[CLOSED] - grub.conf and audit=1 security change


Post by warron.french » 2016/06/17 03:56:47

I have a requirement to set audit=1 on the end of each and every "kernel" line inside of the /boot/grub/grub.conf file. Only on my system I don't actually have a /boot/grub/grub.conf file, but I do have a /etc/grub.conf file.


Any ideas, because the tool that checks for the audit=1 setting in the last position on the kernel line is also looking for it to be specifically in the path-to-file /boot/grub/grub.conf.


Thanks in advance,
Last edited by warron.french on 2017/07/14 17:13:13, edited 1 time in total.
Thanks,
War


Post by TrevorH » 2016/06/17 10:33:36

What is /etc/grub.conf a symlink to if you do not have a /boot/grub/grub.conf file? It ought to look like:

lrwxrwxrwx. 1 root root 22 Feb  2  2014 /etc/grub.conf -> ../boot/grub/grub.conf
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke


Post by gerald_clark » 2016/06/17 13:00:45

Post the output of "uname -a".


Post by warron.french » 2016/06/17 13:28:39

TrevorH wrote: What is /etc/grub.conf a symlink to if you do not have a /boot/grub/grub.conf file? It ought to look like:

lrwxrwxrwx. 1 root root 22 Feb  2  2014 /etc/grub.conf -> ../boot/grub/grub.conf
On my newly reimaged machine the file is only /etc/grub.conf, but as I said there is no /boot/grub/grub.conf at all. In fact it is not a symlink on this newly reimaged (with CentOS-6.7) machine.

I see Gerald asked a question that seems to target another detail that may help in this discussion.

Post by TrevorH » 2016/06/17 14:53:00

The only way in which the symlink from /etc/grub.conf to its target will be broken is if you use e.g. sed in a kickstart postscript to change the contents of the file. Without the correct parameter, sed will remove the symlink and recreate it as a file.

Are you sure the /boot partition is mounted when you look for the file in the correct location? Is this a machine using UEFI?

Post by gerald_clark » 2016/06/17 15:10:46

If this is a container, it may not have a "/boot".


Post by warron.french » 2016/06/20 17:24:10

gerald_clark wrote: Post the output of "uname -a".
Gerald_clark, here is the result of uname -a from my machine that doesn't behave like the one I was using as a baseline system...

2.6.32-573.22.1.el6.x86_64


Thanks,

Post by warron.french » 2016/06/20 17:25:11

gerald_clark wrote: If this is a container, it may not have a "/boot".

This is not a container; it is a real workstation running on the bare metal.

Thanks,

Post by warron.french » 2016/06/20 17:26:49

TrevorH wrote: The only way in which the symlink from /etc/grub.conf to its target will be broken is if you use e.g. sed in a kickstart postscript to change the contents of the file. Without the correct parameter, sed will remove the symlink and recreate it as a file.

Are you sure the /boot partition is mounted when you look for the file in the correct location? Is this a machine using UEFI?
TrevorH, I did actually use a sed script to alter the lines actually; but what do you mean by "Without the correct parameter, sed will remove the symlink and recreate it as a file"? What is the correct parameter I am looking for?

Thanks,

Post by TrevorH » 2016/06/20 23:40:40

There's only one mention of "symlinks" in man sed
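The symlink behaviour discussed in this thread, reproduced in a scratch directory with GNU sed and its `--follow-symlinks` option, as an added example that is not part of the original posts. The directory tree, the `root=/dev/sda2` argument and the function names `make_tree`, `append_audit` and `check_audit` are constructed for illustration.

```shell
#!/bin/sh
# Constructed stand-in for a GRUB-legacy root: real file under boot/, symlink under etc/.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/boot/grub" "$root/etc"
    cat > "$root/boot/grub/grub.conf" <<'EOF'
default=0
title CentOS (2.6.32-573.22.1.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-573.22.1.el6.x86_64 ro root=/dev/sda2 rhgb quiet
    initrd /initramfs-2.6.32-573.22.1.el6.x86_64.img
EOF
    ln -s ../boot/grub/grub.conf "$root/etc/grub.conf"
    echo "$root"
}

# Put audit=1 last on every kernel line; any earlier audit=0/1 token is dropped
# first, so re-running does not stack duplicates.
# $1 = path to edit (may be the symlink), $2 = optional extra sed option.
append_audit() {
    sed -i ${2:+"$2"} -e \
      '/^[[:space:]]*kernel[[:space:]]/{s/[[:space:]]audit=[01]\>//g;s/[[:space:]]*$/ audit=1/;}' "$1"
}

# Returns 0 if compliant, 1 if a kernel line lacks a trailing audit=1,
# 2 if etc/grub.conf is no longer a symlink (the file under boot/ was not edited).
check_audit() {
    [ -L "$1/etc/grub.conf" ] || return 2
    if grep -E '^[[:space:]]*kernel[[:space:]]' "$1/boot/grub/grub.conf" |
        grep -Evq '[[:space:]]audit=1[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# Demo: the same edit through the symlink, without and with --follow-symlinks.
t1=$(make_tree); append_audit "$t1/etc/grub.conf"
rc=0; check_audit "$t1" || rc=$?
echo "sed -i alone:                  check_audit=$rc"
t2=$(make_tree); append_audit "$t2/etc/grub.conf" --follow-symlinks
rc=0; check_audit "$t2" || rc=$?
echo "sed -i with --follow-symlinks: check_audit=$rc"
rm -rf "$t1" "$t2"
```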