[bugfix] [RHEL/7] Create services_disabled & services_enabled templates for RHEL-7 (based on unix:file_test & systemd-aware) #225
Conversation
…: abrt, at, iputils, oddjob & qpid-cpp-server [shared] openssh-server OVAL check - update test attestation for RHEL-6 & RHEL-7 [RHEL/7] Add (RHEL-7 specific) OVAL package removed check for ntpdate package [RHEL/6, RHEL/7] Create links from shared/ to input/checks for the product for above changed package removed checks [RHEL/6, RHEL/7] Test on both RHEL-6 & RHEL-7 & update test_attestations for both products
…ries for seven services (below)
[RHEL/7] Create RHEL-7 specific systemd-aware OVAL checks for services_disabled for the following services:
abrtd, sshd, atd, rdisc, ntpdate, oddjobd, and qpidd
…x services:
abrtd, atd, rdisc, ntpdate, oddjobd & qpidd
[RHEL/7] Update XCCDF services {base,cron,ssh}.xml files with updated RHEL-7 test stamps
(sshd service has been tested separately out of RHT-CCP profile on RHEL-7)
iankko
added
RHEL
|
traceback to ticket #227 |
(this is a prerequisite for RHEL/7 services_enabled check
for iptables & ip6tables service since in RHEL7 both of
these services has been moved to iptables-service package)
[RHEL/7] Create RHEL-7 services enabled OVAL checks for iptables & ip6tables services
…bled checks
[RHEL/7] Switch on service ip{,6}tables enabled checks in RHT-CCP profile
iankko
changed the title
|
Have updated the original pull request with another four commits dedicated to RHEL-7 services_enabled template. The patch purpose description is as follows: * commit 3f6f4cb Purpose: This is clear. Create new services_enabled RHEL-7 template & update RHEL/7/input/checks/templates/Makefile to be aware of it. * commit 567a9b2 Purpose: This change is required since the final OVAL check result depends on two sub-tests: In RHEL-7 iptables & ip6tables services has been moved to iptables-services RPM package, therefore we will need RHEL-7 OVAL check for iptables-services package. This commit is doing that. * commit e0a2bb3 Purpose: Since we have template & package installed OVAL check, we can create service enabled OVAL check. This is what the commit does - creates initial services_enabled.csv file containing two entries, so iptables & ip6tables service enabled OVAL checks could be created. Then create them by utilizing * commit 1254d89 Purpose: What's remaining yet, we need to enable the new rules in RHT-CCP profile, test them in various configurations & in case of proper work update corresponding XCCDF test stamps. This is what the commit does. Testing report : The change (all the four added patches) have been tested on RHEL-7 system under different circumstances:
and they return expected results for all of the aforementioned test scenarios. Please review. |
|
Found one issue with the templates, namely the case of I will update the templates once this patchset is approved (under assumption there aren't other issues) -- it's easier to modify 1 + 7 + 1 + 2 files (templates ones + generated ones) via subsequent patch, than to need to generate the changes in those 49 files again. Further testing appreciated. |
|
Will provide second version of service enabled & disabled template handling also cases of masked or runtime-enabled services. Closing this one. |
|
hey @iankko, do you think you'll still be providing a patch for this? wasn't sure if you were working on one. if not I will take this on tomorrow (fri) |
|
Re:
This has been handled as a second version via pull request: which got included / pushed yesterday. What remains is to apply these templates against more services (e.g. for those seven service disabled ones that were present in this request). I will do that for those seven cases service disabled ones I was working before. Then you can enhance on that if you wish. Thanks. |
|
On 9/26/14, 8:30 AM, iankko wrote:
got it - thanks! |
Actually got distracted today with updating the form of service_*_enabled.sh remediaton scripts (they to start using Since it's pretty late for me now, I am not going to touch this one already. So if you want, feel free to do what you originally intended / take this one. Sorry. |
Replace existing version V2R1 with newly released version V2R2.
This set of patches does the following:
Updates former RHEL-6 services_disabled template to be systemd-aware using unix:file_test probe,
Testing status: Tested on RHEL-7 & works as expected.
Unifies packages_removed RHEL-6 & RHEL-7 OVAL checks to be shared/ ones (since I needed it for subsequent changes) for the following services:
* abrtd, sshd, atd, rdisc, oddjobd, qpidd
* abrtd, atd, rdisc, ntpdate, oddjobd & qpidd
Updates appropriate XCCDF test stamp entries for these services on RHEL-7 & also RHEL-7 test stamp entry for the sshd service.
Please review (further testing appreciated, but generally AFAICT / as far as I tested this should be working correctly).
Thanks, Jan.