
[CLOSED] - grub.conf and audit=1 security change

Posted: 2016/06/17 03:56:47
by warron.french
I have a requirement to set audit=1 on the end of each and every "kernel" line inside of the /boot/grub/grub.conf file; only on my system I don't actually have a /boot/grub/grub.conf file; but I do have a /etc/grub.conf file.


Any ideas, because the tool that checks for the audit=1 setting in the last position on the kernel line is also looking for it to be specifically in the path-to-file /boot/grub/grub.conf.


Thanks in advance,

Re: grub.conf and audit=1 security change

Posted: 2016/06/17 10:33:36
by TrevorH
What is /etc/grub.conf a symlink to if you do not have a /boot/grub/grub.conf file? It ought to look like

lrwxrwxrwx. 1 root root 22 Feb  2  2014 /etc/grub.conf -> ../boot/grub/grub.conf

Re: grub.conf and audit=1 security change

Posted: 2016/06/17 13:00:45
by gerald_clark
Post the output of "uname -a".

Re: grub.conf and audit=1 security change

Posted: 2016/06/17 13:28:39
by warron.french
TrevorH wrote: What is /etc/grub.conf a symlink to if you do not have a /boot/grub/grub.conf file? It ought to look like

lrwxrwxrwx. 1 root root 22 Feb  2  2014 /etc/grub.conf -> ../boot/grub/grub.conf

On my newly reimaged machine the file is only /etc/grub.conf, but as I said there is no /boot/grub/grub.conf at all. In fact it is not a symlink on this newly reimaged (with CentOS-6.7) machine.

I see Gerald asked a question that seems to target another detail that may help in this discussion.

Re: grub.conf and audit=1 security change

Posted: 2016/06/17 14:53:00
by TrevorH
The only way in which the symlink from /etc/grub.conf to its target will be broken is if you use e.g. sed in a kickstart postscript to change the contents of the file. Without the correct parameter, sed will remove the symlink and recreate it as a file.

Are you sure the /boot partition is mounted when you look for the file in the correct location? Is this a machine using UEFI?

Re: grub.conf and audit=1 security change

Posted: 2016/06/17 15:10:46
by gerald_clark
If this is a container, it may not have a "/boot".

Re: grub.conf and audit=1 security change

Posted: 2016/06/20 17:24:10
by warron.french
gerald_clark wrote: Post the output of "uname -a".

Gerald_clark, here is the result of uname -a from my machine that doesn't behave like the one I was using as a baseline system...

2.6.32-573.22.1.el6.x86_64


Thanks,

Re: grub.conf and audit=1 security change

Posted: 2016/06/20 17:25:11
by warron.french
gerald_clark wrote: If this is a container, it may not have a "/boot".

This is not a container, it is a real workstation running on the bare metal.

Thanks,

Re: grub.conf and audit=1 security change

Posted: 2016/06/20 17:26:49
by warron.french
TrevorH wrote: The only way in which the symlink from /etc/grub.conf to its target will be broken is if you use e.g. sed in a kickstart postscript to change the contents of the file. Without the correct parameter, sed will remove the symlink and recreate it as a file.

Are you sure the /boot partition is mounted when you look for the file in the correct location? Is this a machine using UEFI?

TrevorH, I did actually use a sed script to alter the lines; but what do you mean by "Without the correct parameter, sed will remove the symlink and recreate it as a file"? What is the correct parameter I am looking for?

Thanks,

Re: grub.conf and audit=1 security change

Posted: 2016/06/20 23:40:40
by TrevorH
There's only one mention of "symlinks" in man sed
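
The sed behaviour discussed in this thread, reproduced as an added example (not part of any poster's message): it edits a constructed grub.conf through the /etc/grub.conf symlink with and without GNU sed's `--follow-symlinks` option and reports what happened to the link. It assumes GNU sed; the function names, the sample file contents and the temporary directory layout are made up for illustration.

```shell
#!/bin/sh
# Added example: works only on constructed files in a temp directory.

# On each "kernel" line, drop any existing audit= token and append
# audit=1 as the last parameter (safe to run repeatedly).
SED_PROG='/^[[:space:]]*kernel[[:space:]]/{s/[[:space:]]audit=[0-9]*//g;s/[[:space:]]*$/ audit=1/;}'

# make_layout DIR: constructed boot/grub/grub.conf plus the etc/grub.conf symlink
make_layout() {
    mkdir -p "$1/boot/grub" "$1/etc"
    cat > "$1/boot/grub/grub.conf" <<'EOF'
default=0
timeout=5
title CentOS (constructed sample)
    root (hd0,0)
    kernel /vmlinuz-SAMPLE ro root=/dev/sda1 rhgb quiet
    initrd /initramfs-SAMPLE.img
EOF
    ln -s ../boot/grub/grub.conf "$1/etc/grub.conf"
}

# edit_and_report MODE ("plain" or "follow"): prints "<link state> <target state>"
edit_and_report() {
    dir=$(mktemp -d) || return 1
    make_layout "$dir"
    if [ "$1" = follow ]; then
        sed -i --follow-symlinks "$SED_PROG" "$dir/etc/grub.conf"
    else
        # Plain -i writes a new file and renames it over the symlink itself.
        sed -i "$SED_PROG" "$dir/etc/grub.conf"
    fi
    if [ -L "$dir/etc/grub.conf" ]; then link=symlink; else link=regular-file; fi
    # The compliance check in the thread reads the real file under /boot.
    if grep -q '^[[:space:]]*kernel .* audit=1$' "$dir/boot/grub/grub.conf"; then
        target=updated
    else
        target=unchanged
    fi
    rm -rf "$dir"
    echo "$link $target"
}

edit_and_report plain
edit_and_report follow
```

In the plain case the file under boot/grub never receives audit=1, so a checker that reads only that path would still fail even though the edited copy under etc/ looks correct.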