sysctl template: add AlmaLinux to /lib/sysctl.d exclusion list to fix false positive sysctl failures#14724

Open
MitchDrage wants to merge 1 commit into
ComplianceAsCode:masterfrom
MitchDrage:patch-1

Conversation

@MitchDrage

… sysctl OVAL template

#14722

Description:

AlmaLinux is missing from the /lib/sysctl.d exclusion list in the sysctl OVAL template, causing false positive failures on sysctl rules where a package-owned file in /lib/sysctl.d/ contains a conflicting value that is correctly overridden by a user drop-in in /etc/sysctl.d/.
Two changes are made: AlmaLinux 8 and 9 are added to the exclusion list in object_static_etc_lib_sysctls so /lib/sysctl.d is not included in the user-managed object scan, and 'almalinux' in product is added to the condition that controls whether object_static_lib_sysctld is defined, keeping the two conditions consistent. Note that almalinux has been chosen instead of scoping to specific releases to align with how 'rhel' is used in this same condition.

Rationale:

AlmaLinux is a 1:1 binary-compatible RHEL clone and inherits the same systemd-managed /lib/sysctl.d/50-default.conf which sets net.ipv4.conf.default.rp_filter = 2.
RHEL 8, RHEL 9, OL8, and OL9 are already excluded from the /lib/sysctl.d user object inclusion for exactly this reason. AlmaLinux was simply omitted from the list.
The correct remediation on these systems is a drop-in in /etc/sysctl.d/, which is what systemd documents and recommends (see systemd/systemd#32563).
With a compliant drop-in in place, the rule still fails because /lib/sysctl.d/50-default.conf is included in the user object scan and evaluated with check="all".

Fixes #14722

Review Hints:

To reproduce the false positive before this fix: install AlmaLinux 9, set net.ipv4.conf.default.rp_filter = 1 in /etc/sysctl.d/, verify that sysctl net.ipv4.conf.default.rp_filter returns 1, then run OpenSCAP against the CIS Level 1 Server profile - the rule fails because it finds a value of '2' in /lib/sysctl.d/50-default.conf. After this fix it should pass.
The change is deliberately consistent with the existing pattern for RHEL and OL products - version-specific entries in the first condition, substring match in the second. See also the related discussion in #10203 and prior AlmaLinux work in #13409 (which did not address this issue).
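The following script is an added illustration of the mechanism the PR description relies on; it is not part of PR #14724 or of the ComplianceAsCode project. It builds a constructed fixture (a throwaway root with a package-style /lib/sysctl.d/50-default.conf setting rp_filter = 2 and a user drop-in in /etc/sysctl.d/ setting it to 1), resolves the effective value the way systemd-sysctl does (a basename in /etc masks the same basename in /lib, remaining files apply in lexical order with later files winning), and then contrasts that with a scan that reads every file in both directories and requires all values to match, which is what a user-managed object evaluated with check="all" does. The function and file names, and the values, are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the PR): systemd-style precedence vs. a check="all"
# scan that also reads /lib/sysctl.d. All paths live under a temporary root.
set -eu

# Constructed fixture: one package-owned file, one user drop-in.
setup_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/lib/sysctl.d" "$root/etc/sysctl.d"
  printf 'net.ipv4.conf.default.rp_filter = 2\n' > "$root/lib/sysctl.d/50-default.conf"
  printf 'net.ipv4.conf.default.rp_filter = 1\n' > "$root/etc/sysctl.d/60-rp-filter.conf"
  echo "$root"
}

# Escape the dots in a sysctl key so sed matches it literally.
key_regex() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Effective value as systemd-sysctl would apply it: same basename in /etc
# masks /lib; unique basenames are applied in lexical order, later overriding.
effective_value() {
  root=$1; key=$2; value=""
  esc=$(key_regex "$key")
  names=$(for f in "$root/lib/sysctl.d"/*.conf "$root/etc/sysctl.d"/*.conf; do
            [ -f "$f" ] && basename "$f"; done | sort -u)
  for name in $names; do
    f="$root/etc/sysctl.d/$name"
    [ -f "$f" ] || f="$root/lib/sysctl.d/$name"
    v=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$f" | tail -n 1)
    if [ -n "$v" ]; then value=$v; fi
  done
  echo "$value"
}

# Every value assigned to $key across the given directories, as a scan that
# evaluates each file independently would collect them (sorted, space-separated).
collect_values() {
  key=$1; shift
  esc=$(key_regex "$key")
  for dir in "$@"; do
    for f in "$dir"/*.conf; do
      [ -f "$f" ] || continue
      sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$f"
    done
  done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# check="all" semantics: every collected value must equal the expected one.
check_all() {
  expected=$1; shift
  [ $# -gt 0 ] || return 1
  for v in "$@"; do [ "$v" = "$expected" ] || return 1; done
  return 0
}

root=$(setup_fixture)
key=net.ipv4.conf.default.rp_filter
echo "effective value: $(effective_value "$root" "$key")"   # 1
echo "scanned etc+lib: $(collect_values "$key" "$root/etc/sysctl.d" "$root/lib/sysctl.d")"   # 1 2
if check_all 1 $(collect_values "$key" "$root/etc/sysctl.d" "$root/lib/sysctl.d"); then
  echo "check=all including /lib/sysctl.d: pass"
else
  echo "check=all including /lib/sysctl.d: FAIL (false positive, kernel value is 1)"
fi
if check_all 1 $(collect_values "$key" "$root/etc/sysctl.d"); then
  echo "check=all with /lib/sysctl.d excluded: pass"
fi
rm -rf "$root"
```

The last two branches are the before/after of the PR: with /lib/sysctl.d in the scanned set the stray 2 from 50-default.conf fails the all-values check even though the resolved value is 1; dropping that directory from the user-managed object, as the template already does for RHEL and OL, makes the check agree with what the kernel actually runs with.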

openshift-ci bot added the needs-ok-to-test label (used by the openshift-ci bot) on May 20, 2026
@openshift-ci

openshift-ci Bot commented May 20, 2026

Hi @MitchDrage. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@jan-cerny jan-cerny added this to the 0.1.82 milestone May 21, 2026

Development

Successfully merging this pull request may close these issues.

sysctl OVAL template: AlmaLinux incorrectly includes /lib/sysctl.d in user-managed object scan

2 participants