Hello Maura, ----- Original Message ----- > From: "Maura Dailey" <[email protected]> > Subject: [PATCH] Service cgred (service name for binary cgrulesengd) is gone > in RHEL 7. > > I noticed that cgred.service was not present in libcgroup-tools in the RHEL 7 > beta. cgred.service is the service file that controls the daemon > cgrulesengd. > > # rpm -q --changelog libcgroup-tools > * Mon Nov 04 2013 Peter Schiffer <[email protected]> 0.40-0.rc1.3 > - related: #819568 > fixed some coverity findings > > * Fri Nov 01 2013 Peter Schiffer <[email protected]> 0.40-0.rc1.2 > - related: #1016810 > returned creation of cgred group, which was removed in previous commit by > mistage > > * Fri Nov 01 2013 Peter Schiffer <[email protected]> 0.40-0.rc1.1 > - resolves: #819568, #740113 > rebased to 0.40.rc1 > - resolves: #983264 > rebuilt with full relro and PIE > - resolves: #1016810 > removed cgrulesengd daemon > ... > > Please note that in the last line displayed here, cgrulesengd is listed as > having been removed.
I would assume that removal of cgrulesengd daemon above would correspond to removal of particular SysV init script from the libcgroup-tools package, and replacing it with the systemd unit instead (as part of moving from SysV init scripts to systemd managed services scenario). This can be verified as follows: [root@localhost ~]# cat /etc/redhat-release Red Hat Enterprise Linux Workstation release 7.0 Beta (Maipo) [root@localhost ~]# rpm -q libcgroup-tools libcgroup-tools-0.41-6.el7.x86_64 [root@localhost ~]# rpm -ql libcgroup-tools | grep cgred /etc/sysconfig/cgred /usr/lib/systemd/system/cgred.service /usr/share/man/man5/cgred.conf.5.gz [root@localhost ~]# systemctl is-enabled cgred disabled [root@localhost ~]# chkconfig --level 0123456 cgred off Note: Forwarding request to 'systemctl disable cgred.service'. That note suggest what the chkconfig command would be actually translated into on RHEL-7. So I would say the cgred service XCCDF rule is still worthy to be kept, just the fix should be rewritten into systemd syntax / commands, rather to rely on chkconfig translation. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team > > RHEL Bugzilla reference here (I can't read the actual bug from the changelog, > but there's a link to it on this page): > https://bugzilla.redhat.com/show_bug.cgi?id=1034248 > > - Maura Dailey > > > Signed-off-by: Maura Dailey <[email protected]> > --- > RHEL/7/input/fixes/bash/service_cgred_disabled.sh | 9 --------- > RHEL/7/input/services/base.xml | 15 --------------- > 2 files changed, 0 insertions(+), 24 deletions(-) > delete mode 100644 RHEL/7/input/fixes/bash/service_cgred_disabled.sh > > diff --git a/RHEL/7/input/fixes/bash/service_cgred_disabled.sh > b/RHEL/7/input/fixes/bash/service_cgred_disabled.sh > deleted file mode 100644 > index e4d7301..0000000 > --- a/RHEL/7/input/fixes/bash/service_cgred_disabled.sh > +++ /dev/null > @@ -1,9 +0,0 @@ > -# > -# Disable cgred for all run levels > -# > -chkconfig --level 0123456 cgred off > - > -# > -# Stop cgred if currently running > -# > -service cgred stop > diff --git a/RHEL/7/input/services/base.xml b/RHEL/7/input/services/base.xml > index 4f2c05a..5c0941c 100644 > --- a/RHEL/7/input/services/base.xml > +++ b/RHEL/7/input/services/base.xml > @@ -75,21 +75,6 @@ service is not necessary. > <ref nist="CM-7" /> > </Rule> > > -<Rule id="service_cgred_disabled"> > -<title>Disable Control Group Rules Engine (cgred)</title> > -<description>The <tt>cgred</tt> service moves tasks into control groups > according to > -parameters set in the <tt>/etc/cgrules.conf</tt> configuration file. > -<service-disable-macro service="cgred" /> > -</description> > -<ocil><service-disable-check-macro service="cgred" /></ocil> > -<rationale>Unless control groups are used to manage system resources, > running the cgred service > -service is not necessary. > -</rationale> > -<ident cce="RHEL7-CCE-TBD" /> > -<oval id="service_cgred_disabled" /> > -<ref nist="CM-7" /> > -</Rule> > - > <Rule id="service_cpuspeed_disabled"> > <title>Disable CPU Speed (cpuspeed)</title> > <description>The <tt>cpuspeed</tt> service can adjust the clock speed of > supported CPUs based upon > -- > 1.7.1 > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide > _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
