That's a really good question. If it's implemented in the same way as modprobe.d, then later files will be able to override earlier ones.

So, if they were consistent (hahaha), then that might be the answer.

Trevor

On Wed, Jan 21, 2015 at 2:34 PM, Shawn Wells <[email protected]> wrote:
> Our current sysctl checks simultaneously check the runtime of the system
> (via unix:sysctl_test) and the persistent configuration (regex on
> sysctl.conf). We know these need to be broken out, and that's being tracked
> in Issue #321 [1].
>
> So then, to actually take action, it seems like we need to:
> (1) Breakout the *runtime* checks into unique XCCDF and OVAL elements. The
> OVAL will utilize unix:sysctl_test;
> (2) Breakout the *persistent* checks.
>
> On the persistent/static configuration side, from the sysctl manpage [2]
> there are now 6 locations to bury persistent sysctl settings:
>
> /etc/sysctl/*.conf
> /usr/local/lib/sysctl.d/*.conf
> /usr/lib/sysctl.d/*.conf
> /lib/sysctl.d/*.conf
> /etc/sysctl.conf
>
> I can't find documentation on the "order of operations" on how sysctl
> directories are scanned (aka, if a setting is placed in /usr/lib/sysctl.d/,
> will /etc/sysctl/*.conf overwrite it?). Has anyone seen any order of
> operations documentation on sysctl? My google-fu is failing today =/
>
> From the upstream source, I get the idea that /etc/sysctl.conf overwrites
> everything [3], but unsure of the other paths. The closest indication I
> could find was where PreLoadSystem() defines their dir[] array [4], which
> shows:
>
> - /run/sysctl.d (ignored, will be checked by runtime OVAL check)
> - /etc/sysctl.d/
> - /usr/local/lib/sysctl.d/
> - /usr/lib/sysctl.d/
> - /lib/sysctl.d/
>
> As a side note, it looks like the code only checks *.conf files in those
> directories, so we can ignore everything else [5].
>
> [1] https://github.com/OpenSCAP/scap-security-guide/issues/321
> [2] http://man7.org/linux/man-pages/man5/sysctl.conf.5.html
> [3] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L55
> [4] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L584-593
> [5] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L607-611
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --
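The precedence question in the thread is exactly what a persistent-configuration check has to answer: given the same key in several drop-in files, which value does sysctl end up applying at boot? The script below, added here as an illustration and not code from the SCAP Security Guide project or from either poster, resolves that for an in-memory or on-disk tree. It takes from the thread the directory scan order of PreLoadSystem()'s dir[] array, the "only *.conf files" rule, and /etc/sysctl.conf being applied last. Two further rules are assumptions, not something the thread establishes: that a file name already seen in an earlier directory masks the same name in later ones, and that the collected files are then applied in lexical order of their basename (both match the behaviour described by later sysctl.conf(5) manpages, but verify them against the procps build you are auditing). The sample tree, the hypothetical file names in it and the function names are constructed for the example.

```python
"""Resolve the effective persistent sysctl value of each key across the
drop-in directories, reporting which file set it.

Scan order and the *.conf filter follow the dir[] array quoted in the
thread; same-basename masking and lexical application order are
ASSUMPTIONS (see the lead-in) and should be checked against the sysctl
version in use.
"""
import os
import re
from typing import Dict, List, Tuple

# Directory scan order as listed in the thread (PreLoadSystem's dir[] array).
SYSCTL_DIRS = [
    "/run/sysctl.d",
    "/etc/sysctl.d",
    "/usr/local/lib/sysctl.d",
    "/usr/lib/sysctl.d",
    "/lib/sysctl.d",
]
# Applied last, so it overrides anything the drop-ins set.
SYSCTL_CONF = "/etc/sysctl.conf"

# key = value; lines starting with '#' or ';' are comments, blank lines skipped.
_LINE = re.compile(r"^\s*([^#;=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_sysctl_text(text: str) -> Dict[str, str]:
    """Parse one file's 'key = value' lines. A later duplicate inside the
    same file wins, mirroring sysctl applying lines top to bottom."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if m:
            # A leading '-' only suppresses errors for that key; drop it.
            settings[m.group(1).strip().lstrip("-")] = m.group(2)
    return settings


def ordered_sources(files: Dict[str, str]) -> List[str]:
    """Return config paths in the order sysctl is assumed to apply them.

    `files` maps absolute path -> content. Only *.conf entries directly
    inside a scanned directory count; /etc/sysctl.conf is always last.
    """
    seen_names = set()
    chosen: List[str] = []
    for d in SYSCTL_DIRS:
        for path in sorted(files):
            if os.path.dirname(path) != d or not path.endswith(".conf"):
                continue
            name = os.path.basename(path)
            if name in seen_names:
                continue  # ASSUMPTION: earlier directory masks same basename
            seen_names.add(name)
            chosen.append(path)
    chosen.sort(key=os.path.basename)  # ASSUMPTION: lexical basename order
    if SYSCTL_CONF in files:
        chosen.append(SYSCTL_CONF)
    return chosen


def resolve(files: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Map each key to (effective value, path that set it)."""
    effective: Dict[str, Tuple[str, str]] = {}
    for path in ordered_sources(files):
        for key, value in parse_sysctl_text(files[path]).items():
            effective[key] = (value, path)
    return effective


def load_tree(root: str = "/") -> Dict[str, str]:
    """Read a real filesystem (or a chroot-style copy under `root`) into
    the mapping resolve() expects."""
    files: Dict[str, str] = {}
    for d in SYSCTL_DIRS + [os.path.dirname(SYSCTL_CONF)]:
        full = os.path.join(root, d.lstrip("/"))
        if not os.path.isdir(full):
            continue
        for name in os.listdir(full):
            p = os.path.join(full, name)
            if os.path.isfile(p) and name.endswith(".conf"):
                with open(p) as fh:
                    files["/" + os.path.relpath(p, root)] = fh.read()
    return files


# Constructed sample tree: the same key set at several levels, a vendor
# drop-in shadowed by an /etc file of the same name, and a non-.conf file.
SAMPLE_TREE = {
    "/usr/lib/sysctl.d/50-default.conf": "net.ipv4.ip_forward = 1\nkernel.kptr_restrict = 0\n",
    "/etc/sysctl.d/50-default.conf": "# masks the vendor file above\nkernel.kptr_restrict = 2\n",
    "/etc/sysctl.d/99-hardening.conf": "net.ipv4.ip_forward = 0\n; comment\nkernel.dmesg_restrict = 1\n",
    "/lib/sysctl.d/10-early.conf": "fs.protected_hardlinks = 1\nkernel.dmesg_restrict = 0\n",
    "/etc/sysctl.d/README": "kernel.dmesg_restrict = 0\n",  # not *.conf, ignored
    "/etc/sysctl.conf": "net.ipv4.ip_forward = 1\n",
}

if __name__ == "__main__":
    for key, (value, origin) in sorted(resolve(SAMPLE_TREE).items()):
        print(f"{key} = {value}    # from {origin}")
```

Run against a live host with `resolve(load_tree())` to see, for each key, the single file a persistent check should be reading; a regex over /etc/sysctl.conf alone, as the thread notes, misses every drop-in that is not overridden there.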
