prevent overwrite of GRUB_CMDLINE_LINUX
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
charm-sysconfig | Fix Released | Undecided | Unassigned | |
Bug Description
In the template file src/templates/
This causes issues for CIS hardening as rule 1.7.1.2 (Ensure AppArmor is enabled in the bootloader configuration) adds apparmor parameters to GRUB_CMDLINE_LINUX in /etc/default/grub.
Once update-grub is run after a sysconfig charm installation is complete, the CIS change is lost.
src/templates/
{% if grub_default is defined and grub_default -%}
GRUB_DEFAULT="{{ grub_default }}"
{% endif -%}
GRUB_CMDLINE_

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=
GRUB_TERMINAL=
/etc/default/grub after CIS hardening:
# Uncomment to get a beep at grub start
#GRUB_INIT_
GRUB_CMDLINE_
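A check for the regression described above, as an added example that is not code from charm-sysconfig or from any CIS tooling. It assumes the CIS rule's parameters are `apparmor=1 security=apparmor` and that the files are passed in the order update-grub sources them (`/etc/default/grub`, then `/etc/default/grub.d/*.cfg`); the function names and sample files are constructed for illustration.

```shell
# Added example, not code from charm-sysconfig. Sample values are constructed.
# Print the GRUB_CMDLINE_LINUX left after sourcing FILE... in order (last assignment
# wins). Sourcing executes the files: pass only trusted paths that contain a "/".
effective_cmdline() (
    GRUB_CMDLINE_LINUX=
    for f in "$@"; do
        if [ -r "$f" ]; then . "$f"; fi
    done
    printf '%s\n' "$GRUB_CMDLINE_LINUX"
)

# Succeed only if both AppArmor parameters (assumed values) appear as whole words.
has_apparmor_params() {
    case " $1 " in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case " $1 " in *" security=apparmor "*) ;; *) return 1 ;; esac
}

# Print each file after the first that assigns GRUB_CMDLINE_LINUX without
# expanding its previous value, discarding what earlier files set.
overwriters() {
    if [ "$#" -gt 0 ]; then shift; fi
    for f in "$@"; do
        if grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX=' "$f" 2>/dev/null |
            grep -qvE '\$\{?GRUB_CMDLINE_LINUX([^_A-Za-z0-9]|$)'; then
            printf '%s\n' "$f"
        fi
    done
}

# Return 0 when the effective value keeps the AppArmor parameters;
# otherwise report the value and the files that overwrote it, and return 1.
audit_grub_cmdline() {
    cmdline=$(effective_cmdline "$@")
    if has_apparmor_params "$cmdline"; then
        printf 'OK: GRUB_CMDLINE_LINUX="%s"\n' "$cmdline"
    else
        printf 'FAIL: GRUB_CMDLINE_LINUX="%s"\n' "$cmdline"
        overwriters "$@" | sed 's/^/  overwritten by: /'
        return 1
    fi
}

# Constructed sample files: hardened base, an overwriting drop-in, an appending drop-in.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"' > "$d/grub"
    printf '%s\n' 'GRUB_CMDLINE_LINUX=""' > "$d/overwrite.cfg"
    printf '%s\n' 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX console=ttyS0"' > "$d/append.cfg"
    printf '%s\n' "$d"
}
```

On a host, `audit_grub_cmdline /etc/default/grub /etc/default/grub.d/*.cfg` run after a charm deployment shows whether the hardening parameters would survive the next update-grub.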
Related branches
- Xav Paice (community): Approve
- 🤖 prod-jenkaas-bootstack (community): Approve (continuous-integration)
- BootStack Reviewers: Pending requested
Diff: 12 lines (+0/-1), 1 file modified: src/templates/grub.j2 (+0/-1)
Changed in charm-sysconfig:
status: New → Fix Released
Changed in charm-sysconfig:
milestone: none → 22.04
Fix proposed in MR: https://code.launchpad.net/~bcarbone/charm-sysconfig/+git/charm-sysconfig/+merge/417994