Hello Maura,
----- Original Message -----
From: "Maura Dailey" maura@eclipse.ncsc.mil
Subject: [PATCH] Service cgred (service name for binary cgrulesengd) is gone in RHEL 7.
I noticed that cgred.service was not present in libcgroup-tools in the RHEL 7 beta. cgred.service is the service file that controls the daemon cgrulesengd.
# rpm -q --changelog libcgroup-tools
- Mon Nov 04 2013 Peter Schiffer pschiffe@redhat.com 0.40-0.rc1.3
- related: #819568 fixed some coverity findings
- Fri Nov 01 2013 Peter Schiffer pschiffe@redhat.com 0.40-0.rc1.2
- related: #1016810 returned creation of cgred group, which was removed in previous commit by mistage
- Fri Nov 01 2013 Peter Schiffer pschiffe@redhat.com 0.40-0.rc1.1
- resolves: #819568, #740113 rebased to 0.40.rc1
- resolves: #983264 rebuilt with full relro and PIE
- resolves: #1016810 removed cgrulesengd daemon
...
Please note that in the last line displayed here, cgrulesengd is listed as having been removed.
I would assume that the removal of the cgrulesengd daemon above would correspond to the removal of the particular SysV init script from the libcgroup-tools package, and its replacement with the systemd unit instead (as part of moving from SysV init scripts to the systemd-managed services scenario).
This can be verified as follows:
[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Workstation release 7.0 Beta (Maipo)
[root@localhost ~]# rpm -q libcgroup-tools
libcgroup-tools-0.41-6.el7.x86_64
[root@localhost ~]# rpm -ql libcgroup-tools | grep cgred
/etc/sysconfig/cgred
/usr/lib/systemd/system/cgred.service
/usr/share/man/man5/cgred.conf.5.gz
[root@localhost ~]# systemctl is-enabled cgred
disabled
[root@localhost ~]# chkconfig --level 0123456 cgred off
Note: Forwarding request to 'systemctl disable cgred.service'.

That note suggests what the chkconfig command would actually be translated into on RHEL-7.

So I would say the cgred service XCCDF rule is still worth keeping; just the fix should be rewritten into systemd syntax / commands, rather than relying on chkconfig translation.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
RHEL Bugzilla reference here (I can't read the actual bug from the changelog, but there's a link to it on this page): https://bugzilla.redhat.com/show_bug.cgi?id=1034248
- Maura Dailey
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil
RHEL/7/input/fixes/bash/service_cgred_disabled.sh | 9 --------- RHEL/7/input/services/base.xml | 15 --------------- 2 files changed, 0 insertions(+), 24 deletions(-) delete mode 100644 RHEL/7/input/fixes/bash/service_cgred_disabled.sh
diff --git a/RHEL/7/input/fixes/bash/service_cgred_disabled.sh b/RHEL/7/input/fixes/bash/service_cgred_disabled.sh deleted file mode 100644 index e4d7301..0000000 --- a/RHEL/7/input/fixes/bash/service_cgred_disabled.sh +++ /dev/null @@ -1,9 +0,0 @@ -# -# Disable cgred for all run levels -# -chkconfig --level 0123456 cgred off
-# -# Stop cgred if currently running -# -service cgred stop diff --git a/RHEL/7/input/services/base.xml b/RHEL/7/input/services/base.xml index 4f2c05a..5c0941c 100644 --- a/RHEL/7/input/services/base.xml +++ b/RHEL/7/input/services/base.xml @@ -75,21 +75,6 @@ service is not necessary.
<ref nist="CM-7" /> </Rule>
-<Rule id="service_cgred_disabled"> -<title>Disable Control Group Rules Engine (cgred)</title> -<description>The <tt>cgred</tt> service moves tasks into control groups according to -parameters set in the <tt>/etc/cgrules.conf</tt> configuration file. -<service-disable-macro service="cgred" /> -</description> -<ocil><service-disable-check-macro service="cgred" /></ocil> -<rationale>Unless control groups are used to manage system resources, running the cgred service -service is not necessary. -</rationale> -<ident cce="RHEL7-CCE-TBD" /> -<oval id="service_cgred_disabled" /> -<ref nist="CM-7" /> -</Rule>
<Rule id="service_cpuspeed_disabled"> <title>Disable CPU Speed (cpuspeed)</title> <description>The <tt>cpuspeed</tt> service can adjust the clock speed of supported CPUs based upon -- 1.7.1
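Review bot: deleting RHEL/7/input/fixes/bash/service_cgred_disabled.sh removes the remediation entirely, although the only lines in it tied to SysV tooling are `chkconfig --level 0123456 cgred off` and `service cgred stop`. The rpm -ql output in this thread shows /usr/lib/systemd/system/cgred.service shipping in libcgroup-tools-0.41-6.el7, and chkconfig reports forwarding the request to 'systemctl disable cgred.service'. Suggest keeping the file and replacing those two commands with `systemctl disable cgred.service` and `systemctl stop cgred.service`, so the fix does not depend on the chkconfig forwarding.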
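Review bot: in the RHEL/7/input/services/base.xml hunk, the removed `<Rule id="service_cgred_disabled">` block contains nothing specific to SysV init: it goes through `service-disable-macro` and `service-disable-check-macro`, so it should not need to be dropped if the unit still exists. Removing it also drops the CM-7 reference for cgred, and the diffstat lists only two files, so whatever check `<oval id="service_cgred_disabled" />` refers to is not touched by this patch and would be left without a rule pointing at it. Suggest keeping the rule; if it is edited, the rationale repeats a word across the line break ("running the cgred service" followed by "service is not necessary"), which is worth fixing at the same time.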
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide