  • 5 replies
  • Latest Post - 2014-01-30T20:42:59Z by Shivani_S
lynchmv
5 Posts

Pinned topic RHEL-06-000286 override check

2013-12-04T21:27:23Z

According to the following Red Hat article and Bugzilla, any update of the initscripts package will overwrite the .config files in /etc/init/:

https://access.redhat.com/site/solutions/70464

http://rhn.redhat.com/errata/RHBA-2012-0863.html

With this in mind, any checks that are based on files in /etc/init/ (like RHEL-06-000286) should also check for a .override file when determining compliance.

  • Jeff Saxton
    21 Posts

    Re: RHEL-06-000286 override check

    2014-01-22T21:17:45Z

    I'm not sure I understand you on this one. Are you actually getting a false negative/positive?

    Can you provide me with instructions on how to set up a reproduction?

    If an update reverts a file in /etc/init/*, then the system becomes non-compliant again (potentially).

    We don't specifically look for conf files; we do this:

    grep -l "start on control-alt-delete" /etc/init/*  | egrep -v "^[       ]#" 2>/dev/null | while read file
    do
            grep -v "^[     ]*#" $file | egrep -H "shutdown" >> $TMPFILE
    done

    if [ -s "$TMPFILE" ]
    then
            RESULT=FAIL

    fi

    So we should catch *.override as well.

  • lynchmv
    5 Posts

    Re: RHEL-06-000286 override check

    2014-01-24T21:03:41Z

    We are getting false positives, causing systems with the .override file to be reported as non-compliant.

    Here is what I have done to test, fix and validate an updated fix:

    Linux:140124160012:root:dtutest:~:# cat /etc/init/control-alt-delete.conf
    # control-alt-delete - emergency keypress handling
    #
    # This task is run whenever the Control-Alt-Delete key combination is
    # pressed.  Usually used to shut down the machine.

    start on control-alt-delete

    exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

    Linux:140124160021:root:dtutest:~:# cat /etc/init/control-alt-delete.override
    # control-alt-delete - emergency keypress handling
    #
    # This task is run whenever the Control-Alt-Delete key combination is
    # pressed.  Usually used to shut down the machine.

    start on control-alt-delete

    exec /usr/bin/logger -p security.info "Good thing we've disabled the three finger salute, or else this box would have just bounced!"

    Linux:140124160025:root:dtutest:~:# cat RHEL-06-000286.orig
    #!/bin/bash
    TMPFILE=test.chk

    RESULT=PASS
    grep -l "start on control-alt-delete" /etc/init/*  | egrep -v "^[       ]#" 2>/dev/null | while read file
    do
            grep -v "^[     ]*#" $file | egrep -H "shutdown" >> $TMPFILE
    done

    if [ -s "$TMPFILE" ]
    then
            RESULT=FAIL

    fi

    echo $RESULT

    Linux:140124160036:root:dtutest:~:# cat RHEL-06-000286.fix
    #!/bin/bash

    RESULT=PASS

    for FILE in $(grep -l "start on control-alt-delete" /etc/init/*); do
      if [[ "$FILE" == *override ]]; then
        # [[:space:]] rather than [ \t]: grep treats \t inside a bracket
        # expression as a literal backslash and 't', so tab-indented
        # comments were not being excluded
        grep "bin/shutdown" "$FILE" | grep -v "^[[:space:]]*#" > /dev/null
        if [ $? -eq 0 ]; then
          # We found a line that contains shutdown and isn't commented out
          # More than likely will initiate a shutdown
          OVERRIDERESULT=FAIL
        else
          OVERRIDERESULT=PASS
        fi
      else
        grep "bin/shutdown" "$FILE" | grep -v "^[[:space:]]*#" > /dev/null
        if [ $? -eq 0 ]; then
          # We found a line that contains shutdown and isn't commented out
          # More than likely will initiate a shutdown
          RESULT=FAIL
        fi
      fi
    done

    if [ "$OVERRIDERESULT" = "PASS" ]; then
      RESULT=PASS
    fi

    echo $RESULT

    Linux:140124160041:root:dtutest:~:# ./RHEL-06-000286.orig
    FAIL

    Linux:140124160044:root:dtutest:~:# ./RHEL-06-000286.fix
    PASS

     

    Let me know if this needs further explanation. Thanks for taking the time to look at this and my other posts.

    Updated on 2014-01-24T21:05:23Z by lynchmv
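The following is an added example, not one of the scripts posted in this thread and not part of the SCM content. It shows an override-aware form of the RHEL-06-000286 check that pairs each .override with its own job rather than treating every file in /etc/init/ independently. It assumes Upstart's override rule, that a stanza in job.override replaces the same stanza in job.conf and stanzas the override does not define are inherited from the .conf, and it takes the directory to scan as an argument so it can be exercised against a constructed fixture (make_fixture, with made-up file contents) without root. Unlike the posted RHEL-06-000286.fix, which sets RESULT=PASS whenever any override passes, a second job with no override that still reboots on Ctrl-Alt-Del is reported as FAIL here.

```bash
#!/bin/bash
# Added example, not the thread's own scripts: an override-aware check in the
# spirit of RHEL-06-000286. Assumption (Upstart override semantics): a stanza in
# job.override replaces the same stanza in job.conf, and stanzas the override
# does not define are inherited from the .conf.

# Print the non-comment lines of a job file; print nothing if it is absent.
job_lines() {
    [ -e "$1" ] && grep -v '^[[:space:]]*#' "$1"
    return 0
}

# Echo the file whose copy of a stanza is in effect for job $1 (a path without
# extension): the .override if it has a line matching ERE $2, else the .conf.
# Returns 1 when neither file defines the stanza.
stanza_source() {
    local job=$1 pattern=$2 f
    for f in "$job.override" "$job.conf"; do
        if job_lines "$f" | grep -Eq "$pattern"; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Return 0 if job $1 effectively starts on control-alt-delete and its effective
# exec/script stanza invokes shutdown. The action file is searched as a whole
# rather than parsing a multi-line script stanza; that is enough for the stock
# control-alt-delete job.
job_shuts_down_on_cad() {
    local job=$1 src
    src=$(stanza_source "$job" '^[[:space:]]*start on') || return 1
    job_lines "$src" | grep '^[[:space:]]*start on' | grep -q 'control-alt-delete' || return 1
    src=$(stanza_source "$job" '^[[:space:]]*(exec|script)') || return 1
    job_lines "$src" | grep -q 'shutdown'
}

# Evaluate every Upstart job in directory $1 (default /etc/init); print PASS
# when no job reboots or halts on Ctrl-Alt-Del, FAIL otherwise. Each job is
# judged once, by its effective definition, so an override on one job cannot
# mask another job that still calls shutdown.
check_cad_handling() {
    local dir=${1:-/etc/init} conf result=PASS
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        if job_shuts_down_on_cad "${conf%.conf}"; then
            echo "  $conf: effective definition still invokes shutdown" >&2
            result=FAIL
        fi
    done
    echo "$result"
}

# Constructed fixture (not taken from any real host): the stock job that reboots
# on Ctrl-Alt-Del, optionally an .override that logs instead (deliberately with
# no 'start on' line, to exercise stanza inheritance), and optionally a second
# job without an override that also reboots. Prints the fixture directory.
make_fixture() {
    local dir opt
    dir=$(mktemp -d)
    cat > "$dir/control-alt-delete.conf" <<'EOF'
# control-alt-delete - emergency keypress handling
start on control-alt-delete
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
EOF
    for opt in "$@"; do
        case $opt in
            override)
                printf '%s\n' \
                    '# Log instead of rebooting; start on is inherited from the .conf' \
                    'exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed and ignored"' \
                    > "$dir/control-alt-delete.override" ;;
            extra)
                printf '%s\n' 'start on control-alt-delete' \
                    'exec /sbin/shutdown -h now' > "$dir/cad-reboot.conf" ;;
        esac
    done
    echo "$dir"
}

# With an argument, check that directory (e.g. ./cad-check.sh /etc/init);
# with none, walk the three fixture scenarios.
if [ $# -gt 0 ]; then
    check_cad_handling "$1"
else
    for scenario in "" override "override extra"; do
        d=$(make_fixture $scenario)
        echo "scenario '${scenario:-plain}': $(check_cad_handling "$d")"
        rm -rf "$d"
    done
fi
```

Run with no arguments to see the three scenarios (plain .conf: FAIL; .conf plus logging .override: PASS; the same plus an un-overridden second job: FAIL), or pass /etc/init to check a live host. Keying the override to its job by basename is what answers the false positive in this thread: the .conf still contains the shutdown line, but it is no longer the effective definition once the .override supplies its own exec stanza.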
  • Jeff Saxton
    21 Posts

    Re: RHEL-06-000286 override check

    2014-01-24T23:09:48Z

    OK, so if a file with the same name but with an override suffix exists, then ignore the original file? Is that how it works?

    Shoot me an email at jsaxton@us.ibm.com and I'll give you my cell number. I don't always check the forums on a regular basis.

    Updated on 2014-01-24T23:12:12Z by Jeff Saxton
  • Jeff Saxton
    21 Posts

    Re: RHEL-06-000286 override check

    2014-01-25T00:29:59Z

    The fix for this one will go out next week as well.

  • Shivani_S
    26 Posts

    Re: RHEL-06-000286 override check

    2014-01-30T20:42:59Z

    The fix is now available in the latest versions of the sites. You can find the release announcements here:

    https://www.ibm.com/developerworks/community/blogs/a1a33778-88b7-452a-9133-c955812f8910/entry/scm_content_updates_for_cis_disa_rhel_sites?lang=en