That's a really good question.
If it's implemented in the same way as modprobe.d, then later files will be able to override earlier ones.
So, if they were consistent (hahaha), then that might be the answer.
Trevor
On Wed, Jan 21, 2015 at 2:34 PM, Shawn Wells <shawn(a)redhat.com> wrote:
Our current sysctl checks simultaneously check the runtime of the system (via unix:sysctl_test) and the persistent configuration (regex on sysctl.conf). We know these need to be broken out, and that's being tracked in Issue #321 [1].
So then, to actually take action, it seems like we need to:
(1) Break out the *runtime* checks into unique XCCDF and OVAL elements. The OVAL will utilize unix:sysctl_test;
(2) Break out the *persistent* checks.
On the persistent/static configuration side, from the sysctl manpage [2] there are now 6 locations to bury persistent sysctl settings:
/etc/sysctl/*.conf
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
/etc/sysctl.conf
I can't find documentation on the "order of operations" on how sysctl directories are scanned (aka, if a setting is placed in /usr/lib/sysctl.d/, will /etc/sysctl/*.conf overwrite it?). Has anyone seen any order of operations documentation on sysctl? My google-fu is failing today =/
From the upstream source, I get the idea that /etc/sysctl.conf overwrites everything [3], but I'm unsure of the other paths. The closest indication I could find was where PreLoadSystem() defines their dir[] array [4], which shows:
- /run/sysctl.d (ignored, will be checked by runtime OVAL check)
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /usr/lib/sysctl.d/
- /lib/sysctl.d/
As a side note, it looks like the code only checks *.conf files in those directories, so we can ignore everything else [5].
[1] https://github.com/OpenSCAP/scap-security-guide/issues/321
[2] http://man7.org/linux/man-pages/man5/sysctl.conf.5.html
[3] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L55
[4] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L584-593
[5] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L607-611
--
SCAP Security Guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan(a)onyxpoint.com
-- This account not approved for unencrypted proprietary information --
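An added illustration of the persistent-configuration resolution discussed above (not code from the thread or from SCAP Security Guide): it walks the directory order from the cited procps dir[] array, honours only *.conf files, lets later files override earlier ones as Trevor suggests for modprobe.d, and applies /etc/sysctl.conf last. The exact shadowing and sort rule is an assumption the thread does not settle, and the file tree is constructed.

```python
import posixpath

# Directory scan order as read from the procps dir[] array the thread cites; /run/sysctl.d
# is left out because the thread assigns it to the runtime check.
SYSCTL_DIRS = ["/etc/sysctl.d", "/usr/local/lib/sysctl.d", "/usr/lib/sysctl.d", "/lib/sysctl.d"]
MAIN_CONF = "/etc/sysctl.conf"  # applied last, so it overrides everything

def parse_sysctl(text):
    """Yield (key, value) pairs from sysctl.conf(5) syntax; '/' in keys is normalised to '.'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lstrip("-")  # a leading '-' only suppresses errors in sysctl(8)
        yield key.replace("/", "."), value.strip()

def load_order(files):
    """Paths in the order they would be applied. Assumed rule (not stated in the thread,
    modelled on systemd-style drop-ins): *.conf only, a basename seen in an earlier directory
    shadows later copies, files apply sorted by basename, /etc/sysctl.conf last."""
    chosen, seen = {}, set()
    for d in SYSCTL_DIRS:
        for path in sorted(p for p in files if posixpath.dirname(p) == d):
            name = posixpath.basename(path)
            if name.endswith(".conf") and name not in seen:
                seen.add(name)
                chosen[name] = path
    order = [chosen[n] for n in sorted(chosen)]
    if MAIN_CONF in files:
        order.append(MAIN_CONF)
    return order

def effective_settings(files):
    """Map each key to (value, path-that-set-it) once precedence is resolved."""
    result = {}
    for path in load_order(files):
        for key, value in parse_sysctl(files[path]):
            result[key] = (value, path)
    return result

# Constructed sample tree (not taken from any real system).
SAMPLE_FILES = {
    "/usr/lib/sysctl.d/50-default.conf": "net.ipv4.conf.all.rp_filter = 1\nkernel.randomize_va_space = 1\n",
    "/etc/sysctl.d/50-default.conf": "net.ipv4.conf.all.rp_filter = 2\n",  # shadows the /usr/lib copy
    "/etc/sysctl.d/10-hardening.conf": "kernel.randomize_va_space = 2\nnet.ipv4.ip_forward = 0\n",
    "/lib/sysctl.d/99-late.conf": "net.ipv4.ip_forward = 1\n",
    "/etc/sysctl.d/README": "net.ipv4.ip_forward = 1\n",  # not *.conf: ignored
    "/etc/sysctl.conf": "net/ipv4/ip_forward = 0\n",  # slash form, applied last
}
```

Note that the shadowed /usr/lib copy never loads, so a checker that greps a single file for kernel.randomize_va_space would see a value the persistent configuration does not actually apply.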