
@@ -6,9 +6,9 @@
|
|
 |
f6303c |
|
|
 |
f6303c |
# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
|
|
 |
f6303c |
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
|
|
 |
f6303c |
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
|
|
 |
f6303c |
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
|
|
 |
f6303c |
{{% else %}}
|
|
 |
f6303c |
-for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
|
|
 |
f6303c |
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
|
|
 |
f6303c |
{{% endif %}}
|
|
 |
f6303c |
matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
|
|
 |
f6303c |
if ! test -z "$matching_list"; then
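Review bot: The comment `# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files` above the loop is now stale, since both `for` lines also walk /run/sysctl.d and /usr/local/lib/sysctl.d (and /usr/lib/sysctl.d on most products); patch 3 renamed the equivalent Ansible task to say "from config files", so the Bash comment should match, e.g. `# Comment out any occurrences of {{{ SYSCTLVAR }}} from sysctl config files`. Separately, /usr/local/lib/sysctl.d frequently does not exist (the new tests have to create it), and without nullglob an unmatched `/usr/local/lib/sysctl.d/*.conf` is passed literally to `grep -P ... $f`, which prints a "No such file or directory" error on every run; the existing `/usr/lib/sysctl.d/*.conf` glob has the same exposure. A `[ -f "$f" ] || continue` as the first line of the loop body would keep the remediation output clean. The loop body continues past the end of the hunk.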
|