Fix bash remediation for sysctl template

The remediation breaks systemd-sysctl when executed multiple times. On first run, settings are correctly added to /etc/sysctl.conf and loaded by systemd-sysctl via the symlink /etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf. On second run, the same settings are commented out in /etc/systcl.d/99-sysctl.conf, replacing the symlink with a copy of the file. Although the settings are again added to /etc/sysctl.conf, these are not loaded by systemd-sysctl due to the broken link. Fixes https://bugs.launchpad.net/usg/+bug/2056150
ComplianceAsCode · Mar 11, 2024 · c3dabe6 · c3dabe6
1 parent 6b2df2c
commit c3dabe6
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
@@ -12,12 +12,16 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.con
 {{% else %}}
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
 {{% endif %}}
+
+  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
+  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi
+
   matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
       escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
       # comment out "{{{ SYSCTLVAR }}}" matches to preserve user data
-      sed -i "s/^${escaped_entry}$/# &/g" $f
+      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
     done <<< "$matching_list"
   fi
 done