Here is a man page that seems to explain it for systems running systemd: http://www.freedesktop.org/software/systemd/man/sysctl.d.html
Gabe

On Mon, Feb 2, 2015 at 7:05 AM, Trevor Vaughan <[email protected]> wrote:

> That's a really good question.
>
> If it's implemented in the same way as modprobe.d, then later files will
> be able to override earlier ones.
>
> So, if they were consistent (hahaha), then that might be the answer.
>
> Trevor
>
> On Wed, Jan 21, 2015 at 2:34 PM, Shawn Wells <[email protected]> wrote:
>
>> Our current sysctl checks simultaneously check the runtime of the system
>> (via unix:sysctl_test) and the persistent configuration (regex on
>> sysctl.conf). We know these need to be broken out, and that's being tracked
>> in Issue #321 [1].
>>
>> So then, to actually take action, it seems like we need to:
>> (1) Break out the *runtime* checks into unique XCCDF and OVAL elements.
>> The OVAL will utilize unix:sysctl_test;
>> (2) Break out the *persistent* checks.
>>
>> On the persistent/static configuration side, from the sysctl manpage [2]
>> there are now 6 locations to bury persistent sysctl settings:
>>
>> /etc/sysctl/*.conf
>> /usr/local/lib/sysctl.d/*.conf
>> /usr/lib/sysctl.d/*.conf
>> /lib/sysctl.d/*.conf
>> /etc/sysctl.conf
>>
>> I can't find documentation on the "order of operations" on how sysctl
>> directories are scanned (aka, if a setting is placed in /usr/lib/sysctl.d/,
>> will /etc/sysctl/*.conf overwrite it?). Has anyone seen any order of
>> operations documentation on sysctl? My google-fu is failing today =/
>>
>> From the upstream source, I get the idea that /etc/sysctl.conf overwrites
>> everything [3], but unsure of the other paths. The closest indication I
>> could find was where PreLoadSystem() defines their dir[] array [4], which
>> shows:
>>
>> - /run/sysctl.d (ignored, will be checked by runtime OVAL check)
>> - /etc/sysctl.d/
>> - /usr/local/lib/sysctl.d/
>> - /usr/lib/sysctl.d/
>> - /lib/sysctl.d/
>>
>> As a side note, it looks like the code only checks *.conf files in those
>> directories, so we can ignore everything else [5].
>>
>> [1] https://github.com/OpenSCAP/scap-security-guide/issues/321
>> [2] http://man7.org/linux/man-pages/man5/sysctl.conf.5.html
>> [3] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L55
>> [4] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L584-593
>> [5] https://gitorious.org/procps/procps/source/fc7cb8dd4cd91da3d2df35b8863247674e4fd1ed:sysctl.c#L607-611
>> --
>> SCAP Security Guide mailing list
>> [email protected]
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>> https://github.com/OpenSCAP/scap-security-guide/
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> [email protected]
>
> -- This account not approved for unencrypted proprietary information --
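As an added example (not code from this thread or from the SSG project), the following Python models the precedence rules described in the systemd sysctl.d man page linked above: only *.conf files count, an identical file name in a higher-priority directory masks the lower copy entirely, the surviving files are applied in lexical order of base name regardless of which directory they live in, and later assignments win. Two assumptions are labelled in the code: /etc/sysctl.conf is applied last, which is how Shawn reads the procps source, and the directory priority is the man page's order with /lib/sysctl.d appended because the thread lists it; the sample tree is constructed.

```python
import posixpath
# Directory precedence, highest first, per the systemd sysctl.d(5) man page linked
# above; /lib/sysctl.d is appended because the thread lists it (assumption).
SYSCTL_D_DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d",
                 "/usr/lib/sysctl.d", "/lib/sysctl.d"]
LEGACY_CONF = "/etc/sysctl.conf"  # assumption: applied last, as the thread reads procps

def parse_sysctl(text):
    """Yield (key, value) pairs from sysctl.conf-style text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lstrip("-")  # a leading '-' only suppresses errors
        yield key.replace("/", "."), value.strip()  # a/b/c and a.b.c name the same key

def select_conf_files(paths):
    """Return the *.conf files to apply, in order: a base name found in several
    directories is taken from the highest-priority one only (lower copies are masked
    entirely, even for keys the winner does not set); survivors are then sorted by
    base name across directories, so /usr/lib's 60-vendor.conf runs after /etc's 50-default.conf."""
    chosen = {}
    for directory in SYSCTL_D_DIRS:
        for p in paths:
            if posixpath.dirname(p) == directory and p.endswith(".conf"):
                chosen.setdefault(posixpath.basename(p), p)
    ordered = [chosen[name] for name in sorted(chosen)]
    if LEGACY_CONF in paths:
        ordered.append(LEGACY_CONF)
    return ordered

def resolve(files):
    """files: {path: content}. Return {key: (value, path_that_set_it)}."""
    result = {}
    for path in select_conf_files(files):
        for key, value in parse_sysctl(files[path]):
            result[key] = (value, path)  # later assignment overrides earlier
    return result

# Constructed sample tree, not taken from any real system.
SAMPLE = {
    "/usr/lib/sysctl.d/50-default.conf": "net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\n",
    "/etc/sysctl.d/50-default.conf": "net.ipv4.ip_forward = 0\n",  # masks the /usr/lib copy
    "/etc/sysctl.d/10-local.conf": "kernel.sysrq = 0\n-fs.protected_hardlinks = 1\n",
    "/usr/lib/sysctl.d/60-vendor.conf": "kernel.sysrq = 16\n",  # sorts after 10-local.conf
    "/etc/sysctl.d/notes.txt": "kernel.sysrq = 99\n",  # not *.conf: ignored
    "/etc/sysctl.conf": "net/ipv4/conf/all/accept_redirects = 0\n",
}
```

Note that the masked /usr/lib copy of 50-default.conf takes net.ipv4.tcp_syncookies with it, and the vendor file in /usr/lib still wins kernel.sysrq over /etc/sysctl.d/10-local.conf because 60 sorts after 10; a persistent-configuration check that greps only one directory misses both effects.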
