Sysctl template remediations do not modify package files #10881
Conversation
Skipping CI for Draft Pull Request.
@teacup-on-rockingchair Usually, problems like that should be solved in the RPM package that owns these files by marking them as config files in the spec file. Also, I don't like the change of the STIG file in this PR, it's unrelated to the topic of this PR. Please submit the change of STIG file in a separate PR.
Those files belong to the packages and as such this is considered as a modification of the system package. The SYSCTL.D(5) manual page states that the priority of sysctl configuration files is:
/etc/sysctl.d/*.conf
/run/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
So if there is a conflict between a setting in /usr/lib/sysctl.d/ and /etc/sysctl.d/, the latter will win. In this context the current remediation code that modifies only /etc/sysctl.d/ files is good enough since, even if we do not comment out the setting in /usr/lib/sysctl.d/, it will be ignored by the system.
Code Climate has analyzed commit db2ff1d and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.3% (0.0% change). View more on Code Climate.
Thank you, @teacup-on-rockingchair. I think these changes rather make SLE and OL products behave the same with respect to the files you are mentioning.
@@ -6,7 +6,7 @@ | |||
|
|||
# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files | |||
{{% if product in [ "sle12", "sle15"] %}} | |||
for f in /run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do | |||
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do |
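Review bot: the new loop line `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do` drops `/usr/lib/sysctl.d/*.conf` but keeps `/lib/sysctl.d/*.conf`; on distributions where /lib is a symlink to /usr/lib the remediation still rewrites the package-owned files it is meant to leave alone, so `/lib/sysctl.d/*.conf` should be removed from the glob list as well. The comment line `# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files` still names only /etc/sysctl.d/ while the loop also walks /run and /usr/local/lib; it should list the directories actually touched. One caveat for the PR description: sysctl.d(5) applies all remaining files in lexicographic order of file name regardless of directory, so a package file in /usr/lib/sysctl.d/ that sorts later than the remediation's file in /etc/sysctl.d/ still wins unless the remediation file has the same name (masking) or a later-sorting name; the description's "the latter will win" holds only for same-named files.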
The /lib directory is a symlink to /usr/lib, at least for Fedora/RHEL-alike distributions, if I'm not mistaken. So this probably needs to be removed as well.
Surprisingly, Debian has issues with this as of 2022, but this is indeed the case for everybody else for some time (apparently including Ubuntu): https://lwn.net/Articles/890219/
This can be potentially merged with the elif statement as they will become very similar in case /lib and /usr/lib are dropped from both cases.
Description:
/usr/lib/sysctl.d/
Rationale:
Those files belong to the packages and as such this is considered as a modification of the system package.
The SYSCTL.D(5) manual page states that the priority of sysctl configuration files is:
/etc/sysctl.d/*.conf
/run/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
So if there is a conflict between a setting in /usr/lib/sysctl.d/ and /etc/sysctl.d/, the latter will win.
In this context the current remediation code that modifies only /etc/sysctl.d/ files is good enough since, even if we do not comment out the setting in /usr/lib/sysctl.d/, it will be ignored by the system.
Review Hints:
@freddieRv you might want to consider if for your platform the changes are valid also
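An added example (not code from the PR or from the ComplianceAsCode project) that models the two sysctl.d(5) ordering rules the rationale above and the earlier comment rely on: a file in /etc/sysctl.d/ masks a same-named file in /usr/lib/sysctl.d/, and the surviving files are applied in lexicographic order of file name across all directories. The file names and the kernel.kptr_restrict values in the sample tree are constructed; they show when a remediation that writes only to /etc/sysctl.d/ wins over a package-owned file and when it does not.

```python
from pathlib import PurePosixPath

# Lookup directories, highest precedence first, as listed in sysctl.d(5).
SYSCTL_DIRS = ("/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d", "/usr/lib/sysctl.d")

def parse_conf(text):
    """Parse 'key = value' lines; lines starting with '#' or ';' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def resolve(tree):
    """tree maps absolute path -> contents; returns {key: (value, path that set it)}."""
    # Rule 1 (masking): a file hides same-named files in lower-precedence directories.
    winners = {}  # basename -> (precedence rank, path)
    for path in tree:
        p = PurePosixPath(path)
        rank = SYSCTL_DIRS.index(str(p.parent))
        if p.name not in winners or rank < winners[p.name][0]:
            winners[p.name] = (rank, path)
    # Rule 2 (ordering): surviving files apply in lexicographic order of basename,
    # regardless of directory, so the latest-sorting file wins a conflict.
    effective = {}
    for name in sorted(winners):
        path = winners[name][1]
        for key, value in parse_conf(tree[path]).items():
            effective[key] = (value, path)
    return effective

# Constructed sample (hypothetical names, not from the PR): vendor default in /usr/lib, remediation in /etc.
VENDOR = "/usr/lib/sysctl.d/99-vendor.conf"
SAMPLE_TREE = {
    VENDOR: "# vendor default\nkernel.kptr_restrict = 0\n",
    "/etc/sysctl.d/50-hardening.conf": "kernel.kptr_restrict = 2\n",
}

def with_remediation(tree, name, key, value):
    """Copy of tree with /etc/sysctl.d/<name> setting key = value; package files untouched."""
    return {**tree, f"/etc/sysctl.d/{name}": f"{key} = {value}\n"}

# 99-vendor.conf sorts after 50-hardening.conf, so the vendor value still wins:
WITHOUT_MASK = resolve(SAMPLE_TREE)["kernel.kptr_restrict"]  # ('0', VENDOR)
# A same-named file in /etc/sysctl.d/ masks the package file and the hardened value wins:
WITH_MASK = resolve(with_remediation(SAMPLE_TREE, "99-vendor.conf", "kernel.kptr_restrict", 2))
```

Running `sysctl --system` on a real host reads the same directories; the constructed tree here lets the ordering be checked without touching the kernel.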