ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

sysctl template #10203

Open truzzon opened 1 year ago

truzzon commented 1 year ago

Share the context

I want to check if sysctl is configured properly:

I have a default config provided by the vendor (/usr/lib/sysctl.d/...conf). The values get overwritten by parameters saved in /etc/sysctl.d/*.conf

Currently I get a failed test even though the variables that are actually loaded are correct.

Description of problem:

The problem begins if e.g. the parameter fs.suid_dumpable is configured in /usr/lib/sysctl.d/ and then overwritten by /etc/sysctl.d/custom.conf.

Since both files are evaluated, this causes (in my opinion) a false positive in the result, because in the end the value that was loaded last is actually used.

There is no verification of what is actually active in memory.

Proposed change:

I would propose that, in addition to the file checks, the values that are in memory (sysctl -a) also get checked, because this finally decides what is active on the system and what is not. And if the parameters in memory are correct, the check should pass.

And I already talked to my customer: simply deleting the files under /usr/lib/sysctl.d is not an option. Deleting is how I interpreted the tests of the current template.

Xeicker commented 1 year ago

I don't think this would be implemented, as this represents handling any kind of precedence in how files are processed. The OVAL content does take into account runtime settings, but also applies an AND operation with configurations found in files.

Instead of deleting files, commenting out the specific configurations which are causing the issue could be an option.

Btw, you should never take tests as a way of configuring your system; those are intended only to validate the behavior of OVAL/remediation, and aren't made with a usable system in mind.
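An added example (not code from the issue or from the ComplianceAsCode project) that models the precedence truzzon describes and Xeicker says the template does not resolve: it computes the value the sysctl.d drop-ins would actually apply, following the sysctl.d(5) rules for same-name shadowing and lexicographic filename order, and reads the live value from /proc/sys for comparison. It assumes only the two directories named in the issue (/usr/lib/sysctl.d and /etc/sysctl.d; /run/sysctl.d and /etc/sysctl.conf are not modelled) and builds a constructed file tree in a temporary directory instead of touching the host's configuration.

```python
import re
import tempfile
from pathlib import Path

# Precedence per sysctl.d(5), reduced to the two directories named in the issue: a file in
# /etc/sysctl.d shadows a same-named file in /usr/lib/sysctl.d, the surviving files are
# applied in lexicographic filename order, and the last assignment of a key wins.
ASSIGN_RE = re.compile(r"^\s*-?\s*([^=\s#;]+)\s*=\s*(.*?)\s*$")

def ordered_files(dirs):
    """dirs runs from highest to lowest priority; return the files in application order."""
    chosen = {}
    for d in dirs:
        for p in Path(d).glob("*.conf"):
            chosen.setdefault(p.name, p)  # first (highest-priority) directory keeps the name
    return [chosen[name] for name in sorted(chosen)]

def parse_conf(path):
    """Return key -> value for one drop-in file, skipping blank and comment lines."""
    settings = {}
    for line in Path(path).read_text().splitlines():
        if line.strip() and not line.lstrip().startswith(("#", ";")):
            m = ASSIGN_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings

def effective_file_value(key, dirs):
    """Value the boot-time sysctl pass would end up applying for key (None if never set)."""
    value = None
    for path in ordered_files(dirs):
        value = parse_conf(path).get(key, value)
    return value

def live_value(key, proc_root="/proc/sys"):
    """Value the kernel currently holds, read from /proc/sys (None if the key is absent)."""
    p = Path(proc_root, *key.split("."))
    return p.read_text().strip() if p.is_file() else None

def demo():
    """Constructed tree reproducing the issue: a vendor default overridden from /etc/sysctl.d."""
    root = Path(tempfile.mkdtemp())
    vendor, local = root / "usr/lib/sysctl.d", root / "etc/sysctl.d"
    for d in (vendor, local):
        d.mkdir(parents=True)
    (vendor / "50-default.conf").write_text("fs.suid_dumpable = 2\nkernel.kptr_restrict = 1\n")
    (local / "50-default.conf").write_text("kernel.kptr_restrict = 2\n")  # shadows the vendor file
    (local / "99-custom.conf").write_text("# site hardening\nfs.suid_dumpable = 0\n")
    return {k: {"file": effective_file_value(k, [local, vendor]), "live": live_value(k)}
            for k in ("fs.suid_dumpable", "kernel.kptr_restrict")}
```

The "file" result is what the system would apply (the vendor's fs.suid_dumpable = 2 is never loaded), while a per-file check still reports that line; a check of the kind the issue proposes would compare live_value(key) against the expected setting instead.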