ansible-collection-hardening

deprecate "init" config file template for RHEL7 and newer?

Open • DonEstefan opened this issue 3 years ago • 1 comment

Describe the bug

If I understand correctly, the template file etc/sysconfig/rhel_sysconfig_init.j2 won't work on RHEL7 and newer, since it uses "systemd" instead of "init". I assume the "Daemon umask" (NSA 2.2.4.1) set in the template file won't have any effect and needs to be replaced by something else. I also suspect RHEL6 was the last release where setting os_security_init_single: true actually worked. This variable is referenced in the template. RHEL7 enforces a single user mode password by default, so os_security_init_single might not be needed any longer.

Role Version

7.14.2

DonEstefan, Jun 29 '22 14:06

If I understand correctly, the template file etc/sysconfig/rhel_sysconfig_init.j2 won't work on RHEL7 and newer, since it uses "systemd" instead of "init".

You're right, I tested it. This only works for applications that are getting started with init-scripts, not with systemd. We should probably use PAM and /etc/profile for this.

rndmh3ro, Aug 23 '22 08:08
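
Whether a daemon umask actually reaches services started by systemd, the question raised in this thread, can be checked on a running host. The following is an added example, not code from ansible-collection-hardening: it reads the Umask field of /proc/<pid>/status and lists processes whose umask is looser than a target. The function names, the sample data and the 027 target are assumptions, and the Umask field requires Linux 4.7 or newer.

```shell
#!/bin/sh
# Added example: report processes whose umask is more permissive than a target.

# make_sample_proc DIR
# Constructed sample data: three fake /proc/<pid>/status files.
make_sample_proc() {
    mkdir -p "$1/101" "$1/102" "$1/103"
    printf 'Name:\tsshd\nUmask:\t0022\n'     > "$1/101/status"
    printf 'Name:\tcrond\nUmask:\t0027\n'    > "$1/102/status"
    printf 'Name:\trsyslogd\nUmask:\t0077\n' > "$1/103/status"
}

# umask_findings PROC_ROOT WANT_UMASK
# Prints "pid name umask" for every process whose umask leaves a permission
# bit enabled that WANT_UMASK would mask. PROC_ROOT is normally /proc.
umask_findings() {
    proc_root=$1
    want=$((0$2))                      # leading 0 forces octal parsing
    for status in "$proc_root"/[0-9]*/status; do
        [ -r "$status" ] || continue   # process exited or not readable
        pid=${status%/status}
        pid=${pid##*/}
        name=$(awk '/^Name:/ {print $2; exit}' "$status" 2>/dev/null) || continue
        cur=$(awk '/^Umask:/ {print $2; exit}' "$status" 2>/dev/null) || continue
        [ -n "$cur" ] || continue      # kernel older than 4.7: no Umask field
        # A bit set in the target but clear in the process umask means the
        # process creates files with wider permissions than intended.
        if [ $(( want & ~0$cur & 0777 )) -ne 0 ]; then
            printf '%s %s %s\n' "$pid" "$name" "$cur"
        fi
    done
}

# Stand-alone run against the constructed sample, assumed target 027.
sample_dir=$(mktemp -d)
make_sample_proc "$sample_dir"
umask_findings "$sample_dir" 027
rm -rf "$sample_dir"
```

On a real host, run `umask_findings /proc 027` as root after applying the role; services started by systemd that still appear in the output did not pick up the intended umask.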