[bugfix] [RHEL/7] Create services_disabled & services_enabled templates for RHEL-7 (based on unix:file_test & systemd-aware) #225
…: abrt, at, iputils, oddjob & qpid-cpp-server
[shared] openssh-server OVAL check - update test attestation for RHEL-6 & RHEL-7
[RHEL/7] Add (RHEL-7 specific) OVAL package removed check for ntpdate package
[RHEL/6, RHEL/7] Create links from shared/ to input/checks for the product for above changed package removed checks
[RHEL/6, RHEL/7] Test on both RHEL-6 & RHEL-7 & update test_attestations for both products
…ries for seven services (below)
[RHEL/7] Create RHEL-7 specific systemd-aware OVAL checks for services_disabled for the following services: abrtd, sshd, atd, rdisc, ntpdate, oddjobd, and qpidd
…x services: abrtd, atd, rdisc, ntpdate, oddjobd & qpidd
[RHEL/7] Update XCCDF services {base,cron,ssh}.xml files with updated RHEL-7 test stamps (sshd service has been tested separately out of RHT-CCP profile on RHEL-7)
traceback to ticket #227
(this is a prerequisite for RHEL/7 services_enabled check for iptables & ip6tables service since in RHEL7 both of these services have been moved to iptables-service package)
[RHEL/7] Create RHEL-7 services enabled OVAL checks for iptables & ip6tables services
…bled checks
[RHEL/7] Switch on service ip{,6}tables enabled checks in RHT-CCP profile
Have updated the original pull request with another four commits dedicated to RHEL-7 services_enabled template. The patch purpose description is as follows:
* commit 3f6f4cb
  Purpose: This is clear. Create new services_enabled RHEL-7 template & update RHEL/7/input/checks/templates/Makefile to be aware of it.
* commit 567a9b2
  Purpose: This change is required since the final OVAL check result depends on two sub-tests: In RHEL-7 iptables & ip6tables services have been moved to iptables-services RPM package, therefore we will need RHEL-7 OVAL check for iptables-services package. This commit is doing that.
* commit e0a2bb3
  Purpose: Since we have template & package installed OVAL check, we can create service enabled OVAL check. This is what the commit does - creates initial services_enabled.csv file containing two entries, so iptables & ip6tables service enabled OVAL checks could be created. Then create them by utilizing
* commit 1254d89
  Purpose: What's remaining yet, we need to enable the new rules in RHT-CCP profile, test them in various configurations & in case of proper work update corresponding XCCDF test stamps. This is what the commit does.
Testing report: The change (all the four added patches) have been tested on RHEL-7 system under different circumstances:
and they return expected results for all of the aforementioned test scenarios. Please review.
Found one issue with the templates, namely the case of I will update the templates once this patchset is approved (under assumption there aren't other issues) -- it's easier to modify 1 + 7 + 1 + 2 files (templates ones + generated ones) via subsequent patch, than to need to generate the changes in those 49 files again. Further testing appreciated.
Will provide second version of service enabled & disabled template handling also cases of masked or runtime-enabled services. Closing this one.
hey @iankko, do you think you'll still be providing a patch for this? wasn't sure if you were working on one. if not I will take this on tomorrow (fri)
Re:
This has been handled as a second version via pull request: which got included / pushed yesterday. What remains is to apply these templates against more services (e.g. for those seven service disabled ones that were present in this request). I will do that for those seven cases service disabled ones I was working before. Then you can enhance on that if you wish. Thanks.
On 9/26/14, 8:30 AM, iankko wrote:
got it - thanks!
Actually got distracted today with updating the form of service_*_enabled.sh remediation scripts (they to start using Since it's pretty late for me now, I am not going to touch this one already. So if you want, feel free to do what you originally intended / take this one. Sorry.
Replace existing version V2R1 with newly released version V2R2.
This set of patches does the following:
Updates former RHEL-6 services_disabled template to be systemd-aware using unix:file_test probe,
Testing status: Tested on RHEL-7 & works as expected.
Unifies packages_removed RHEL-6 & RHEL-7 OVAL checks to be shared/ ones (since I needed it for subsequent changes) for the following services:
* abrtd, sshd, atd, rdisc, oddjobd, qpidd
* abrtd, atd, rdisc, ntpdate, oddjobd & qpidd
Updates appropriate XCCDF test stamp entries for these services on RHEL-7 & also RHEL-7 test stamp entry for the sshd service.
Please review (further testing appreciated, but generally AFAICT / as far as I tested this should be working correctly).
Thanks, Jan.
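An added illustration (not code from this pull request or from the project) of the point raised in the thread, that a file-based service check also has to handle masked and runtime-enabled units: a shell function that classifies a unit from symlinks alone. The function names, the root-directory argument and the sample tree are constructed for this example, and the directories are the standard systemd locations rather than paths quoted on this page.

```shell
#!/bin/sh
# Added example: classify a unit's state using file tests only.
# $1 is a root directory, so the check can run against a constructed tree
# instead of the live system; $2 is the unit name.
unit_state() {
    root=$1; unit=$2
    etc="$root/etc/systemd/system"; run="$root/run/systemd/system"
    # Masked: the unit name itself is a symlink to /dev/null.
    for d in "$etc" "$run"; do
        if [ -L "$d/$unit" ] && [ "$(readlink "$d/$unit")" = /dev/null ]; then
            echo masked; return 0
        fi
    done
    # Persistently enabled: symlink in any *.wants/ or *.requires/ directory,
    # not only the one belonging to multi-user.target.
    for d in "$etc"/*.wants "$etc"/*.requires; do
        if [ -L "$d/$unit" ]; then echo enabled; return 0; fi
    done
    # Enabled until the next reboot only: same links, but under /run.
    for d in "$run"/*.wants "$run"/*.requires; do
        if [ -L "$d/$unit" ]; then echo enabled-runtime; return 0; fi
    done
    echo disabled
}

# Constructed sample tree (not taken from a real host).
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/systemd/system/multi-user.target.wants" \
             "$r/etc/systemd/system/basic.target.wants" \
             "$r/run/systemd/system/multi-user.target.wants"
    ln -s /usr/lib/systemd/system/sshd.service \
          "$r/etc/systemd/system/multi-user.target.wants/sshd.service"
    ln -s /usr/lib/systemd/system/oddjobd.service \
          "$r/etc/systemd/system/basic.target.wants/oddjobd.service"
    ln -s /dev/null "$r/etc/systemd/system/atd.service"
    ln -s /usr/lib/systemd/system/rdisc.service \
          "$r/run/systemd/system/multi-user.target.wants/rdisc.service"
    echo "$r"
}

sample=$(make_sample_root)
for u in sshd oddjobd atd rdisc abrtd; do
    printf '%s: %s\n' "$u.service" "$(unit_state "$sample" "$u.service")"
done
rm -rf "$sample"
```

A check that tests only for a link under one target's `.wants/` directory would report `oddjobd.service` and `rdisc.service` in this tree as disabled, and would not distinguish the masked `atd.service` from a merely disabled unit.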