Actions
Bug #25875
openCIS Debian11 section 6.2 enforce : Repair loop on 6.2.1.2.3 and 6.2.1.2.4
Status:
New
Priority:
N/A
Assignee:
-
Target version:
-
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No
Description
In enforce mode, we seem to have a “repair loop” between 6.2.1.2.3 and 6.2.1.2.4.
At every run of the agent, we get :
E| repaired cis_debian11_srv_1 Ensure systemd-journal-u| systemd-journal-u| Ensure that service systemd-journal-upload is running was repaired [...] E| repaired cis_debian11_srv_1 Ensure service systemd-j| systemd-journal-r| Ensure service systemd-journal-remote is disabled at boot was repaired
Files
Updated by Michel BOUISSOU about 1 month ago · Edited
Not a true repair loop : both issues are independent :
- 6.2.1.2.3 keeps being repaired because it dies if the remote URL has not been configured
- But this configuration depends on 6.2.1.2.2 which is a manual item
- So we practically cannot enforce 6.2.1.2.3 properly if 6.2.1.2.2 has not previously been manually done.
- 6.2.1.2.4 :
- The systemd-journal-remote is not a classical started/stopped enabled/disabled service, but an indirect service that relies upon a socket to be triggered.
- “systemctl disable” has no influence on this, and I guess the Rudder method “service_disabled” neither
root@lab_test_2_zgent2:~# systemctl status systemd-journal-remote ● systemd-journal-remote.service - Journal Remote Sink Service Loaded: loaded (/lib/systemd/system/systemd-journal-remote.service; indirect; vendor preset: disabled) Active: inactive (dead) TriggeredBy: ● systemd-journal-remote.socket Docs: man:systemd-journal-remote(8) man:journal-remote.conf(5) root@lab_test_2_zgent2:~# systemctl is-enabled systemd-journal-remote indirect root@lab_test_2_zgent2:~# systemctl disable systemd-journal-remote root@lab_test_2_zgent2:~# systemctl is-enabled systemd-journal-remote indirect
Actions