RHEL-06-000286 override check

(imported topic written by lynchmv)

According to the following RedHat article and Bugzilla, any update of the initscripts package will overwrite the .config files in /etc/init/

https://access.redhat.com/site/solutions/70464

http://rhn.redhat.com/errata/RHBA-2012-0863.html

With this in mind, any checks that are based off of files in /etc/init/ (like RHEL-06-000286) should also check for a .override file in order to check for compliance.

(imported comment written by Jeff Saxton)

I’m not sure I understand you on this one. Are you actually getting a false negative/positive?

Can you provide me with instructions on how to setup a reproduction?

if an update reverts a file in /etc/init/* then the system becomes non-compliant again (potentially)

we don’t specifically look for conf files, we do this:

grep -l "start on control-alt-delete" /etc/init/* | egrep -v "^[ ]#" 2>/dev/null | while read file
do
    grep -v "^[     ]*#" $file | egrep -H "shutdown" >> $TMPFILE
done

if [ -s "$TMPFILE" ]
then
    RESULT=FAIL
fi

so we should catch *.override as well

(imported comment written by lynchmv)

We are getting false positives, causing systems with the .override file to be reported as non-compliant.

Here is what I have done to test, fix and validate an updated fix:

Linux:140124160012:root:dtutest:~:# cat /etc/init/control-alt-delete.conf
# control-alt-delete - emergency keypress handling
#
# This task is run whenever the Control-Alt-Delete key combination is
# pressed. Usually used to shut down the machine.

start on control-alt-delete

exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

Linux:140124160021:root:dtutest:~:# cat /etc/init/control-alt-delete.override
# control-alt-delete - emergency keypress handling
#
# This task is run whenever the Control-Alt-Delete key combination is
# pressed.  Usually used to shut down the machine.

start on control-alt-delete

exec /usr/bin/logger -p security.info "Good thing we've disabled the three finger salute, or else this box would have just bounced!"

Linux:140124160025:root:dtutest:~:# cat RHEL-06-000286.orig
#!/bin/bash
TMPFILE=test.chk

RESULT=PASS
grep -l "start on control-alt-delete" /etc/init/* | egrep -v "^[ ]#" 2>/dev/null | while read file
do
    grep -v "^[ ]*#" $file | egrep -H "shutdown" >> $TMPFILE
done

if [ -s "$TMPFILE" ]
then
    RESULT=FAIL
fi

echo $RESULT

Linux:140124160036:root:dtutest:~:# cat RHEL-06-000286.fix
#!/bin/bash

RESULT=PASS

for FILE in $(grep -l "start on control-alt-delete" /etc/init/*);do
  if [[ "$FILE" == *override ]]; then
    grep "bin/shutdown" $FILE |grep -v "^[ \t]*#" > /dev/null
    if [ $? -eq 0 ]; then
      # We found a line that contains shutdown and isn't commented out
      # More than likely will initiate a shutdown
      OVERRIDERESULT=FAIL
    else
      OVERRIDERESULT=PASS
    fi
  else
    grep "bin/shutdown" $FILE |grep -v "^[ \t]*#" > /dev/null
    if [ $? -eq 0 ]; then
      # We found a line that contains shutdown and isn't commented out
      # More than likely will initiate a shutdown
      RESULT=FAIL
    fi
  fi
done

if [ "$OVERRIDERESULT" = "PASS" ]; then
  RESULT=PASS
fi

echo $RESULT

Linux:140124160041:root:dtutest:~:# ./RHEL-06-000286.orig
FAIL

Linux:140124160044:root:dtutest:~:# ./RHEL-06-000286.fix
PASS

Let me know if this needs further explanation, thanks for taking the time to look at this and my other posts.
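The check above special-cases the .override file; a more general way to avoid the false positive is to resolve the job the way Upstart does, where a stanza in <job>.override replaces the same stanza in <job>.conf, and then test only the effective "exec" line. The script below is an added example written for this thread, not code from the thread's posts or from the SCM content; it assumes the control-alt-delete job uses a one-line exec stanza (multi-line "script ... end script" blocks are not parsed) and takes the init directory as an argument so it can be tried against a scratch copy.

```shell
#!/bin/sh
# Added example: evaluate RHEL-06-000286 with Upstart .override semantics.
# Assumption: the CAD job uses a single "exec" stanza, not a script block.

# Print the effective uncommented "exec" stanza for the job whose .conf is $1.
# The .override's exec wins when present; otherwise the .conf's exec applies.
effective_exec() {
    conf="$1"
    override="${conf%.conf}.override"
    line=""
    if [ -f "$override" ]; then
        line=$(grep -v '^[[:space:]]*#' "$override" \
               | grep '^[[:space:]]*exec[[:space:]]' | tail -n 1)
    fi
    if [ -z "$line" ]; then
        # no override, or the override does not redefine exec: .conf wins
        line=$(grep -v '^[[:space:]]*#' "$conf" \
               | grep '^[[:space:]]*exec[[:space:]]' | tail -n 1)
    fi
    printf '%s\n' "$line"
}

# Check every job in directory $1 (default /etc/init) that starts on
# control-alt-delete. Prints PASS or FAIL and returns 1 on FAIL.
check_cad() {
    dir="${1:-/etc/init}"
    result=PASS
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        override="${conf%.conf}.override"
        # it is a CAD handler if either file has an uncommented "start on" stanza
        if ! cat "$conf" "$override" 2>/dev/null \
             | grep -v '^[[:space:]]*#' | grep -q 'start on control-alt-delete'; then
            continue
        fi
        case "$(effective_exec "$conf")" in
            *shutdown*) result=FAIL ;;   # effective handler still reboots
        esac
    done
    echo "$result"
    [ "$result" = PASS ]
}

if [ "$#" -gt 0 ]; then
    check_cad "$1"
fi
```

Run it as `./cad_check.sh /etc/init` on a host; a .conf that still calls shutdown reports PASS only when an .override redefines exec to something else, and an .override whose exec line is commented out leaves the .conf's exec in force and still reports FAIL.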

(imported comment written by Jeff Saxton)

ok, so if a file with the same name, but with an override suffix exists then ignore the original file? Is that how it works?

shoot me an email @ jsaxton@us.ibm.com and I’ll give you my cell number. I don’t always check the forums on a regular basis.

(imported comment written by Jeff Saxton)

The fix for this one will go out next week as well.

(imported comment written by Shivani_S)

The fix is now available in the latest versions of the sites. You can find the release announcements here:

https://www.ibm.com/developerworks/community/blogs/a1a33778-88b7-452a-9133-c955812f8910/entry/scm_content_updates_for_cis_disa_rhel_sites?lang=en