Persisting /etc/securetty Contents
STIG V-ID 38494 specifies that serial console devices should be omitted from /etc/securetty. This is easily enough accomplished in any given CM framework by scanning the file and nuking any ttyS* entries. Unfortunately, when you reboot an EL6 system, upstart puts any GRUB-specified console entries back.
I've tried creating an /etc/login/serial.override file and omitting the /sbin/securetty and fedora.serial-console-available entries. Similarly tried creating an /etc/init/ttyS0.conf line with those entry points omitted. In either case, after reboot, ttyS0 is placed back into /etc/securetty.
Short of nuking the offending ttyS* entries and then doing a chattr -i /etc/securetty, is there any better way to prevent the entries from coming back? I'd really rather avoid the chattr work-around.
Responses
serial.override should be in /etc/init, not /etc/login, with permissions 644.
I would just add changes to override file.
My assumption is, without testing, the update will fail. The chattr would need to be removed, the file backed up, then replaced after the update. In practice, I have seen these types of issues marked as "frozen" for at least the initscripts package, along with system documentation on how to update the individual system. Maybe there is a yum or rpm force option, but it would still provide some confusion to an unsuspecting systems admin.
Yates,
I was curious and so I did a test of sorts... I did a reinstall of the rpm on a non-production system I cared little about using this... During the reinstall, with the "chattr +i /etc/init/serial.conf" it failed to restore a file [/etc/rc.local] I moved out of the way.
- Before proceeding, make sure your conf file is identifiable, contains the edits you wish and probably make a backup of the file.
- I wanted to see if after doing the "chattr" command against /etc/init/serial.conf file if it would still reinstall the rpm successfully. So I moved (mv command) the file at /etc/rc.local out of the way to see if it would reinstall the missing /etc/rc.local ...
However, it failed to restore the /etc/rc.local file and from what I found later, the chattr against the file "/etc/init/serial.conf" apparently (in my case) caused it to fail... I did not test this with a "yum update" (I would have had to do a "yum downgrade" to do that first).
/bin/mv /etc/rc.local /etc/rc.local.bak
chattr +i /etc/init/serial.conf
yum -y reinstall initscripts -v
While this is not the same as an upgrade, here is what I got... -My output...
<output truncated>
Error unpacking rpm package initscripts-9.03.49.1.el6_7.2.x86_64
error: unpacking of archive failed on file /etc/init/serial.conf: cpio: rename
Warning: scriptlet or other non-fatal errors occurred during transaction.
Installed products updated.
Verifying : initscripts-9.03.49-1.el6_7.2.x86_64
What is this? initscripts-9.03.49-1.el6_7.2.x86_64
## it really said the above!!
VerifyTransaction time: 0.054
Transaction time: 5.341
Failed:
initscripts.x86_64 0:9.03.49-1.el6_7.2
[me@mysystem] # file /etc/rc.local
The "file command" failed because the "yum reinstall" command did not restore /etc/rc.local. However, when I did a chattr -i of the conf file, and a "yum reinstall", it reinstalled the initscripts rpm with no consternation.
chattr -i /etc/init/serial.conf
yum -y reinstall initscripts
This worked and /etc/rc.local was restored, after doing the "chattr -i /etc/init/serial.conf" and another "yum reinstall".
Now maybe there is a difference with a yum update and yum reinstall.
Perhaps test again by going to a non-production system and do a "yum downgrade initscripts" then do the "chattr +i /etc/init/serial.conf" and watch the output of "yum -y -v update initscripts"
Or bypass that and put the configuration file into your satellite server under a configuration channel you create, and if there's a difference, redeploy it. If you have no satellite server, make a backup and redeploy if needed, or the method you and Tom spoke of with the ".override" file...
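The check-and-remove step the thread talks about (scan /etc/securetty for ttyS* entries, strip them, and detect whether they came back), as an added example that is not code from any poster. The function names, the `CHANGED` variable and the sample file in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit and clean serial console
# entries in a securetty file. Names here are illustrative assumptions.

SERIAL_RE='^[[:space:]]*ttyS[0-9][0-9]*[[:space:]]*$'

# Print each serial console entry (ttyS0, ttyS1, ...) present in the file.
# Comment lines and other devices (console, tty1, vc/1, ...) are ignored.
list_serial_ttys() {
    sed -n "/$SERIAL_RE/{s/[[:space:]]//g;p;}" "${1:-/etc/securetty}"
}

# Remove serial console entries from the file.
# Returns 0 if the file is clean afterwards, 1 if it could not be written
# (for example it is immutable), 2 if it is missing or unreadable.
# CHANGED is set to yes only when entries were actually removed, so a CM
# run or a post-reboot check can report drift.
strip_serial_ttys() {
    file="${1:-/etc/securetty}"
    CHANGED=no
    [ -r "$file" ] || return 2
    if [ -z "$(list_serial_ttys "$file")" ]; then
        return 0                      # already compliant, nothing to write
    fi
    tmp="$(mktemp)" || return 1
    sed "/$SERIAL_RE/d" "$file" > "$tmp"
    # Write through the existing inode (cat, not mv) so owner, mode and
    # SELinux context are kept.
    if cat "$tmp" > "$file"; then
        CHANGED=yes
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Demonstration on a constructed sample file, never on the real one.
demo() {
    sample="$(mktemp)"
    printf 'console\ntty1\nttyS0\n  ttyS1 \nvc/1\n' > "$sample"
    echo "serial entries before: $(list_serial_ttys "$sample" | tr '\n' ' ')"
    strip_serial_ttys "$sample" && echo "changed=$CHANGED"
    cat "$sample"
    rm -f "$sample"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Running `list_serial_ttys` again after a reboot shows whether the upstart serial job has put an entry back.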
