On 11/30/13, 11:35 AM, Dave Smith wrote:
This looks great, please push!
On 11/27/2013 10:40 AM, Jan Lieskovsky wrote:
> Proposal for the "2.1.3.1.b. Disable Prelinking"
> rule remediation.
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>>
>> 0001-RHEL6-Add-remediation-for-Disable-Prelinking-rule.patch
>>
>>
>> From 102d335388c881e6f825b48c54e33f0e1e623767 Mon Sep 17 00:00:00 2001
>> From: Jan Lieskovsky<jlieskov(a)redhat.com>
>> Date: Wed, 27 Nov 2013 16:36:04 +0100
>> Subject: [PATCH] [RHEL6] Add remediation for Disable Prelinking rule
>>
>> Signed-off-by: Jan Lieskovsky<jlieskov(a)redhat.com>
>> ---
>> RHEL6/input/fixes/bash/disable_prelink.sh | 9 +++++++++
>> 1 file changed, 9 insertions(+)
>> create mode 100644 RHEL6/input/fixes/bash/disable_prelink.sh
>>
>> diff --git a/RHEL6/input/fixes/bash/disable_prelink.sh
b/RHEL6/input/fixes/bash/disable_prelink.sh
>> new file mode 100644
>> index 0000000..98dc85d
>> --- /dev/null
>> +++ b/RHEL6/input/fixes/bash/disable_prelink.sh
>> @@ -0,0 +1,9 @@
>> +#
>> +# Disable prelinking altogether
>> +#
>> +sed -i "s/PRELINKING.*/PRELINKING=no/g" /etc/sysconfig/prelink
>> +
>> +#
>> +# Undo previous prelink changes to binaries
>> +#
>> +/usr/sbin/prelink -ua
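Review bot: the sed in this hunk, `sed -i "s/PRELINKING.*/PRELINKING=no/g" /etc/sysconfig/prelink`, is not anchored at start of line, so a commented-out template line such as `#PRELINKING=yes` becomes `#PRELINKING=no` and the setting stays inactive, and when the file carries no PRELINKING line at all nothing is written. Anchor the pattern with `^`, and append `PRELINKING=no` when no active line is found. Likewise `/usr/sbin/prelink -ua` runs unconditionally; guard it with a check that the binary (and /etc/sysconfig/prelink, before the `sed -i`) actually exists, otherwise the remediation errors out on a host without the prelink package.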
>> -- 1.8.3.1
What if PRELINK was commented out? e.g.
# grep PRELINKING /etc/sysconfig/prelink
#PRELINKING=commented
[root@SSG-RHEL6 shared]# sed -i "s/PRELINKING.*/PRELINKING=no/g" /etc/sysconfig/prelink
[root@SSG-RHEL6 shared]# grep PRELINKING /etc/sysconfig/prelink
#PRELINKING=no
That's why the sysctl (+others) use something like:
if grep --silent ^PRELINKING /etc/sysconfig/prelink ; then
    sed -i 's/^PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
    echo "" >> /etc/sysconfig/prelink
    echo "# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
    echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
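A fuller version of the idempotent pattern Dave describes, written as an added example for this thread rather than SSG project code: it handles the three states the sysconfig file can be in (an active PRELINKING line, only a commented-out one, or no mention at all, including a missing file), and guards the prelink undo step so the script does not fail on a host without the prelink package. The function names (set_prelinking_no, prelinking_value, undo_prelink) and the file-path parameter are choices made here so the logic can be exercised on a scratch copy before touching /etc/sysconfig/prelink.

```shell
#!/bin/sh
# Added example, not from the SSG patch or the thread: an idempotent
# PRELINKING=no remediation. The target file is a parameter so the function
# can be tested on a scratch file; the real target is /etc/sysconfig/prelink.
set -u

# set_prelinking_no FILE
#   Ensure FILE ends up with an active "PRELINKING=no" line.
set_prelinking_no() {
    file=$1

    # "sed -i" fails on a missing file, so create it first.
    [ -f "$file" ] || : > "$file"

    if grep -q '^[[:space:]]*PRELINKING=' "$file"; then
        # Active assignment present: rewrite it in place. The pattern is
        # anchored at ^ so a "#PRELINKING=..." comment is left alone here.
        sed -i 's/^[[:space:]]*PRELINKING=.*/PRELINKING=no/' "$file"
    elif grep -q '^[[:space:]]*#[[:space:]]*PRELINKING=' "$file"; then
        # Only a commented-out assignment (the stock template): turn that
        # line into an active one so the setting lands where the template
        # documents it, instead of leaving "#PRELINKING=no" behind.
        sed -i 's/^[[:space:]]*#[[:space:]]*PRELINKING=.*/PRELINKING=no/' "$file"
    else
        # No mention at all: append with a short rationale comment.
        printf '\n# Set PRELINKING=no per security requirements\nPRELINKING=no\n' >> "$file"
    fi
}

# prelinking_value FILE
#   Print the value of the last active PRELINKING assignment, or "unset".
#   Useful as the post-condition check for the remediation above.
prelinking_value() {
    v=$(sed -n 's/^[[:space:]]*PRELINKING=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf 'unset\n'
    fi
}

# undo_prelink
#   Revert prelinked binaries, but only if the prelink tool is installed;
#   on a host without the package there is nothing to undo.
undo_prelink() {
    if command -v prelink >/dev/null 2>&1; then
        prelink -ua
    fi
}

# Apply to the real system only when explicitly asked (requires root).
if [ "${1:-}" = "--apply" ]; then
    set_prelinking_no /etc/sysconfig/prelink
    undo_prelink
fi
```

Run it as `sh disable_prelink.sh --apply` as root to remediate the live file; without the flag it only defines the functions, so it can be sourced and pointed at a copy of /etc/sysconfig/prelink to confirm the result with prelinking_value before deploying.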