RFE: option to hold kernel version, boot priority and package

Bug #1960261 reported by Mark Cunningham
Affects           Status  Importance  Assigned to  Milestone
Landscape Server  New     Undecided   Unassigned

Bug Description

A client is requesting a way in Landscape to not just hold a specific kernel version as an installed package, but also to hold a specific kernel version as the primary boot option.

The requirement the client is dealing with is that the kernel version (both installed and running) needs to not be changed or updated in a way that would allow the machine to boot into an unapproved kernel, until such time as a new version was approved by the client's security team.

Initially, the suggestion was to have the client use a package profile to ensure that the desired kernel was installed, and then to use a script within Landscape to modify the /etc/default/grub configuration file to specify the *approved* kernel version as the default boot option.

The package profile to ensure the kernel was installed is currently working as intended. However, the suggested script to modify the /etc/default/grub configuration file does not work, as the client is using the CIS hardening profile. The CIS profile adds the noexec mount option to /tmp and /var/tmp. This effectively prevents all script execution from Landscape, as the scripts are run by the landscape-client from /tmp.

The request here is twofold.

1. Have a mechanism in Landscape to lock both a kernel package version, and kernel boot priority, to ensure that a specified kernel is installed and set as the default boot option.

2. Alternatively, have a way to execute scripts from outside of /tmp to work around the case where /tmp does not allow script execution.

The suggested workaround, an environment variable override for TMPDIR in the landscape-client systemd service configuration, is being explored, but has not yet been approved by the client's security team.
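As an added illustration (not code from this bug report or from Landscape itself), the two checks the report's approach depends on can be scripted: rewriting GRUB_DEFAULT in an /etc/default/grub-style file so an approved kernel becomes the default menu entry, and detecting whether a mount point such as /tmp carries the noexec option that blocks landscape-client scripts. The kernel version, the file paths and the "Advanced options for Ubuntu>..." entry format are assumptions; update-grub must still be run afterwards on a real system.

```shell
#!/bin/sh
# Added example, not part of the bug report or of landscape-client.
# Assumes an Ubuntu-style GRUB layout where per-kernel entries live under
# the "Advanced options for Ubuntu" submenu, addressed with ">" separators.
set -eu

# Return 0 when mount point $1 is mounted with noexec, 1 otherwise.
# $2 is the mounts table to read (defaults to /proc/mounts; tests pass a
# constructed file).
mount_is_noexec() {
    mnt="$1"
    mounts_file="${2:-/proc/mounts}"
    awk -v m="$mnt" '
        $2 == m && $4 ~ /(^|,)noexec(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }' "$mounts_file"
}

# Set GRUB_DEFAULT in the /etc/default/grub-style file $1 so that the kernel
# version $2 (e.g. "5.4.0-100-generic", a placeholder here) is the default
# boot entry. Existing GRUB_DEFAULT lines are replaced; other settings are
# left untouched. Works via a temp file so it does not depend on sed -i.
set_grub_default() {
    grub_file="$1"
    kver="$2"
    entry="Advanced options for Ubuntu>Ubuntu, with Linux ${kver}"
    tmp="$(mktemp)"
    if grep -q '^GRUB_DEFAULT=' "$grub_file"; then
        sed "s|^GRUB_DEFAULT=.*|GRUB_DEFAULT=\"${entry}\"|" "$grub_file" > "$tmp"
    else
        cat "$grub_file" > "$tmp"
        printf 'GRUB_DEFAULT="%s"\n' "$entry" >> "$tmp"
    fi
    cat "$tmp" > "$grub_file"
    rm -f "$tmp"
}

# Print the current GRUB_DEFAULT value from file $1, with surrounding quotes
# stripped, so the result of set_grub_default can be verified.
get_grub_default() {
    sed -n 's/^GRUB_DEFAULT="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1"
}
```

On a hardened host the noexec check is the one to run first: if /tmp is noexec, a Landscape-delivered script that calls set_grub_default will never start, which is exactly the failure this report describes.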

information type: Proprietary → Public
