canonical / charm-sysconfig

A subordinate charm to apply system settings like grub configurations or systemd configurations.
Apache License 2.0

prevent overwrite of GRUB_CMDLINE_LINUX #34

Closed dashmage closed 9 months ago

dashmage commented 9 months ago

In the template file src/templates/grub.j2, GRUB_CMDLINE_LINUX is set to an empty string which may thus overwrite GRUB_CMDLINE_LINUX parameters defined in /etc/default/grub.

This causes issues for CIS hardening as rule 1.7.1.2 (Ensure AppArmor is enabled in the bootloader configuration) adds apparmor parameters to GRUB_CMDLINE_LINUX in /etc/default/grub.

Once update-grub is run after a sysconfig charm installation is complete, the CIS change is lost.

src/templates/grub.j2:

```jinja
{% if grub_default is defined and grub_default -%}
GRUB_DEFAULT="{{ grub_default }}"
{% endif -%}
GRUB_CMDLINE_LINUX=""  # <--- overwrites GRUB_CMDLINE_LINUX set in /etc/default/grub

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console
GRUB_TERMINAL=serial
```

/etc/default/grub after CIS hardening:

```sh
# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"
GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor audit=1 audit_backlog_limit=8192"
```


Imported from Launchpad using lp2gh.
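The following is an added example, not code from charm-sysconfig or from the proposed MR. It reproduces the failure described above on a constructed `/etc/default/grub` (the CIS 1.7.1.2 line from the report), shows what rendering `GRUB_CMDLINE_LINUX=""` does to it, and sketches one merge strategy that keeps the host's existing kernel parameters while appending charm-supplied ones. The list of charm-supplied parameters (`charm_params`) is a hypothetical stand-in; the real charm's config option is not named on this page, and the MR may fix this differently.

```python
"""Added example (not charm-sysconfig code): why writing GRUB_CMDLINE_LINUX=""
into /etc/default/grub loses CIS 1.7.1.2 parameters, and a merge alternative."""
import re
import shlex

# Constructed sample of /etc/default/grub after CIS hardening (rule 1.7.1.2).
HARDENED_GRUB = """\
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor audit=1 audit_backlog_limit=8192"
"""

# Kernel parameters CIS rule 1.7.1.2 requires on the command line.
CIS_APPARMOR_PARAMS = ("apparmor=1", "security=apparmor")

_ASSIGN_RE = re.compile(r"^(?P<key>[A-Z_][A-Z0-9_]*)=(?P<value>.*)$")


def parse_grub_defaults(text):
    """Parse KEY=VALUE lines of /etc/default/grub into a dict.

    The file is sourced as shell by grub-mkconfig, so values are unquoted
    with shlex; comments and blank lines are skipped.
    """
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN_RE.match(line)
        if not m:
            continue
        parts = shlex.split(m.group("value"))
        out[m.group("key")] = parts[0] if parts else ""
    return out


def render_cmdline_overwrite(charm_params):
    """Mimic the template behaviour reported in the issue: GRUB_CMDLINE_LINUX
    is emitted from charm input alone (empty by default), so whatever the
    host already had is discarded."""
    return 'GRUB_CMDLINE_LINUX="%s"' % " ".join(charm_params)


def merge_cmdline(existing, charm_params):
    """Keep the existing kernel parameters, then append charm-supplied ones.

    Exact duplicate tokens are dropped. Tokens with the same key but a
    different value (e.g. security=apparmor vs security=selinux) are both
    kept; see conflicting_keys() to surface those for the operator.
    """
    merged = list(existing.split())
    for param in charm_params:
        if param not in merged:
            merged.append(param)
    return " ".join(merged)


def conflicting_keys(cmdline):
    """Keys that occur with more than one distinct value on the command line."""
    values = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        values.setdefault(key, set()).add(value)
    return sorted(k for k, v in values.items() if len(v) > 1)


def render_cmdline_merge(existing_text, charm_params):
    """Render GRUB_CMDLINE_LINUX from the host's current value plus charm input."""
    existing = parse_grub_defaults(existing_text).get("GRUB_CMDLINE_LINUX", "")
    return 'GRUB_CMDLINE_LINUX="%s"' % merge_cmdline(existing, charm_params)


def missing_cis_params(grub_text, required=CIS_APPARMOR_PARAMS):
    """Return the CIS 1.7.1.2 parameters absent from GRUB_CMDLINE_LINUX.

    Usable as a post-render check before anyone runs update-grub.
    """
    cmdline = parse_grub_defaults(grub_text).get("GRUB_CMDLINE_LINUX", "")
    present = cmdline.split()
    return [p for p in required if p not in present]


if __name__ == "__main__":
    charm_params = ["intel_iommu=on"]  # hypothetical charm-supplied parameter
    print("template today :", render_cmdline_overwrite(charm_params))
    print("  CIS missing  :", missing_cis_params(render_cmdline_overwrite(charm_params)))
    print("merged instead :", render_cmdline_merge(HARDENED_GRUB, charm_params))
    print("  CIS missing  :", missing_cis_params(render_cmdline_merge(HARDENED_GRUB, charm_params)))
```

Running it prints the empty `GRUB_CMDLINE_LINUX=""` line with both AppArmor parameters reported missing, and the merged line with the CIS parameters intact and `intel_iommu=on` appended. `missing_cis_params()` is the kind of check worth running on the rendered file before `update-grub`, since the report notes the loss only becomes visible once that command has been run.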

dashmage commented 9 months ago

(by bcarbone) Fix proposed in MR: https://code.launchpad.net/~bcarbone/charm-sysconfig/+git/charm-sysconfig/+merge/417994