Bug: unable to use override to disable module #208

Closed
ekelson-bcove opened this issue Apr 23, 2018 · 10 comments
@ekelson-bcove
Contributor

ekelson-bcove commented Apr 23, 2018

Bug: node.override['os-hardening']['components'][package] does not work.

How to reproduce:
node.override['os-hardening']['components']['login_defs'] = false should result in no alteration of /etc/login.defs. When attempted, login_defs.rb is still executed.

Suspected issue:
https://github.com/dev-sec/chef-os-hardening/blob/master/recipes/default.rb#L31-L33
The setting of the components state should occur in the attribute file so you can override them.

@ekelson-bcove
Contributor Author

opened #209 to fix

@artem-sidorenko
Member

This is strange, even before #209 it should work with overrides. I'll try to reproduce it

@artem-sidorenko artem-sidorenko self-assigned this Jun 28, 2018
@artem-sidorenko
Member

@ekelson-bcove can you maybe elaborate a bit on how you were setting the override value? Was it in some wrapper cookbook? In some recipe or in the attribute file?

@ekelson-bcove
Contributor Author

I was using a wrapper cookbook. Attributes should be defined in the attribute file anyway (proper pattern). I was unable to successfully override the value, even with node.override...

example:

```ruby
node.override['os-hardening']['network']['ipv6']['enable'] = true

# ENV
node.override['os-hardening']['env']['umask'] = '027'

# AUTH

node.override['os-hardening']['auth']['pw_max_age'] = 90
node.override['os-hardening']['auth']['pw_min_age'] = 2
node.override['os-hardening']['auth']['retries'] = 10
node.override['os-hardening']['auth']['lockout_time'] = 600
node.override['os-hardening']['auth']['timeout'] = 60
node.override['os-hardening']['components']['pam'] = false
node.override['os-hardening']['auth']['maildir'] = '/var/spool/mail'

# Security
node.override['os-hardening']['security']['kernel']['enable_module_loading'] = true

include_recipe 'os-hardening'
```

@artem-sidorenko
Member

@ekelson-bcove thanks!

> Attributes should be defined in the attribute file anyway (proper pattern)

Usually yes, I totally agree. However, there are also some edge cases which force you to use recipes for this purpose.

I can't really reproduce this behaviour, please see this repository for my test environment. What I see, it basically works as expected:

```
$ kitchen converge centos
...
       Transferring files to <default-centos-7>
       Starting Chef Client, version 14.1.1
       resolving cookbooks for run list: ["test1"]
       Synchronizing Cookbooks:
         - test1 (0.0.1)
         - test2 (0.0.1)
       Installing Cookbook Gems:
       Compiling Cookbooks...
       Processing attributes from test2 cookbook      <----------------------
       Processing attributes from test1 cookbook       <----------------------
       Processing recipes from test1 cookbook           <----------------------
       Processing recipes from test2 cookbook           <----------------------
       value at compile time - override value from attribute file of test1 cookbook      <----------------------
       Converging 1 resources
       Recipe: test2::default
         * ruby_block[display value at run time] action runvalue at runtime - override value from attribute file of test1 cookbook       <----------------------

           - execute the ruby block display value at run time

       Running handlers:
       Running handlers complete
       Chef Client finished, 1/1 resources updated in 01 seconds
       Downloading files from <default-centos-7>
       Finished converging <default-centos-7> (0m4.03s).
-----> Kitchen is finished. (0m6.08s)
```

  • Evaluation order of attributes and recipes looks to me as expected
  • In the end I see the override attribute I configured in the attributes of the first cookbook. The same works for me when setting the override attribute directly in the recipe of the test1 cookbook

I'll now try to add the os-hardening 3.0.0 cookbook to this test setup and see how it behaves with your settings
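
Added example (not part of the thread and not code from the cookbook): a simplified Ruby model of Chef's attribute precedence levels, showing why an override written in a wrapper recipe survives a later default-level write in the included recipe, and what kind of later write would mask it. The class `ModelNode`, both scenarios and the source labels are constructed for illustration; the `automatic` level and role/environment sources are left out.

```ruby
# Simplified model of Chef attribute precedence (not Chef's own code).
# Levels resolve lowest to highest; within one level the last write wins.
LEVELS = %i[default force_default normal override force_override].freeze

class ModelNode
  def initialize
    @store = LEVELS.to_h { |lvl| [lvl, {}] }
    @log = []
  end

  # Record a write such as node.override['os-hardening']['components']['pam'] = false
  def set(level, path, value, source)
    raise ArgumentError, "unknown level #{level}" unless @store.key?(level)
    @store[level][path] = value
    @log << [level, path, value, source]
  end

  # Effective value: taken from the highest precedence level that holds the path.
  def resolve(path)
    LEVELS.reverse_each { |lvl| return @store[lvl][path] if @store[lvl].key?(path) }
    nil
  end

  # The write that decided the effective value, for auditing what was applied.
  def winner(path)
    lvl = LEVELS.reverse.find { |l| @store[l].key?(path) }
    lvl && @log.reverse.find { |l, p, _, _| l == lvl && p == path }
  end
end

PAM = %w[os-hardening components pam].freeze

# Constructed scenario A: the wrapper recipe overrides, then the included
# recipe writes the same key at default level (the pattern the issue suspects).
def scenario_default_in_recipe
  n = ModelNode.new
  n.set(:default, PAM, true, 'os-hardening attributes file')
  n.set(:override, PAM, false, 'wrapper recipe')
  n.set(:default, PAM, true, 'os-hardening recipe')
  n
end

# Constructed scenario B: a later write at override level masks the wrapper's value.
def scenario_later_override
  n = scenario_default_in_recipe
  n.set(:override, PAM, true, 'later recipe (hypothetical)')
  n
end
```

In this model only a later write at the same or a higher level changes the outcome, so when a hardening component appears to ignore an override, the level and origin of every write to that key are the things to check.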

@artem-sidorenko
Member

@ekelson-bcove I added os-hardening to this test setup and tried it with IPv6 (please see the branch os-hardening); overriding works fine for me for both attributes and recipes. Can you please have a look? I guess something here is different from your setup

@ekelson-bcove
Contributor Author

ekelson-bcove commented Jun 29, 2018 via email

@artem-sidorenko
Member

@ekelson-bcove I'm closing this: I could not reproduce it. Nevertheless, PR #209 is merged. Feel free to reopen if needed

@ekelson-bcove
Contributor Author

ekelson-bcove commented Jul 17, 2018 via email

@f0rkz

f0rkz commented May 18, 2020

I confirm this... Overrides don't seem to work. This is super strange.
