Proposal for the "2.1.3.1.b. Disable Prelinking" rule remediation.
Please review.
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
This looks great, please push!
On 11/27/2013 10:40 AM, Jan Lieskovsky wrote:
Proposal for the "2.1.3.1.b. Disable Prelinking" rule remediation.
Please review.
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 11/30/13, 11:35 AM, Dave Smith wrote:
This looks great, please push!
On 11/27/2013 10:40 AM, Jan Lieskovsky wrote:
Proposal for the "2.1.3.1.b. Disable Prelinking" rule remediation.
Please review.
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
0001-RHEL6-Add-remediation-for-Disable-Prelinking-rule.patch
From 102d335388c881e6f825b48c54e33f0e1e623767 Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky jlieskov@redhat.com Date: Wed, 27 Nov 2013 16:36:04 +0100 Subject: [PATCH] [RHEL6] Add remediation for Disable Prelinking rule
Signed-off-by: Jan Lieskovsky jlieskov@redhat.com
RHEL6/input/fixes/bash/disable_prelink.sh | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 RHEL6/input/fixes/bash/disable_prelink.sh
diff --git a/RHEL6/input/fixes/bash/disable_prelink.sh b/RHEL6/input/fixes/bash/disable_prelink.sh new file mode 100644 index 0000000..98dc85d --- /dev/null +++ b/RHEL6/input/fixes/bash/disable_prelink.sh @@ -0,0 +1,9 @@ +# +# Disable prelinking altogether +# +sed -i "s/PRELINKING.*/PRELINKING=no/g" /etc/sysconfig/prelink
+# +# Undo previous prelink changes to binaries +# +/usr/sbin/prelink -ua -- 1.8.3.1
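Review bot: the sed expression in disable_prelink.sh is not anchored (`s/PRELINKING.*/PRELINKING=no/g`), so it rewrites any line that contains PRELINKING, including a commented-out one, and it changes nothing when the file has no PRELINKING line at all; in both cases the script finishes without an active PRELINKING=no assignment. Anchor the match with `^PRELINKING` and append `PRELINKING=no` when no active assignment is found. The `/usr/sbin/prelink -ua` call is also unconditional, so consider guarding it with a check that the binary is present.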
What if PRELINK was commented out? e.g.
    # grep PRELINKING /etc/sysconfig/prelink
    #PRELINKING=commented
    [root@SSG-RHEL6 shared]# sed -i "s/PRELINKING.*/PRELINKING=no/g" /etc/sysconfig/prelink
    [root@SSG-RHEL6 shared]# grep PRELINKING /etc/sysconfig/prelink
    #PRELINKING=no
That's why the sysctl (+others) use something like:
    if grep --silent ^PRELINKING /etc/sysconfig/prelink ; then
        sed -i 's/^PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
    else
        echo "" >> /etc/sysconfig/prelink
        echo "# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
        echo "PRELINKING=no" >> /etc/sysconfig/prelink
    fi
----- Original Message -----
From: "Shawn Wells" shawn@redhat.com
To: scap-security-guide@lists.fedorahosted.org
Sent: Sunday, December 1, 2013 7:28:24 AM
Subject: Re: PATCH] [RHEL6] Add remediation for Disable Prelinking rule
On 11/30/13, 11:35 AM, Dave Smith wrote:
This looks great, please push!
On 11/27/2013 10:40 AM, Jan Lieskovsky wrote:
Proposal for the "2.1.3.1.b. Disable Prelinking" rule remediation.
Please review.
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Technologies Team
0001-RHEL6-Add-remediation-for-Disable-Prelinking-rule.patch From 102d335388c881e6f825b48c54e33f0e1e623767 Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky jlieskov@redhat.com Date: Wed, 27 Nov 2013 16:36:04 +0100 Subject: [PATCH] [RHEL6] Add remediation for Disable Prelinking rule
Signed-off-by: Jan Lieskovsky jlieskov@redhat.com --- RHEL6/input/fixes/bash/disable_prelink.sh | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 RHEL6/input/fixes/bash/disable_prelink.sh
diff --git a/RHEL6/input/fixes/bash/disable_prelink.sh b/RHEL6/input/fixes/bash/disable_prelink.sh new file mode 100644 index 0000000..98dc85d --- /dev/null +++ b/RHEL6/input/fixes/bash/disable_prelink.sh @@ -0,0 +1,9 @@ +# +# Disable prelinking altogether +# +sed -i "s/PRELINKING.*/PRELINKING=no/g" /etc/sysconfig/prelink
+# +# Undo previous prelink changes to binaries +#
+/usr/sbin/prelink -ua
1.8.3.1
What if PRELINK was commented out? e.g.
    # grep PRELINKING /etc/sysconfig/prelink
    #PRELINKING=commented
    [root@SSG-RHEL6 shared]# sed -i "s/PRELINKING.*/PRELINKING=no/g" /etc/sysconfig/prelink
    [root@SSG-RHEL6 shared]# grep PRELINKING /etc/sysconfig/prelink
    #PRELINKING=no
That's why the sysctl (+others) use something like:
    if grep --silent ^PRELINKING /etc/sysconfig/prelink ; then
        sed -i 's/^PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
    else
        echo "" >> /etc/sysconfig/prelink
        echo "# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
        echo "PRELINKING=no" >> /etc/sysconfig/prelink
    fi
Thanks, Shawn. Right, good catch.
Proposal updated and pushed: https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=4f79051...
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
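The commented-out case raised in this thread, worked through as an added example (not code from the thread or from scap-security-guide): a remediation helper that only rewrites active assignments, appends one when the key is commented out or missing, and gives the same result when run twice. The function names are hypothetical, and the sample file contents are constructed and written to temporary files rather than /etc/sysconfig/prelink.

```shell
#!/bin/sh
# Added example: set KEY=VALUE in a sysconfig-style file, idempotently.
# set_sysconfig_key, active_values and remediate_sample are hypothetical names.
# Assumes KEY is a plain identifier and VALUE has no '/', '&' or '\'.

set_sysconfig_key() {
    local file="$1" key="$2" value="$3" tmp
    [ -f "$file" ] || return 1          # no file: report it instead of creating one
    if grep -q "^[[:space:]]*${key}=" "$file"; then
        # Active assignment exists: rewrite only uncommented lines.
        tmp=$(mktemp) || return 1
        sed "s/^[[:space:]]*${key}=.*/${key}=${value}/" "$file" > "$tmp" &&
            cat "$tmp" > "$file"        # cat keeps the file's owner, mode and label
        rm -f "$tmp"
    else
        # Key is absent or only appears in a comment: append an active line.
        printf '\n# Set %s=%s per security requirements\n%s=%s\n' \
            "$key" "$value" "$key" "$value" >> "$file"
    fi
}

# Print the distinct active (uncommented) values of KEY, one per line.
active_values() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sort -u
}

# Write constructed sample content to a temp file, remediate twice,
# and print "<active values>:<line count>" so repeat runs can be compared.
remediate_sample() {
    local f
    f=$(mktemp) || return 1
    printf '%s' "$1" > "$f"
    set_sysconfig_key "$f" PRELINKING no
    set_sysconfig_key "$f" PRELINKING no
    printf '%s:%s\n' "$(active_values "$f" PRELINKING)" "$(wc -l < "$f" | tr -d ' ')"
    rm -f "$f"
}

# Constructed inputs: active key, commented-out key, key missing entirely.
remediate_sample 'PRELINKING=yes
PRELINK_OPTS=-mR
'
remediate_sample '#PRELINKING=commented
'
remediate_sample 'PRELINK_OPTS=-mR
'
```

Each call prints the active value followed by the file's line count; an unchanged count after the second run shows the append branch is not taken twice.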