Update sysctl template to check(and not fix) /usr/lib/sysctl.d directory #10637
Conversation
There are configurations set by packages in /usr/lib, so it is possible to find the expected configuration there, but it is not recommended to modify those files in case of a non-compliant configuration. So I modified the OVAL to check those files in a way that any non-compliant scenario can be fixed without touching them. This means that the rule can pass if the expected conf is included in a file in /usr/lib, but also if there is a non-compliant value there and it is overwritten by a configuration in a different file.

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Hi @Xeicker. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi @Xeicker, sorry for the delay.
Nice work and thank you for the improvement.
Adding test wrong_usr_lib_wrong_etc.fail.sh to complement wrong_usr_lib_correct_etc.pass.sh

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>

- Fix comments in OVAL tests
- Remove OVAL test with jinja when the criterion is also removed

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
1d3cfdc to b39c007
Code Climate has analyzed commit b39c007 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.8% (0.0% change). View more on Code Climate.
@Xeicker Thanks for the update!
On Ubuntu /lib is symlinked to /usr/lib, thus /lib/sysctl.d contains package-managed configs, which should not be modified and can be incorrect if overridden elsewhere (see ComplianceAsCode#10637).
Description:
/usr/lib/sysctl.d directory

Rationale:
/usr/lib/sysctl.d for RHEL and OL. The rationale was that the files in there shouldn't be modified. So adding the check again, but taking precedence into account; that means that the rule will pass if the configuration is correctly set in /usr/lib/sysctl.d and not overridden, but won't fail in case the configuration there is wrong but overridden correctly somewhere else.

Review Hints:

|    | LC | LW | LM    |
|----|----|----|-------|
| NC | 1  | 1  | 1     |
| NW | 0  | 0  | 0     |
| NM | 1  | 0  | 0 (1) |

Correct: C
Wrong: W
Missing: M
in /usr/lib/sysctl.d: L
not in /usr/lib/sysctl.d: N
rule passes: 1
rule fails: 0
rule result when missing_parameter_pass is set to true, if different: (x)
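As an added illustration (not code from this PR or from ComplianceAsCode), the following Python models the precedence the rule now relies on: it resolves the value `sysctl --system` would apply across the sysctl.d directories (assumed standard systemd layout; the filesystem is stood in by a constructed path-to-content dict) and reproduces the pass/fail matrix from the review hints, including the case where a same-named file in /etc/sysctl.d masks the one in /usr/lib/sysctl.d.

```python
import os
from typing import Dict, Optional

# Directories systemd-sysctl reads, lowest to highest precedence (assumed
# standard layout; /lib/sysctl.d omitted since on Ubuntu /lib -> /usr/lib).
# /etc/sysctl.conf is applied last by `sysctl --system` and wins overall.
SYSCTL_DIRS = ["/usr/lib/sysctl.d", "/usr/local/lib/sysctl.d",
               "/run/sysctl.d", "/etc/sysctl.d"]


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; a later line wins over an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lstrip("-")] = value.strip()  # '-' = ignore errors
    return settings


def effective_value(files: Dict[str, str], param: str) -> Optional[str]:
    """Value `sysctl --system` would apply for param, given {path: content}.
    A *.conf in a higher-precedence directory masks a same-named file in a
    lower one, even if it never mentions param."""
    winners: Dict[str, str] = {}
    for directory in SYSCTL_DIRS:  # low to high precedence
        for path in files:
            if os.path.dirname(path) == directory and path.endswith(".conf"):
                winners[os.path.basename(path)] = path
    value = None
    for name in sorted(winners):  # applied in lexical order of basename
        value = parse_sysctl(files[winners[name]]).get(param, value)
    if "/etc/sysctl.conf" in files:
        value = parse_sysctl(files["/etc/sysctl.conf"]).get(param, value)
    return value


def rule_passes(files: Dict[str, str], param: str, expected: str,
                missing_parameter_pass: bool = False) -> bool:
    """Pass/fail as in the review-hints table: only the effective value counts,
    so a wrong /usr/lib value overridden correctly elsewhere passes, while a
    correct one overridden wrongly fails."""
    value = effective_value(files, param)
    if value is None:
        return missing_parameter_pass
    return value == expected
```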