On Tue, Apr 19, 2016 at 02:54:12PM -0600, Kevin Fenzi wrote:
> Greetings.
>
> I'd like to apply the following and run the rkhunter template over
> everything. This is targeted at host1plus however. At most this will
> impact rkhunter and nothing else.
>
> ansible_fqdn gets its value by looking at the ip address of the
> machine and doing a reverse dns lookup. Mostly this is fine, but in
> some cases (like host1plus) the reverse dns is not controlled by us and
> is not as you might expect:
>
> $ host host1plus01.fedoraproject.org
> host1plus01.fedoraproject.org has address 5.175.150.48
> host 5.175.150.48
> 48.150.175.5.in-addr.arpa domain name pointer gdm4.unidis.com.br.
>
> This results in the above template looking and seeing that
> "gdm4.unidis.com.br" is not in fact in the virthosts group and thus
> shouldn't have the line that allows /dev/shm/spice* files, so it sends
> an alert about it being there.
>
> (after freeze we should probably go remove all uses of ansible_fqdn)
>
> diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2 > index 7b76695..35e5576 100644 > --- a/roles/rkhunter/templates/rkhunter.conf.j2 > +++ b/roles/rkhunter/templates/rkhunter.conf.j2 > @@ -386,7 +386,7 @@ ALLOWDEVFILE=/dev/shm/fmn-cache.dbm > ALLOWDEVFILE=/dev/shm/squid-squid-page-pool.shm > ALLOWDEVFILE=/dev/shm/squid-cache_mem.shm > {% endif %} > -{% if ansible_fqdn in groups['virtservers'] or ansible_fqdn in groups['openqa-workers'] or ansible_fqdn in groups['openqa-stg-workers'] %} > +{% if inventory_hostname in groups['virtservers'] or inventory_hostname in groups['openqa-workers'] or inventory_hostname in groups['openqa-stg-workers'] %} > # libvirt spice device makes a /dev/shm/spice file > ALLOWDEVFILE=/dev/shm/spice.* > {% endif %}
>
> +1s?

+1 for me

Pierre
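
Review bot: The changed "{% if ... %}" line carries no comment saying why it tests inventory_hostname, so a later cleanup could switch it back to ansible_fqdn and bring back the false rkhunter alert on hosts whose reverse DNS is outside our control. A one-line Jinja comment above the condition, for example "{# groups[] lists inventory names; ansible_fqdn comes from reverse DNS and may not match #}", would record that. The three repeated membership tests on that line could also be written against group_names, which already holds the groups of the current host, so no hostname variable is needed there at all.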