On Tuesday, April 19, 2016 2:54:12 PM CDT Kevin Fenzi wrote:
> Greetings.
>
> I'd like to apply the following and run the rhunter template over
> everything. This is targeted at host1plus however. At most this will
> impact rkhunter and nothing else.
>
> ansible_fqdn gets it's value by looking at the ip address of the
> machine and doing a reverse dns lookup. Mostly this is fine, but in
> some cases (like host1plus) the reverse dns is not controlled by us and
> is not as you might expect:
>
> $ host host1plus01.fedoraproject.org
> host1plus01.fedoraproject.org has address 5.175.150.48
> host 5.175.150.48
> 48.150.175.5.in-addr.arpa domain name pointer gdm4.unidis.com.br.
>
> This results in the above template looking and seeing that
> "gdm4.unidis.com.br" is not in fact in the virthosts group and thus
> shouldn't have the line that allows /dev/shm/spice* files, so it sends
> a alert about it being there.
>
> (after freeze we should probibly go remove all uses of ansible_fqdn)
>
> diff --git a/roles/rkhunter/templates/rkhunter.conf.j2
> b/roles/rkhunter/templates/rkhunter.conf.j2 index 7b76695..35e5576 100644
> --- a/roles/rkhunter/templates/rkhunter.conf.j2
> +++ b/roles/rkhunter/templates/rkhunter.conf.j2
> @@ -386,7 +386,7 @@ ALLOWDEVFILE=/dev/shm/fmn-cache.dbm
> ALLOWDEVFILE=/dev/shm/squid-squid-page-pool.shm
> ALLOWDEVFILE=/dev/shm/squid-cache_mem.shm
> {% endif %}
> -{% if ansible_fqdn in groups['virtservers'] or ansible_fqdn in
> groups['openqa-workers'] or ansible_fqdn in groups['openqa-stg-workers']
> %} +{% if inventory_hostname in groups['virtservers'] or inventory_hostname
> in groups['openqa-workers'] or inventory_hostname in
> groups['openqa-stg-workers'] %} # libvirt spice device makes a
> /dev/shm/spice file
> ALLOWDEVFILE=/dev/shm/spice.*
> {% endif %}
>
> +1s?
>
> kevin
+1
Dennis
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
