From b20efdc9d8bcb198997b7cd44264c60621e497ba Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Mon, 27 Mar 2023 01:32:51 +0300 Subject: [PATCH 1/6] Use drop in file for sysctl variables for SLE platforms Instead of modifying the global /etc/sysctl.conf file for each one of them Modification recommended by system engineers with the motivation, this approach provides cleaner setup for support and upgrade the system --- shared/templates/sysctl/bash.template | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index 8d77213236e..de525faf8f5 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template @@ -22,6 +22,16 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.con fi done +# +# Set sysctl config file which to save the desired value +# +{{% if product in [ "sle12", "sle15"] %}} +SYSCONFIG_VAR="{{{ SYSCTLVAR }}}" +SYSCONFIG_FILE=/etc/sysctl.d/"${SYSCONFIG_VAR//./_}".conf +{{% else %}} +SYSCONFIG_FILE="/etc/sysctl.conf" +{{% endif %}} + {{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} {{{ bash_instantiate_variables("sysctl_" ~ SYSCTLID ~ "_value") }}} @@ -34,7 +44,11 @@ done # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to appropriate value # else, add "{{{ SYSCTLVAR }}} = value" to /etc/sysctl.conf # -{{{ bash_replace_or_append('/etc/sysctl.conf', '^' ~ SYSCTLVAR , '$sysctl_' ~ SYSCTLID ~ '_value') }}} +{{% if product in [ "sle12", "sle15"] %}} +sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf +{{% endif %}} +{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^' ~ SYSCTLVAR , '$sysctl_' ~ SYSCTLID ~ '_value') }}} + {{%- else %}} # 
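Review bot: The drop-in path built by the new `SYSCONFIG_FILE=/etc/sysctl.d/"${SYSCONFIG_VAR//./_}".conf` line carries no numeric prefix, so its position relative to the other snippets in `/etc/sysctl.d` is decided purely by the lexical sort of the bare variable name, which sysctl.d(5) advises against. Whether a later vendor or `99-*` snippet silently overrides the remediated value depends on what the product ships in that directory, which this hunk cannot show, so please confirm the precedence on SLE or pin it with a fixed high prefix such as `SYSCONFIG_FILE=/etc/sysctl.d/90-"${SYSCONFIG_VAR//./_}".conf`. If any check looks for the value in a specific file name it would need the same prefix. The `for f in /etc/sysctl.d/*.conf …` loop that this hunk closes starts before the hunk.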
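Review bot: The new `sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf` uses the variable name as an unescaped regex with no terminator, so `^net.ipv6.conf.all.accept_ra` also deletes a `net.ipv6.conf.all.accept_ra_defrtr` setting that happens to be in the file, the dots match any character, and a line with leading whitespace is not matched at all. Escape the name and anchor on the separator, for example `sed -i "/^[[:space:]]*${SYSCONFIG_VAR//./\\.}[[:space:]]*=/d" /etc/sysctl.conf`. The Ansible template later in this series comments the line out instead of deleting it; using `s/^/#/` in place of `d` would make the two remediations leave the same audit trace.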
@@ -46,5 +60,8 @@ done # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" # else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf # -{{{ bash_replace_or_append('/etc/sysctl.conf', '^' ~ SYSCTLVAR , SYSCTLVAL ) }}} +{{% if product in [ "sle12", "sle15"] %}} +sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf +{{% endif %}} +{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^' ~ SYSCTLVAR , SYSCTLVAL ) }}} {{%- endif %}} From d14940ff2aa798ec0703e6a915a729138f2b6918 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 2 Apr 2023 10:11:59 +0300 Subject: [PATCH 2/6] Use jinja2 filter replace instead of bash --- shared/templates/sysctl/bash.template | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index de525faf8f5..f96b45fb3cc 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template @@ -26,8 +26,7 @@ done # Set sysctl config file which to save the desired value # {{% if product in [ "sle12", "sle15"] %}} -SYSCONFIG_VAR="{{{ SYSCTLVAR }}}" -SYSCONFIG_FILE=/etc/sysctl.d/"${SYSCONFIG_VAR//./_}".conf +SYSCONFIG_FILE='/etc/sysctl.d/{{{ SYSCTLVAR | replace(".","_") }}}.conf' {{% else %}} SYSCONFIG_FILE="/etc/sysctl.conf" {{% endif %}} From ab54b42c6e531f9300657e92c701718234c506ce Mon Sep 17 00:00:00 2001 
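Review bot: Dropping `SYSCONFIG_VAR="{{{ SYSCTLVAR }}}"` leaves the two `sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf` lines from the previous patch referencing a variable that is no longer assigned; they still appear unchanged as context in patch 3, so unless the name is set elsewhere in the template the expression expands to `/^/d` and the remediation empties `/etc/sysctl.conf` on every SLE run. Either keep the assignment or rewrite the sed lines with the Jinja value, e.g. `sed -i "/^{{{ SYSCTLVAR | replace('.', '\\.') }}}/d" /etc/sysctl.conf`. A remediation test that runs the generated script against a populated `/etc/sysctl.conf` and asserts that unrelated keys survive would catch this.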
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 2 Apr 2023 10:57:20 +0300 Subject: [PATCH 3/6] Use sysctl_remediate_drop_in_file property Instead of using per product logn conditions in templates and rules/fixes, use property defined on per product basis. Thanks to @yuumasato for the hint --- products/sle12/product.yml | 2 ++ products/sle15/product.yml | 2 ++ shared/templates/sysctl/bash.template | 6 +++--- ssg/constants.py | 1 + ssg/products.py | 3 +++ 5 files changed, 11 insertions(+), 3 deletions(-) diff --git a/products/sle12/product.yml b/products/sle12/product.yml index b6ef9d15df7..8b5ed3b49fa 100644 --- a/products/sle12/product.yml +++ b/products/sle12/product.yml @@ -39,3 +39,5 @@ reference_uris: cis: 'https://www.cisecurity.org/benchmark/suse_linux/' dconf_gdm_dir: "gdm.d" + +sysctl_remediate_drop_in_file: "true" diff --git a/products/sle15/product.yml b/products/sle15/product.yml index 57fab5f05c7..be2e29bb9d0 100644 --- a/products/sle15/product.yml +++ b/products/sle15/product.yml @@ -44,3 +44,5 @@ reference_uris: cis: 'https://www.cisecurity.org/benchmark/suse_linux/' dconf_gdm_dir: "gdm.d" + +sysctl_remediate_drop_in_file: "true" diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index f96b45fb3cc..49e4d949be0 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template @@ -25,7 +25,7 @@ done # # Set sysctl config file which to save the desired value # -{{% if product in [ "sle12", "sle15"] %}} +{{% if sysctl_remediate_drop_in_file == "true" %}} SYSCONFIG_FILE='/etc/sysctl.d/{{{ SYSCTLVAR | replace(".","_") }}}.conf' {{% else %}} SYSCONFIG_FILE="/etc/sysctl.conf" 
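Review bot: `{{% if sysctl_remediate_drop_in_file == "true" %}}` matches only the exact string "true", so a product file written as the natural YAML `sysctl_remediate_drop_in_file: true` (loaded as a boolean by typical YAML loaders) would silently fall back to editing `/etc/sysctl.conf` with no error. Normalize before comparing, `{{% if sysctl_remediate_drop_in_file | string | lower == "true" %}}`, or document next to the property in the product.yml hunks above that the value must stay quoted. The same literal comparison is repeated in the two following hunks of this file and in the Ansible template, so whichever fix is chosen should be applied to all of them.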
@@ -43,7 +43,7 @@ SYSCONFIG_FILE="/etc/sysctl.conf" # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to appropriate value # else, add "{{{ SYSCTLVAR }}} = value" to /etc/sysctl.conf # -{{% if product in [ "sle12", "sle15"] %}} +{{% if sysctl_remediate_drop_in_file == "true" %}} sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf {{% endif %}} {{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^' ~ SYSCTLVAR , '$sysctl_' ~ SYSCTLID ~ '_value') }}} @@ -59,7 +59,7 @@ sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" # else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf # -{{% if product in [ "sle12", "sle15"] %}} +{{% if sysctl_remediate_drop_in_file == "true" %}} sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf {{% endif %}} {{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^' ~ SYSCTLVAR , SYSCTLVAL ) }}} diff --git a/ssg/constants.py b/ssg/constants.py index c0ea5126211..e7909104c79 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -471,3 +471,4 @@ DEFAULT_PRODUCT = 'example' DEFAULT_CHRONY_CONF_PATH = '/etc/chrony.conf' DEFAULT_AUDISP_CONF_PATH = '/etc/audit' +DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE = 'false' diff --git a/ssg/products.py b/ssg/products.py index 678a1334952..2c31d5c229b 100644 --- a/ssg/products.py +++ b/ssg/products.py @@ -98,6 +98,9 @@ def _get_implied_properties(existing_properties): if "faillock_path" not in existing_properties: result["faillock_path"] = DEFAULT_FAILLOCK_PATH + if "sysctl_remediate_drop_in_file" not in existing_properties: + result["sysctl_remediate_drop_in_file"] = DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE + return result From f1c9685223e5401363b58298734786e6679215b6 Mon Sep 17 00:00:00 2001 
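Review bot: The comment block above the changed condition still says the value is changed in or appended to `/etc/sysctl.conf`, but since patch 1 the write goes to `${SYSCONFIG_FILE}`, which on drop-in products is the per-variable file under `/etc/sysctl.d`; the same stale wording precedes the `@@ -59` hunk. Suggest `# If {{{ SYSCTLVAR }}} is present in ${SYSCONFIG_FILE}, change its value; else append "{{{ SYSCTLVAR }}} = value" to ${SYSCONFIG_FILE}` plus a one-line note that on drop-in products the key is first removed from /etc/sysctl.conf so the two files cannot disagree. Keeping the comment accurate matters here because the file being edited is now decided by a product property rather than visible in the script.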
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 2 Apr 2023 13:58:57 +0300 Subject: [PATCH 4/6] Add sysctl_remediate_drop_in_file to ansible fix --- shared/templates/sysctl/ansible.template | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index 2ab1ab9c40c..4c2eade72e6 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template @@ -32,6 +32,14 @@ replace: '#{{{ SYSCTLVAR }}}' loop: "{{ find_sysctl_d.files }}" +{{% if sysctl_remediate_drop_in_file == "true" %}} +- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.conf + replace: + path: "/etc/sysctl.conf" + regexp: '^[\s]*{{{ SYSCTLVAR }}}' + replace: '#{{{ SYSCTLVAR }}}' +{{% endif %}} + {{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) @@ -45,6 +53,11 @@ name: "{{{ SYSCTLVAR }}}" value: "{{{ SYSCTLVAL }}}" {{%- endif %}} +{{% if sysctl_remediate_drop_in_file == "true" %}} + sysctl_file: "/etc/sysctl.d/{{{ SYSCTLVAR | replace('.','_') }}}.conf" +{{% else %}} + sysctl_file: "/etc/sysctl.conf" +{{% endif %}} state: present reload: yes From 88a6d65adb7762d1bf360d1fac49cc36d28c1085 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Sun, 2 Apr 2023 14:06:03 +0300 Subject: [PATCH 5/6] Update documentation on sysctl template Add note on sysctl_remediate_drop_in_file property --- docs/templates/template_reference.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index 4ea4e987ff3..58ebee33ae9 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md 
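Review bot: The new replace task's `regexp: '^[\s]*{{{ SYSCTLVAR }}}'` has the same prefix problem as the Bash sed in this series: the dots are regex wildcards and nothing terminates the name, so remediating `net.ipv6.conf.all.accept_ra` also comments out `net.ipv6.conf.all.accept_ra_defrtr` and similar keys in `/etc/sysctl.conf`. Escape the name and require the separator, `regexp: '^[\s]*{{{ SYSCTLVAR | replace(".", "\\.") }}}\s*='`; the `replace` filter is already used for `sysctl_file` in the second hunk. The preceding task that loops over `find_sysctl_d.files` appears to use the same pattern and would need the same fix, though its regexp line is outside this hunk.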
@@ -872,6 +872,10 @@ The selected value can be changed in the profile (consult the actual variable fo - **sysctlval_regex** - if **operation** is `pattern match`, this parameter is used instead of **sysctlval**. + In case the **sysctl_remediate_drop_in_file** property is set to true in the product file, + the remediation scripts will set the variable with correct value to a drop-in file in + `/etc/sysctl.d/var_name.conf` file. + - Languages: Ansible, Bash, OVAL #### timer_enabled From a3fbcd8f805aec0a2241af8e25e5f327845108fd Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Mon, 3 Apr 2023 22:31:13 +0300 Subject: [PATCH 6/6] Import default sysctl file from constants.py --- ssg/products.py | 1 + 1 file changed, 1 insertion(+) diff --git a/ssg/products.py b/ssg/products.py index 2c31d5c229b..a2aad31debc 100644 --- a/ssg/products.py +++ b/ssg/products.py @@ -20,6 +20,7 @@ DEFAULT_CHRONY_CONF_PATH, DEFAULT_AUDISP_CONF_PATH, DEFAULT_FAILLOCK_PATH, + DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE, PKG_MANAGER_TO_SYSTEM, PKG_MANAGER_TO_CONFIG_FILE, XCCDF_PLATFORM_TO_PACKAGE,