Re: Freeze break: change ansible_fqdn to inventory_hostname in rkhunter template

On Tue, Apr 19, 2016 at 02:54:12PM -0600, Kevin Fenzi wrote:
> Greetings. 
> 
> I'd like to apply the following and run the rkhunter template over
> everything. This is targeted at host1plus however. At most this will
> impact rkhunter and nothing else. 
> 
> ansible_fqdn gets its value by looking at the ip address of the
> machine and doing a reverse dns lookup. Mostly this is fine, but in
> some cases (like host1plus) the reverse dns is not controlled by us and
> is not as you might expect: 
> 
> $ host host1plus01.fedoraproject.org
> host1plus01.fedoraproject.org has address 5.175.150.48
> $ host 5.175.150.48
> 48.150.175.5.in-addr.arpa domain name pointer gdm4.unidis.com.br.
> 
> This results in the above template looking and seeing that
> "gdm4.unidis.com.br" is not in fact in the virthosts group and thus
> shouldn't have the line that allows /dev/shm/spice* files, so it sends
> an alert about it being there. 
> 
> (after freeze we should probably go remove all uses of ansible_fqdn)
> 
> diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2
> index 7b76695..35e5576 100644
> --- a/roles/rkhunter/templates/rkhunter.conf.j2
> +++ b/roles/rkhunter/templates/rkhunter.conf.j2
> @@ -386,7 +386,7 @@ ALLOWDEVFILE=/dev/shm/fmn-cache.dbm
>  ALLOWDEVFILE=/dev/shm/squid-squid-page-pool.shm
>  ALLOWDEVFILE=/dev/shm/squid-cache_mem.shm
>  {% endif %}
> -{% if ansible_fqdn in groups['virtservers'] or ansible_fqdn in groups['openqa-workers'] or ansible_fqdn in groups['openqa-stg-workers']  %}
> +{% if inventory_hostname in groups['virtservers'] or inventory_hostname in groups['openqa-workers'] or inventory_hostname in groups['openqa-stg-workers']  %}
>  # libvirt spice device makes a /dev/shm/spice file
>  ALLOWDEVFILE=/dev/shm/spice.*
>  {% endif %}
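Review bot: the new condition on the `+` line carries no comment saying why `inventory_hostname` is used, so a later cleanup could switch it back to `ansible_fqdn` and bring back the false alert. `groups[...]` lists inventory names, so the change itself is the right key to test; a one-line Jinja comment above the `{% if %}` noting that reverse DNS may not match the inventory name would record that. The hunk touches only this conditional, and the block that closes at the `{% endif %}` in the leading context has its condition outside the visible lines, so it is worth checking in the same pass whether that one also tests `ansible_fqdn`. Separately, the unchanged `ALLOWDEVFILE=/dev/shm/spice.*` line allows any name beginning with `spice` under /dev/shm on these hosts; if the libvirt file name is predictable, a tighter pattern would keep more of rkhunter's coverage.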
> 
> +1s?

+1 for me


Pierre
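
An added example, not part of the original thread or of the Fedora infrastructure repository: a small audit that lists hosts for which the `ansible_fqdn` form of the template condition and the `inventory_hostname` form disagree. The group membership, the `example.org` hosts and the facts map are constructed for illustration; only the host1plus01 name and its reverse-DNS name come from the message above, and its membership in `virtservers` is an assumption.

```python
# Constructed inventory: group name -> inventory hostnames (assumption, not Fedora's real inventory).
GROUPS = {
    "virtservers": ["virthost01.example.org", "host1plus01.fedoraproject.org"],
    "openqa-workers": ["openqa-worker01.example.org"],
    "openqa-stg-workers": [],
}

# Constructed facts: inventory_hostname -> ansible_fqdn as gathered on the host.
# The host1plus01 pair mirrors the reverse-DNS result quoted in the thread.
FACTS = {
    "virthost01.example.org": "virthost01.example.org",
    "host1plus01.fedoraproject.org": "gdm4.unidis.com.br",
    "openqa-worker01.example.org": "openqa-worker01.example.org",
    "proxy01.example.org": "proxy01.example.org",
}

# Groups tested by the template conditional in the patch.
CHECKED = ("virtservers", "openqa-workers", "openqa-stg-workers")


def in_any_group(name, groups, checked):
    """Mirror of `name in groups[a] or name in groups[b] ...` from the template."""
    return any(name in groups.get(group, ()) for group in checked)


def divergent_hosts(groups, facts, checked=CHECKED):
    """Return (host, fqdn, by_inventory, by_fqdn) where the two tests disagree.

    by_inventory is the result with inventory_hostname (after the patch),
    by_fqdn the result with ansible_fqdn (before the patch).
    """
    findings = []
    for host, fqdn in sorted(facts.items()):
        by_inventory = in_any_group(host, groups, checked)
        by_fqdn = in_any_group(fqdn, groups, checked)
        if by_inventory != by_fqdn:
            findings.append((host, fqdn, by_inventory, by_fqdn))
    return findings


if __name__ == "__main__":
    for host, fqdn, by_inv, by_fqdn in divergent_hosts(GROUPS, FACTS):
        print(f"{host}: ansible_fqdn={fqdn} inventory-match={by_inv} fqdn-match={by_fqdn}")
```

Each reported host is one where the rendered rkhunter.conf would change when the template moves from `ansible_fqdn` to `inventory_hostname`.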
