----- Original Message ----- > From: "Shawn Wells" <[email protected]> > To: [email protected] > Sent: Sunday, December 1, 2013 7:28:24 AM > Subject: Re: PATCH] [RHEL6] Add remediation for Disable Prelinking rule > > On 11/30/13, 11:35 AM, Dave Smith wrote: > > > > This looks great, please push! > > On 11/27/2013 10:40 AM, Jan Lieskovsky wrote: > > > > Proposal for the "2.1.3.1.b. Disable Prelinking" > rule remediation. > > Please review. > > Thank you && Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Technologies Team > > > > 0001-RHEL6-Add-remediation-for-Disable-Prelinking-rule.patch > From 102d335388c881e6f825b48c54e33f0e1e623767 Mon Sep 17 00:00:00 2001 > From: Jan Lieskovsky <[email protected]> Date: Wed, 27 Nov 2013 16:36:04 > +0100 > Subject: [PATCH] [RHEL6] Add remediation for Disable Prelinking rule > > Signed-off-by: Jan Lieskovsky <[email protected]> --- > RHEL6/input/fixes/bash/disable_prelink.sh | 9 +++++++++ > 1 file changed, 9 insertions(+) > create mode 100644 RHEL6/input/fixes/bash/disable_prelink.sh > > diff --git a/RHEL6/input/fixes/bash/disable_prelink.sh > b/RHEL6/input/fixes/bash/disable_prelink.sh > new file mode 100644 > index 0000000..98dc85d > --- /dev/null > +++ b/RHEL6/input/fixes/bash/disable_prelink.sh 
> @@ -0,0 +1,9 @@ > +# > +# Disable prelinking altogether > +# > +sed -i "s/PRELINKING.*/PRELINKING=no/g" /etc/sysconfig/prelink > + > +# > +# Undo previous prelink changes to binaries > +# > +/usr/sbin/prelink -ua > -- > 1.8.3.1 > > > What if PRELINK was commented out? e.g. > > # grep PRELINKING /etc/sysconfig/prelink > #PRELINKING=commented > [root@SSG-RHEL6 shared]# sed -i "s/PRELINKING.*/PRELINKING=no/g" > /etc/sysconfig/prelink > [root@SSG-RHEL6 shared]# grep PRELINKING /etc/sysconfig/prelink > #PRELINKING=no > > > That's why the sysctl (+others) use something like: > > if grep --silent ^PRELINKING /etc/sysconfig/prelink ; then > sed -i 's/^PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink > else > echo "" >> /etc/sysconfig/prelink > echo "# Set PRELINKING=no per security requirements" >> > /etc/sysconfig/prelink > echo "PRELINKING=no" >> /etc/sysconfig/prelink
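Review bot: the `sed -i "s/PRELINKING.*/PRELINKING=no/g"` substitution in the hunk is not anchored to the start of the line, so a commented-out `#PRELINKING=...` entry is rewritten but stays commented and the setting never takes effect, which is exactly what the grep/sed session above demonstrates; anchor the pattern as `s/^PRELINKING=.*/PRELINKING=no/` and, when no active line matches, append `PRELINKING=no` instead, as the sysctl fixes already do. The script also assumes that `/etc/sysconfig/prelink` and `/usr/sbin/prelink` exist; on a host without the prelink package both `sed -i` and `/usr/sbin/prelink -ua` fail, so guarding on the file and the binary being present would let the remediation run unconditionally.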
Thanks, Shawn. Right, good catch. Proposal updated and pushed:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=4f79051cf150817a0a89f3c02550c7b7e4c9e868

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
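The grep-then-sed-or-append pattern Shawn describes, generalized into a reusable helper and exercised against every state a sysconfig file can be in (active key, commented-out key, key absent, file absent). This is an added example written for this thread, not code from the scap-security-guide patch or the pushed commit; the function names, the constructed sample files and the temp-directory demo are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from scap-security-guide): set KEY=value in a
# sysconfig-style file so the result is an active, uncommented assignment
# whatever the file's prior state. Function names are this example's own.

# set_sysconfig_value FILE KEY VALUE
# VALUE must not contain '/' or '&' (both are special in the sed replacement).
set_sysconfig_value() {
    file="$1"; key="$2"; value="$3"
    # Create a missing file so grep/sed below never fail on a non-existent path.
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # An active assignment exists: rewrite it in place. The pattern is
        # anchored at line start, so a commented "#KEY=..." line is not touched.
        tmp="${file}.tmp.$$"
        sed "s/^${key}=.*/${key}=${value}/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        # No active assignment (key absent or only commented out): append one.
        # Any commented-out line is left alone; the appended line takes effect.
        printf '\n# Set %s=%s per security requirements\n%s=%s\n' \
            "$key" "$value" "$key" "$value" >> "$file"
    fi
}

# get_sysconfig_value FILE KEY -> prints the last active value, or nothing.
get_sysconfig_value() {
    file="$1"; key="$2"
    [ -f "$file" ] || return 0
    sed -n "s/^${key}=//p" "$file" | tail -n 1
}

# count_active_lines FILE KEY -> number of active KEY= lines; a correct
# remediation leaves exactly one, and re-running it must not add another.
count_active_lines() {
    grep -c "^$2=" "$1" 2>/dev/null || true
}

# Undo earlier prelinking only when the prelink binary is actually installed,
# so the remediation exits 0 on hosts that never had the package.
undo_prelink_if_present() {
    if [ -x /usr/sbin/prelink ]; then
        /usr/sbin/prelink -ua
    fi
}

# Demo on constructed files mirroring the cases raised in the thread.
demo_prelink_scenarios() {
    dir=$(mktemp -d)
    # Constructed sample: the commented-out case from Shawn's session.
    printf '# set PRELINKING=no to disable\n#PRELINKING=commented\n' > "$dir/commented"
    # Constructed sample: prelinking actively enabled.
    printf 'PRELINKING=yes\nPRELINK_OPTS=-mR\n' > "$dir/active"
    # "$dir/missing" is deliberately not created (prelink config absent).
    for f in commented active missing; do
        set_sysconfig_value "$dir/$f" PRELINKING no
        printf '%-9s -> PRELINKING=%s (%s active line(s))\n' "$f" \
            "$(get_sysconfig_value "$dir/$f" PRELINKING)" \
            "$(count_active_lines "$dir/$f" PRELINKING)"
    done
    rm -rf "$dir"
}

demo_prelink_scenarios
```

The sed is written as a rewrite-and-rename rather than `sed -i` so the helper behaves the same on GNU and BSD sed; the anchored `^KEY=` grep is what keeps a commented line from being mistaken for an active one, and the count check is the quickest way to confirm the fix is idempotent before shipping it as a remediation.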
