Our current sysctl checks simultaneously check the runtime of the system (via unix:sysctl_test) and the persistent configuration (regex on sysctl.conf). We know these need to be broken out, and that's being tracked in Issue #321 [1].
So then, to actually take action, it seems like we need to:
(1) Break out the *runtime* checks into unique XCCDF and OVAL elements. The OVAL will utilize unix:sysctl_test;
(2) Break out the *persistent* checks.
On the persistent/static configuration side, from the sysctl manpage [2] there are now 6 locations to bury persistent sysctl settings:
/etc/sysctl/*.conf
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
/etc/sysctl.conf
I can't find documentation on the "order of operations" on how sysctl directories are scanned (aka, if a setting is placed in /usr/lib/sysctl.d/, will /etc/sysctl/*.conf overwrite it?). Has anyone seen any order of operations documentation on sysctl? My google-fu is failing today =/
From the upstream source, I get the idea that /etc/sysctl.conf overwrites everything [3], but unsure of the other paths. The closest indication I could find was where PreLoadSystem() defines their dir[] array [4], which shows:
- /run/sysctl.d (ignored, will be checked by runtime OVAL check)
- /etc/sysctl.d/
- /usr/local/lib/sysctl.d/
- /usr/lib/sysctl.d/
- /lib/sysctl.d/
As a side note, it looks like the code only checks *.conf files in those directories, so we can ignore everything else [5].
[1] https://github.com/OpenSCAP/scap-security-guide/issues/321
[2] http://man7.org/linux/man-pages/man5/sysctl.conf.5.html
[3] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L55
[4] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L584-593
[5] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L607-611
--
SCAP Security Guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
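The following is an added worked example and is not code from the mail's author or from the scap-security-guide project. It resolves the persistent (boot-time) value of a sysctl key across the directories listed in the dir[] array quoted above, plus /etc/sysctl.conf applied last as [3] suggests. The precedence rules beyond that are my own assumption from reading procps-ng's PreloadSystem(), not something the mail establishes: only *.conf files are collected, a basename seen in an earlier directory shadows the same basename in later directories, the surviving files are applied in sorted basename order with the last assignment to a key winning, and /etc/sysctl.conf is applied after all of them. The sample file tree, the file names and the key values in build_demo_tree() are constructed for the demo; verify the ordering against the procps version actually shipped on the target before building OVAL content on it.

```python
"""Resolve a sysctl key's persistent value across sysctl.d directories.

Added example (not scap-security-guide or procps code).  The directory order
comes from the PreLoadSystem() dir[] array quoted in the mail; the shadowing
and sort rules below are an ASSUMPTION from reading procps-ng's sysctl.c.
"""
import glob
import os
import re
import tempfile

# Order of the dir[] array quoted in the mail.  /run/sysctl.d is kept because
# `sysctl --system` reads it; drop it from `dirs` for a persistent-only audit.
SYSCTL_DIRS = [
    "/run/sysctl.d",
    "/etc/sysctl.d",
    "/usr/local/lib/sysctl.d",
    "/usr/lib/sysctl.d",
    "/lib/sysctl.d",
]
SYSCTL_CONF = "/etc/sysctl.conf"  # applied last, overrides everything (ref [3])

# Optional leading '-' (ignore errors), key, '=', value.
_LINE_RE = re.compile(r"^\s*(-?)\s*([^=\s]+)\s*=\s*(.*?)\s*$")


def parse_sysctl_conf(path):
    """Return (key, value) pairs from one sysctl.conf-style file.

    Blank lines and lines starting with '#' or ';' are comments; a leading
    '-' is stripped; '/' in a key is normalised to '.' (kernel/foo == kernel.foo).
    """
    pairs = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            m = _LINE_RE.match(line)
            if not m:
                continue  # malformed line; sysctl would warn and skip it
            pairs.append((m.group(2).replace("/", "."), m.group(3)))
    return pairs


def collect_config_files(root="/", dirs=SYSCTL_DIRS, conf=SYSCTL_CONF):
    """Return the ordered list of files assumed to be applied at boot.

    ASSUMPTION: only *.conf files count; a basename in an earlier directory
    shadows the same basename later; survivors are applied in sorted basename
    order; /etc/sysctl.conf is appended last.
    """
    seen = {}
    for d in dirs:
        for path in glob.glob(os.path.join(root, d.lstrip("/"), "*.conf")):
            seen.setdefault(os.path.basename(path), path)
    ordered = [seen[name] for name in sorted(seen)]
    etc_conf = os.path.join(root, conf.lstrip("/"))
    if os.path.isfile(etc_conf):
        ordered.append(etc_conf)
    return ordered


def resolve_persistent(key, root="/"):
    """Return (value, file) of the last assignment to `key`, or (None, None)."""
    value, source = None, None
    for path in collect_config_files(root):
        for k, v in parse_sysctl_conf(path):
            if k == key:
                value, source = v, path
    return value, source


def audit(key, expected, root="/"):
    """True when the resolved persistent setting equals `expected`."""
    return resolve_persistent(key, root)[0] == expected


def build_demo_tree():
    """Constructed sample tree (not real system files) rooted in a temp dir."""
    root = tempfile.mkdtemp()
    files = {
        "usr/lib/sysctl.d/50-default.conf":
            "net.ipv4.ip_forward = 1\nkernel.kptr_restrict = 0\n",
        "etc/sysctl.d/50-default.conf":
            "# same basename: shadows the /usr/lib copy entirely\n"
            "net.ipv4.ip_forward = 0\n",
        "etc/sysctl.d/99-hardening.conf":
            "kernel/kptr_restrict = 2\n-net.ipv4.conf.all.rp_filter = 1\n",
        "etc/sysctl.conf":
            "; legacy file, applied last\nkernel.kptr_restrict = 1\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for k in ("net.ipv4.ip_forward", "kernel.kptr_restrict",
              "net.ipv4.conf.all.rp_filter"):
        print(k, resolve_persistent(k, demo_root))
```

Running the script against the constructed tree shows the two effects that matter for a persistent-configuration check: the /etc/sysctl.d copy of 50-default.conf hides the /usr/lib copy completely (so the kernel.kptr_restrict = 0 line there never applies), and /etc/sysctl.conf still wins over the 99-* file because it is processed last. A regex over a single file, as the current checks do, would miss both.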