diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index fc4738dd91b..0c770c62713 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -834,8 +834,10 @@ The selected value can be changed in the profile (consult the actual variable fo sysctl configurations: - /etc/sysctl.conf - /etc/sysctl.d/\*.conf + - /lib/sysctl.d/\*.conf (does not apply to Fedora, RHEL and OL) - /run/sysctl.d/\*.conf - - /usr/lib/sysctl.d/\*.conf (does not apply to RHEL and OL) + - /usr/local/lib/sysctl.d/\*.conf (only if SLE) + - /usr/lib/sysctl.d/\*.conf (does not apply to Fedora, RHEL and OL) A sysctl option is allowed to be defined in more than one file within the scanned directories as long as those values are compliant. @@ -862,8 +864,13 @@ The selected value can be changed in the profile (consult the actual variable fo in the OVAL check, but won't be used in the remediations. All remediations will use an XCCDF value instead. - - **wrong_sysctlval_for_testing** - the value that is always wrong. This - will be used in templated test scenarios when **sysctlval** is a list. + - **correct_sysctlval_for_testing** - the value that is always correct. + This will be used in templated test scenarios when **sysctlval** is a + list or comes from variable. + + - **wrong_sysctlval_for_testing** - the value that is always wrong. + This will be used in templated test scenarios when **sysctlval** is a + list or comes from variable. - **missing_parameter_pass** - if set to `true` the check will pass if the setting for the given **sysctlvar** is not present in sysctl 
@@ -1114,6 +1121,18 @@ escape_regex some regular expression, behaves similar to the Python 3’s [**re.escape**](https://docs.python.org/3/library/re.html#re.escape). +escape_regex_all +- Escapes characters in the string for it to be usable as a part of + some regular expression. + Escape all but unprintable and **\w**. + [**re.escape**](https://docs.python.org/3/library/re.html#re.escape). + +escape_regex_sq +- Escapes characters in the string for it to be usable as a part of + some regular expression. + Use `.` -> `[.]` style escape method. And `^` is replaced with `\^'. + Escape all but unprintable and **\w**. + escape_yaml_key - Escape uppercase letters and `^` with additional `^` and convert letters to lovercase. This is because of OVAL's name argument limitations. diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml index 45825e0e9f6..b268295e6c2 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml @@ -6,8 +6,9 @@ {{{ ansible_instantiate_variables("rsyslog_remote_loghost_address") }}} - name: "Set rsyslog remote loghost" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/rsyslog.conf - regexp: "^\\*\\.\\*" + regexp: >- + ^\*\.\*[ \\t]+(?:@|\:omrelp\:) line: "*.* @@{{ rsyslog_remote_loghost_address }}" create: yes diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh index b80e47d30b3..f703c5a9e0b 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh 
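Review bot: The new `regexp: >-` folded scalar passes its text to Python `re` with backslashes untouched, so `[ \\t]` is a character class of space, backslash and the letter `t`, not space-or-tab; a `*.*<TAB>@@host` line would not match and lineinfile would append a second forwarding entry instead of rewriting the existing one. The previous double-quoted form relied on YAML unescaping, which a block scalar does not perform, and the bash and OVAL counterparts in this same commit spell the class with a single `\t`. Change the pattern line to `^\*\.\*[ \t]+(?:@|\:omrelp\:)`. Note also that lineinfile rewrites only the last matching line, so any further forwarding entries in /etc/rsyslog.conf are left as they are.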
@@ -2,4 +2,11 @@ {{{ bash_instantiate_variables("rsyslog_remote_loghost_address") }}} -{{{ bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', "@@$rsyslog_remote_loghost_address", '%s %s') }}} +{{{ bash_replace_or_append( + '/etc/rsyslog.conf', + '*.*', + "@@${rsyslog_remote_loghost_address}", + '%s %s', + key_regex='^\*\.\*[ \t]\+(@|\:omrelp\:)', + word_boundary='', +) }}} diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml index 0fdd24e18c2..c881574bcb8 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set remote_rx = "^\*\.\*[ \t]+(?:@|\:omrelp\:)" -%}} {{{ oval_metadata("Syslog logs should be sent to a remote loghost") }}} @@ -33,14 +34,14 @@ /etc/rsyslog.conf - ^\*\.\*[\s]+(?:@|\:omrelp\:) + {{{ remote_rx }}} 1 /etc/rsyslog.d ^.+\.conf$ - ^\*\.\*[\s]+(?:@|\:omrelp\:) + {{{ remote_rx }}} 1 diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml index 94815148334..a425bfdf867 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Configure Accepting Router Advertisements on All IPv6 Interfaces' 
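Review bot: `key_regex='^\*\.\*[ \t]\+(@|\:omrelp\:)'` mixes regex dialects: `\+` is the GNU BRE one-or-more, but in BRE `(`, `|` and `)` are literal characters, whereas in ERE the group is live but `\+` is a literal plus. Which reading applies depends on how bash_replace_or_append evaluates key_regex (not in view), but under either GNU dialect the pattern cannot match a real `*.* @@host` or `*.* :omrelp:host` line, so the existing entry would be appended to rather than replaced; only a PCRE-style engine would accept it as written. If the macro uses grep/sed BRE, the consistent form is `key_regex='^\*\.\*[ \t]\+\(@\|\:omrelp\:\)'`. A test scenario with a pre-existing `*.* @@old-host` line would pin this down.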
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
index 67ba7b2236a..d8003f1ec09 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: sle12,sle15
+prodtype: fedora,sle12,sle15
 title: 'Disable Kernel Parameter for IPv6 Forwarding by default'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
index a75bcc616d7..261af9aea5e 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: rhel7,rhel8,rhel9
+prodtype: fedora,rhel7,rhel8,rhel9
 title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index e3b2b18f03e..2e6e722ebb5 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -87,7 +87,7 @@ template: name: sysctl vars: sysctlvar: net.ipv4.conf.all.rp_filter - {{% if 'ol' in product or 'rhel' in product %}} + {{% if product in ['fedora'] or 'ol' in product or 'rhel' in product %}} sysctlval: - '1' - '2' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh index 583b70a3b97..ee9e6a74d3a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh @@ -1,8 +1,7 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh index ef545976dc6..d0c43416c74 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh 
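Review bot: `product in ['fedora']` is a one-element membership test; `{{% if product == 'fedora' or 'ol' in product or 'rhel' in product %}}` says the same thing more directly and reads consistently next to the two tests that follow it. The identical form is introduced in the sysctl_kernel_kptr_restrict rule.yml hunk further down, so both should change together. If the list is meant to grow, a short comment naming the products that accept the `1`/`2` pair would make that intent visible.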
@@ -1,8 +1,7 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh index d02cf11f072..7b33847679a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf echo "net.ipv4.conf.default.accept_source_route = 1" >> /run/sysctl.d/run.conf diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml index e5bb4813841..2d9134927aa 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml 
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml @@ -4,7 +4,7 @@ prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 title: 'Set Kernel Parameter to Increase Local Port Range' -description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value="32768 65535") }}}' +description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value=xccdf_value("sysctl_net_ipv4_ip_local_port_range_value")) }}}' rationale: |- This setting defines the local port range that is used by TCP and UDP to @@ -23,13 +23,12 @@ identifiers: references: anssi: BP28(R22) -{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value="32768 65535") }}} +{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value=xccdf_value("sysctl_net_ipv4_ip_local_port_range_value")) }}} template: name: sysctl vars: sysctlvar: net.ipv4.ip_local_port_range datatype: string - sysctlval: 32768 65535 - operation: pattern match - sysctlval_regex: '32768\s*65535' + correct_sysctlval_for_testing: 32768 65535 + wrong_sysctlval_for_testing: 48000 60000 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range_value.var new file mode 100644 index 00000000000..349b8879d3d --- /dev/null +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range_value.var 
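Review bot: Dropping `operation: pattern match` / `sysctlval_regex: '32768\s*65535'` in favour of a value taken from the new `sysctl_net_ipv4_ip_local_port_range_value` variable (declared with `operator: equals`) makes the check whitespace-sensitive: the old regex tolerated any blanks between the two numbers, whereas a plain string comparison against `32768 65535` would presumably reject `net.ipv4.ip_local_port_range = 32768<TAB>65535` or double spaces, both of which the kernel accepts, and the runtime value read back from the kernel is itself tab-separated. I cannot see how the sysctl template turns a string variable into the OVAL pattern, so confirm it normalises blanks; if it does not, the pattern-match form should stay or the template needs an escape that emits `\s+` between tokens. A `correct_value_tab_separated.pass.sh` scenario would make this visible in CI.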
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: net.ipv4.ip_local_port_range
+
+description: |-
+ Configure the local port range that is used by TCP and UDP to choose the
+ local port. First number is start of range and last number is last of range.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ default: 32768 65535
+ fedora: 32768 60999
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml
index 59462471b30..86aaf669d5f 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle15
+prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle15
 title: 'Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
index f62f1616f2c..25ecaf57f45 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15
 title: 'Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces'
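Review bot: The description's `First number is start of range and last number is last of range.` is awkward; suggest `The first number is the start of the range and the second number is its end (inclusive).`. Because the variable is `interactive: true` with `type: string`, nothing in the definition constrains the value to two ascending integers, and a malformed value would presumably be written into the sysctl configuration by the remediation and only rejected when the kernel loads it, so a short sentence stating the expected `START END` format would help whoever sets it. A `sysctl_net_ipv4_ip_local_port_range_value` option for the Fedora kernel default (`32768 60999`) is sensible, but the rule title still promises an "increase" of the range, which the variable no longer guarantees.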
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml index 367934b5672..2af92dd3407 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml @@ -69,7 +69,7 @@ template: name: sysctl vars: sysctlvar: kernel.kptr_restrict - {{% if 'ol' in product or 'rhel' in product %}} + {{% if product in ['fedora'] or 'ol' in product or 'rhel' in product %}} sysctlval: - '1' - '2' diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh index 70189666c16..ba7cb328bcb 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh @@ -1,8 +1,7 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh index 209395fa9a1..3478c09fffb 100644 
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh @@ -1,8 +1,7 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml index e369854060b..66023baffe8 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml @@ -13,7 +13,7 @@ rationale: |- severity: medium -{{% if product in ["rhel9"] %}} +{{% if product in ["fedora", "rhel9"] %}} conflicts: - sysctl_kernel_core_pattern_empty_string {{% endif %}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml deleted file mode 100644 index f4dc5110fee..00000000000 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -# platform = multi_platform_all -# reboot = true -# strategy = disable -# complexity = low -# disruption = medium -- name: List /etc/sysctl.d/*.conf files - find: - paths: - - /etc/sysctl.d/ - - /run/sysctl.d/ - contains: ^[\s]*kernel.core_pattern.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d - -- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf - files - replace: - path: '{{ item.path }}' - regexp: ^[\s]*kernel.core_pattern - replace: '#kernel.core_pattern' - loop: '{{ find_sysctl_d.files }}' - -- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files - replace: - path: /etc/sysctl.conf - regexp: '^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)' - replace: '#kernel.core_pattern\1' - -- name: Ensure sysctl kernel.core_pattern is set to empty - sysctl: - name: kernel.core_pattern - value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces - state: present - reload: true diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh deleted file mode 100644 index 2b2f1cd70b6..00000000000 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh +++ /dev/null 
@@ -1,53 +0,0 @@ -# platform = multi_platform_all -# reboot = true -# strategy = disable -# complexity = low -# disruption = medium - -# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.core_pattern" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set runtime for kernel.core_pattern -# -/sbin/sysctl -q -n -w kernel.core_pattern="" - -# -# If kernel.core_pattern present in /etc/sysctl.conf, change value to empty -# else, add "kernel.core_pattern =" to /etc/sysctl.conf -# -# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. -# Otherwise, regular sed command will do. -sed_command=('sed' '-i') -if test -L "/etc/sysctl.conf"; then - sed_command+=('--follow-symlinks') -fi - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s=" "$stripped_key" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" -else - # \n is precaution for case where file ends without trailing newline - - printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" -fi 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
deleted file mode 100644
index e06965cab38..00000000000
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
+++ /dev/null
@@ -1,212 +0,0 @@ - - - - - {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - - - - - - - - - - {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}} - - - - - - - - - - - - kernel.core_pattern - - - - - - - - - - {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.") }}} - - - - - - - - - - - - - - - - - - - - - - - - - - - -{{% if target_oval_version >= [5, 11] %}} - - - - - - - local_var_sysctl_kernel_core_pattern_empty_string_counter - - - - 1 - - - - - - - - - - - - - object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered - state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink - - - - - - - - - - - - - - - - - - var_obj_symlink_sysctl_kernel_core_pattern_empty_string - var_obj_blank_sysctl_kernel_core_pattern_empty_string - - - - - local_var_blank_path_sysctl_kernel_core_pattern_empty_string - - - - - - - - local_var_symlinks_sysctl_kernel_core_pattern_empty_string - - - - - - - - - - - - - state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string - - - - - ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ - -{{% endif %}} - - - - - - - - object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string - object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string - - - - - - object_static_sysctl_sysctl_kernel_core_pattern_empty_string - object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string - - - - - - object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string - - - - - /etc/sysctl.conf - ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ - 1 - - - - /etc/sysctl.d - ^.*\.conf$ - ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ - 1 - - - - /run/sysctl.d - ^.*\.conf$ - 
^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ - 1 - - - - - - diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml index 2babb28e361..a5384bc1e55 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel9 +prodtype: fedora,rhel9 title: 'Disable storing core dumps' @@ -43,3 +43,10 @@ ocil: | kernel.core_pattern = $ platform: machine + +template: + name: sysctl + vars: + sysctlvar: kernel.core_pattern + sysctlval: "" + datatype: string diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh index 71f0f5db142..cfdda40559e 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh index b6688e6ca91..bcc639a5f32 100644 
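Review bot: `sysctlval: ""` hands an empty string to the sysctl template, while the hand-written Ansible remediation this commit deletes carried a comment that the Ansible sysctl module does not accept an empty value and worked around it with `value: ' '`; confirm that the template's Ansible path (not in view) handles an empty `sysctlval`, otherwise the Ansible remediation for this rule regresses. The deleted OVAL also captured the configured value with `(.*)` and compared it against empty, and inspected /run/sysctl.d and symlinked config files; the retained wrong_value_d_directory, wrong_value_runtime and wrong_value_three_entries scenarios cover part of that, so the CI run on this rule is what shows whether the template's empty-value handling is equivalent. A comment above the block, e.g. `# empty value on purpose: an empty kernel.core_pattern disables core-dump storage; the sysctl template must accept ""`, would record the intent for the next reader.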
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern= " >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh index 1c5fabcc136..89825157bb3 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh index 6c574b92762..a70d26885b1 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh 
@@ -1,6 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* + +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/98-sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh index 8c729677b86..20d1f8984c8 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh index e56e927ec56..ded9a4d527a 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh index 6c065b1e038..086876f7971 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml index 05535b7b54f..21283c87c27 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml @@ -32,7 +32,9 @@ references: fixtext: |- Configure {{{ full_name }}} to only allow root to do kernel profiling. - {{{ fixtext_sysctl(sysctl="kernel.perf_event_paranoid", value="2") | indent(4) }}} + {{{ fixtext_sysctl(sysctl="kernel.perf_event_paranoid", value=xccdf_value("sysctl_kernel_perf_event_paranoid_value")) | indent(4) }}} + If value is "3" and supported by kernel version, then disallowed all + unprivileged perf event use. srg_requirement: '{{{ full_name }}} must prevent kernel profiling by unprivileged users.' @@ -42,5 +44,8 @@ template: name: sysctl vars: sysctlvar: kernel.perf_event_paranoid - sysctlval: '2' + sysctlval: + - '2' + - '3' datatype: int + wrong_sysctlval_for_testing: '0' 
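Review bot: The `template:` hunk makes the OVAL check accept only `'2'` and `'3'`, while the new `sysctl_kernel_perf_event_paranoid_value.var` (next file in this diff) also offers `-1`, `0` and `1`; since the fixtext now reads `xccdf_value("sysctl_kernel_perf_event_paranoid_value")`, a profile selecting one of the lower options would remediate to a value the check then rejects. Consider limiting the variable's options to `2` and `3` (default `2`), or at least stating in its description that only 2 and 3 satisfy this rule. The added fixtext sentence also needs rewording, e.g. `If the value is "3" and the running kernel supports it, all unprivileged perf event use is disallowed.`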
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid_value.var new file mode 100644 index 00000000000..272f1254cbd --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid_value.var @@ -0,0 +1,45 @@ +documentation_complete: true + +title: kernel.perf_event_paranoid + +description: |- + Controls use of the performance events system by unprivileged users + (without CAP_PERFMON). The default value is 2. + + For backward compatibility reasons access to system performance monitoring + and observability remains open for CAP_SYS_ADMIN privileged processes but + CAP_SYS_ADMIN usage for secure system performance monitoring and + observability operations is discouraged with respect to CAP_PERFMON use + cases. + + -1 + Allow use of (almost) all events by all users. + Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK. + + >=0 + Disallow ftrace function tracepoint by users without CAP_PERFMON. + Disallow raw tracepoint access by users without CAP_PERFMON. + + >=1 + Disallow CPU event access by users without CAP_PERFMON. + + >=2 + Disallow kernel profiling by users without CAP_PERFMON. + + >=3 + Disallow all unprivileged perf event use. + This requires patch not yet upstreamed. + +type: number + +operator: equals + +interactive: false + +options: + -1: "-1" + 0: "0" + 1: "1" + 2: "2" + 3: "3" + default: "2" diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml index 259d1f901c6..c9f14d3fbbb 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml 
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel9 +prodtype: fedora,rhel9 title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes' diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh index b9776227bdb..17dd179a946 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh @@ -1,5 +1,4 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,multi_platform_fedora -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh index 9f19e0140b4..68ae457fbef 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh 
@@ -1,8 +1,7 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,multi_platform_fedora -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh index e976db594c8..754c6fc0cc9 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh @@ -1,8 +1,7 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,multi_platform_fedora -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh index b1537175eb4..d4e93f95399 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh 
@@ -1,8 +1,7 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,multi_platform_fedora -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml index 5905ea8d0e6..7d5d28b5785 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml @@ -15,14 +15,14 @@ - name: Set audit_tools fact set_fact: audit_tools: - {{% if 'rhel' not in product and product != 'ol8' %}}- /usr/sbin/audispd{{% endif %}} + {{% if product not in ['fedora', 'ol8'] and 'rhel' not in product %}}- /usr/sbin/audispd{{% endif %}} - /usr/sbin/auditctl - /usr/sbin/auditd - /usr/sbin/augenrules - /usr/sbin/aureport - /usr/sbin/ausearch - /usr/sbin/autrace - {{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}} + {{% if product in ['fedora', 'ol8'] or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}} - name: Ensure existing AIDE configuration for audit tools are correct lineinfile: diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh index a81e25c3950..e43219dcb4b 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh 
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh @@ -14,11 +14,11 @@ "/usr/sbin/autrace", "/usr/sbin/augenrules" ] %}} -{{% if 'rhel' not in product and product != 'ol8' %}} +{{% if product not in ['fedora', 'ol8'] and 'rhel' not in product %}} {{% set auditfiles = auditfiles + ["/usr/sbin/audispd"] %}} {{% endif %}} -{{% if product == 'ol8' or 'rhel' in product %}} +{{% if product in ['fedora', 'ol8'] or 'rhel' in product %}} {{% set auditfiles = auditfiles + ["/usr/sbin/rsyslogd"] %}} {{% endif %}} diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml index 63f3177a27b..b68ea3ee836 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml @@ -8,10 +8,10 @@ - {{% if 'rhel' not in product and product != 'ol8' %}} + {{% if product not in ['fedora', 'ol8'] and 'rhel' not in product %}} {{% endif %}} - {{% if product == 'ol8' or 'rhel' in product %}} + {{% if product in ['fedora', 'ol8'] or 'rhel' in product %}} {{% endif %}} @@ -19,10 +19,10 @@ - {{% if 'rhel' not in product and 'ubuntu' not in product and product != 'ol8' %}} + {{% if product not in ['fedora', 'ol8'] and 'rhel' not in product and 'ubuntu' not in product %}} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 {{% else %}} - p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512 + ^p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512$ {{% endif %}} diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh index 1a1ab8aedd1..5f751bee542 100644 
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh @@ -1,8 +1,7 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# packages = aide - -yum -y install aide aide --init diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh index 769deaa4fbe..f80f6fd52d3 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh @@ -1,12 +1,11 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel - -yum -y install aide +# packages = aide declare -a bins bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd') for theFile in "${bins[@]}" do - echo "$theFile p+i+n+u+g+s+b+acl+selinux+xattrs+sha5122" >> /etc/aide.conf + echo "$theFile p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf done diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh new file mode 100644 index 00000000000..692a60d0e10 --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh 
@@ -0,0 +1,11 @@ +#!/bin/bash +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# packages = aide + +declare -a bins +bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd') + +for theFile in "${bins[@]}" +do + echo "$theFile p+i+n+u+g+s+b+acl+selinux+xattrs+sha5122" >> /etc/aide.conf +done diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh index 868a3d2b37a..65bf851237c 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh @@ -1,8 +1,7 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# packages = aide - -yum -y install aide aide --init declare -a bins diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile index 42a17b419a2..e409b7c860a 100644 --- a/products/fedora/profiles/ospp.profile +++ b/products/fedora/profiles/ospp.profile @@ -44,6 +44,7 @@ selections: - sysctl_user_max_user_namespaces - sysctl_kernel_dmesg_restrict - sysctl_kernel_perf_event_paranoid + - sysctl_kernel_perf_event_paranoid_value=2 - sysctl_kernel_unprivileged_bpf_disabled - sysctl_net_core_bpf_jit_harden - sysctl_kernel_core_pattern diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index e6abd0a2fae..92f08808293 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja 
@@ -272,7 +272,7 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo To configure the system to prevent the {{{ module }}} kernel module from being loaded, add the following line to the file /etc/modprobe.d/{{{ module }}}.conf:
install {{{ module }}} /bin/true
- {{% if product in ["ol7", "ol8", "rhel7", "rhel8"] %}} + {{% if product in ["fedora", "ol7", "ol8", "rhel7", "rhel8"] %}} To configure the system to prevent the {{{ module }}} from being used, add the following line to file /etc/modprobe.d/{{{ module }}}.conf:
blacklist {{{ module }}}
@@ -977,7 +977,7 @@ Operator see #}} {{% macro rule_notapplicable_when_ovirt_installed() %}} -{{%- if product == "rhel8" %}} +{{%- if product in ["fedora", "rhel8"] %}} - no_ovirt {{%- endif %}} {{% endmacro %}} @@ -989,7 +989,7 @@ Operator see #}} {{%- macro describe_grub2_argument(arg_name_value) -%}} -{{%- if product in ["ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9"] or 'ubuntu' in product -%}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9"] or "ubuntu" in product -%}} To ensure that {{{ arg_name_value }}} is added as a kernel command line argument to newly installed kernels, add {{{ arg_name_value }}} to the default Grub2 command line for Linux operating systems. Modify the line within @@ -1067,7 +1067,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }} #}} {{%- macro aide_string() -%}} -{{%- if 'rhel' not in product and 'ubuntu' not in product and product != 'ol8' -%}} +{{%- if product not in ['fedora', 'ol8'] and 'rhel' not in product and 'ubuntu' not in product -%}} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 {{%- else -%}} p+i+n+u+g+s+b+acl+xattrs+sha512 @@ -1084,9 +1084,9 @@ p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/ausearch {{{ aide_string() }}} /usr/sbin/aureport {{{ aide_string() }}} /usr/sbin/autrace {{{ aide_string() }}} - {{% if 'rhel' not in product and product != 'ol8' %}}/usr/sbin/audispd {{{ aide_string() }}}{{% endif %}} + {{% if product not in ['fedora', 'ol8'] and 'rhel' not in product %}}/usr/sbin/audispd {{{ aide_string() }}}{{% endif %}} {{% if product == 'ol8' %}}/usr/sbin/rsyslogd {{{ aide_string() }}}{{% endif %}} - {{% if product == 'rhel9' %}}/usr/sbin/autrace {{{ aide_string() }}}{{% endif %}} + {{% if product in ['fedora', 'rhel9'] %}}/usr/sbin/autrace {{{ aide_string() }}}{{% endif %}} /usr/sbin/augenrules {{{ aide_string() }}} {{% endmacro %}} 
@@ -1120,7 +1120,7 @@ Part of the grub2_bootloader_argument(_absent) templates. {{%- else -%}} {{{ raise("Unknown action" + action) }}} {{%- endif -%}} - {{%- if product in ["rhel8", "ol8"] -%}} + {{%- if product in ["fedora", "ol8", "rhel8"] -%}} {{# Suppress the None output of append -#}} {{{ grub_helper_args.append("--env=/boot/grub2/grubenv") or "" }}} {{%- endif -%}} diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 103a1150b1b..5fcedba822d 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -1581,6 +1581,29 @@ Part of the grub2_bootloader_argument_absent template. {{%- endmacro -%}} +{{# +Ansible value containing sysctl.d directories to handle, as ansible array + +This is not about directories sysctl supports in product, but what directories +are considered managed. + +:param all_possible: boolean, default false, limit per product + +See: sysctl.conf(5) +#}} +{{%- macro ansible_sysctl_set_config_directories(all_possible=false) -%}} +{{%- set lst = ['/etc/sysctl.d', '/run/sysctl.d'] -%}} +{{% if product in [ "sle12", "sle15"] or all_possible -%}} +{{%- set lst = lst + ['/usr/local/lib/sysctl.d'] -%}} +{{%- endif -%}} +{{%- if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] or all_possible -%}} +{{%- set lst = lst + ['/usr/lib/sysctl.d'] -%}} +{{%- set lst = lst + ['/lib/sysctl.d'] -%}} +{{%- endif -%}} +{{{- lst -}}} +{{%- endmacro -%}} + + {{%- macro ansible_mount_conditional(path) -%}} '"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list' {{%- endmacro -%}} diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 44642ab1ea8..8c94f264ace 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
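Review bot: `ansible_sysctl_set_config_directories` hard-codes the same two product lists (`["sle12", "sle15"]` and `["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"]`) that `bash_sysctl_set_config_directories` in 10-bash.jinja repeats later in this diff, and the template_reference.md text describes them a third time; a single shared macro returning the Jinja list, rendered by both the Ansible and the bash wrapper, would keep the three from drifting. The `:param all_possible:` line says `limit per product`, which describes the default rather than the flag; `:param all_possible: boolean, default false; when true return every directory regardless of product` reads as intended. There is also a stray space in `[ "sle12", "sle15"]`.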
@@ -15,6 +15,50 @@ Then, assume that variables of that names are defined and contain the correct va {{%- endmacro -%}} +{{# +Escape value to be used in sed s command as regexp, all but \w is quoted:: + +Any control characters are replaced with space except \0 (null character) and +\t (horizontal tab). \0 does not work right in shell anyways (only as input +separator and there as 0 length). As hex \x01-\x08 \x0a-1f \x7f. + +There is bash_sed_escape_replacement for replacement escape. + + variable=$'q"$(foo^bar)/`rm -rf`' + {{{ bash_sed_escape_regexp("variable", "result_variable") }}} + sed -Ei "s/${result_variable}/replacement/" file + +:param variable: string, shell variable name with content to be escaped +:param result_variable: string, shell variable name where escaped content is placed + +#}} +{{%- macro bash_sed_escape_regexp(variable, result_variable) -%}} +{{#- + First weed out control characters. See: ascii(7) + Then escape other than \w and ^ with [ ]. And then ^ with \^. + And use bash replacement to remove \n. +-#}} +{{{ result_variable }}}="$(LC_ALL=C sed 's/[\x01-\x08\x0a-\x1f\x7f]/ /g;s/[^^a-zA-Z0-9_]/[&]/g;s/\^/\\^/g' <<< "{{{ "${" ~ variable ~ "}" }}}" | tr '\n' ' ')" +{{%- endmacro -%}} + + +{{# + Escape value to be used in sed s as replacement, against / and \ (like \1) + +Any control characters are replaced with space except \0 (null character) and +\t (horizontal tab). \0 does not work right in shell anyways. 
As hex \x01-\x08 +\x0a-1f \x7f + +:param variable shell: variable name with content to be escaped +:param result_variable: shell variable name where escaped content is placed +:param delim: optional delim in s expression, default '/' + +#}} +{{%- macro bash_sed_escape_replacement(variable, result_variable, delim="/") -%}} +{{{ result_variable }}}="$(LC_ALL=C sed 's/[\x01-\x08\x0a-\x1f\x7f]/ /g;s/\\/\\\\/g' <<< "{{{ "${" ~ variable }}}//\{{{ delim }}}/\\\{{{ delim ~ "}" }}}")" +{{%- endmacro -%}} + + {{# Make sure that we have a line like this in pamFile (additional options are left as-is): type control module option=valueRegexArg @@ -1488,10 +1532,15 @@ cce="{{{ cce_identifiers['cce'] }}}" :param key: Configuration option to change :param value: Value of the configuration option to change :param format: Optional argument, The printf-like format string that will be given stripped key and value as arguments, so e.g. ``%s=%s` will result in key=value substitution (i.e. without spaces around =) +:param key_regex: Optional argument, If not empty string, used as regex to match key. +:param ignore_case: boolean, Default true. +:param word_boundary: regex, Default "\>". #}} -{{%- macro bash_replace_or_append(config_file, key, value, format='%s = %s') -%}} - +{{%- macro bash_replace_or_append(config_file, key, value, format='%s = %s', key_regex='', ignore_case=true, word_boundary="\\>") -%}} +{{%- if key_regex == '' -%}} +{{%- set key_regex = key -%}} +{{%- endif -%}} # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') 
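Review bot: In `bash_sed_escape_replacement` the two escaping steps appear to run in the wrong order: the bash expansion `${variable//\//\\\/}` turns each `/` into `\/` before the here-string reaches sed, and `sed 's/\\/\\\\/g'` then doubles that backslash too, so a `/` in the input comes out as `\\/` — which sed's `s` parser reads as a literal backslash followed by the end of the replacement, breaking the command. If the expansion yields `\/` as the usual idiom does, the fix is to double backslashes first and escape the delimiter afterwards, i.e. feed `"${variable}"` to the sed pipeline unchanged and apply the `//\//\\\/` substitution to `result_variable` on a second line. `bash_sed_escape_regexp` has a related concern, if I read GNU sed's delimiter scanning right: it looks for the unescaped delimiter before bracket expressions are parsed, so the `[/]` this macro emits for `/` would terminate an `s/.../.../` command, and the documented example with a `/` in `variable` exercises exactly that. The consumer of the replacement escape is `bash_replace_or_append` in the hunk at 1499/1548 below, where values containing `/` (paths) are common.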
@@ -1499,26 +1548,31 @@ if test -L "{{{ config_file }}}"; then sed_command+=('--follow-symlinks') fi +grep_command=(grep) +{{%- if ignore_case %}} +grep_command+=(-i) +{{%- endif %}} + # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "{{{ key }}}") +stripped_key="$(LC_ALL=C sed 's/[\^=$,;+]//g' <<< "{{{ key }}}")" # shellcheck disable=SC2059 -printf -v formatted_output "{{{ format }}}" "$stripped_key" "{{{ value }}}" +printf -v formatted_output "{{{ format }}}" "${stripped_key}" "{{{ value }}}" # If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), +# We search for the key string followed by a word boundary (matched by {{{ word_boundary }}}), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "{{{ key }}}\\>" "{{{ config_file }}}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - "${sed_command[@]}" "s/{{{ key }}}\\>.*/$escaped_formatted_output/gi" "{{{ config_file }}}" +if LC_ALL=C "${grep_command[@]}" -q -m 1 -e "{{{ key_regex ~ word_boundary }}}" "{{{ config_file }}}"; then + {{{ bash_sed_escape_replacement("formatted_output", "escaped_formatted_output") }}} + LC_ALL=C "${sed_command[@]}" "s/{{{ key_regex ~ word_boundary }}}.*/${escaped_formatted_output}/gi" "{{{ config_file }}}" else # \n is precaution for case where file ends without trailing newline - {{% if cce_identifiers and 'cce' in cce_identifiers -%}} + {{%- if cce_identifiers and 'cce' in cce_identifiers %}} {{{ set_cce_value() }}} - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "{{{ config_file }}}" >> "{{{ config_file }}}" + printf '\n# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "{{{ config_file }}}" >> "{{{ config_file }}}" {{%- endif %}} - printf '%s\n' "$formatted_output" >> "{{{ 
config_file }}}" + printf '%s\n' "${formatted_output}" >> "{{{ config_file }}}" fi {{%- endmacro -%}} 
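Review bot: The new `ignore_case` switch is honoured by the grep test but not by the replacement: `"s/{{{ key_regex ~ word_boundary }}}.*/${escaped_formatted_output}/gi"` keeps a hard-coded `i` flag, so with `ignore_case=false` grep finds only an exact-case key while sed then rewrites every case variant of it. Make the flag follow the parameter, e.g. end the expression with `/g{{% if ignore_case %}}i{{% endif %}}"`. Separately, `key_regex ~ word_boundary` is interpolated unescaped into an `s/.../` command whose delimiter is `/`, so a `key_regex` containing `/` (sysctl accepts `/`-separated names) would break the command; the macro docstring should say that callers must escape `/` in `key_regex`. The enclosing macro starts in the previous hunk.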
@@ -2386,6 +2440,67 @@ fi {{%- endmacro %}} +{{# +Set shell variable containing sysctl.d directories to handle + +This is not about directories sysctl supports in product, but what directories +are considered managed. + +:param variable: string, shell array variable name to be set +:param all_possible: boolean, default false, limit per product + +See: sysctl.conf(5) +#}} +{{%- macro bash_sysctl_set_config_directories(variable, all_possible=false) -%}} +{{{ variable }}}=( + /etc/sysctl.d + /run/sysctl.d +{{%- if product in [ "sle12", "sle15"] or all_possible %}} + /usr/local/lib/sysctl.d +{{%- endif -%}} +{{%- if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] or all_possible %}} + /usr/lib/sysctl.d + /lib/sysctl.d +{{%- endif %}} +) +{{%- endmacro -%}} + + +{{# +Set shell variable to sysctl filename used in remediate + +:param variable: string, shell variable name to be set +:param SYSCTLVAR: sysctl variable name in question +#}} +{{%- macro bash_sysctl_set_remediate_file_name(variable, SYSCTLVAR) -%}} +{{{ variable }}}= +{{%- if sysctl_remediate_drop_in_file == "true" -%}} +"/etc/sysctl.d/{{{ SYSCTLVAR | replace(".", "_") | replace('/', '_') }}}.conf" +{{%- else -%}} +"/etc/sysctl.conf" +{{%- endif %}} +{{%- endmacro -%}} + + +{{# +Generate code to clean sysctl environment + +:param all_possible: boolean, default true, not limit per product + +Ensure test environment is controlled, meaning empty, but existing directories +and /etc/sysctl.conf as pre-existing stage. Meant to be used at start of sysctl +test cases. 
+#}} +{{%- macro bash_sysctl_test_clean(all_possible=true) -%}} +{{{ bash_sysctl_set_config_directories('sysctl_directories', all_possible=all_possible) }}} +mkdir -p -- "${sysctl_directories[@]}" +for d in "${sysctl_directories[@]}"; do + rm -rf -- "${d}"/* +done +[ -f /etc/sysctl.conf ] || touch /etc/sysctl.conf +{{%- endmacro -%}} + + {{# This macro creates a Bash conditional which is used to determine if a remediation is applicable. The condition compares the actual version of the diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index f021abc92ae..be0e2eaff2c 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -702,7 +702,7 @@ ocil_clause: '"{{{ part }}} is not a mountpoint" is returned' If the system is configured to prevent the loading of the {{{ module }}} kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - {{% if product in ["ol7", "ol8", "rhel7", "rhel8"] %}} + {{% if product in ["fedora", "ol7", "ol8", "rhel7", "rhel8"] %}} These lines can also instruct the module loading system to ignore the {{{ module }}} kernel module via blacklist keyword. {{% endif %}} Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: 
@@ -1011,7 +1011,7 @@ ocil_clause: "the correct value is not returned" The parameter should have form `parameter=value`. #}} {{%- macro ocil_grub2_argument(arg_name_value) -%}} -{{%- if product in ["ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9"] or 'ubuntu' in product -%}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9"] or "ubuntu" in product -%}} Inspect the form of default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes {{{ arg_name_value }}}, then the parameter will be configured for newly installed kernels. diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 307df197d98..f0fcb862b19 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja 
@@ -1004,6 +1004,89 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} +{{# +Convert list to set, complicated as one set can contain 1 or 2 items, but list +can contain more thant that. Set needs to be build from sub sets of items or +previous level sets. Do it recursiverly. + +:param list_to_handle: list of elements +:param _result_list: internal, do not set +#}} +{{%- macro oval_list_to_set(list_to_handle, _result_list=[]) -%}} +{{%- if (list_to_handle | length) == 0 -%}} +{{%- if (_result_list | length) <= 1 -%}} +{{%- for item in _result_list %}} +{{{ item }}} +{{%- endfor -%}} +{{%- else -%}} +{{{ oval_list_to_set(_result_list, []) }}} +{{%- endif -%}} +{{%- else -%}} +{{%- set result_list_item = _oval_list_to_set_block(list_to_handle) -%}} +{{%- set next_list = [] -%}} +{{%- for item in list_to_handle -%}} +{{%- if loop.index0 >= 2 -%}} +{{%- set _ = next_list.append(item) -%}} +{{%- endif -%}} +{{%- endfor -%}} +{{{ oval_list_to_set(next_list, _result_list + [result_list_item]) }}} +{{%- endif -%}} +{{%- endmacro -%}} + + +{{#- This exists only because 2.8 has set block assignment, but CentOS has Jinja 2.7 -#}} +{{%- macro _oval_list_to_set_block(list_to_handle) -%}} + +{{%- for item in list_to_handle -%}} +{{%- if loop.index0 < 2 %}} + {{{ item | indent }}} +{{%- endif -%}} +{{%- endfor %}} + +{{%- endmacro -%}} + + +{{# +Convert variable to trimmed variable where whitespace is removed before and after. + +Creates new variable from old by adding "_trim" + possible suffix. 
+ +:param variable: variable to trim +:param suffix: extra suffix +:param DATATYPE: int / string +#}} +{{%- macro oval_var_trim(variable, suffix="", DATATYPE="string") -%}} + +{{%- if DATATYPE == "int" %}} + + + + + + + + +{{%- else %}} +{{#- +Capture either + - empty + - one char of non space + - starting and ending with non space + => this should implement "trim" like feature to strip any whitespace before + and after +#}} + + + + +{{%- endif %}} +{{%- endmacro -%}} + + {{%- macro mount_active_criterion(path) %}} diff --git a/shared/macros/10-warning.jinja b/shared/macros/10-warning.jinja index 8ab6dd7c2a9..79627bce27d 100644 --- a/shared/macros/10-warning.jinja +++ b/shared/macros/10-warning.jinja @@ -5,7 +5,7 @@ :param rationale: Explanation why RHV needs the rule disabled. #}} {{% macro warning_ovirt_rule_notapplicable(rationale) %}} -{{%- if product == "rhel8" %}} +{{%- if product in ["fedora", "rhel8"] %}} - general: |- This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. {{{ rationale }}}. diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template index d6755d56924..3c3b937c3cb 100644 --- a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template 
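Review bot: The docstring of `oval_list_to_set` has several typos that will end up in the rendered macro reference (`thant`, `recursiverly`, `Set needs to be build`); suggested wording: `Convert a list to a set. An OVAL set holds at most two items, so longer lists are reduced recursively into nested sets of two.` The `_result_list=[]` default is mutated nowhere, but the macro mutates `next_list` via `append`, so a short comment such as `{{#- next_list is a fresh list per call; appending is safe -#}}` would reassure readers used to the Python mutable-default pitfall.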
@@ -56,8 +56,15 @@ do # Search log file for path(s) only in case it exists! if [[ -f "${LOG_FILE}" ]] then - NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") - LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") + NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[[:space:]]*\(#\|$\)/d" "${LOG_FILE}") + rc=0 + LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") || rc=$? + # No paths + if (( rc == 1 )); then + continue + fi + # under set -e fail here + (( rc == 0 || rc == 1 )) FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index 4c2eade72e6..f7f2b4f1f83 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template 
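Review bot: `(( rc == 0 || rc == 1 ))` after `if (( rc == 1 )); then continue; fi` can only ever see `rc == 0` or `rc >= 2`, so the `|| rc == 1` half is dead, and turning a grep error (`rc >= 2`, e.g. an unreadable file) into a script failure relies on `set -e` being in force, which the hunk does not show. Spelling it out removes both dependencies: `if (( rc > 1 )); then echo "grep failed on ${LOG_FILE} (rc=${rc})" >&2; exit "${rc}"; fi`. The enclosing `do ... done` loop starts and ends outside the hunk.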
@@ -4,60 +4,63 @@ # complexity = low # disruption = medium +{{#- sysctl quirks -#}} +{{%- set setsysctlvar_rx = '^[ \\t]*-?[ \\t]*' ~ SYSCTLVAR | escape_regex_sq | replace('[.]', '[./]') | replace('[/]', '[./]') ~ '[ \\t]*=' %}} - name: List /etc/sysctl.d/*.conf files -{{% if product in ["sle12","sle15"] %}} - find: - paths: - - "/etc/sysctl.d/" - - "/run/sysctl.d/" -{{% else %}} - find: - paths: - - "/etc/sysctl.d/" - - "/run/sysctl.d/" - - "/usr/local/lib/sysctl.d/" -{{% endif %}} -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - - "/usr/lib/sysctl.d/" -{{% endif %}} - contains: '^[\s]*{{{ SYSCTLVAR }}}.*$' + ansible.builtin.find: + paths: {{{ ansible_sysctl_set_config_directories() }}} + contains: >- + {{{ setsysctlvar_rx }}}.*$ patterns: "*.conf" file_type: any register: find_sysctl_d - name: Comment out any occurrences of {{{ SYSCTLVAR }}} from config files - replace: + ansible.builtin.replace: path: "{{ item.path }}" - regexp: '^[\s]*{{{ SYSCTLVAR }}}' - replace: '#{{{ SYSCTLVAR }}}' + regexp: >- + ({{{ setsysctlvar_rx }}}) + replace: '# \g<1>' loop: "{{ find_sysctl_d.files }}" -{{% if sysctl_remediate_drop_in_file == "true" %}} - name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.conf - replace: + ansible.builtin.replace: path: "/etc/sysctl.conf" - regexp: '^[\s]*{{{ SYSCTLVAR }}}' - replace: '#{{{ SYSCTLVAR }}}' -{{% endif %}} + regexp: >- + ({{{ setsysctlvar_rx }}}) + replace: '# \g<1>' +{{%- if sysctl_remediate_drop_in_file != "true" %}} +{{#- sysctl module manages only last entry #}} + before: >- + .*\n{{{ setsysctlvar_rx.lstrip('^') }}} +{{%- endif %}} +{{%- if SYSCTLVAL is none or SYSCTLVAL is not string %}} -{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - name: Ensure sysctl {{{ SYSCTLVAR }}} is set sysctl: name: "{{{ SYSCTLVAR }}}" - value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" + # Ansible sysctl module doesn't allow empty string. 
A space string is + # allowed and has the same semantics as sysctl will ignore spaces. + # center(1) adds one space to empty string. + value: >- + {{ sysctl_{{{ SYSCTLID }}}_value | center(1) }} {{%- else %}} + - name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} sysctl: name: "{{{ SYSCTLVAR }}}" - value: "{{{ SYSCTLVAL }}}" + # Ansible sysctl module doesn't allow empty string. A space string is + # allowed and has the same semantics as sysctl will ignore spaces. + value: {{% if SYSCTLVAL == "" %}}" "{{% else %}}"{{{ SYSCTLVAL }}}"{{% endif %}} +{{%- endif %}} + sysctl_file: >- +{{%- if sysctl_remediate_drop_in_file == "true" %}} + /etc/sysctl.d/{{{ SYSCTLVAR | replace('.','_') | replace('/', '_') }}}.conf +{{%- else %}} + /etc/sysctl.conf {{%- endif %}} -{{% if sysctl_remediate_drop_in_file == "true" %}} - sysctl_file: "/etc/sysctl.d/{{{ SYSCTLVAR | replace('.','_') }}}.conf" -{{% else %}} - sysctl_file: "/etc/sysctl.conf" -{{% endif %}} state: present reload: yes - + sysctl_set: true diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index 49e4d949be0..e997e57c74e 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template 
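Review bot: The two `sysctl:` tasks keep the short module name while `find` and `replace` in the same hunk move to `ansible.builtin.*` FQCNs; the sysctl module ships in the `ansible.posix` collection, so the consistent spelling is `ansible.posix.sysctl:`, assuming the project's lint policy accepts collection-qualified names (otherwise all four should stay short). The string branch's `value: {{% if SYSCTLVAL == "" %}}" "{{% else %}}"{{{ SYSCTLVAL }}}"{{% endif %}}` re-implements the empty-string workaround the variable branch expresses with `| center(1)`; `value: "{{{ SYSCTLVAL | center(1) }}}"` states it once, though neither form escapes a `"` or `\` inside the value, which would break the YAML if a rule ever supplies one.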
@@ -4,63 +4,117 @@ # complexity = low # disruption = medium -# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files -{{% if product in [ "sle12", "sle15"] %}} -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do -{{% elif product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do -{{% else %}} -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do -{{% endif %}} - matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "{{{ SYSCTLVAR }}}" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done +# +# sysctl.d directories managed here. This might not be all sysctl.d supported +# directories. +# +{{{ bash_sysctl_set_config_directories('sysctl_directories') }}} # # Set sysctl config file which to save the desired value # -{{% if sysctl_remediate_drop_in_file == "true" %}} -SYSCONFIG_FILE='/etc/sysctl.d/{{{ SYSCTLVAR | replace(".","_") }}}.conf' -{{% else %}} -SYSCONFIG_FILE="/etc/sysctl.conf" -{{% endif %}} +{{{ bash_sysctl_set_remediate_file_name('SYSCONFIG_FILE', SYSCTLVAR) }}} -{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} +# +# key and value at hand +# +sysctlvar={{{ SYSCTLVAR | quote }}} +{{%- if SYSCTLVAL is none or SYSCTLVAL is not string %}} {{{ bash_instantiate_variables("sysctl_" ~ SYSCTLID ~ "_value") }}} +{{#- + TODO: Seems some values contain \n, they mess up sed below this should be + fixed in OVAL. +#}} # -# Set runtime for {{{ SYSCTLVAR }}} +# Replace any control characters with space. Mainly to get rid of '\n'. +# Sysctl does have '\t', so it is allowed. 
# -/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="$sysctl_{{{ SYSCTLID }}}_value" +sysctl_{{{ SYSCTLID }}}_value="${sysctl_{{{ SYSCTLID }}}_value//[$'\x01-\x08\x0a-\x1f\x7f']/ }" +{{%- else %}} +sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTLVAL | quote }}} +{{%- endif %}} # -# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to appropriate value -# else, add "{{{ SYSCTLVAR }}} = value" to /etc/sysctl.conf +# Escape SYSCTLVAR to be used as a key for replacements. +# +# man sysctl(8) +# The '/' separator is also accepted in place of a '.'. +# +# man sysctl.conf(5) +# whitespace before and after a token ... is ignored +# ... +# Lines which begin with a # or ; are considered comments and ignored. +# ... +# If a line begins with a single -, any attempts to set the value that fail +# will be ignored. +# +# man sysctl.d(5) +# Note that either "/" or "." may be used as separators within sysctl +# variable names. If the first separator is a slash, remaining slashes +# and dots are left intact. If the first separator is a dot, dots and +# slashes are interchanged. # -{{% if sysctl_remediate_drop_in_file == "true" %}} -sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf -{{% endif %}} -{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^' ~ SYSCTLVAR , '$sysctl_' ~ SYSCTLID ~ '_value') }}} +# Note following features might not implemented properly: +# - sysctl.d features about globs or ignoring globs. +# +{{#- +Word boundary must be "=" because defafult "\>" does not work with for example +"=1". And we want to end used match with "=" as we do not want to mixup with +glob stuff. +-#}} +{{%- set word_boundary = "=" %}} -{{%- else %}} +# +# {{{ SYSCTLVAR }}} regexp +# +{{{ bash_sed_escape_regexp("sysctlvar", "sysctlvar_rx") }}} +{{#- +The pattern substitution relies bash_sed_escape_regexp to do escape as + . -> [.] + / -> [/] +both are replaced as [./], this ensures their interchangeability. 
+#}} +sysctlvar_rx="^[[:blank:]]*[-]\?[[:blank:]]*${sysctlvar_rx//\[[.\/]\]/[./]}[[:blank:]]*" + +# +# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files +# +for d in "${sysctl_directories[@]}"; do + [[ -d "${d}" ]] || continue + for f in "${d}"/*.conf; do + [[ -f "${f}" ]] || continue + readarray -t matching_list < <(LC_ALL=C grep -e "${sysctlvar_rx}{{{ word_boundary }}}" "${f}" | sort -u || :) + for entry in "${matching_list[@]}"; do + {{{ bash_sed_escape_regexp("entry", "escaped_entry") | indent(12) }}} + # comment out "{{{ SYSCTLVAR }}}" matches to preserve user data + LC_ALL=C sed --follow-symlinks -i "s/^${escaped_entry}$/# &/" "${f}" + done + done +done # # Set runtime for {{{ SYSCTLVAR }}} # -/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" +/sbin/sysctl -q -n -w "${sysctlvar}"="${sysctl_{{{ SYSCTLID }}}_value}" # +{{%- if SYSCTLVAL is none or SYSCTLVAL is not string %}} +# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to appropriate value +# else, add "{{{ SYSCTLVAR }}} = value" to /etc/sysctl.conf +{{%- else %}} # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" -# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf +# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf +{{%- endif %}} # -{{% if sysctl_remediate_drop_in_file == "true" %}} -sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf -{{% endif %}} -{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^' ~ SYSCTLVAR , SYSCTLVAL ) }}} +{{%- if sysctl_remediate_drop_in_file == "true" %}} +LC_ALL=C sed --follow-symlinks -i "/${sysctlvar_rx}{{{ word_boundary }}}/d" /etc/sysctl.conf {{%- endif %}} +{{{ bash_replace_or_append( + "${SYSCONFIG_FILE}", + SYSCTLVAR, + "${sysctl_" ~ SYSCTLID ~ "_value}", + key_regex="${sysctlvar_rx}", + word_boundary=word_boundary, + ignore_case=false, +) }}} 
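Review bot: The drop-in branch still deletes every matching line from /etc/sysctl.conf, `LC_ALL=C sed --follow-symlinks -i "/${sysctlvar_rx}{{{ word_boundary }}}/d" /etc/sysctl.conf`, while the sysctl.d loop just above comments matches out "to preserve user data"; the two paths should agree, e.g. `LC_ALL=C sed --follow-symlinks -i "/${sysctlvar_rx}{{{ word_boundary }}}/s/^/# /" /etc/sysctl.conf`, which also leaves a visible trace of what the remediation changed. Two comment nits in the same hunk: `defafult` → `default`, and `might not implemented properly` → `might not be implemented properly`.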
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template index 3fe6de1c185..9a750fe3424 100644 --- a/shared/templates/sysctl/oval.template +++ b/shared/templates/sysctl/oval.template 
@@ -1,286 +1,287 @@ -{{%- if SYSCTLVAL == "" %}} +{{%- if SYSCTLVAL is none %}} {{%- set COMMENT_VALUE="the appropriate value" %}} {{%- elif SYSCTLVAL is string %}} {{%- set COMMENT_VALUE=SYSCTLVAL %}} -{{%- else %}} +{{%- else -%}} {{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} {{%- endif %}} -{{% macro state_static_sysctld(prefix) -%}} - -{{% if SYSCTLVAL is string %}} - -{{% elif SYSCTLVAL is sequence %}} -{{% for x in SYSCTLVAL %}} - -{{% endfor %}} -{{% endif %}} +{{%- macro state_static_sysctld(suffix) -%}} + +{{%- if SYSCTLVAL is none or SYSCTLVAL is string -%}} + +{{%- else -%}} +{{%- for x in SYSCTLVAL %}} + +{{%- endfor -%}} +{{%- endif -%}} +{{%- endmacro -%}} + +{{%- set sysctl_dirs = ['/etc/sysctl.d', '/run/sysctl.d'] -%}} +{{%- if product in [ "sle12", "sle15"] or all_possible -%}} +{{%- set sysctl_dirs = sysctl_dirs + ['/usr/local/lib/sysctl.d'] -%}} +{{%- endif -%}} +{{%- if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] or all_possible -%}} +{{%- set sysctl_dirs = sysctl_dirs + ['/usr/lib/sysctl.d'] -%}} +{{%- set sysctl_dirs = sysctl_dirs + ['/lib/sysctl.d'] -%}} +{{%- endif -%}} + +{{%- macro sysctl_d_id(sysctl_dir) -%}} +{{{- sysctl_dir.lstrip('/') | replace('/', '_') | replace ('.', '') -}}} +{{%- endmacro -%}} + +{{%- macro obj_static_sysctld_id(suffix) -%}} +obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} - ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$ + ^[ \t]*-?[ \t]*{{{ + SYSCTLVAR | escape_regex_sq | replace('[.]', '[./]') | replace('[/]', '[./]') + }}}[ \t]*=[ \t]*(|\S|\S[^\n]*\S)[ \t]*$ 1 {{%- endmacro -%}} -{{%- if "P" in FLAGS -%}} - - - {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - - - - - - +{{%- macro sysctl_local_variables(suffix) -%}} +{{%- if SYSCTLVAR == "net.ipv4.ip_local_port_range" %}} + + + + + -{{%- elif "I" in FLAGS 
-%}} + + + + + - - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - -{{% if product in ["ubuntu1604", "ubuntu1804"] %}} - -{{% else %}} - -{{% endif %}} - - - - - - - + + + ^\s*( + + \s+ + + )\s*$ + + +{{%- else %}} + {{{ oval_var_trim(rule_id ~ "_value", suffix=suffix, DATATYPE=DATATYPE) }}} +{{%- endif -%}} +{{%- endmacro -%}} -{{%- endif %}} -{{%- if "R" in FLAGS -%}} +{{%- if "P" in FLAGS -%}} - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} - - - - - - - -{{% if SYSCTLVAL is string %}} - -{{% elif SYSCTLVAL is sequence %}} -{{% for x in SYSCTLVAL %}} - -{{% endfor %}} -{{% endif %}} - + + {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}} + + + + + + - - {{{ SYSCTLVAR }}} - -{{% if SYSCTLVAL is string %}} -{{% if SYSCTLVAL == "" %}} - - - +{{%- elif "I" in FLAGS %}} - + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} + +{{%- if product in ["ubuntu1604", "ubuntu1804"] %}} + {{%- else %}} - -{{% if OPERATION == "pattern match" %}} - {{{ SYSCTLVAL_REGEX }}} -{{% else %}} - {{{ SYSCTLVAL }}} -{{% endif %}} - + {{%- endif %}} -{{% elif SYSCTLVAL is sequence %}} -{{% for x in SYSCTLVAL %}} - - {{{ x }}} - -{{% endfor %}} -{{% endif %}} + + + + + + {{%- endif -%}} -{{%- if "S" in FLAGS -%}} +{{%- if "R" in FLAGS %}} - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} - -{{% if MISSING_PARAMETER_PASS == "true" %}} - -{{% endif %}} - + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} - - - - -{{% if product 
not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - -{{% endif %}} - + - - -{{% if MISSING_PARAMETER_PASS == "true" %}} - - -{{% endif %}} - - - - - - - - {{{ state_static_sysctld("sysctl") }}} - + - - {{{ state_static_sysctld("etc_sysctld") }}} - + + +{{%- if SYSCTLVAL is none or SYSCTLVAL is string %}} + +{{%- else -%}} +{{%- for x in SYSCTLVAL %}} + +{{%- endfor -%}} +{{%- endif %}} + - - {{{ state_static_sysctld("run_sysctld") }}} - + + {{{ SYSCTLVAR }}} + -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - - {{{ state_static_sysctld("usr_lib_sysctld") }}} - -{{% endif %}} +{{%- if SYSCTLVAL is none %}} + +{{%- if SYSCTLVAR == "net.ipv4.ip_local_port_range" %}} + +{{%- else %}} + +{{%- endif %}} + +{{{ sysctl_local_variables("") }}} - - {{{ state_static_sysctld("usr_local_lib_sysctld") }}} - + +{{%- elif SYSCTLVAL is string %}} + +{{%- if OPERATION == "pattern match" %}} + {{{ SYSCTLVAL_REGEX }}} +{{%- else %}} + {{{ SYSCTLVAL }}} +{{%- endif %}} + +{{%- else -%}} +{{%- for x in SYSCTLVAL %}} + + {{{ x }}} + +{{%- endfor -%}} +{{%- endif %}} + - - - +{{%- endif -%}} +{{%- if "S" in FLAGS %}} - - - - object_static_etc_sysctls_{{{ rule_id }}} - object_static_run_usr_local_sysctls_{{{ rule_id }}} - - + + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} + + + + + +{{%- for sysctl_dir in sysctl_dirs %}} + +{{%- endfor %}} + + + +{{%- if MISSING_PARAMETER_PASS == "true" %}} + +{{%- endif %}} + + - - - object_static_sysctl_{{{ rule_id }}} - object_static_etc_sysctld_{{{ rule_id }}} - - + + + - - - object_static_usr_local_lib_sysctld_{{{ rule_id }}} - object_static_run_usr_sysctls_{{{ rule_id }}} - - + + {{{ state_static_sysctld("sysctl") }}} + - - - object_static_run_sysctld_{{{ rule_id }}} -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - object_static_usr_lib_sysctld_{{{ rule_id }}} 
-{{% endif %}} - - + + /etc/sysctl.conf + {{{ sysctl_match() }}} + +{{%- for sysctl_dir in sysctl_dirs %}} - - /etc/sysctl.conf - {{{ sysctl_match() }}} - + + {{{ state_static_sysctld(sysctl_d_id(sysctl_dir)) }}} + - - /etc/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - + + {{{ sysctl_dir }}} + ^.*\.conf$ + {{{ sysctl_match() }}} + +{{%- endfor %}} - - /run/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - + + + - - /usr/local/lib/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - + + +{{%- set obj_refs = [] -%}} +{{%- set _ = obj_refs.append('' ~ obj_static_sysctld_id("sysctl") ~ '') -%}} +{{%- for sysctl_dir in sysctl_dirs -%}} +{{%- set _ = obj_refs.append('' ~ obj_static_sysctld_id(sysctl_d_id(sysctl_dir)) ~ '') -%}} +{{%- endfor -%}} + {{{ oval_list_to_set(obj_refs) | indent(8) }}} + -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - - /usr/lib/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - -{{% endif %}} -{{% if SYSCTLVAL is string %}} -{{% if SYSCTLVAL == "" %}} +{{%- if SYSCTLVAL is none %}} - - - + +{{%- if SYSCTLVAR == "net.ipv4.ip_local_port_range" %}} + +{{%- else %}} + +{{%- endif %}} + +{{{ sysctl_local_variables("_static") }}} - -{{% else %}} - -{{% if OPERATION == "pattern match" %}} - {{{ SYSCTLVAL_REGEX }}} -{{% else %}} - {{{ SYSCTLVAL }}} -{{% endif %}} - -{{% endif %}} -{{% elif SYSCTLVAL is sequence %}} -{{% for x in SYSCTLVAL %}} - - {{{ x }}} - -{{% endfor %}} -{{% endif %}} + +{{%- elif SYSCTLVAL is string -%}} + +{{%- if OPERATION == "pattern match" %}} + {{{ SYSCTLVAL_REGEX }}} +{{%- else %}} + {{{ SYSCTLVAL }}} +{{%- endif %}} + +{{%- else -%}} +{{%- for x in SYSCTLVAL %}} + + {{{ x }}} + +{{%- endfor -%}} +{{%- endif %}} {{%- endif -%}} diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py index d9e0449fbb6..bee769295b3 100644 --- a/shared/templates/sysctl/template.py +++ b/shared/templates/sysctl/template.py 
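Review bot: `sysctl_local_variables` and both object branches special-case the literal `net.ipv4.ip_local_port_range` inside the shared template (`{{%- if SYSCTLVAR == "net.ipv4.ip_local_port_range" %}}`), which ties a generic template to one rule and will need another literal for the next multi-token value; a template parameter set from template.py (a flag meaning "value is a whitespace-separated pair") would keep that knowledge with the rule. The `sysctl_dirs` construction also depends on `all_possible`, which is not defined in the hunk; if it is not a build-time global, Jinja's undefined is silently falsy in `or all_possible` and the directory list quietly shrinks, so a comment naming where it comes from would help. The element markup of this hunk is not visible in this rendering, so only the Jinja control flow was reviewed here.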
@@ -1,19 +1,31 @@ import ssg.utils -def preprocess(data, lang): - data["sysctlid"] = ssg.utils.escape_id(data["sysctlvar"]) - if not data.get("sysctlval"): - data["sysctlval"] = "" - ipv6_flag = "P" - if data["sysctlid"].find("ipv6") >= 0: - ipv6_flag = "I" - data["flags"] = "SR" + ipv6_flag - if "operation" not in data: - data["operation"] = "equals" - if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0: +def validate_sysctlval_type(data): + # Testing type helps logic in OVAL, remediations and tests + # We test none, string and what is left is list. + if data["sysctlval"] is None: + return True + + if isinstance(data["sysctlval"], list): + if len(data["sysctlval"]) == 0: + raise ValueError( + "The sysctlval parameter of {0} is an empty list".format( + data["_rule_id"])) + for val in data["sysctlval"]: + if isinstance(data["sysctlval"], str): + return False + elif not(isinstance(data["sysctlval"], str)): + return False + + return True + + +def validate(data): + if not validate_sysctlval_type(data): raise ValueError( - "The sysctlval parameter of {0} is an empty list".format( + "The 'sysctlval' parameter of {0} must be either not set," + " string or, list of strings".format( data["_rule_id"])) # Configure data for test scenarios 
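Review bot: The element check in `validate_sysctlval_type` tests the list instead of the element and with the wrong polarity: inside `for val in data["sysctlval"]:` the line `if isinstance(data["sysctlval"], str): return False` is always false (the value is a list in this branch), so a list holding non-string items, YAML integers for instance, passes validation even though the error text promises a list of strings. It should read `for val in data["sysctlval"]:` followed by `if not isinstance(val, str): return False`. The `elif not(isinstance(data["sysctlval"], str)):` line works but the parenthesised `not(...)` is unidiomatic; `elif not isinstance(data["sysctlval"], str):` reads better. `validate` continues past the end of the hunk.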
@@ -24,20 +36,39 @@ def preprocess(data, lang): "{2} to add tests for it.".format( data["datatype"], data["_rule_id"], __file__)) - if data["sysctlval"] == "": + +def preprocess(data, lang): + data["sysctlid"] = ssg.utils.escape_id(data["sysctlvar"]) + if "sysctlval" not in data: + data["sysctlval"] = None + ipv6_flag = "P" + if data["sysctlid"].find("ipv6") >= 0: + ipv6_flag = "I" + data["flags"] = "SR" + ipv6_flag + if "operation" not in data: + data["operation"] = "equals" + + if data["sysctlval"] is None: if data["datatype"] == "int": data["sysctl_correct_value"] = "0" data["sysctl_wrong_value"] = "1" elif data["datatype"] == "string": data["sysctl_correct_value"] = "correct_value" data["sysctl_wrong_value"] = "wrong_value" + if "correct_sysctlval_for_testing" in data: + data["sysctl_correct_value"] = data["correct_sysctlval_for_testing"] + if "wrong_sysctlval_for_testing" in data: + data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"] elif isinstance(data["sysctlval"], list): data["sysctl_correct_value"] = data["sysctlval"][0] data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"] else: data["sysctl_correct_value"] = data["sysctlval"] if data["datatype"] == "int": - data["sysctl_wrong_value"] = str((int(data["sysctlval"])+1) % 2) + data["sysctl_wrong_value"] = str((int(data["sysctlval"]) + 1) % 2) elif data["datatype"] == "string": data["sysctl_wrong_value"] = "wrong_value" + + validate(data) + return data diff --git a/shared/templates/sysctl/tests/comment.fail.sh b/shared/templates/sysctl/tests/comment.fail.sh index 793963a9bb4..692e387b9c9 100644 --- a/shared/templates/sysctl/tests/comment.fail.sh +++ b/shared/templates/sysctl/tests/comment.fail.sh 
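Review bot: `validate(data)` runs only at the very end of `preprocess`, after the test-value derivation has already indexed `data["sysctlval"][0]` and called `int(data["sysctlval"])`, so a malformed value trips a bare `TypeError`/`ValueError` on those lines before the descriptive message in `validate` can fire. Calling `validate(data)` right after the `data["operation"] = "equals"` block would make the type check guard the code that depends on it, provided the datatype check that precedes the visible `{2} to add tests for it` message does not itself need the derived test values. In the list branch, `data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"]` still raises a bare `KeyError` when a rule omits the key, whereas the `None` branch now tests membership first; a `.get()` followed by an explicit `ValueError` naming the rule would match the other error messages.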
@@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "# {{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/correct_value.pass.sh b/shared/templates/sysctl/tests/correct_value.pass.sh index 92aba14cf4b..65ccc6b66d5 100644 --- a/shared/templates/sysctl/tests/correct_value.pass.sh +++ b/shared/templates/sysctl/tests/correct_value.pass.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh index 19769ebae7e..e0a40fb900e 100644 --- a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh +++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh 
@@ -1,16 +1,18 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +# platform = multi_platform_sle +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -{{% if product not in ["sle12","sle15"] %}} -rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} +{{{ bash_sysctl_set_config_directories('sysctl_directories') }}} +for d in "${sysctl_directories[@]}"; do +if [[ "${d}" == /usr/local/lib/sysctl.d ]]; then sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf -mkdir /usr/local/lib/sysctl.d/ echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /usr/local/lib/sysctl.d/correct.conf # set correct runtime value to check if the filesystem configuration is evaluated properly sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}" -{{% endif %}} +fi +done diff --git a/shared/templates/sysctl/tests/line_not_there.fail.sh b/shared/templates/sysctl/tests/line_not_there.fail.sh index 40b86bc183c..f049440a4be 100644 --- a/shared/templates/sysctl/tests/line_not_there.fail.sh +++ b/shared/templates/sysctl/tests/line_not_there.fail.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh index b8ab0b83e3a..c816b525e18 100644 --- a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh +++ b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh 
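Review bot: The `mkdir /usr/local/lib/sysctl.d/` line is dropped, but the `echo ... >> /usr/local/lib/sysctl.d/correct.conf` that follows still needs the directory to exist; unless `bash_sysctl_test_clean()` (body not visible here) guarantees it, the redirect fails and the scenario aborts before the runtime value is set. A `mkdir -p /usr/local/lib/sysctl.d` immediately before the `echo` keeps the test self-sufficient. The `for d in "${sysctl_directories[@]}"; do if [[ "${d}" == /usr/local/lib/sysctl.d ]]; then` construct is a membership test written as a loop with an unindented body; indenting the body, or testing membership once, would read more clearly.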
@@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh index db7421debaf..7cab1741ffa 100644 --- a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_conflicting.fail.sh b/shared/templates/sysctl/tests/symlink_conflicting.fail.sh index e8109d0f9fd..fcf3e779d61 100644 --- a/shared/templates/sysctl/tests/symlink_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/symlink_conflicting.fail.sh 
@@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_different_option.pass.sh b/shared/templates/sysctl/tests/symlink_different_option.pass.sh index d8020b5bed1..fc6a257b36e 100644 --- a/shared/templates/sysctl/tests/symlink_different_option.pass.sh +++ b/shared/templates/sysctl/tests/symlink_different_option.pass.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh b/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh index 50b1c5da72c..a6205c37a3d 100644 --- a/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh +++ b/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh 
@@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh b/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh index 0fb25ae7383..ea57d4692bf 100644 --- a/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh +++ b/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh b/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh index 001a59f24e3..48a2d6d362e 100644 --- a/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh 
@@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh b/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh index 001a59f24e3..48a2d6d362e 100644 --- a/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh +++ b/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_same_option.pass.sh b/shared/templates/sysctl/tests/symlink_same_option.pass.sh index 4a35ea14eee..482857d119c 100644 --- a/shared/templates/sysctl/tests/symlink_same_option.pass.sh +++ b/shared/templates/sysctl/tests/symlink_same_option.pass.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf 
diff --git a/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh b/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh index 0b7f0405603..494670b00b6 100644 --- a/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh +++ b/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh b/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh index 098aa71058d..e56798156b6 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh b/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh index 9b40f6dae72..05f258ebe5d 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh 
@@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh b/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh index 8646946b5ca..a9fe25b2a50 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh index 4e7e0c39c4d..b46924f7b1b 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh index 384a54296e4..45e03b266b6 100644 
--- a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/wrong_runtime.fail.sh b/shared/templates/sysctl/tests/wrong_runtime.fail.sh index b7cc218460e..6bb48b88cff 100644 --- a/shared/templates/sysctl/tests/wrong_runtime.fail.sh +++ b/shared/templates/sysctl/tests/wrong_runtime.fail.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/wrong_value.fail.sh b/shared/templates/sysctl/tests/wrong_value.fail.sh index aeee5050f93..1e572f8198b 100644 --- a/shared/templates/sysctl/tests/wrong_value.fail.sh +++ b/shared/templates/sysctl/tests/wrong_value.fail.sh @@ -1,10 +1,9 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /etc/sysctl.conf 
diff --git a/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh b/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh index fe6345945c4..0e8d3d8bb8c 100644 --- a/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh +++ b/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh @@ -1,13 +1,15 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf -echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /etc/sysctl.d/98-sysctl.conf +{{{ bash_sysctl_set_config_directories('sysctl_directories', all_possible=true) }}} +for d in "${sysctl_directories[@]}"; do +echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> "${d}"/98-sysctl.conf +done # Setting correct runtime value sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}" diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh deleted file mode 100644 index 5b03e6c3969..00000000000 --- a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash -{{% if SYSCTLVAL == "" %}} -# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} -{{% endif %}} - -# Clean sysctl config directories -{{% if product not in ["sle12","sle15"] %}} -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* - -sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf -mkdir /usr/local/lib/sysctl.d/ -echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/local/lib/sysctl.d/wrong.conf - -# Setting correct runtime value -sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}" -{{% endif %}} 
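Review bot: The new loop in wrong_value_d_directory.fail.sh appends to `"${d}"/98-sysctl.conf` for every directory returned with `all_possible=true`, but at least `/usr/local/lib/sysctl.d` does not exist on most images (the deleted wrong_value_usr_local_lib.fail.sh had to `mkdir` it first), so the redirect fails with "No such file or directory" and, if the harness runs under `set -e`, the scenario aborts before `sysctl -w` instead of exercising the rule. Unless `bash_sysctl_set_config_directories` or `bash_sysctl_test_clean` is known to create the directories (neither macro is visible here), add `mkdir -p "${d}"` as the first statement of the loop body and indent the body: `for d in "${sysctl_directories[@]}"; do` / `    mkdir -p "${d}"` / `    echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> "${d}/98-sysctl.conf"`. The remainder of the script (setting the correct runtime value) is unchanged.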
diff --git a/ssg/jinja.py b/ssg/jinja.py index 7aee25b5ecc..0c84613134e 100644 --- a/ssg/jinja.py +++ b/ssg/jinja.py @@ -23,6 +23,8 @@ banner_anchor_wrap, escape_id, escape_regex, + escape_regex_all, + escape_regex_sq, escape_yaml_key, sha256 ) @@ -94,6 +96,8 @@ def _get_jinja_environment(substitutions_dict): _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify _get_jinja_environment.env.filters['escape_id'] = escape_id _get_jinja_environment.env.filters['escape_regex'] = escape_regex + _get_jinja_environment.env.filters['escape_regex_all'] = escape_regex_all + _get_jinja_environment.env.filters['escape_regex_sq'] = escape_regex_sq _get_jinja_environment.env.filters['escape_yaml_key'] = escape_yaml_key _get_jinja_environment.env.filters['quote'] = shell_quote _get_jinja_environment.env.filters['sha256'] = sha256 diff --git a/ssg/utils.py b/ssg/utils.py index 1c2ac1d4251..d6297bb596c 100644 --- a/ssg/utils.py +++ b/ssg/utils.py @@ -5,6 +5,7 @@ import errno import os import re +import sys from collections import namedtuple import hashlib 
@@ -343,12 +344,60 @@ def mkdir_p(path): raise +# CentOS 7 etc has PY2 +_PY2 = bool(sys.version_info[0] == 2) + +if _PY2: + def _py2_text_translate(text, table): + result = [] + for char in text: + if char in table: + result.append(table[char]) + else: + result.append(char) + return "".join(result) + + +def _binary_type_conversion(i): + return str(i) if _PY2 else chr(i) + + +_text_translate = _py2_text_translate if _PY2 else str.translate + +# Mimic from python 3.11, but drop ws +# SPECIAL_CHARS +# closing ')', '}' and ']' +# '-' (a range in character set) +# '&', '~', (extended character set operations) +# '#' (comment) and WHITESPACE (ignored) in verbose mode +_special_chars_map = { + i: '\\' + _binary_type_conversion(i) + for i in b'()[]{}?*+-|^$\\.&~#' +} +# all special characters (not \w), by ascii order +_all_special_chars_map = { + i: '\\' + _binary_type_conversion(i) + for i in b'!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~' +} +_all_special_chars_map_sq = { + i: (('[' + _binary_type_conversion(i) + ']') + if _binary_type_conversion(i) != '^' else ('\\' + _binary_type_conversion(i))) + for i in b'!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~' +} + + def escape_regex(text): # We could use re.escape(), but it escapes too many characters, including plain white space. - # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it. - # See https://docs.python.org/3/library/re.html#re.sub # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped. - return re.sub(r"([#$&*+.^`|~:()-])", r"\\\1", text) + return _text_translate(text, _special_chars_map) + + +def escape_regex_all(text): + return _text_translate(text, _all_special_chars_map) + + +def escape_regex_sq(text): + return _text_translate(text, _all_special_chars_map_sq) def escape_id(text): diff --git a/tests/shared/sysctl.sh b/tests/shared/sysctl.sh deleted file mode 100644 index 6a424a3641a..00000000000 --- a/tests/shared/sysctl.sh +++ /dev/null 
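Review bot: Neither `escape_regex_all` nor `escape_regex_sq` has a docstring saying which regex engine its output is meant for, and the two tables are unsafe in opposite directions: `_all_special_chars_map` emits `\<`, `\>`, `` \` `` and `\'`, which GNU grep/sed treat as word- and buffer-boundary anchors rather than literals, while `_all_special_chars_map_sq` emits `[\]` for a backslash, which Python `re` and PCRE (the OVAL dialect) reject as an unterminated character class even though POSIX bracket expressions accept it. Assuming the bracket style is intended for shell tools and the backslash style for OVAL/Python, I would add `"""Backslash-escape every ASCII punctuation char for Python/PCRE patterns; NOT for GNU grep/sed, where \< \> \` \' are anchors."""` to `escape_regex_all` and `"""Bracket-escape every ASCII punctuation char ([.], [$], ...) with ^ as \^; for POSIX grep/sed only, since [\] is invalid in Python/PCRE."""` to `escape_regex_sq`; if a single filter must serve both engines, map `\\` to `\\\\` in the `_sq` table the same way `^` is special-cased. `escape_regex` itself changes behaviour here: it now escapes `\`, `[`, `]`, `{`, `}` and `?` (a real fix, since an unescaped backslash or bracket in the input previously altered the pattern) but stops escaping `:` and `` ` ``; the updated comment reflects this, but no unit test in this chunk pins either the old or the new set.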
@@ -1,14 +0,0 @@ -#!/bin/bash - -# Sets the kernel setting using sysctl exec as well as in sysctl config file. -# $1: The setting name without the leading 'kernel.' -# $2: The value to set the setting to -function sysctl_set_kernel_setting_to { - local setting_name="kernel.$1" setting_value="$2" - sysctl -w "$setting_name=$setting_value" - if grep -q "^$setting_name" /etc/sysctl.conf; then - sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.conf - else - echo "$setting_name = $setting_value" >> /etc/sysctl.conf - fi -}