From e4353d4024323d6e2970e8d7a3fc30b95ed32b32 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Fri, 5 May 2023 23:50:51 +0300 Subject: [PATCH 01/44] feature: ssg: add escape_regex_all and escape_regex_sq Use str.translate method like python does. --- docs/templates/template_reference.md | 12 ++++++++++++ ssg/jinja.py | 4 ++++ ssg/utils.py | 27 ++++++++++++++++++++++++--- 3 files changed, 40 insertions(+), 3 deletions(-) diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index fc4738dd91b..cbe1c03e4b0 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -1114,6 +1114,18 @@ escape_regex some regular expression, behaves similar to the Python 3’s [**re.escape**](https://docs.python.org/3/library/re.html#re.escape). +escape_regex_all +- Escapes characters in the string for it to be usable as a part of + some regular expression. + Escape all but unprintable and **\w**. + [**re.escape**](https://docs.python.org/3/library/re.html#re.escape). + +escape_regex_sq +- Escapes characters in the string for it to be usable as a part of + some regular expression. + Use `.` -> `[.]` style escape method. And `^` is replaced with `\^'. + Escape all but unprintable and **\w**. + escape_yaml_key - Escape uppercase letters and `^` with additional `^` and convert letters to lovercase. This is because of OVAL's name argument limitations. diff --git a/ssg/jinja.py b/ssg/jinja.py index 7aee25b5ecc..0c84613134e 100644 --- a/ssg/jinja.py +++ b/ssg/jinja.py @@ -23,6 +23,8 @@ banner_anchor_wrap, escape_id, escape_regex, + escape_regex_all, + escape_regex_sq, escape_yaml_key, sha256 ) 
@@ -94,6 +96,8 @@ def _get_jinja_environment(substitutions_dict):
 _get_jinja_environment.env.filters['banner_regexify'] = banner_regexify
 _get_jinja_environment.env.filters['escape_id'] = escape_id
 _get_jinja_environment.env.filters['escape_regex'] = escape_regex
+ _get_jinja_environment.env.filters['escape_regex_all'] = escape_regex_all
+ _get_jinja_environment.env.filters['escape_regex_sq'] = escape_regex_sq
 _get_jinja_environment.env.filters['escape_yaml_key'] = escape_yaml_key
 _get_jinja_environment.env.filters['quote'] = shell_quote
 _get_jinja_environment.env.filters['sha256'] = sha256
diff --git a/ssg/utils.py b/ssg/utils.py
index 1c2ac1d4251..d4ff0ba77b2 100644
--- a/ssg/utils.py
+++ b/ssg/utils.py
@@ -343,12 +343,33 @@ def mkdir_p(path):
 raise
+# Mimic from python 3.11, but drop ws
+# SPECIAL_CHARS
+# closing ')', '}' and ']'
+# '-' (a range in character set)
+# '&', '~', (extended character set operations)
+# '#' (comment) and WHITESPACE (ignored) in verbose mode
+_special_chars_map = {i: '\\' + chr(i) for i in b'()[]{}?*+-|^$\\.&~#'}
+
 def escape_regex(text):
 # We could use re.escape(), but it escapes too many characters, including plain white space.
- # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it.
- # See https://docs.python.org/3/library/re.html#re.sub
 # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped.
- return re.sub(r"([#$&*+.^`|~:()-])", r"\\\1", text)
+ return text.translate(_special_chars_map)
+
+
+ # all special characters, by ascii order
+_all_special_chars_map = {i: '\\' + chr(i) for i in b'!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~'}
+_all_special_chars_map_sq = {
+ i: (('[' + chr(i) + ']') if i != '^' else ('\\' + chr(i)))
+ for i in b'!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~'
+}
+
+def escape_regex_all(text):
+ return text.translate(_all_special_chars_map)
+
+
+def escape_regex_sq(text):
+ return text.translate(_all_special_chars_map_sq)
 def escape_id(text):
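Review bot: In `_all_special_chars_map_sq` the condition `i != '^'` compares the int produced by iterating the bytes literal with a one-character str, so it is always true and `^` is mapped to `[^]` rather than the `\^` that the template reference for `escape_regex_sq` promises; `[^]` is not a valid bracket expression. The test should be `i: (('[' + chr(i) + ']') if i != ord('^') else ('\\' + chr(i)))`. Note also that the `[\]` entry is a literal backslash only in POSIX bracket expressions (sed); if the filter output is ever consumed by Python's re it is an unterminated class, so a comment naming the intended consumer of `escape_regex_sq` would help the next reader. The docstring-less functions would also benefit from a one-line comment each stating that they escape for a regex and which character set they cover.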
From 5d5821e746175279655b2d44037518e214f11362 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 12:39:25 +0300 Subject: [PATCH 02/44] change: sysctl: enable fedora Mostly where ever rhel8 / rhel9 is used. --- .../sysctl_net_ipv6_conf_all_accept_ra/rule.yml | 2 +- .../rule.yml | 2 +- .../sysctl_net_ipv4_conf_all_forwarding/rule.yml | 2 +- .../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 2 +- .../tests/value_1.pass.sh | 2 +- .../tests/value_2.pass.sh | 2 +- .../sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml | 2 +- .../sysctl_net_ipv4_tcp_rfc1337/rule.yml | 2 +- .../sysctl_kernel_kptr_restrict/rule.yml | 2 +- .../tests/value_1.pass.sh | 2 +- .../tests/value_2.pass.sh | 2 +- .../sysctl_kernel_core_pattern/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../tests/system_default.pass.sh | 2 +- .../tests/value_0.fail.sh | 2 +- .../tests/value_1.pass.sh | 2 +- .../tests/value_2.pass.sh | 2 +- shared/macros/01-general.jinja | 14 +++++++------- shared/macros/10-ocil.jinja | 4 ++-- shared/macros/10-warning.jinja | 2 +- shared/templates/sysctl/ansible.template | 2 +- shared/templates/sysctl/bash.template | 2 +- shared/templates/sysctl/oval.template | 8 ++++---- 24 files changed, 34 insertions(+), 34 deletions(-) diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml index 94815148334..a425bfdf867 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: alinux2,alinux3,anolis8,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 +prodtype: alinux2,alinux3,anolis8,fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15,ubuntu2004,ubuntu2204 title: 'Configure Accepting Router Advertisements on All IPv6 Interfaces' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml index 67ba7b2236a..d8003f1ec09 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle12,sle15 +prodtype: fedora,sle12,sle15 title: 'Disable Kernel Parameter for IPv6 Forwarding by default' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml index a75bcc616d7..261af9aea5e 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel7,rhel8,rhel9 +prodtype: fedora,rhel7,rhel8,rhel9 title: 'Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces' 
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml index e3b2b18f03e..2e6e722ebb5 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml @@ -87,7 +87,7 @@ template: name: sysctl vars: sysctlvar: net.ipv4.conf.all.rp_filter - {{% if 'ol' in product or 'rhel' in product %}} + {{% if product in ['fedora'] or 'ol' in product or 'rhel' in product %}} sysctlval: - '1' - '2' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh index 583b70a3b97..7cba4000510 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh index ef545976dc6..4c029a5a8d1 100644 
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml index 59462471b30..86aaf669d5f 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle15 +prodtype: fedora,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,sle15 title: 'Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments' diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml index f62f1616f2c..25ecaf57f45 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_rfc1337/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 +prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 title: 'Enable Kernel Parameter to Use TCP RFC 1337 on IPv4 Interfaces' diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml index 367934b5672..2af92dd3407 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml @@ -69,7 +69,7 @@ template: name: sysctl vars: sysctlvar: kernel.kptr_restrict - {{% if 'ol' in product or 'rhel' in product %}} + {{% if product in ['fedora'] or 'ol' in product or 'rhel' in product %}} sysctlval: - '1' - '2' diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh index 70189666c16..d0e07492343 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* 
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh index 209395fa9a1..2b4f2df2aed 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = multi_platform_ol,multi_platform_rhel +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml index e369854060b..66023baffe8 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml @@ -13,7 +13,7 @@ rationale: |- severity: medium -{{% if product in ["rhel9"] %}} +{{% if product in ["fedora", "rhel9"] %}} conflicts: - sysctl_kernel_core_pattern_empty_string {{% endif %}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml index 2babb28e361..16d797c1939 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel9 +prodtype: fedora,rhel9 title: 'Disable storing core dumps' 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml index 259d1f901c6..c9f14d3fbbb 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhel9 +prodtype: fedora,rhel9 title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes' diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh index b9776227bdb..5c24a041634 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,multi_platform_fedora # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh index 9f19e0140b4..3411f8c8b2b 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh 
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,multi_platform_fedora # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh index e976db594c8..6ce43317db1 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,multi_platform_fedora # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh index b1537175eb4..7768bbe56a2 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Red Hat Enterprise Linux 9 +# platform = Red Hat Enterprise Linux 9,multi_platform_fedora # Clean sysctl config directories rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* 
diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index e6abd0a2fae..92f08808293 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja @@ -272,7 +272,7 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo To configure the system to prevent the {{{ module }}} kernel module from being loaded, add the following line to the file /etc/modprobe.d/{{{ module }}}.conf:
install {{{ module }}} /bin/true
- {{% if product in ["ol7", "ol8", "rhel7", "rhel8"] %}} + {{% if product in ["fedora", "ol7", "ol8", "rhel7", "rhel8"] %}} To configure the system to prevent the {{{ module }}} from being used, add the following line to file /etc/modprobe.d/{{{ module }}}.conf:
blacklist {{{ module }}}
@@ -977,7 +977,7 @@ Operator see #}} {{% macro rule_notapplicable_when_ovirt_installed() %}} -{{%- if product == "rhel8" %}} +{{%- if product in ["fedora", "rhel8"] %}} - no_ovirt {{%- endif %}} {{% endmacro %}} @@ -989,7 +989,7 @@ Operator see #}} {{%- macro describe_grub2_argument(arg_name_value) -%}} -{{%- if product in ["ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9"] or 'ubuntu' in product -%}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9"] or "ubuntu" in product -%}} To ensure that {{{ arg_name_value }}} is added as a kernel command line argument to newly installed kernels, add {{{ arg_name_value }}} to the default Grub2 command line for Linux operating systems. Modify the line within @@ -1067,7 +1067,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }} #}} {{%- macro aide_string() -%}} -{{%- if 'rhel' not in product and 'ubuntu' not in product and product != 'ol8' -%}} +{{%- if product not in ['fedora', 'ol8'] and 'rhel' not in product and 'ubuntu' not in product -%}} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 {{%- else -%}} p+i+n+u+g+s+b+acl+xattrs+sha512 @@ -1084,9 +1084,9 @@ p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/ausearch {{{ aide_string() }}} /usr/sbin/aureport {{{ aide_string() }}} /usr/sbin/autrace {{{ aide_string() }}} - {{% if 'rhel' not in product and product != 'ol8' %}}/usr/sbin/audispd {{{ aide_string() }}}{{% endif %}} + {{% if product not in ['fedora', 'ol8'] and 'rhel' not in product %}}/usr/sbin/audispd {{{ aide_string() }}}{{% endif %}} {{% if product == 'ol8' %}}/usr/sbin/rsyslogd {{{ aide_string() }}}{{% endif %}} - {{% if product == 'rhel9' %}}/usr/sbin/autrace {{{ aide_string() }}}{{% endif %}} + {{% if product in ['fedora', 'rhel9'] %}}/usr/sbin/autrace {{{ aide_string() }}}{{% endif %}} /usr/sbin/augenrules {{{ aide_string() }}} {{% endmacro %}} 
@@ -1120,7 +1120,7 @@ Part of the grub2_bootloader_argument(_absent) templates. {{%- else -%}} {{{ raise("Unknown action" + action) }}} {{%- endif -%}} - {{%- if product in ["rhel8", "ol8"] -%}} + {{%- if product in ["fedora", "ol8", "rhel8"] -%}} {{# Suppress the None output of append -#}} {{{ grub_helper_args.append("--env=/boot/grub2/grubenv") or "" }}} {{%- endif -%}} diff --git a/shared/macros/10-ocil.jinja b/shared/macros/10-ocil.jinja index f021abc92ae..be0e2eaff2c 100644 --- a/shared/macros/10-ocil.jinja +++ b/shared/macros/10-ocil.jinja @@ -702,7 +702,7 @@ ocil_clause: '"{{{ part }}} is not a mountpoint" is returned' If the system is configured to prevent the loading of the {{{ module }}} kernel module, it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event. - {{% if product in ["ol7", "ol8", "rhel7", "rhel8"] %}} + {{% if product in ["fedora", "ol7", "ol8", "rhel7", "rhel8"] %}} These lines can also instruct the module loading system to ignore the {{{ module }}} kernel module via blacklist keyword. {{% endif %}} Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf: @@ -1011,7 +1011,7 @@ ocil_clause: "the correct value is not returned" The parameter should have form `parameter=value`. #}} {{%- macro ocil_grub2_argument(arg_name_value) -%}} -{{%- if product in ["ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9"] or 'ubuntu' in product -%}} +{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel7", "rhel8", "rhel9"] or "ubuntu" in product -%}} Inspect the form of default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes {{{ arg_name_value }}}, then the parameter will be configured for newly installed kernels. 
diff --git a/shared/macros/10-warning.jinja b/shared/macros/10-warning.jinja index 8ab6dd7c2a9..79627bce27d 100644 --- a/shared/macros/10-warning.jinja +++ b/shared/macros/10-warning.jinja @@ -5,7 +5,7 @@ :param rationale: Explanation why RHV needs the rule disabled. #}} {{% macro warning_ovirt_rule_notapplicable(rationale) %}} -{{%- if product == "rhel8" %}} +{{%- if product in ["fedora", "rhel8"] %}} - general: |- This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. {{{ rationale }}}. diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index 4c2eade72e6..5a2fbc95307 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template @@ -17,7 +17,7 @@ - "/run/sysctl.d/" - "/usr/local/lib/sysctl.d/" {{% endif %}} -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - "/usr/lib/sysctl.d/" {{% endif %}} contains: '^[\s]*{{{ SYSCTLVAR }}}.*$' diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index 49e4d949be0..66814fe42e3 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template @@ -7,7 +7,7 @@ # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files {{% if product in [ "sle12", "sle15"] %}} for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do -{{% elif product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +{{% elif product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do {{% else %}} for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do 
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template index 3fe6de1c185..1a0c60a83fb 100644 --- a/shared/templates/sysctl/oval.template +++ b/shared/templates/sysctl/oval.template @@ -134,7 +134,7 @@ test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/> -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} {{% endif %}} @@ -174,7 +174,7 @@ {{{ state_static_sysctld("run_sysctld") }}} -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} object_static_run_sysctld_{{{ rule_id }}} -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} object_static_usr_lib_sysctld_{{{ rule_id }}} {{% endif %}} @@ -249,7 +249,7 @@ {{{ sysctl_match() }}} -{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} /usr/lib/sysctl.d ^.*\.conf$ From d0c432bb527d2e01020027ed0232066fbdb39740 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Thu, 4 May 2023 13:08:02 +0300 Subject: [PATCH 03/44] feature: bash: add bash_sed_escape_* bash_sed_escape_regexp is for s regexp and bash_sed_escape_replacement is for replacement --- shared/macros/10-bash.jinja | 46 +++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 44642ab1ea8..14d23430e87 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -15,6 +15,52 @@ Then, assume that variables of that names are defined and contain the correct va
 {{%- endmacro -%}}
+{{#
+Escape value to be used in sed s command as regexp, all but \w is quoted::
+
+Any control characters are replaced with space except \0 (null character) and
+\t (horizontal tab). \0 does not work right in shell anyways (only as input
+separator and there as 0 length). As hex \x01-\x08 \x0a-1f \x7f.
+
+There is bash_sed_escape_replacement for replacement escape.
+
+ variable=$'q"$(foo^bar)/`rm -rf`'
+ {{{ bash_sed_escape_regexp("variable", "result_variable") }}}
+ sed -Ei "s/${result_variable}/replacement/" file
+
+:param variable: string, shell variable name with content to be escaped
+:param result_variable: string, shell variable name where escaped content is placed
+
+#}}
+{{%- macro bash_sed_escape_regexp(variable, result_variable) -%}}
+{{#-
+ First weed out control characters. See: ascii(7)
+ Then escape other than \w and ^ with [ ]. And then ^ with \^.
+ And use bash replacement to remove \n.
+-#}}
+{{{ result_variable }}}="$(LC_ALL=C sed 's/[\x01-\x08\x0a-\x1f\x7f]/ /g;s/[^^a-zA-Z0-9_]/[&]/g;s/\^/\\^/g' <<< "{{{ "${" ~ variable ~ "//[$'\n']/ }" }}}")"
+{{%- endmacro -%}}
+
+
+{{#
+ Escape value to be used in sed s as replacement, against / and \ (like \1)
+
+Any control characters are replaced with space except \0 (null character) and
+\t (horizontal tab). \0 does not work right in shell anyways.
As hex \x01-\x08 +\x0a-1f \x7f + +:param variable shell: variable name with content to be escaped +:param result_variable: shell variable name where escaped content is placed +:param delim: optional delim in s expression, default '/' + +#}} +{{%- macro bash_sed_escape_replacement(variable, result_variable, delim="/") -%}} +{{{ result_variable }}}="{{{ "${" ~ variable }}}//\\/\\\\/}" +{{{ result_variable }}}="{{{ "${" ~ result_variable }}}//[$'\x01-\x08\x0a-\x1f\x7f']/ }" +{{{ result_variable }}}="{{{ "${" ~ result_variable }}}//\{{{ delim }}}/\\\{{{ delim ~ "}" }}}" +{{%- endmacro -%}} + + {{# Make sure that we have a line like this in pamFile (additional options are left as-is): type control module option=valueRegexArg From eca3fc7db0ba63f0b477ae7b24a4fca874d078a4 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 11:34:17 +0300 Subject: [PATCH 04/44] feature: bash: add bash_sysctl_* /etc/sysctl.conf or any related directories might not exist. Implement `bash_sysctl_test_clean` to ensure all sysctl directories and files do exist, and there can only be configuration at `/etc/sysctl.conf`. Implement `bash_sysctl_set_remediate_file_name`. Only one place to set where file used to set `sysctl` remediation variables. Implement `bash_sysctl_set_config_directories`. Per product list of directories we are managing. Not all products manage all directories. If there is some reason to modify this phase, now there is shared place to do it. Use it in all `sysctl` template tests. Also match documentation to implementation. From: sysctl.conf(5) ... FILES /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf ... --- docs/templates/template_reference.md | 4 +- shared/macros/10-bash.jinja | 61 ++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 1 deletion(-) 
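Review bot: The first assignment in `bash_sed_escape_replacement` appears to render as `${variable//\\/\\\\/}`; in a `${var//pattern/replacement}` expansion everything up to the closing brace is the replacement, so the trailing `/` would be part of it and every backslash would become `\\/` rather than `\\`, which the third assignment then turns into `\\\/`. If that is indeed the rendered text, the line should be `{{{ result_variable }}}="{{{ "${" ~ variable }}}//\\/\\\\}"`. I am reading this from a collapsed patch, so please confirm the rendered output before changing it. Separately, the `\xHH` ranges in the sed bracket expression of `bash_sed_escape_regexp` are a GNU sed extension; a comment on that line noting the GNU sed dependency would save someone debugging it on a different sed.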
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index cbe1c03e4b0..a20f0d94304 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -834,8 +834,10 @@ The selected value can be changed in the profile (consult the actual variable fo sysctl configurations: - /etc/sysctl.conf - /etc/sysctl.d/\*.conf + - /lib/sysctl.d/\*.conf (does not apply to Fedora, RHEL and OL) - /run/sysctl.d/\*.conf - - /usr/lib/sysctl.d/\*.conf (does not apply to RHEL and OL) + - /usr/local/lib/sysctl.d/\*.conf (only if SLE) + - /usr/lib/sysctl.d/\*.conf (does not apply to Fedora, RHEL and OL) A sysctl option is allowed to be defined in more than one file within the scanned directories as long as those values are compliant. diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 14d23430e87..3c845f8e27b 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -2432,6 +2432,67 @@ fi {{%- endmacro %}} +{{# +Set shell variable containing sysctl.d directories to handle + +This is not about directories sysctl supports in product, but what directories +are considered managed. + +:param variable: string, shell array variable name to be set +:param all_possible: boolean, default false, limit per product + +See: sysctl.conf(5) +#}} +{{%- macro bash_sysctl_set_config_directories(variable, all_possible=false) -%}} +{{{ variable }}}=( + /etc/sysctl.d + /run/sysctl.d +{{%- if product in [ "sle12", "sle15"] or all_possible %}} + /usr/local/lib/sysctl.d +{{%- endif -%}} +{{%- if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] or all_possible %}} + /usr/lib/sysctl.d + /lib/sysctl.d +{{%- endif %}} +) +{{%- endmacro -%}} + + +{{# +Set shell variable to sysctl filename used in remediate + +:param variable: string, shell variable name to be set +:param SYSCTLVAR: sysctl variable name in question +#}} +{{%- macro bash_sysctl_set_remediate_file_name(variable, SYSCTLVAR) -%}} +{{{ variable }}}= +{{%- if sysctl_remediate_drop_in_file == "true" -%}} +"/etc/sysctl.d/{{{ SYSCTLVAR | replace(".", "_") | replace('/', '_') }}}.conf" +{{%- else -%}} +"/etc/sysctl.conf" +{{%- endif %}} +{{%- endmacro -%}} + + +{{# +Generate code to clean sysctl environment + +:param all_possible: boolean, default true, not limit per product + +Ensure test environment is controlled, meaning empty, but existing directories +and /etc/sysctl.conf as pre-existing stage. Meant to be used at start of sysctl +test cases. 
+#}} +{{%- macro bash_sysctl_test_clean(all_possible=true) -%}} +{{{ bash_sysctl_set_config_directories('sysctl_directories', all_possible=all_possible) }}} +mkdir -p -- "${sysctl_directories[@]}" +for d in "${sysctl_directories[@]}"; do + rm -rf -- "${d}"/* +done +[ -f /etc/sysctl.conf ] || touch /etc/sysctl.conf +{{%- endmacro -%}} + + {{# This macro creates a Bash conditional which is used to determine if a remediation is applicable. The condition compares the actual version of the From 95f6a3e54774945302f5a7bdc1a9f3219a0e5ffa Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 11:44:01 +0300 Subject: [PATCH 05/44] fix: bash_replace_or_append: use bash_sed_escape_replacement Use bash pattern to strip key from undesirables instead of invoking sed. Some style fixes. --- shared/macros/10-bash.jinja | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 3c845f8e27b..af7723fc570 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1537,7 +1537,6 @@ cce="{{{ cce_identifiers['cce'] }}}" #}} {{%- macro bash_replace_or_append(config_file, key, value, format='%s = %s') -%}} - # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') 
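Review bot: `rm -rf -- "${d}"/*` in bash_sysctl_test_clean does not remove dot-prefixed entries and, if a test script ever enables `failglob`, fails outright on an empty directory, so the "empty, but existing directories" guarantee in the macro comment is weaker than stated; `find "${d}" -mindepth 1 -delete` clears the directory regardless of hidden names or shell options. In bash_sysctl_set_remediate_file_name, `SYSCTLVAR` is rendered into a double-quoted bash string after only `.` and `/` are replaced, which is fine because the value comes from rule templates, but that assumption deserves a line in the macro header: `# SYSCTLVAR is template-controlled; it is not shell-escaped here`. On usr-merged systems `/lib/sysctl.d` and `/usr/lib/sysctl.d` are the same directory, so the array from bash_sysctl_set_config_directories processes it twice — harmless, but worth noting next to the `/lib/sysctl.d` entry.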
@@ -1547,24 +1546,25 @@ fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "{{{ key }}}") +stripped_key="{{{ key }}}" +stripped_key="${stripped_key//[$'^=$,;+']}" # shellcheck disable=SC2059 -printf -v formatted_output "{{{ format }}}" "$stripped_key" "{{{ value }}}" +printf -v formatted_output "{{{ format }}}" "${stripped_key}" "{{{ value }}}" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "{{{ key }}}\\>" "{{{ config_file }}}"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - "${sed_command[@]}" "s/{{{ key }}}\\>.*/$escaped_formatted_output/gi" "{{{ config_file }}}" + {{{ bash_sed_escape_replacement("formatted_output", "escaped_formatted_output") }}} + "${sed_command[@]}" "s/{{{ key }}}\\>.*/${escaped_formatted_output}/gi" "{{{ config_file }}}" else # \n is precaution for case where file ends without trailing newline - {{% if cce_identifiers and 'cce' in cce_identifiers -%}} + {{%- if cce_identifiers and 'cce' in cce_identifiers %}} {{{ set_cce_value() }}} - printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "{{{ config_file }}}" >> "{{{ config_file }}}" + printf '\n# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "{{{ config_file }}}" >> "{{{ config_file }}}" {{%- endif %}} - printf '%s\n' "$formatted_output" >> "{{{ config_file }}}" + printf '%s\n' "${formatted_output}" >> "{{{ config_file }}}" fi {{%- endmacro -%}} From de77cd15cfe84f6e9d9c674510ad9aa3ac303493 Mon Sep 17 00:00:00 2001 
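Review bot: The replacement text passed to sed still contains unescaped `&`: bash_sed_escape_replacement, as shown at the top of this series, escapes backslashes, control characters and the delimiter only, so a value containing `&` is expanded by sed to the matched key text instead of being written literally; adding `escaped_formatted_output="${escaped_formatted_output//&/\\&}"` after the macro call (or inside the macro) closes that. In `stripped_key="${stripped_key//[$'^=$,;+']}"` the `^` sits first in the bracket expression and is only literal because it arrives through `$'…'` quoting; moving it off the first position, `[$'=$,;+^']`, keeps the behaviour and makes the intent obvious to the next reader. The old sed class `[\^=\$,;+]` also appears to have stripped a literal backslash, which the new pattern no longer does — confirm that was intended.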
From: Markus Linnala Date: Sun, 7 May 2023 15:07:17 +0300 Subject: [PATCH 06/44] fix: bash_replace_or_append: add LC_ALL=C to sed too --- shared/macros/10-bash.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index af7723fc570..f584f1a4818 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1557,7 +1557,7 @@ printf -v formatted_output "{{{ format }}}" "${stripped_key}" "{{{ value }}}" # so if we search for 'setting', 'setting2' won't match. if LC_ALL=C grep -q -m 1 -i -e "{{{ key }}}\\>" "{{{ config_file }}}"; then {{{ bash_sed_escape_replacement("formatted_output", "escaped_formatted_output") }}} - "${sed_command[@]}" "s/{{{ key }}}\\>.*/${escaped_formatted_output}/gi" "{{{ config_file }}}" + LC_ALL=C "${sed_command[@]}" "s/{{{ key }}}\\>.*/${escaped_formatted_output}/gi" "{{{ config_file }}}" else # \n is precaution for case where file ends without trailing newline {{%- if cce_identifiers and 'cce' in cce_identifiers %}} From 6807cb400f1312d18a0d6060d08e1bf6d7500a48 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 13:37:04 +0300 Subject: [PATCH 07/44] feature: bash_replace_or_append: add key_regex Baseline function striped_key just does not support complex enough regexps for key. --- shared/macros/10-bash.jinja | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index f584f1a4818..a8164ab4419 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -1534,9 +1534,13 @@ cce="{{{ cce_identifiers['cce'] }}}" :param key: Configuration option to change :param value: Value of the configuration option to change :param format: Optional argument, The printf-like format string that will be given stripped key and value as arguments, so e.g. ``%s=%s` will result in key=value substitution (i.e. without spaces around =) +:param key_regex: Optional argument, If not empty string, used as regex to match key. #}} -{{%- macro bash_replace_or_append(config_file, key, value, format='%s = %s') -%}} +{{%- macro bash_replace_or_append(config_file, key, value, format='%s = %s', key_regex='') -%}} +{{%- if key_regex == '' -%}} +{{%- set key_regex = key -%}} +{{%- endif -%}} # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') @@ -1555,9 +1559,9 @@ printf -v formatted_output "{{{ format }}}" "${stripped_key}" "{{{ value }}}" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "{{{ key }}}\\>" "{{{ config_file }}}"; then +if LC_ALL=C grep -q -m 1 -i -e "{{{ key_regex }}}\\>" "{{{ config_file }}}"; then {{{ bash_sed_escape_replacement("formatted_output", "escaped_formatted_output") }}} - LC_ALL=C "${sed_command[@]}" "s/{{{ key }}}\\>.*/${escaped_formatted_output}/gi" "{{{ config_file }}}" + LC_ALL=C "${sed_command[@]}" "s/{{{ key_regex }}}\\>.*/${escaped_formatted_output}/gi" "{{{ config_file }}}" else # \n is precaution for case where file ends without trailing newline {{%- if cce_identifiers and 'cce' in cce_identifiers %}} From a9d8a7d1ffc99a8d758bbc0338441e0f9c06543e Mon Sep 17 00:00:00 2001 
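Review bot: `key_regex` is spliced verbatim into `s/{{{ key_regex }}}\>.*/…/gi`, where `/` is the sed delimiter, so any regex containing an unescaped `/` terminates the expression early and the sed call fails or rewrites the wrong text; the docstring should state the contract, e.g. `:param key_regex: Optional, a GNU grep/sed BRE used instead of key for matching; must not contain an unescaped '/'.` It is also worth saying there that `stripped_key` (the text written to the file) is still derived from `key`, so callers passing `key_regex` must keep `key` as the literal option name. The macro body continues outside both hunks.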
From: Markus Linnala Date: Sun, 7 May 2023 13:52:22 +0300 Subject: [PATCH 08/44] feature: bash_replace_or_append: add ignore_case Sometimes data is not case insensitive and case can not be ignored. --- shared/macros/10-bash.jinja | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index a8164ab4419..1da6d12269e 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1535,9 +1535,10 @@ cce="{{{ cce_identifiers['cce'] }}}" :param value: Value of the configuration option to change :param format: Optional argument, The printf-like format string that will be given stripped key and value as arguments, so e.g. ``%s=%s` will result in key=value substitution (i.e. without spaces around =) :param key_regex: Optional argument, If not empty string, used as regex to match key. +:param ignore_case: boolean, Default true. #}} -{{%- macro bash_replace_or_append(config_file, key, value, format='%s = %s', key_regex='') -%}} +{{%- macro bash_replace_or_append(config_file, key, value, format='%s = %s', key_regex='', ignore_case=true) -%}} {{%- if key_regex == '' -%}} {{%- set key_regex = key -%}} {{%- endif -%}} @@ -1548,6 +1549,11 @@ if test -L "{{{ config_file }}}"; then sed_command+=('--follow-symlinks') fi +grep_command=(grep) +{{%- if ignore_case %}} +grep_command+=(-i) +{{%- endif %}} + # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key="{{{ key }}}" 
@@ -1559,7 +1565,7 @@ printf -v formatted_output "{{{ format }}}" "${stripped_key}" "{{{ value }}}" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "{{{ key_regex }}}\\>" "{{{ config_file }}}"; then +if LC_ALL=C "${grep_command[@]}" -q -m 1 -e "{{{ key_regex }}}\\>" "{{{ config_file }}}"; then {{{ bash_sed_escape_replacement("formatted_output", "escaped_formatted_output") }}} LC_ALL=C "${sed_command[@]}" "s/{{{ key_regex }}}\\>.*/${escaped_formatted_output}/gi" "{{{ config_file }}}" else From fe359f9dd7e45ab4f4447137a5df79d8a3362cec Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 15:04:32 +0300 Subject: [PATCH 09/44] feature: bash_replace_or_append: add word_boundary Sometimes data does not end at word boundary as regexp word boundary \> understands it. --- shared/macros/10-bash.jinja | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 1da6d12269e..9c5243c6bbc 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
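Review bot: The sed command on the `+` line keeps the unconditional `gi` flags, so with `ignore_case=false` grep selects lines case-sensitively but sed still rewrites every case variant of `key_regex` — `Key = x` and `key = y` both collapse to the new value. Make the flag follow the parameter: `…/${escaped_formatted_output}/{{{ 'gi' if ignore_case else 'g' }}}" "{{{ config_file }}}"`. The `g` flag is redundant since `.*` consumes the rest of the line, but keeping it is harmless.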
@@ -1536,9 +1536,10 @@ cce="{{{ cce_identifiers['cce'] }}}" :param format: Optional argument, The printf-like format string that will be given stripped key and value as arguments, so e.g. ``%s=%s` will result in key=value substitution (i.e. without spaces around =) :param key_regex: Optional argument, If not empty string, used as regex to match key. :param ignore_case: boolean, Default true. +:param word_boundary: regex, Default "\>". #}} -{{%- macro bash_replace_or_append(config_file, key, value, format='%s = %s', key_regex='', ignore_case=true) -%}} +{{%- macro bash_replace_or_append(config_file, key, value, format='%s = %s', key_regex='', ignore_case=true, word_boundary="\\>") -%}} {{%- if key_regex == '' -%}} {{%- set key_regex = key -%}} {{%- endif -%}} @@ -1563,11 +1564,11 @@ stripped_key="${stripped_key//[$'^=$,;+']}" printf -v formatted_output "{{{ format }}}" "${stripped_key}" "{{{ value }}}" # If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), +# We search for the key string followed by a word boundary (matched by {{{ word_boundary }}}), # so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C "${grep_command[@]}" -q -m 1 -e "{{{ key_regex }}}\\>" "{{{ config_file }}}"; then +if LC_ALL=C "${grep_command[@]}" -q -m 1 -e "{{{ key_regex ~ word_boundary }}}" "{{{ config_file }}}"; then {{{ bash_sed_escape_replacement("formatted_output", "escaped_formatted_output") }}} - LC_ALL=C "${sed_command[@]}" "s/{{{ key_regex }}}\\>.*/${escaped_formatted_output}/gi" "{{{ config_file }}}" + LC_ALL=C "${sed_command[@]}" "s/{{{ key_regex ~ word_boundary }}}.*/${escaped_formatted_output}/gi" "{{{ config_file }}}" else # \n is precaution for case where file ends without trailing newline {{%- if cce_identifiers and 'cce' in cce_identifiers %}} From c3632e21b05c7f04305c3ab55900ea3772d09f45 Mon Sep 17 00:00:00 2001 
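Review bot: With `word_boundary=''` the pattern degrades to `key_regex.*`, so `setting` now also matches and rewrites `setting2 = …`, yet the rendered comment still promises that "'setting2' won't match"; reword it to `# We search for the key string followed by {{{ word_boundary }}} (empty means prefix match)`. `\>` is a GNU extension, acceptable here because the macro already relies on GNU `sed -i`, but the docstring should say so: `:param word_boundary: regex appended to key_regex, default GNU "\>"; pass "" to disable.`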
From: Markus Linnala Date: Fri, 4 Mar 2022 19:44:37 +0200 Subject: [PATCH 10/44] fix: sysctl/tests: use bash_sysctl_test_clean --- .../tests/value_1.pass.sh | 3 +-- .../tests/value_2.pass.sh | 3 +-- .../tests/wrong_value_run_sysctl_d.fail.sh | 3 +-- .../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 3 +-- .../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 3 +-- .../tests/correct_value.pass.sh | 3 +-- .../tests/correct_value_with_spaces.pass.sh | 3 +-- .../tests/wrong_value.fail.sh | 3 +-- .../tests/wrong_value_d_directory.fail.sh | 4 ++-- .../tests/wrong_value_runtime.fail.sh | 3 +-- .../tests/wrong_value_three_entries.fail.sh | 3 +-- .../tests/wrong_value_two_entries.fail.sh | 3 +-- .../tests/system_default.pass.sh | 3 +-- .../tests/value_0.fail.sh | 3 +-- .../tests/value_1.pass.sh | 3 +-- .../tests/value_2.pass.sh | 3 +-- shared/templates/sysctl/tests/comment.fail.sh | 3 +-- shared/templates/sysctl/tests/correct_value.pass.sh | 3 +-- .../sysctl/tests/correct_value_usr_local_lib.pass.sh | 6 ++---- shared/templates/sysctl/tests/line_not_there.fail.sh | 3 +-- .../sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh | 3 +-- .../tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh | 3 +-- shared/templates/sysctl/tests/symlink_conflicting.fail.sh | 3 +-- .../templates/sysctl/tests/symlink_different_option.pass.sh | 3 +-- .../sysctl/tests/symlink_repeated_sysctl_conf.pass.sh | 3 +-- .../templates/sysctl/tests/symlink_root_duplicate.pass.sh | 3 +-- .../sysctl/tests/symlink_root_duplicate_conflicting.fail.sh | 3 +-- .../templates/sysctl/tests/symlink_root_incompliant.fail.sh | 3 +-- shared/templates/sysctl/tests/symlink_same_option.pass.sh | 3 +-- shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh | 3 +-- shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh | 3 +-- .../sysctl/tests/two_sysctls_on_d_conflicting.fail.sh | 3 +-- .../templates/sysctl/tests/two_sysctls_on_same_file.pass.sh | 3 +-- .../sysctl/tests/two_sysctls_on_same_file_name.pass.sh | 3 
+-- .../tests/two_sysctls_on_same_file_name_conflicting.fail.sh | 3 +-- shared/templates/sysctl/tests/wrong_runtime.fail.sh | 3 +-- shared/templates/sysctl/tests/wrong_value.fail.sh | 3 +-- .../templates/sysctl/tests/wrong_value_d_directory.fail.sh | 3 +-- .../sysctl/tests/wrong_value_usr_local_lib.fail.sh | 6 ++---- 39 files changed, 42 insertions(+), 82 deletions(-) diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh index 7cba4000510..ee9e6a74d3a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh @@ -1,8 +1,7 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh index 4c029a5a8d1..d0c43416c74 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh 
@@ -1,8 +1,7 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh index d02cf11f072..7b33847679a 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/wrong_value_run_sysctl_d.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf echo "net.ipv4.conf.default.accept_source_route = 1" >> /run/sysctl.d/run.conf diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh index d0e07492343..ba7cb328bcb 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh 
@@ -1,8 +1,7 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh index 2b4f2df2aed..3478c09fffb 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh @@ -1,8 +1,7 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh index 71f0f5db142..cfdda40559e 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh 
@@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh index b6688e6ca91..bcc639a5f32 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern= " >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh index 1c5fabcc136..89825157bb3 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh index 6c574b92762..a70d26885b1 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* + +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/98-sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh index 8c729677b86..20d1f8984c8 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh index e56e927ec56..ded9a4d527a 100644 
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh index 6c065b1e038..086876f7971 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.core_pattern/d" /etc/sysctl.conf echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh index 5c24a041634..17dd179a946 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh 
@@ -1,5 +1,4 @@ #!/bin/bash # platform = Red Hat Enterprise Linux 9,multi_platform_fedora -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh index 3411f8c8b2b..68ae457fbef 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh @@ -1,8 +1,7 @@ #!/bin/bash # platform = Red Hat Enterprise Linux 9,multi_platform_fedora -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh index 6ce43317db1..754c6fc0cc9 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh 
@@ -1,8 +1,7 @@ #!/bin/bash # platform = Red Hat Enterprise Linux 9,multi_platform_fedora -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh index 7768bbe56a2..d4e93f95399 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh @@ -1,8 +1,7 @@ #!/bin/bash # platform = Red Hat Enterprise Linux 9,multi_platform_fedora -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/comment.fail.sh b/shared/templates/sysctl/tests/comment.fail.sh index 793963a9bb4..2d357ace920 100644 --- a/shared/templates/sysctl/tests/comment.fail.sh +++ b/shared/templates/sysctl/tests/comment.fail.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "# {{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf 
diff --git a/shared/templates/sysctl/tests/correct_value.pass.sh b/shared/templates/sysctl/tests/correct_value.pass.sh index 92aba14cf4b..d147b94ff49 100644 --- a/shared/templates/sysctl/tests/correct_value.pass.sh +++ b/shared/templates/sysctl/tests/correct_value.pass.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh index 19769ebae7e..840072e8b9f 100644 --- a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh +++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh @@ -3,12 +3,10 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -{{% if product not in ["sle12","sle15"] %}} -rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} +{{% if product not in ["sle12","sle15"] %}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf -mkdir /usr/local/lib/sysctl.d/ echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /usr/local/lib/sysctl.d/correct.conf # set correct runtime value to check if the filesystem configuration is evaluated properly diff --git a/shared/templates/sysctl/tests/line_not_there.fail.sh b/shared/templates/sysctl/tests/line_not_there.fail.sh index 40b86bc183c..23ba42bfbcb 100644 --- a/shared/templates/sysctl/tests/line_not_there.fail.sh +++ b/shared/templates/sysctl/tests/line_not_there.fail.sh 
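Review bot: After removing the explicit `mkdir /usr/local/lib/sysctl.d/`, the `echo … >> /usr/local/lib/sysctl.d/correct.conf` line silently relies on `bash_sysctl_test_clean()` being called with its default `all_possible=true`, which is not visible from this file; pass it explicitly, `{{{ bash_sysctl_test_clean(all_possible=true) }}}`, so the test keeps working if the default is later narrowed per product. The re-added product guard `{{% if product not in ["sle12","sle15"] %}}` now covers only the sed/echo lines; its `{{% endif %}}` is outside the hunk.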
@@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh index b8ab0b83e3a..f1c5127cbe6 100644 --- a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh +++ b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh index db7421debaf..53be8b34b8b 100644 --- a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_conflicting.fail.sh b/shared/templates/sysctl/tests/symlink_conflicting.fail.sh index e8109d0f9fd..338b7d56637 100644 --- a/shared/templates/sysctl/tests/symlink_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/symlink_conflicting.fail.sh 
@@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_different_option.pass.sh b/shared/templates/sysctl/tests/symlink_different_option.pass.sh index d8020b5bed1..bfead4c09cf 100644 --- a/shared/templates/sysctl/tests/symlink_different_option.pass.sh +++ b/shared/templates/sysctl/tests/symlink_different_option.pass.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh b/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh index 50b1c5da72c..0c61b136eb9 100644 --- a/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh +++ b/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh b/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh index 0fb25ae7383..439d80b2f47 100644 --- a/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh 
+++ b/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh b/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh index 001a59f24e3..5fa2bc3df86 100644 --- a/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh b/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh index 001a59f24e3..5fa2bc3df86 100644 --- a/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh +++ b/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlink_same_option.pass.sh b/shared/templates/sysctl/tests/symlink_same_option.pass.sh index 4a35ea14eee..ba583d6ce6e 100644 
--- a/shared/templates/sysctl/tests/symlink_same_option.pass.sh +++ b/shared/templates/sysctl/tests/symlink_same_option.pass.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh b/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh index 0b7f0405603..af5beef7c00 100644 --- a/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh +++ b/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh b/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh index 098aa71058d..56c9b41e8cf 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh b/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh index 9b40f6dae72..40a1161e60b 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh 
+++ b/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh b/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh index 8646946b5ca..3e06620656c 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh index 4e7e0c39c4d..8c27cdefdd6 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh index 384a54296e4..a1da2a2aa43 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh 
@@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/wrong_runtime.fail.sh b/shared/templates/sysctl/tests/wrong_runtime.fail.sh index b7cc218460e..9d759fd4a1c 100644 --- a/shared/templates/sysctl/tests/wrong_runtime.fail.sh +++ b/shared/templates/sysctl/tests/wrong_runtime.fail.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/wrong_value.fail.sh b/shared/templates/sysctl/tests/wrong_value.fail.sh index aeee5050f93..4d43ddc15ed 100644 --- a/shared/templates/sysctl/tests/wrong_value.fail.sh +++ b/shared/templates/sysctl/tests/wrong_value.fail.sh @@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /etc/sysctl.conf diff --git a/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh b/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh index fe6345945c4..0fe9e6aa6fc 100644 --- a/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh +++ b/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh 
@@ -3,8 +3,7 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /etc/sysctl.d/98-sysctl.conf diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh index 5b03e6c3969..19b96b576b1 100644 --- a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh +++ b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh @@ -3,12 +3,10 @@ # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} -# Clean sysctl config directories -{{% if product not in ["sle12","sle15"] %}} -rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* +{{{ bash_sysctl_test_clean() }}} +{{% if product not in ["sle12","sle15"] %}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf -mkdir /usr/local/lib/sysctl.d/ echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/local/lib/sysctl.d/wrong.conf # Setting correct runtime value From b2b78bfa2ee1adfb6f0aba5d6eccff0c2790ed08 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 13:13:46 +0300 Subject: [PATCH 11/44] fix: sysctl/tests: use bash_sysctl_set_config_directories --- .../sysctl/tests/correct_value_usr_local_lib.pass.sh | 7 +++++-- .../sysctl/tests/wrong_value_usr_local_lib.fail.sh | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh index 840072e8b9f..ee7ab684f38 100644 --- a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh +++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh 
@@ -5,10 +5,13 @@ {{{ bash_sysctl_test_clean() }}} -{{% if product not in ["sle12","sle15"] %}} +{{{ bash_sysctl_set_config_directories('sysctl_directories') }}} +for d in "${sysctl_directories[@]}"; do +if [[ "${d}" == /usr/local/lib/sysctl.d ]]; then sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_CORRECT_VALUE }}}" >> /usr/local/lib/sysctl.d/correct.conf # set correct runtime value to check if the filesystem configuration is evaluated properly sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}" -{{% endif %}} +fi +done diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh index 19b96b576b1..96a0f7c99d3 100644 --- a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh +++ b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh @@ -5,10 +5,13 @@ {{{ bash_sysctl_test_clean() }}} -{{% if product not in ["sle12","sle15"] %}} +{{{ bash_sysctl_set_config_directories('sysctl_directories') }}} +for d in "${sysctl_directories[@]}"; do +if [[ "${d}" == /usr/local/lib/sysctl.d ]]; then sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/local/lib/sysctl.d/wrong.conf # Setting correct runtime value sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}" -{{% endif %}} +fi +done From a3f855860b901d99e96e2b4a1c32c3292879cadc Mon Sep 17 00:00:00 2001 
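Review bot: The guarded branch still appends to `/usr/local/lib/sysctl.d/correct.conf`, but nothing left in the hunk creates that directory (the explicit `mkdir` was dropped by an earlier patch in this series), and whether `bash_sysctl_set_config_directories` lists only directories that exist or every product-configured path is not visible here. If it is the latter, the redirection fails with ENOENT and the scenario errors out before the check is exercised, so either add `mkdir -p /usr/local/lib/sysctl.d` before the `echo` or start the loop body with `[[ -d "${d}" ]] || continue` if only existing directories are meant to be covered. The same applies to the wrong_value_usr_local_lib.fail.sh hunk in this commit.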
From: Markus Linnala Date: Thu, 4 May 2023 12:43:31 +0300 Subject: [PATCH 12/44] fix: sysctl/bash: follow sysctl quirks more Try to implement support for all quirks from manuals. Use slightly changed logic, `bash_sed_escape_regexp`, and `quote` to achieve this. Avoid per product quirks here by using `bash_sysctl_set_config_directories` and `bash_sysctl_set_remediate_file_name`. Add LC_ALL=C to checks. Assume sysctl values can never contain \n. Most probably bad OVAL with too broad regex capture, or no capture at all, so it gets all whitespace around. sed does not allow multiline regexps and you get errors like: sed: -e expression #1, char 67: unterminated `s' command use set -epu to fail if there is any issues. Try to minimize unnecessary newlines in created files. --- shared/templates/sysctl/bash.template | 128 ++++++++++++++++++-------- 1 file changed, 91 insertions(+), 37 deletions(-) diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index 66814fe42e3..7bb57e541b9 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template 
@@ -4,63 +4,117 @@ # complexity = low # disruption = medium -# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files -{{% if product in [ "sle12", "sle15"] %}} -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do -{{% elif product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do -{{% else %}} -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do -{{% endif %}} - matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "{{{ SYSCTLVAR }}}" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done +# +# sysctl.d directories managed here. This might not be all sysctl.d supported +# directories. +# +{{{ bash_sysctl_set_config_directories('sysctl_directories') }}} # # Set sysctl config file which to save the desired value # -{{% if sysctl_remediate_drop_in_file == "true" %}} -SYSCONFIG_FILE='/etc/sysctl.d/{{{ SYSCTLVAR | replace(".","_") }}}.conf' -{{% else %}} -SYSCONFIG_FILE="/etc/sysctl.conf" -{{% endif %}} +{{{ bash_sysctl_set_remediate_file_name('SYSCONFIG_FILE', SYSCTLVAR) }}} +# +# key and value at hand +# +sysctlvar={{{ SYSCTLVAR | quote }}} {{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} {{{ bash_instantiate_variables("sysctl_" ~ SYSCTLID ~ "_value") }}} +{{#- + TODO: Seems some values contain \n, they mess up sed below this should be + fixed in OVAL. +#}} # -# Set runtime for {{{ SYSCTLVAR }}} +# Replace any control characters with space. Mainly to get rid of '\n'. +# Sysctl does have '\t', so it is allowed. 
# -/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="$sysctl_{{{ SYSCTLID }}}_value" +sysctl_{{{ SYSCTLID }}}_value="${sysctl_{{{ SYSCTLID }}}_value//[$'\x01-\x08\x0a-\x1f\x7f']/ }" +{{%- else %}} +sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTLVAL | quote }}} +{{%- endif %}} # -# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to appropriate value -# else, add "{{{ SYSCTLVAR }}} = value" to /etc/sysctl.conf +# Escape SYSCTLVAR to be used as a key for replacements. +# +# man sysctl(8) +# The '/' separator is also accepted in place of a '.'. +# +# man sysctl.conf(5) +# whitespace before and after a token ... is ignored +# ... +# Lines which begin with a # or ; are considered comments and ignored. +# ... +# If a line begins with a single -, any attempts to set the value that fail +# will be ignored. +# +# man sysctl.d(5) +# Note that either "/" or "." may be used as separators within sysctl +# variable names. If the first separator is a slash, remaining slashes +# and dots are left intact. If the first separator is a dot, dots and +# slashes are interchanged. # -{{% if sysctl_remediate_drop_in_file == "true" %}} -sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf -{{% endif %}} -{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^' ~ SYSCTLVAR , '$sysctl_' ~ SYSCTLID ~ '_value') }}} +# Note following features might not implemented properly: +# - sysctl.d features about globs or ignoring globs. +# +{{#- +Word boundary must be "=" because defafult "\>" does not work with for example +"=1". And we want to end used match with "=" as we do not want to mixup with +glob stuff. +-#}} +{{%- set word_boundary = "=" %}} -{{%- else %}} +# +# {{{ SYSCTLVAR }}} regexp +# +{{{ bash_sed_escape_regexp("sysctlvar", "sysctlvar_rx") }}} +{{#- +The pattern substitution relies bash_sed_escape_regexp to do escape as + . -> [.] + / -> [/] +both are replaced as [./], this ensures their interchangeability. 
+#}} +sysctlvar_rx="^[[:blank:]]*[-]\?[[:blank:]]*${sysctlvar_rx//\[[.\/]\]/[./]}[[:blank:]]*" + +# +# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files +# +for d in "${sysctl_directories[@]}"; do + [[ -d "${d}" ]] || continue + for f in "${d}"/*.conf; do + [[ -f "${f}" ]] || continue + readarray -t matching_list < <(LC_ALL=C grep -e "${sysctlvar_rx}{{{ word_boundary }}}" "${f}" | sort -u || :) + for entry in "${matching_list[@]}"; do + {{{ bash_sed_escape_regexp("entry", "escaped_entry") | indent(12) }}} + # comment out "{{{ SYSCTLVAR }}}" matches to preserve user data + LC_ALL=C sed --follow-symlinks -i "s/^${escaped_entry}$/# &/" "${f}" + done + done +done # # Set runtime for {{{ SYSCTLVAR }}} # -/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}" +/sbin/sysctl -q -n -w "${sysctlvar}"="${sysctl_{{{ SYSCTLID }}}_value}" # +{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} +# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to appropriate value +# else, add "{{{ SYSCTLVAR }}} = value" to /etc/sysctl.conf +{{%- else %}} # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}" -# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf +# else, add "{{{ SYSCTLVAR }}} = {{{ SYSCTLVAL }}}" to /etc/sysctl.conf +{{%- endif %}} # -{{% if sysctl_remediate_drop_in_file == "true" %}} -sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf -{{% endif %}} -{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^' ~ SYSCTLVAR , SYSCTLVAL ) }}} +{{%- if sysctl_remediate_drop_in_file == "true" %}} +LC_ALL=C sed --follow-symlinks -i "/${sysctlvar_rx}{{{ word_boundary }}}/d" /etc/sysctl.conf {{%- endif %}} +{{{ bash_replace_or_append( + "${SYSCONFIG_FILE}", + SYSCTLVAR, + "${sysctl_" ~ SYSCTLID ~ "_value}", + key_regex="${sysctlvar_rx}", + word_boundary=word_boundary, + ignore_case=false, +) }}} From 82624ff46badabdfc67e2385af4ecfb4f6b566cf Mon Sep 17 00:00:00 2001 
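Review bot: The `/etc/sysctl.conf` cleanup `LC_ALL=C sed --follow-symlinks -i "/${sysctlvar_rx}{{{ word_boundary }}}/d" /etc/sysctl.conf` uses `/` as the address delimiter, yet `sysctlvar_rx` is deliberately built to contain a literal `/` inside `[./]` (the `${sysctlvar_rx//\[[.\/]\]/[./]}` substitution a few lines up). As far as I can tell GNU sed (which `--follow-symlinks` already assumes) locates the closing delimiter before it parses bracket expressions, so the address ends at that `/` and the expression is rejected, which under the `set -e` the commit message mentions aborts the remediation on every product with `sysctl_remediate_drop_in_file` enabled. The `s/^${escaped_entry}$/# &/` line has the same exposure whenever a matched line contains `/` — a separator the hunk's own man-page excerpt says sysctl accepts — and `bash_sed_escape_regexp` emits `[/]` for it as the comment above describes. Escape the delimiter at the point of use, e.g. `LC_ALL=C sed --follow-symlinks -i "/${sysctlvar_rx//\//\\/}{{{ word_boundary }}}/d" /etc/sysctl.conf` and `LC_ALL=C sed --follow-symlinks -i "s/^${escaped_entry//\//\\/}$/# &/" "${f}"`, or switch to a delimiter that cannot occur in the pattern. Whether `bash_replace_or_append` guards its `key_regex` the same way cannot be seen from this hunk.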
From: Markus Linnala Date: Fri, 5 May 2023 18:48:16 +0300 Subject: [PATCH 13/44] fix: sysctl/tests: change wrong_value_d_directory.fail.sh to test all directories And thus wrong_value_usr_local_lib.fail.sh is not needed any more. Now wrong_value_d_directory.fail.sh tests OVAL that it finds all relevant wrong values. During remediation test that all relevant wrong values are fixed. I believe testing one directory at a time is not benefical usage of testing resources. As we want to test one item, it is to test if list of directories implemented in OVAL or in remediation are not in sync. --- .../tests/wrong_value_d_directory.fail.sh | 5 ++++- .../tests/wrong_value_usr_local_lib.fail.sh | 17 ----------------- 2 files changed, 4 insertions(+), 18 deletions(-) delete mode 100644 shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh diff --git a/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh b/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh index 0fe9e6aa6fc..635c741cfc8 100644 --- a/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh +++ b/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh @@ -6,7 +6,10 @@ {{{ bash_sysctl_test_clean() }}} sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf -echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /etc/sysctl.d/98-sysctl.conf +{{{ bash_sysctl_set_config_directories('sysctl_directories', all_possible=true) }}} +for d in "${sysctl_directories[@]}"; do +echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> "${d}"/98-sysctl.conf +done # Setting correct runtime value sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}" diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh deleted file mode 100644 index 96a0f7c99d3..00000000000 --- a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh +++ /dev/null 
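Review bot: The new loop appends to `"${d}"/98-sysctl.conf` for every entry of `sysctl_directories` without checking that the directory exists, and with `all_possible=true` the list presumably includes paths that are absent on some test images (the `mkdir` for `/usr/local/lib/sysctl.d` was removed earlier in this series). A missing directory makes the redirection fail with ENOENT, so the scenario errors instead of demonstrating that the check catches a wrong value in that location. Add `mkdir -p "${d}"` before the `echo`, or `[[ -d "${d}" ]] || continue` if the intent is to cover only directories that exist on the image.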
@@ -1,17 +0,0 @@ -#!/bin/bash -{{% if SYSCTLVAL == "" %}} -# variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} -{{% endif %}} - -{{{ bash_sysctl_test_clean() }}} - -{{{ bash_sysctl_set_config_directories('sysctl_directories') }}} -for d in "${sysctl_directories[@]}"; do -if [[ "${d}" == /usr/local/lib/sysctl.d ]]; then -sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf -echo "{{{ SYSCTLVAR }}} = {{{ SYSCTL_WRONG_VALUE }}}" >> /usr/local/lib/sysctl.d/wrong.conf - -# Setting correct runtime value -sysctl -w {{{ SYSCTLVAR }}}="{{{ SYSCTL_CORRECT_VALUE }}}" -fi -done From 5af086bedbff3732c057a3cfb4bad022379ae6a7 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 12:07:37 +0300 Subject: [PATCH 14/44] fix: sysctl: allow template to set correct_sysctlval_for_testing, wrong_sysctlval_for_testing Implemented heuristics might not work always, especially with multivalue settings like `net.ipv4.ip_local_port_range`. Also handle 'E226 missing whitespace around arithmetic operator'. --- docs/templates/template_reference.md | 9 +++++++-- shared/templates/sysctl/template.py | 6 +++++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index a20f0d94304..0c770c62713 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md 
@@ -864,8 +864,13 @@ The selected value can be changed in the profile (consult the actual variable fo in the OVAL check, but won't be used in the remediations. All remediations will use an XCCDF value instead. - - **wrong_sysctlval_for_testing** - the value that is always wrong. This - will be used in templated test scenarios when **sysctlval** is a list. + - **correct_sysctlval_for_testing** - the value that is always correct. + This will be used in templated test scenarios when **sysctlval** is a + list or comes from variable. + + - **wrong_sysctlval_for_testing** - the value that is always wrong. + This will be used in templated test scenarios when **sysctlval** is a + list or comes from variable. - **missing_parameter_pass** - if set to `true` the check will pass if the setting for the given **sysctlvar** is not present in sysctl diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py index d9e0449fbb6..d30a21b0f07 100644 --- a/shared/templates/sysctl/template.py +++ b/shared/templates/sysctl/template.py @@ -31,13 +31,17 @@ def preprocess(data, lang): elif data["datatype"] == "string": data["sysctl_correct_value"] = "correct_value" data["sysctl_wrong_value"] = "wrong_value" + if "correct_sysctlval_for_testing" in data: + data["sysctl_correct_value"] = data["correct_sysctlval_for_testing"] + if "wrong_sysctlval_for_testing" in data: + data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"] elif isinstance(data["sysctlval"], list): data["sysctl_correct_value"] = data["sysctlval"][0] data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"] else: data["sysctl_correct_value"] = data["sysctlval"] if data["datatype"] == "int": - data["sysctl_wrong_value"] = str((int(data["sysctlval"])+1) % 2) + data["sysctl_wrong_value"] = str((int(data["sysctlval"]) + 1) % 2) elif data["datatype"] == "string": data["sysctl_wrong_value"] = "wrong_value" return data From 7591877a20950697eda4ef2b295b232fdcdba2c4 Mon Sep 17 00:00:00 2001 
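Review bot: The two new `if "..._for_testing" in data` overrides run only in the variable/empty-`sysctlval` branch, yet the documentation hunk in this same commit says both keys apply when **sysctlval** is a list; the list branch below still hard-codes `data["sysctl_correct_value"] = data["sysctlval"][0]`, so `correct_sysctlval_for_testing` is silently ignored for list rules. Change that line to `data["sysctl_correct_value"] = data.get("correct_sysctlval_for_testing", data["sysctlval"][0])` so the code matches the documented contract. The list branch also reads `data["wrong_sysctlval_for_testing"]` unguarded, so a list rule that omits the key dies with a bare `KeyError` instead of a message naming the missing template parameter; raising `ValueError("wrong_sysctlval_for_testing is required when sysctlval is a list")` would make the build failure actionable. `preprocess` begins and ends outside the hunk.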
From: Markus Linnala Date: Fri, 31 Mar 2023 16:23:51 +0300 Subject: [PATCH 15/44] change: sysctl_kernel_perf_event_paranoid: allow 3 too There is patchset to enable this: https://patchwork.kernel.org/project/linux-hardening/patch/1469630746-32279-1-git-send-email-jeffv@google.com/ Some distros might have this enabled. Add variable sysctl_kernel_perf_event_paranoid_value as variable is required when multiple values possible. --- .../rule.yml | 9 +++- ...ysctl_kernel_perf_event_paranoid_value.var | 45 +++++++++++++++++++ products/fedora/profiles/ospp.profile | 1 + 3 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid_value.var diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml index 05535b7b54f..21283c87c27 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml @@ -32,7 +32,9 @@ references: fixtext: |- Configure {{{ full_name }}} to only allow root to do kernel profiling. - {{{ fixtext_sysctl(sysctl="kernel.perf_event_paranoid", value="2") | indent(4) }}} + {{{ fixtext_sysctl(sysctl="kernel.perf_event_paranoid", value=xccdf_value("sysctl_kernel_perf_event_paranoid_value")) | indent(4) }}} + If value is "3" and supported by kernel version, then disallowed all + unprivileged perf event use. srg_requirement: '{{{ full_name }}} must prevent kernel profiling by unprivileged users.' @@ -42,5 +44,8 @@ template: name: sysctl vars: sysctlvar: kernel.perf_event_paranoid - sysctlval: '2' + sysctlval: + - '2' + - '3' datatype: int + wrong_sysctlval_for_testing: '0' 
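Review bot: The added fixtext sentence `If value is "3" and supported by kernel version, then disallowed all unprivileged perf event use.` is ungrammatical in user-facing remediation text; suggest `If the value is "3" and the running kernel supports it, all unprivileged perf event use is disallowed.` The accompanying .var file says value 3 needs a patch that is not upstream, so it is worth saying here as well that on an unpatched kernel the write is accepted but the extra restriction does not take effect, otherwise an administrator may believe they have tightened the setting when they have not.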
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid_value.var new file mode 100644 index 00000000000..272f1254cbd --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid_value.var @@ -0,0 +1,45 @@ +documentation_complete: true + +title: kernel.perf_event_paranoid + +description: |- + Controls use of the performance events system by unprivileged users + (without CAP_PERFMON). The default value is 2. + + For backward compatibility reasons access to system performance monitoring + and observability remains open for CAP_SYS_ADMIN privileged processes but + CAP_SYS_ADMIN usage for secure system performance monitoring and + observability operations is discouraged with respect to CAP_PERFMON use + cases. + + -1 + Allow use of (almost) all events by all users. + Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK. + + >=0 + Disallow ftrace function tracepoint by users without CAP_PERFMON. + Disallow raw tracepoint access by users without CAP_PERFMON. + + >=1 + Disallow CPU event access by users without CAP_PERFMON. + + >=2 + Disallow kernel profiling by users without CAP_PERFMON. + + >=3 + Disallow all unprivileged perf event use. + This requires patch not yet upstreamed. + +type: number + +operator: equals + +interactive: false + +options: + -1: "-1" + 0: "0" + 1: "1" + 2: "2" + 3: "3" + default: "2" diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile index 42a17b419a2..e409b7c860a 100644 --- a/products/fedora/profiles/ospp.profile +++ b/products/fedora/profiles/ospp.profile 
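Review bot: `options` exposes `-1`, `0` and `1`, each more permissive than the value this hardening rule exists to enforce (the rule.yml fixtext: only root may do kernel profiling), and since the check presumably compares against this variable, a tailoring that selects one of them makes the rule report compliant while unprivileged profiling remains allowed; consider restricting `options` to the compliant values the rule lists in `sysctlval` (`2`, `3`) and keeping the meaning of the lower values in `description` only. The description also states `The default value is 2` and that 3 `requires patch not yet upstreamed`, while the commit message notes some distributions ship that patch, so `The upstream kernel default is 2` and `requires a kernel patch that is not upstream; some distribution kernels carry it` would be more accurate. If the build treats option names as strings, note that the unquoted YAML keys `-1:` through `3:` are parsed as integers — quote them (`"2": "2"`) if other .var files do so.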
@@ -44,6 +44,7 @@ selections: - sysctl_user_max_user_namespaces - sysctl_kernel_dmesg_restrict - sysctl_kernel_perf_event_paranoid + - sysctl_kernel_perf_event_paranoid_value=2 - sysctl_kernel_unprivileged_bpf_disabled - sysctl_net_core_bpf_jit_harden - sysctl_kernel_core_pattern From af46ce039ca6791b8335a49848a63908a129e115 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 11:56:45 +0300 Subject: [PATCH 16/44] feature: oval: add oval_list_to_set Oval set can have only up to 2 items. This converts list to one set as it can get quite tedious if done by hand. --- shared/macros/10-oval.jinja | 38 +++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 307df197d98..0548d0d7417 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja 
@@ -1004,6 +1004,44 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- endmacro %}} +{{# +Convert list to set, complicated as one set can contain 1 or 2 items, but list +can contain more thant that. Set needs to be build from sub sets of items or +previous level sets. Do it recursiverly. + +:param list_to_handle: list of elements +:param _result_list: internal, do not set +#}} +{{%- macro oval_list_to_set(list_to_handle, _result_list=[]) -%}} +{{%- if (list_to_handle | length) == 0 -%}} +{{%- if (_result_list | length) <= 1 -%}} +{{%- for item in _result_list %}} +{{{ item }}} +{{%- endfor -%}} +{{%- else -%}} +{{{ oval_list_to_set(_result_list, []) }}} +{{%- endif -%}} +{{%- else -%}} +{{%- set result_list_item -%}} + +{{%- for item in list_to_handle -%}} +{{%- if loop.index0 < 2 %}} + {{{ item | indent }}} +{{%- endif -%}} +{{%- endfor %}} + +{{%- endset -%}} +{{%- set next_list = namespace(lst=[]) -%}} +{{%- for item in list_to_handle -%}} +{{%- if loop.index0 >= 2 -%}} +{{%- set next_list.lst = next_list.lst + [item] -%}} +{{%- endif -%}} +{{%- endfor -%}} +{{{ oval_list_to_set(next_list.lst, _result_list + [result_list_item]) }}} +{{%- endif -%}} +{{%- endmacro -%}} + + {{%- macro mount_active_criterion(path) %}} From 9a6b2a2cfd255767301d9910fbd080b79e076a82 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Wed, 10 May 2023 18:43:08 +0300 Subject: [PATCH 17/44] feature: oval: add oval_var_trim --- shared/macros/10-oval.jinja | 41 +++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 0548d0d7417..8cff3eb3136 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja 
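Review bot: The added doc comment has typos that end up in the generated macro reference: `more thant that` → `more than that`, `Set needs to be build` → `Set needs to be built`, and `Do it recursiverly` → `Do it recursively`. A Python reader will also flag `_result_list=[]` as a shared mutable default; Jinja evaluates a macro's default expression on each call, and the macro only ever builds `_result_list + [result_list_item]` rather than mutating it, so a one-line comment such as `{{# _result_list is never mutated; Jinja re-evaluates the default on every call #}}` would save the next reviewer the same check.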
@@ -1042,6 +1042,47 @@ previous level sets. Do it recursiverly. {{%- endmacro -%}} +{{# +Convert variable to trimmed variable where whitespace is removed before and after. + +Creates new variable from old by adding "_trim" + possible suffix. + +:param variable: variable to trim +:param suffix: extra suffix +:param DATATYPE: int / string +#}} +{{%- macro oval_var_trim(variable, suffix="", DATATYPE="string") -%}} + +{{%- if DATATYPE == "int" %}} + + + + + + + + +{{%- else %}} +{{#- +Capture either + - empty + - one char of non space + - starting and ending with non space + => this should implement "trim" like feature to strip any whitespace before + and after +#}} + + + + +{{%- endif %}} +{{%- endmacro -%}} + + {{%- macro mount_active_criterion(path) %}} From 3d7726698652f37a25e9b778559d69e2e3430c82 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 6 May 2023 21:23:43 +0300 Subject: [PATCH 18/44] fix: sysctl: correct_value_usr_local_lib: only on sle --- .../templates/sysctl/tests/correct_value_usr_local_lib.pass.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh index ee7ab684f38..e35fd455594 100644 --- a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh +++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh @@ -1,4 +1,5 @@ #!/bin/bash +# platform = multi_platform_sle {{% if SYSCTLVAL == "" %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} From 4267427c3aeecb7832b343dcc508899154e9f471 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 16:34:49 +0300 Subject: [PATCH 19/44] style: sysctl/oval: indent 4 --- shared/templates/sysctl/oval.template | 370 +++++++++++++------------- 1 file changed, 188 insertions(+), 182 deletions(-) 
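Review bot: `:param DATATYPE: int / string` undersells the branch in `oval_var_trim`: the code only tests `DATATYPE == "int"` and every other value silently takes the string/regex path, so a datatype such as `boolean` would get the trim regex without any error. Either document that, `:param DATATYPE: "int" selects the integer path; any other value is handled as string`, or make the second branch an explicit `{{%- elif DATATYPE == "string" %}}` so an unexpected datatype fails at build time instead of producing a subtly wrong variable. The inner comment explaining the three alternations of the trim regex is good; consider naming the variable it produces (`<old>_trim<suffix>`, per the header) at that point too, since the element text was lost in this rendering and readers will be relying on the comments.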
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template index 1a0c60a83fb..088767bf830 100644 --- a/shared/templates/sysctl/oval.template +++ b/shared/templates/sysctl/oval.template @@ -12,10 +12,11 @@ {{% elif SYSCTLVAL is sequence %}} {{% for x in SYSCTLVAL %}} - + {{% endfor %}} {{% endif %}} {{%- endmacro -%}} + {{%- macro sysctl_match() -%}} ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$ 1 
@@ -23,94 +24,94 @@ {{%- if "P" in FLAGS -%}} - - {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - - - - - + + {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}} + + + + + {{%- elif "I" in FLAGS -%}} - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} + {{% if product in ["ubuntu1604", "ubuntu1804"] %}} - + {{% else %}} - + {{% endif %}} - - - - - - + + + + + + {{%- endif %}} {{%- if "R" in FLAGS -%}} - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} - - - - + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} + + + + - - + + {{% if SYSCTLVAL is string %}} - + {{% elif SYSCTLVAL is sequence %}} {{% for x in SYSCTLVAL %}} - + {{% endfor %}} {{% endif %}} - + - - {{{ SYSCTLVAR }}} - + + {{{ SYSCTLVAR }}} + {{% if SYSCTLVAL is string %}} {{% if SYSCTLVAL == "" %}} - - - + + + - + {{%- else %}} - + {{% if OPERATION == "pattern match" %}} - {{{ SYSCTLVAL_REGEX }}} + {{{ SYSCTLVAL_REGEX }}} {{% else %}} - {{{ SYSCTLVAL }}} + {{{ SYSCTLVAL }}} {{% endif %}} - + {{%- endif %}} {{% elif SYSCTLVAL is sequence %}} {{% for x in SYSCTLVAL %}} - - {{{ x }}} - + + {{{ x }}} + {{% endfor %}} {{% endif %}} 
@@ -119,167 +120,172 @@ {{%- if "S" in FLAGS -%}} - - {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} + + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} -{{% if MISSING_PARAMETER_PASS == "true" %}} - -{{% endif %}} - - - - - - + + + + + + + {{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - + {{% endif %}} - - - - + + + + {{% if MISSING_PARAMETER_PASS == "true" %}} - - + {{% endif %}} - + + - - - + + + - - {{{ state_static_sysctld("sysctl") }}} - + + {{{ state_static_sysctld("sysctl") }}} + - - {{{ state_static_sysctld("etc_sysctld") }}} - + + {{{ state_static_sysctld("etc_sysctld") }}} + - - {{{ state_static_sysctld("run_sysctld") }}} - + + {{{ state_static_sysctld("run_sysctld") }}} + {{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - - {{{ state_static_sysctld("usr_lib_sysctld") }}} - + + {{{ state_static_sysctld("usr_lib_sysctld") }}} + {{% endif %}} - - {{{ state_static_sysctld("usr_local_lib_sysctld") }}} - + + {{{ state_static_sysctld("usr_local_lib_sysctld") }}} + - - - + + + - - - - object_static_etc_sysctls_{{{ rule_id }}} - object_static_run_usr_local_sysctls_{{{ rule_id }}} - - + + + + object_static_etc_sysctls_{{{ rule_id }}} + object_static_run_usr_local_sysctls_{{{ rule_id }}} + + - - - object_static_sysctl_{{{ rule_id }}} - object_static_etc_sysctld_{{{ rule_id }}} - - + + + object_static_sysctl_{{{ rule_id }}} + object_static_etc_sysctld_{{{ rule_id }}} + + - - - object_static_usr_local_lib_sysctld_{{{ rule_id }}} - object_static_run_usr_sysctls_{{{ rule_id }}} - - + + + object_static_usr_local_lib_sysctld_{{{ rule_id }}} + object_static_run_usr_sysctls_{{{ rule_id }}} + + - - - object_static_run_sysctld_{{{ rule_id }}} + + + object_static_run_sysctld_{{{ rule_id }}} {{% if product not in 
["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - object_static_usr_lib_sysctld_{{{ rule_id }}} + object_static_usr_lib_sysctld_{{{ rule_id }}} {{% endif %}} - - - - - /etc/sysctl.conf - {{{ sysctl_match() }}} - + + - - /etc/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - + + /etc/sysctl.conf + {{{ sysctl_match() }}} + - - /run/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - + + /etc/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} + - - /usr/local/lib/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - + + /run/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} + + + /usr/local/lib/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} + {{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - - /usr/lib/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - + + + /usr/lib/sysctl.d + ^.*\.conf$ + {{{ sysctl_match() }}} + {{% endif %}} {{% if SYSCTLVAL is string %}} {{% if SYSCTLVAL == "" %}} - - - + + + - + {{% else %}} - + {{% if OPERATION == "pattern match" %}} - {{{ SYSCTLVAL_REGEX }}} + {{{ SYSCTLVAL_REGEX }}} {{% else %}} - {{{ SYSCTLVAL }}} + {{{ SYSCTLVAL }}} {{% endif %}} - + {{% endif %}} {{% elif SYSCTLVAL is sequence %}} {{% for x in SYSCTLVAL %}} - - {{{ x }}} - + + {{{ x }}} + {{% endfor %}} {{% endif %}} From a85e3f6398da8fa94c2710e05f63762064231122 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 16:44:52 +0300 Subject: [PATCH 20/44] style: sysctl/oval: remove extra ws --- shared/templates/sysctl/oval.template | 90 +++++++++++++-------------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template index 088767bf830..b64a0bc6551 100644 --- a/shared/templates/sysctl/oval.template +++ b/shared/templates/sysctl/oval.template 
@@ -6,15 +6,15 @@ {{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} {{%- endif %}} -{{% macro state_static_sysctld(prefix) -%}} +{{%- macro state_static_sysctld(prefix) -%}} -{{% if SYSCTLVAL is string %}} +{{%- if SYSCTLVAL is string %}} -{{% elif SYSCTLVAL is sequence %}} -{{% for x in SYSCTLVAL %}} +{{%- elif SYSCTLVAL is sequence -%}} +{{%- for x in SYSCTLVAL %}} -{{% endfor %}} -{{% endif %}} +{{%- endfor -%}} +{{%- endif -%}} {{%- endmacro -%}} {{%- macro sysctl_match() -%}} @@ -35,19 +35,19 @@ -{{%- elif "I" in FLAGS -%}} +{{%- elif "I" in FLAGS %}} {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} -{{% if product in ["ubuntu1604", "ubuntu1804"] %}} +{{%- if product in ["ubuntu1604", "ubuntu1804"] %}} -{{% else %}} +{{%- else %}} -{{% endif %}} +{{%- endif %}} @@ -58,8 +58,8 @@ -{{%- endif %}} -{{%- if "R" in FLAGS -%}} +{{%- endif -%}} +{{%- if "R" in FLAGS %}} @@ -74,20 +74,20 @@ comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}" check="all" check_existence="all_exist" state_operator="OR"> -{{% if SYSCTLVAL is string %}} +{{%- if SYSCTLVAL is string %}} -{{% elif SYSCTLVAL is sequence %}} -{{% for x in SYSCTLVAL %}} +{{%- elif SYSCTLVAL is sequence -%}} +{{%- for x in SYSCTLVAL %}} -{{% endfor %}} -{{% endif %}} +{{%- endfor -%}} +{{%- endif %}} {{{ SYSCTLVAR }}} -{{% if SYSCTLVAL is string %}} -{{% if SYSCTLVAL == "" %}} +{{%- if SYSCTLVAL is string -%}} +{{%- if SYSCTLVAL == "" %}} 
@@ -97,27 +97,27 @@ comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/> {{%- else %}} -{{% if OPERATION == "pattern match" %}} +{{%- if OPERATION == "pattern match" %}} {{{ SYSCTLVAL_REGEX }}} -{{% else %}} +{{%- else %}} {{{ SYSCTLVAL }}} -{{% endif %}} - {{%- endif %}} -{{% elif SYSCTLVAL is sequence %}} -{{% for x in SYSCTLVAL %}} + +{{%- endif -%}} +{{%- elif SYSCTLVAL is sequence -%}} +{{%- for x in SYSCTLVAL %}} {{{ x }}} -{{% endfor %}} -{{% endif %}} +{{%- endfor -%}} +{{%- endif %}} {{%- endif -%}} -{{%- if "S" in FLAGS -%}} +{{%- if "S" in FLAGS %}} @@ -144,10 +144,10 @@ test_ref="test_{{{ rule_id }}}_not_defined" negate="true"/> -{{% if MISSING_PARAMETER_PASS == "true" %}} +{{%- if MISSING_PARAMETER_PASS == "true" %}} -{{% endif %}} +{{%- endif %}} @@ -226,9 +226,9 @@ object_static_run_sysctld_{{{ rule_id }}} -{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +{{%- if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} object_static_usr_lib_sysctld_{{{ rule_id }}} -{{% endif %}} +{{%- endif %}} 
@@ -254,16 +254,16 @@ ^.*\.conf$ {{{ sysctl_match() }}} -{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} +{{%- if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} /usr/lib/sysctl.d ^.*\.conf$ {{{ sysctl_match() }}} -{{% endif %}} -{{% if SYSCTLVAL is string %}} -{{% if SYSCTLVAL == "" %}} +{{%- endif -%}} +{{%- if SYSCTLVAL is string -%}} +{{%- if SYSCTLVAL == "" %}} -{{% else %}} +{{%- else %}} -{{% if OPERATION == "pattern match" %}} +{{%- if OPERATION == "pattern match" %}} {{{ SYSCTLVAL_REGEX }}} -{{% else %}} +{{%- else %}} {{{ SYSCTLVAL }}} -{{% endif %}} +{{%- endif %}} -{{% endif %}} -{{% elif SYSCTLVAL is sequence %}} -{{% for x in SYSCTLVAL %}} +{{%- endif -%}} +{{%- elif SYSCTLVAL is sequence -%}} +{{%- for x in SYSCTLVAL %}} {{{ x }}} -{{% endfor %}} -{{% endif %}} +{{%- endfor -%}} +{{%- endif %}} {{%- endif -%}} From e647e3c40021935b3921971e85f4117b2e705ced Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Fri, 5 May 2023 20:02:00 +0300 Subject: [PATCH 21/44] change: sysctl/oval: sysctl quirks Handle sysctl_dirs as a list. Rename elements according to Style Guide. Try to minimize extra newlines and use indentation as per Style Guide. Use oval_list_to_set to create for 'unfiltered'. Try to handle sysctl quirks. Check sysctlval type. This helps logic. --- shared/templates/sysctl/oval.template | 183 ++++++++++---------------- shared/templates/sysctl/template.py | 49 +++++-- 2 files changed, 104 insertions(+), 128 deletions(-) diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template index b64a0bc6551..c29a3afab40 100644 --- a/shared/templates/sysctl/oval.template +++ b/shared/templates/sysctl/oval.template 
@@ -2,23 +2,42 @@ {{%- set COMMENT_VALUE="the appropriate value" %}} {{%- elif SYSCTLVAL is string %}} {{%- set COMMENT_VALUE=SYSCTLVAL %}} -{{%- else %}} +{{%- else -%}} {{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} {{%- endif %}} -{{%- macro state_static_sysctld(prefix) -%}} - +{{%- macro state_static_sysctld(suffix) -%}} + {{%- if SYSCTLVAL is string %}} - -{{%- elif SYSCTLVAL is sequence -%}} + +{{%- else -%}} {{%- for x in SYSCTLVAL %}} - + {{%- endfor -%}} {{%- endif -%}} {{%- endmacro -%}} +{{%- set sysctl_dirs = ['/etc/sysctl.d', '/run/sysctl.d'] -%}} +{{%- if product in [ "sle12", "sle15"] or all_possible -%}} +{{%- set sysctl_dirs = sysctl_dirs + ['/usr/local/lib/sysctl.d'] -%}} +{{%- endif -%}} +{{%- if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] or all_possible -%}} +{{%- set sysctl_dirs = sysctl_dirs + ['/usr/lib/sysctl.d'] -%}} +{{%- set sysctl_dirs = sysctl_dirs + ['/lib/sysctl.d'] -%}} +{{%- endif -%}} + +{{%- macro sysctl_d_id(sysctl_dir) -%}} +{{{- sysctl_dir.lstrip('/') | replace('/', '_') | replace ('.', '') -}}} +{{%- endmacro -%}} + +{{%- macro obj_static_sysctld_id(suffix) -%}} +obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} +{{%- endmacro -%}} + {{%- macro sysctl_match() -%}} - ^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$ + ^[ \t]*-?[ \t]*{{{ + SYSCTLVAR | escape_regex_sq | replace('[.]', '[./]') | replace('[/]', '[./]') + }}}[ \t]*=[ \t]*(|\S|\S[^\n]*\S)[ \t]*$ 1 {{%- endmacro -%}} {{%- if "P" in FLAGS -%}} @@ -73,17 +92,17 @@ - + {{%- if SYSCTLVAL is string %}} -{{%- elif SYSCTLVAL is sequence -%}} +{{%- else -%}} {{%- for x in SYSCTLVAL %}} {{%- endfor -%}} {{%- endif %}} - + {{{ SYSCTLVAR }}} {{%- if SYSCTLVAL is string -%}} 
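Review bot: The `sysctl_dirs` list and its two product conditions in this hunk are a copy of what `ansible_sysctl_set_config_directories` in shared/macros/10-ansible.jinja builds later in this series (patch 23); with the OVAL check and the Ansible remediation each carrying their own list, a product added to one but not the other makes the fix write to a directory the check never reads, or the check flag a directory the fix leaves alone. A single shared macro returning the list, consumed by both templates, would keep check and remediation in lock-step. Separately, both `or all_possible` conditions reference a name that nothing in oval.template defines — in the Ansible macro it is a parameter — so unless it is injected into the template context it is always undefined/false and reads as a copy-paste leftover. The new `sysctl_match()` regex is an improvement over the old unescaped `{{{ SYSCTLVAR }}}` (a `.` no longer matches any character), but a comment such as `{{# sysctl(8) treats '.' and '/' in keys as interchangeable and a leading '-' as "ignore errors"; accept all of these spellings #}}` would explain the `[./]` replacement and the `-?` prefix to the next reader.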
@@ -106,7 +125,7 @@ {{%- endif %}} {{%- endif -%}} -{{%- elif SYSCTLVAL is sequence -%}} +{{%- else -%}} {{%- for x in SYSCTLVAL %}} {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} - - - -{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - -{{% endif %}} - +{{%- for sysctl_dir in sysctl_dirs %}} + +{{%- endfor %}} {{%- if MISSING_PARAMETER_PASS == "true" %}} + test_ref="test_{{{ rule_id }}}_static_not_defined"/> {{%- endif %}} - - + comment="{{{ SYSCTLVAR }}} static configuration not defined"> + {{{ state_static_sysctld("sysctl") }}} - - {{{ state_static_sysctld("etc_sysctld") }}} - - - - {{{ state_static_sysctld("run_sysctld") }}} - + + /etc/sysctl.conf + {{{ sysctl_match() }}} + +{{%- for sysctl_dir in sysctl_dirs %}} -{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - - {{{ state_static_sysctld("usr_lib_sysctld") }}} + {{{ state_static_sysctld(sysctl_d_id(sysctl_dir)) }}} -{{% endif %}} - - {{{ state_static_sysctld("usr_local_lib_sysctld") }}} - + + {{{ sysctl_dir }}} + ^.*\.conf$ + {{{ sysctl_match() }}} + +{{%- endfor %}} - - - - object_static_etc_sysctls_{{{ rule_id }}} - object_static_run_usr_local_sysctls_{{{ rule_id }}} - - - - - - object_static_sysctl_{{{ rule_id }}} - object_static_etc_sysctld_{{{ rule_id }}} - - - - - - object_static_usr_local_lib_sysctld_{{{ rule_id }}} - object_static_run_usr_sysctls_{{{ rule_id }}} - - - - - - object_static_run_sysctld_{{{ rule_id }}} -{{%- if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - object_static_usr_lib_sysctld_{{{ rule_id }}} -{{%- endif %}} - - - - - /etc/sysctl.conf - {{{ sysctl_match() }}} - - - - /etc/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - - - - /run/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - - - - /usr/local/lib/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} + +{{%- set 
obj_refs = namespace(lst=[]) -%}} +{{%- set obj_refs.lst = obj_refs.lst + ['' ~ obj_static_sysctld_id("sysctl") ~ ''] -%}} +{{%- for sysctl_dir in sysctl_dirs -%}} +{{%- set obj_refs.lst = obj_refs.lst + ['' ~ obj_static_sysctld_id(sysctl_d_id(sysctl_dir)) ~ ''] -%}} +{{%- endfor -%}} + {{{ oval_list_to_set(obj_refs.lst) | indent(8) }}} -{{%- if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - - /usr/lib/sysctl.d - ^.*\.conf$ - {{{ sysctl_match() }}} - -{{%- endif -%}} {{%- if SYSCTLVAL is string -%}} {{%- if SYSCTLVAL == "" %}} - + @@ -273,7 +224,7 @@ {{%- else %}} - + {{%- if OPERATION == "pattern match" %}} {{{ SYSCTLVAL_REGEX }}} {{%- else %}} @@ -281,9 +232,9 @@ {{%- endif %}} {{%- endif -%}} -{{%- elif SYSCTLVAL is sequence -%}} +{{%- else -%}} {{%- for x in SYSCTLVAL %}} - + {{{ x }}} {{%- endfor -%}} diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py index d30a21b0f07..bddd0392ca6 100644 --- a/shared/templates/sysctl/template.py +++ b/shared/templates/sysctl/template.py 
@@ -1,19 +1,29 @@ import ssg.utils -def preprocess(data, lang): - data["sysctlid"] = ssg.utils.escape_id(data["sysctlvar"]) - if not data.get("sysctlval"): - data["sysctlval"] = "" - ipv6_flag = "P" - if data["sysctlid"].find("ipv6") >= 0: - ipv6_flag = "I" - data["flags"] = "SR" + ipv6_flag - if "operation" not in data: - data["operation"] = "equals" - if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0: +def validate_sysctlval_type(data): + # Testing type helps logic in OVAL, remediations and tests + # We test "", string and what is left is list. + + if isinstance(data["sysctlval"], list): + if len(data["sysctlval"]) == 0: + raise ValueError( + "The sysctlval parameter of {0} is an empty list".format( + data["_rule_id"])) + for val in data["sysctlval"]: + if isinstance(data["sysctlval"], str): + return False + elif not(isinstance(data["sysctlval"], str)): + return False + + return True + + +def validate(data): + if not validate_sysctlval_type(data): raise ValueError( - "The sysctlval parameter of {0} is an empty list".format( + "The 'sysctlval' parameter of {0} must be either not set," + " string or, list of strings".format( data["_rule_id"])) # Configure data for test scenarios @@ -24,6 +34,18 @@ def preprocess(data, lang): "{2} to add tests for it.".format( data["datatype"], data["_rule_id"], __file__)) + +def preprocess(data, lang): + data["sysctlid"] = ssg.utils.escape_id(data["sysctlvar"]) + if not data.get("sysctlval"): + data["sysctlval"] = "" + ipv6_flag = "P" + if data["sysctlid"].find("ipv6") >= 0: + ipv6_flag = "I" + data["flags"] = "SR" + ipv6_flag + if "operation" not in data: + data["operation"] = "equals" + if data["sysctlval"] == "": if data["datatype"] == "int": data["sysctl_correct_value"] = "0" @@ -44,4 +66,7 @@ def preprocess(data, lang): data["sysctl_wrong_value"] = str((int(data["sysctlval"]) + 1) % 2) elif data["datatype"] == "string": data["sysctl_wrong_value"] = "wrong_value" + + validate(data) + return data 
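Review bot: `validate_sysctlval_type` never rejects a list with non-string members: inside `for val in data["sysctlval"]:` the test is `isinstance(data["sysctlval"], str)`, which inspects the list itself rather than `val` and is therefore always false, so a value like `[1, 2]` passes as a "list of strings". The loop body should read `if not isinstance(val, str): return False`. The sibling branch `elif not(isinstance(data["sysctlval"], str)):` is more readable as `elif not isinstance(data["sysctlval"], str):` and then matches the corrected loop. Note that `validate(data)` runs at the end of `preprocess`, after a missing value has been normalised to `""`; if any rule.yml gives an unquoted number such as `sysctlval: 1` and the loader keeps it as an int, the new check will now raise for it, which is worth confirming before merge.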
From ce39fa26956e7d82a753308c473935fbd3e6254c Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sat, 29 Apr 2023 19:16:43 +0300 Subject: [PATCH 22/44] change: sysctl/ansible: ensure sysctl value is actually set ansible-doc sysctl ... - sysctl_set Verify token value with the sysctl command and set with -w if necessary. ... --- shared/templates/sysctl/ansible.template | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index 5a2fbc95307..21cd02a0fec 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template @@ -10,7 +10,7 @@ paths: - "/etc/sysctl.d/" - "/run/sysctl.d/" -{{% else %}} +{{% else %}} find: paths: - "/etc/sysctl.d/" @@ -60,4 +60,4 @@ {{% endif %}} state: present reload: yes - + sysctl_set: true From 49c99fc1eab7281371c2cff236c308fd2881cd58 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Fri, 5 May 2023 18:31:39 +0300 Subject: [PATCH 23/44] feature: sysctl: add ansible_sysctl_set_config_directories --- shared/macros/10-ansible.jinja | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 103a1150b1b..5fcedba822d 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
@@ -1581,6 +1581,29 @@ Part of the grub2_bootloader_argument_absent template. {{%- endmacro -%}} +{{# +Ansible value containing sysctl.d directories to handle, as ansible array + +This is not about directories sysctl supports in product, but what directories +are considered managed. + +:param all_possible: boolean, default false, limit per product + +See: sysctl.conf(5) +#}} +{{%- macro ansible_sysctl_set_config_directories(all_possible=false) -%}} +{{%- set lst = ['/etc/sysctl.d', '/run/sysctl.d'] -%}} +{{% if product in [ "sle12", "sle15"] or all_possible -%}} +{{%- set lst = lst + ['/usr/local/lib/sysctl.d'] -%}} +{{%- endif -%}} +{{%- if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] or all_possible -%}} +{{%- set lst = lst + ['/usr/lib/sysctl.d'] -%}} +{{%- set lst = lst + ['/lib/sysctl.d'] -%}} +{{%- endif -%}} +{{{- lst -}}} +{{%- endmacro -%}} + + {{%- macro ansible_mount_conditional(path) -%}} '"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list' {{%- endmacro -%}} From 94584870495b8329dfc885f87643a2af91a601bc Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Fri, 5 May 2023 18:32:17 +0300 Subject: [PATCH 24/44] feature: sysctl: use ansible_sysctl_set_config_directories --- .../ansible/shared.yml | 4 +--- shared/templates/sysctl/ansible.template | 15 +-------------- 2 files changed, 2 insertions(+), 17 deletions(-) diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml index f4dc5110fee..7c6a162d19f 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml 
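Review bot: `{{{- lst -}}}` emits the Python `repr` of the list, e.g. `['/etc/sysctl.d', '/run/sysctl.d']`, and the callers paste it directly after `paths:` where YAML happens to read it as a flow sequence; that coupling is undocumented and breaks silently if an entry ever contains a quote or `, `. Either say so in the doc block, `Rendered as the list's Python repr, which YAML parses as a flow sequence; use only where a flow sequence is valid`, or render it explicitly with Jinja's built-in `{{{ lst | tojson }}}`, which produces a JSON array YAML accepts in the same position. The `:param all_possible: boolean, default false, limit per product` line reads backwards; suggest `:param all_possible: when true, return every directory regardless of product; default false filters per product`.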
@@ -5,9 +5,7 @@ # disruption = medium - name: List /etc/sysctl.d/*.conf files find: - paths: - - /etc/sysctl.d/ - - /run/sysctl.d/ + paths: {{{ ansible_sysctl_set_config_directories }}} contains: ^[\s]*kernel.core_pattern.*$ patterns: '*.conf' file_type: any diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index 21cd02a0fec..0afe59b71a1 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template @@ -5,21 +5,8 @@ # disruption = medium - name: List /etc/sysctl.d/*.conf files -{{% if product in ["sle12","sle15"] %}} find: - paths: - - "/etc/sysctl.d/" - - "/run/sysctl.d/" -{{% else %}} - find: - paths: - - "/etc/sysctl.d/" - - "/run/sysctl.d/" - - "/usr/local/lib/sysctl.d/" -{{% endif %}} -{{% if product not in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - - "/usr/lib/sysctl.d/" -{{% endif %}} + paths: {{{ ansible_sysctl_set_config_directories() }}} contains: '^[\s]*{{{ SYSCTLVAR }}}.*$' patterns: "*.conf" file_type: any From c985906db5a6c2818e6b0517351903a7ffe41128 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 18:42:29 +0300 Subject: [PATCH 25/44] change: sysctl/ansible: sysctl quirks --- shared/templates/sysctl/ansible.template | 37 +++++++++++++++++------- 1 file changed, 26 insertions(+), 11 deletions(-) diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index 0afe59b71a1..f85c7df97d7 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template 
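Review bot: In sysctl_kernel_core_pattern_empty_string/ansible/shared.yml the new line is `paths: {{{ ansible_sysctl_set_config_directories }}}` with no call parentheses, whereas the sysctl/ansible.template hunk in the same commit writes `ansible_sysctl_set_config_directories()`; without the call Jinja renders the macro object rather than the directory list, so the `find` task presumably receives a string such as `<Macro ...>` as its path, matches nothing, and the existing `kernel.core_pattern` drop-ins it is meant to comment out survive the remediation. Change it to `paths: {{{ ansible_sysctl_set_config_directories() }}}`. Since this rule's whole purpose is to force an empty `kernel.core_pattern`, a silently empty find result is exactly the failure mode a remediation test should catch, so a test scenario with a pre-existing drop-in would be a useful addition.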
@@ -4,10 +4,18 @@ # complexity = low # disruption = medium +{{#- sysctl quirks -#}} +{{%- set setsysctlvar_rx -%}} +^[ \\t]*-?[ \\t]*{{{ + SYSCTLVAR | escape_regex_sq | + replace('[.]', '[./]') | replace('[/]', '[./]') + }}}[ \\t]*= +{{%- endset %}} - name: List /etc/sysctl.d/*.conf files find: paths: {{{ ansible_sysctl_set_config_directories() }}} - contains: '^[\s]*{{{ SYSCTLVAR }}}.*$' + contains: >- + {{{ setsysctlvar_rx }}}.*$ patterns: "*.conf" file_type: any register: find_sysctl_d @@ -15,19 +23,24 @@ - name: Comment out any occurrences of {{{ SYSCTLVAR }}} from config files replace: path: "{{ item.path }}" - regexp: '^[\s]*{{{ SYSCTLVAR }}}' + regexp: >- + {{{ setsysctlvar_rx }}} replace: '#{{{ SYSCTLVAR }}}' loop: "{{ find_sysctl_d.files }}" -{{% if sysctl_remediate_drop_in_file == "true" %}} - name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.conf replace: path: "/etc/sysctl.conf" - regexp: '^[\s]*{{{ SYSCTLVAR }}}' + regexp: >- + {{{ setsysctlvar_rx }}} replace: '#{{{ SYSCTLVAR }}}' -{{% endif %}} - +{{%- if sysctl_remediate_drop_in_file != "true" %}} +{{#- sysctl module manages only last entry #}} + before: >- + .*\n{{{ setsysctlvar_rx | trim('^') }}} +{{%- endif %}} {{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} + - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - name: Ensure sysctl {{{ SYSCTLVAR }}} is set 
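Review bot: `setsysctlvar_rx` is assembled from raw template text, so the `\\t` inside `[ \\t]*` reaches the rendered playbook as two backslashes; the `>-` folded scalars it is pasted into do not process escapes, and Python's `re` then reads `[ \\t]` as "space, backslash or the letter t" rather than "space or tab". Compare `.*\n` in the `before:` value in the second hunk, which uses a single backslash. Unless an intermediate step unescapes it, `^[ \t]*-?[ \t]*` is what the `find`/`replace` regexps need; otherwise a tab-indented `{{{ SYSCTLVAR }}} = ...` line is neither found nor commented out and can keep overriding the value the remediation sets. The comment `{{#- sysctl module manages only last entry #}}` would be clearer if it also stated the consequence, e.g. `{{#- the sysctl module only rewrites the last matching entry, so restrict the comment-out to everything before it (if that is the intent of 'before') #}}`.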
@@ -35,16 +48,18 @@ name: "{{{ SYSCTLVAR }}}" value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" {{%- else %}} + - name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} sysctl: name: "{{{ SYSCTLVAR }}}" value: "{{{ SYSCTLVAL }}}" {{%- endif %}} -{{% if sysctl_remediate_drop_in_file == "true" %}} - sysctl_file: "/etc/sysctl.d/{{{ SYSCTLVAR | replace('.','_') }}}.conf" -{{% else %}} - sysctl_file: "/etc/sysctl.conf" -{{% endif %}} + sysctl_file: >- +{{%- if sysctl_remediate_drop_in_file == "true" %}} + /etc/sysctl.d/{{{ SYSCTLVAR | replace('.','_') | replace('/', '_') }}}.conf +{{%- else %}} + /etc/sysctl.conf +{{%- endif %}} state: present reload: yes sysctl_set: true From 5ed305722c90a514287654aa74fa12c9e8da9576 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 18:45:02 +0300 Subject: [PATCH 26/44] sysctl/ansible: comment keep previous --- shared/templates/sysctl/ansible.template | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index f85c7df97d7..74fd71dcdd4 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template @@ -24,16 +24,16 @@ replace: path: "{{ item.path }}" regexp: >- - {{{ setsysctlvar_rx }}} - replace: '#{{{ SYSCTLVAR }}}' + ({{{ setsysctlvar_rx }}}) + replace: '# \g<1>' loop: "{{ find_sysctl_d.files }}" - name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.conf replace: path: "/etc/sysctl.conf" regexp: >- - {{{ setsysctlvar_rx }}} - replace: '#{{{ SYSCTLVAR }}}' + ({{{ setsysctlvar_rx }}}) + replace: '# \g<1>' {{%- if sysctl_remediate_drop_in_file != "true" %}} {{#- sysctl module manages only last entry #}} before: >- From 779e30b76d431bc7bd36087465a34549bc63fcfb Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Sat, 29 Apr 2023 19:17:12 +0300 Subject: [PATCH 27/44] change: sysctl_net_ipv4_ip_local_port_range: add variable support When you combine xccdf variables and other format than simple int / string, there is no generict way to implement comparison. So I decided just to use per name comparison method. --- .../rule.yml | 9 ++-- ...ctl_net_ipv4_ip_local_port_range_value.var | 17 +++++++ shared/templates/sysctl/oval.template | 45 +++++++++++++++++++ 3 files changed, 66 insertions(+), 5 deletions(-) create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range_value.var diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml index e5bb4813841..2d9134927aa 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range/rule.yml @@ -4,7 +4,7 @@ prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9,sle12,sle15 title: 'Set Kernel Parameter to Increase Local Port Range' -description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value="32768 65535") }}}' +description: '{{{ describe_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value=xccdf_value("sysctl_net_ipv4_ip_local_port_range_value")) }}}' rationale: |- This setting defines the local port range that is used by TCP and UDP to 
@@ -23,13 +23,12 @@ identifiers: references: anssi: BP28(R22) -{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value="32768 65535") }}} +{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.ip_local_port_range", value=xccdf_value("sysctl_net_ipv4_ip_local_port_range_value")) }}} template: name: sysctl vars: sysctlvar: net.ipv4.ip_local_port_range datatype: string - sysctlval: 32768 65535 - operation: pattern match - sysctlval_regex: '32768\s*65535' + correct_sysctlval_for_testing: 32768 65535 + wrong_sysctlval_for_testing: 48000 60000 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range_value.var new file mode 100644 index 00000000000..349b8879d3d --- /dev/null +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_ip_local_port_range_value.var @@ -0,0 +1,17 @@ +documentation_complete: true + +title: net.ipv4.ip_local_port_range + +description: |- + Configure the local port range that is used by TCP and UDP to choose the + local port. First number is start of range and last number is last of range. + +type: string + +operator: equals + +interactive: true + +options: + default: 32768 65535 + fedora: 32768 60999 diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template index c29a3afab40..edb14013fbd 100644 --- a/shared/templates/sysctl/oval.template +++ b/shared/templates/sysctl/oval.template @@ -40,6 +40,39 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} }}}[ \t]*=[ \t]*(|\S|\S[^\n]*\S)[ \t]*$ 1 {{%- endmacro -%}} + +{{%- macro sysctl_local_variables(suffix) -%}} +{{%- if SYSCTLVAR == "net.ipv4.ip_local_port_range" %}} + + + + + + + + + + + + + + + ^\s*( + + \s+ + + )\s*$ + + +{{%- endif -%}} +{{%- endmacro -%}} + {{%- if "P" in FLAGS -%}} 
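Review bot: The rule-specific branch `{{%- if SYSCTLVAR == "net.ipv4.ip_local_port_range" %}}` now lives in the shared sysctl OVAL template, and the same string comparison is repeated in the two oval.template hunks of this commit on the next page line, so any future sysctl whose value is not a single scalar needs the same three edits. The commit message's point that there is no generic comparison for composite values is fair, but driving the branch from a template variable (for instance a constructed `sysctlval_compare: range` key in `rule.yml`, next to the `correct_sysctlval_for_testing` keys this commit already adds) would keep rule names out of the template and make the next case a data-only change. At minimum the `sysctl_local_variables` macro needs a comment stating why this key is special; from the visible `^\s*( ... \s+ ... )\s*$` literal it appears the xccdf value is split into its two numbers and recombined into a pattern, which should be confirmed and written down, e.g. `{{# ip_local_port_range is "min max": build a regex from the two halves of the xccdf value instead of comparing it as one scalar #}}`.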
@@ -108,9 +141,15 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} {{%- if SYSCTLVAL is string -%}} {{%- if SYSCTLVAL == "" %}} +{{%- if SYSCTLVAR == "net.ipv4.ip_local_port_range" %}} + +{{%- else %}} +{{%- endif %}} +{{{ sysctl_local_variables("") }}} @@ -217,9 +256,15 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} {{%- if SYSCTLVAL == "" %}} +{{%- if SYSCTLVAR == "net.ipv4.ip_local_port_range" %}} + +{{%- else %}} +{{%- endif %}} +{{{ sysctl_local_variables("_static") }}} From e751de4a677173baa900f058c73859db3d29d1e1 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Fri, 5 May 2023 15:47:22 +0300 Subject: [PATCH 28/44] fix: sysctl: remove unnecessary tests/shared/sysctl.sh Function sysctl_set_kernel_setting_to is not used anywhere. --- tests/shared/sysctl.sh | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 tests/shared/sysctl.sh diff --git a/tests/shared/sysctl.sh b/tests/shared/sysctl.sh deleted file mode 100644 index 6a424a3641a..00000000000 --- a/tests/shared/sysctl.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash - -# Sets the kernel setting using sysctl exec as well as in sysctl config file. -# $1: The setting name without the leading 'kernel.' -# $2: The value to set the setting to -function sysctl_set_kernel_setting_to { - local setting_name="kernel.$1" setting_value="$2" - sysctl -w "$setting_name=$setting_value" - if grep -q "^$setting_name" /etc/sysctl.conf; then - sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.conf - else - echo "$setting_name = $setting_value" >> /etc/sysctl.conf - fi -} From ee35e9402e1ad06bac257390a4f93a787d733eae Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Wed, 10 May 2023 13:39:36 +0300 Subject: [PATCH 29/44] change: sysctl/oval: use oval_var_trim --- shared/templates/sysctl/oval.template | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template index edb14013fbd..c67e4fa4e53 100644 --- a/shared/templates/sysctl/oval.template +++ b/shared/templates/sysctl/oval.template @@ -70,6 +70,8 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} )\s*$ +{{%- else %}} + {{{ oval_var_trim(rule_id ~ "_value", suffix=suffix, DATATYPE=DATATYPE) }}} {{%- endif -%}} {{%- endmacro -%}} @@ -146,7 +148,7 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} var_ref="local_var_{{{ rule_id }}}_regex"/> {{%- else %}} + var_ref="{{{ rule_id }}}_value_trim"/> {{%- endif %}} {{{ sysctl_local_variables("") }}} @@ -260,7 +262,7 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} {{%- else %}} - {{%- endif %}} From 74636276499b36d99a2af8c098630d6025c38b37 Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Wed, 10 May 2023 20:23:37 +0300 Subject: [PATCH 30/44] fix: sysctl: allow to handle empty values Previously SYSCTLVAL == "" was variable and this did not allow to handle empty values. Change SYSCTLVAL to be not defined if having variable and this issue is solved. --- shared/templates/sysctl/ansible.template | 12 +++++++++--- shared/templates/sysctl/bash.template | 4 ++-- shared/templates/sysctl/oval.template | 19 ++++++++----------- shared/templates/sysctl/template.py | 10 ++++++---- shared/templates/sysctl/tests/comment.fail.sh | 2 +- .../sysctl/tests/correct_value.pass.sh | 2 +- .../tests/correct_value_usr_local_lib.pass.sh | 2 +- .../sysctl/tests/line_not_there.fail.sh | 2 +- .../one_sysctl_conf_one_sysctl_d.pass.sh | 2 +- ...sctl_conf_one_sysctl_d_conflicting.fail.sh | 2 +- .../sysctl/tests/symlink_conflicting.fail.sh | 2 +- .../tests/symlink_different_option.pass.sh | 2 +- .../symlink_repeated_sysctl_conf.pass.sh | 2 +- .../tests/symlink_root_duplicate.pass.sh | 2 +- ...symlink_root_duplicate_conflicting.fail.sh | 2 +- .../tests/symlink_root_incompliant.fail.sh | 2 +- .../sysctl/tests/symlink_same_option.pass.sh | 2 +- .../tests/symlinks_to_same_file.pass.sh | 2 +- .../sysctl/tests/two_sysctls_on_d.pass.sh | 2 +- .../two_sysctls_on_d_conflicting.fail.sh | 2 +- .../tests/two_sysctls_on_same_file.pass.sh | 2 +- .../two_sysctls_on_same_file_name.pass.sh | 2 +- ...ctls_on_same_file_name_conflicting.fail.sh | 2 +- .../sysctl/tests/wrong_runtime.fail.sh | 2 +- .../sysctl/tests/wrong_value.fail.sh | 2 +- .../tests/wrong_value_d_directory.fail.sh | 2 +- 26 files changed, 47 insertions(+), 42 deletions(-) diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index 74fd71dcdd4..797afb3a093 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template 
@@ -39,20 +39,26 @@ before: >- .*\n{{{ setsysctlvar_rx | trim('^') }}} {{%- endif %}} -{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} +{{%- if SYSCTLVAL is none or SYSCTLVAL is not string %}} - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - name: Ensure sysctl {{{ SYSCTLVAR }}} is set sysctl: name: "{{{ SYSCTLVAR }}}" - value: "{{ sysctl_{{{ SYSCTLID }}}_value }}" + # Ansible sysctl module doesn't allow empty string. A space string is + # allowed and has the same semantics as sysctl will ignore spaces. + # center(1) adds one space to empty string. + value: >- + {{ sysctl_{{{ SYSCTLID }}}_value | center(1) }} {{%- else %}} - name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} sysctl: name: "{{{ SYSCTLVAR }}}" - value: "{{{ SYSCTLVAL }}}" + # Ansible sysctl module doesn't allow empty string. A space string is + # allowed and has the same semantics as sysctl will ignore spaces. + value: {{% if SYSCTLVAL == "" %}}" "{{% else %}}"{{{ SYSCTLVAL }}}"{{% endif %}} {{%- endif %}} sysctl_file: >- {{%- if sysctl_remediate_drop_in_file == "true" %}} diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index 7bb57e541b9..e997e57c74e 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template @@ -19,7 +19,7 @@ # key and value at hand # sysctlvar={{{ SYSCTLVAR | quote }}} -{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} +{{%- if SYSCTLVAL is none or SYSCTLVAL is not string %}} {{{ bash_instantiate_variables("sysctl_" ~ SYSCTLID ~ "_value") }}} {{#- @@ -99,7 +99,7 @@ done /sbin/sysctl -q -n -w "${sysctlvar}"="${sysctl_{{{ SYSCTLID }}}_value}" # -{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} +{{%- if SYSCTLVAL is none or SYSCTLVAL is not string %}} # If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to appropriate value # else, add "{{{ SYSCTLVAR }}} = value" to /etc/sysctl.conf {{%- else %}} 
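Review bot: `SYSCTLVAL is none or SYSCTLVAL is not string` is redundant — Jinja's `string` test is an `isinstance(value, str)` check, so `None is not string` is already true — and the same two-part condition is copied into the bash template and every test script in this patch. Simplifying each to `{{%- if SYSCTLVAL is not string %}}`, or exporting one boolean from `preprocess()`, keeps the renderers from drifting apart the next time this logic changes. Separately, the literal branch writes `"{{{ SYSCTLVAL }}}"` straight into a YAML double-quoted scalar; values are repo-controlled today, but a `"` or `\` in one would break the generated playbook, so a short comment noting that the value is assumed YAML-safe would be prudent.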
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template index c67e4fa4e53..d4d6b90377c 100644 --- a/shared/templates/sysctl/oval.template +++ b/shared/templates/sysctl/oval.template @@ -1,4 +1,4 @@ -{{%- if SYSCTLVAL == "" %}} +{{%- if SYSCTLVAL is none %}} {{%- set COMMENT_VALUE="the appropriate value" %}} {{%- elif SYSCTLVAL is string %}} {{%- set COMMENT_VALUE=SYSCTLVAL %}} @@ -8,7 +8,7 @@ {{%- macro state_static_sysctld(suffix) -%}} -{{%- if SYSCTLVAL is string %}} +{{%- if SYSCTLVAL is none or SYSCTLVAL is string -%}} {{%- else -%}} {{%- for x in SYSCTLVAL %}} @@ -128,7 +128,7 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}" check="all" check_existence="all_exist" state_operator="OR"> -{{%- if SYSCTLVAL is string %}} +{{%- if SYSCTLVAL is none or SYSCTLVAL is string %}} {{%- else -%}} {{%- for x in SYSCTLVAL %}} @@ -140,8 +140,8 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} {{{ SYSCTLVAR }}} -{{%- if SYSCTLVAL is string -%}} -{{%- if SYSCTLVAL == "" %}} + +{{%- if SYSCTLVAL is none %}} {{%- if SYSCTLVAR == "net.ipv4.ip_local_port_range" %}} -{{%- else %}} +{{%- elif SYSCTLVAL is string %}} {{%- if OPERATION == "pattern match" %}} {{{ SYSCTLVAL }}} {{%- endif %}} -{{%- endif -%}} {{%- else -%}} {{%- for x in SYSCTLVAL %}} @@ -254,8 +253,7 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} {{{ oval_list_to_set(obj_refs.lst) | indent(8) }}} -{{%- if SYSCTLVAL is string -%}} -{{%- if SYSCTLVAL == "" %}} +{{%- if SYSCTLVAL is none %}} {{%- if SYSCTLVAR == "net.ipv4.ip_local_port_range" %}} @@ -270,7 +268,7 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} -{{%- else %}} +{{%- elif SYSCTLVAL is string -%}} {{%- if OPERATION == "pattern match" %}} {{{ SYSCTLVAL_REGEX }}} @@ -278,7 +276,6 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} {{{ SYSCTLVAL }}} {{%- endif %}} -{{%- endif -%}} {{%- else -%}} {{%- for x in SYSCTLVAL %}} 
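Review bot: In the `@@ -140` hunk the runtime state's `pattern match` branch emits `{{{ SYSCTLVAL }}}`, while the static-file state in the `@@ -270` hunk emits `{{{ SYSCTLVAL_REGEX }}}` for the same operation; if that asymmetry is deliberate (runtime `sysctl` output versus config-file text) a one-line Jinja comment at the first site saying so would save the next reader a bug hunt, and if not, the runtime branch should use `SYSCTLVAL_REGEX` as well. The element markup around these values is stripped in this view, so I cannot confirm which branch each `{{{ … }}}` lands in. The `state_static_sysctld` macro changed at `@@ -8` runs past its hunk, so its full body is not visible here.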
diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py index bddd0392ca6..bee769295b3 100644 --- a/shared/templates/sysctl/template.py +++ b/shared/templates/sysctl/template.py @@ -3,7 +3,9 @@ def validate_sysctlval_type(data): # Testing type helps logic in OVAL, remediations and tests - # We test "", string and what is left is list. + # We test none, string and what is left is list. + if data["sysctlval"] is None: + return True if isinstance(data["sysctlval"], list): if len(data["sysctlval"]) == 0: @@ -37,8 +39,8 @@ def validate(data): def preprocess(data, lang): data["sysctlid"] = ssg.utils.escape_id(data["sysctlvar"]) - if not data.get("sysctlval"): - data["sysctlval"] = "" + if "sysctlval" not in data: + data["sysctlval"] = None ipv6_flag = "P" if data["sysctlid"].find("ipv6") >= 0: ipv6_flag = "I" @@ -46,7 +48,7 @@ def preprocess(data, lang): if "operation" not in data: data["operation"] = "equals" - if data["sysctlval"] == "": + if data["sysctlval"] is None: if data["datatype"] == "int": data["sysctl_correct_value"] = "0" data["sysctl_wrong_value"] = "1" diff --git a/shared/templates/sysctl/tests/comment.fail.sh b/shared/templates/sysctl/tests/comment.fail.sh index 2d357ace920..692e387b9c9 100644 --- a/shared/templates/sysctl/tests/comment.fail.sh +++ b/shared/templates/sysctl/tests/comment.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/correct_value.pass.sh b/shared/templates/sysctl/tests/correct_value.pass.sh index d147b94ff49..65ccc6b66d5 100644 --- a/shared/templates/sysctl/tests/correct_value.pass.sh +++ b/shared/templates/sysctl/tests/correct_value.pass.sh 
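Review bot: `preprocess()` now distinguishes a missing `sysctlval` (`None`, use the XCCDF variable) from an explicit `""` (literal empty value), but nothing documents that contract, and the templates re-derive it with an ad-hoc `is none or is not string` test in dozens of files. Suggest computing it once here, `data["sysctl_use_variable"] = not isinstance(data["sysctlval"], str)`, right after the `None` default, and documenting the accepted shapes above `validate_sysctlval_type`: `# sysctlval: absent/None -> XCCDF variable; str (may be "") -> fixed value; non-empty list -> values OR-ed in the OVAL test`. Note that a YAML `sysctlval:` with no value also parses to `None`, so the `"sysctlval" not in data` check and an explicit null now mean the same thing; that is worth stating in the same comment.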
@@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh index e35fd455594..e0a40fb900e 100644 --- a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh +++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # platform = multi_platform_sle -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/line_not_there.fail.sh b/shared/templates/sysctl/tests/line_not_there.fail.sh index 23ba42bfbcb..f049440a4be 100644 --- a/shared/templates/sysctl/tests/line_not_there.fail.sh +++ b/shared/templates/sysctl/tests/line_not_there.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh index f1c5127cbe6..c816b525e18 100644 --- a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh +++ b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh index 53be8b34b8b..7cab1741ffa 100644 
--- a/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/one_sysctl_conf_one_sysctl_d_conflicting.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/symlink_conflicting.fail.sh b/shared/templates/sysctl/tests/symlink_conflicting.fail.sh index 338b7d56637..fcf3e779d61 100644 --- a/shared/templates/sysctl/tests/symlink_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/symlink_conflicting.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/symlink_different_option.pass.sh b/shared/templates/sysctl/tests/symlink_different_option.pass.sh index bfead4c09cf..fc6a257b36e 100644 --- a/shared/templates/sysctl/tests/symlink_different_option.pass.sh +++ b/shared/templates/sysctl/tests/symlink_different_option.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh b/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh index 0c61b136eb9..a6205c37a3d 100644 --- a/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh +++ b/shared/templates/sysctl/tests/symlink_repeated_sysctl_conf.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} 
diff --git a/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh b/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh index 439d80b2f47..ea57d4692bf 100644 --- a/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh +++ b/shared/templates/sysctl/tests/symlink_root_duplicate.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh b/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh index 5fa2bc3df86..48a2d6d362e 100644 --- a/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/symlink_root_duplicate_conflicting.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh b/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh index 5fa2bc3df86..48a2d6d362e 100644 --- a/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh +++ b/shared/templates/sysctl/tests/symlink_root_incompliant.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/symlink_same_option.pass.sh b/shared/templates/sysctl/tests/symlink_same_option.pass.sh index ba583d6ce6e..482857d119c 100644 --- a/shared/templates/sysctl/tests/symlink_same_option.pass.sh +++ b/shared/templates/sysctl/tests/symlink_same_option.pass.sh 
@@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh b/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh index af5beef7c00..494670b00b6 100644 --- a/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh +++ b/shared/templates/sysctl/tests/symlinks_to_same_file.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh b/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh index 56c9b41e8cf..e56798156b6 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_d.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh b/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh index 40a1161e60b..05f258ebe5d 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_d_conflicting.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh b/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh index 3e06620656c..a9fe25b2a50 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh 
+++ b/shared/templates/sysctl/tests/two_sysctls_on_same_file.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh index 8c27cdefdd6..b46924f7b1b 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh index a1da2a2aa43..45e03b266b6 100644 --- a/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh +++ b/shared/templates/sysctl/tests/two_sysctls_on_same_file_name_conflicting.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/wrong_runtime.fail.sh b/shared/templates/sysctl/tests/wrong_runtime.fail.sh index 9d759fd4a1c..6bb48b88cff 100644 --- a/shared/templates/sysctl/tests/wrong_runtime.fail.sh +++ b/shared/templates/sysctl/tests/wrong_runtime.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} 
diff --git a/shared/templates/sysctl/tests/wrong_value.fail.sh b/shared/templates/sysctl/tests/wrong_value.fail.sh index 4d43ddc15ed..1e572f8198b 100644 --- a/shared/templates/sysctl/tests/wrong_value.fail.sh +++ b/shared/templates/sysctl/tests/wrong_value.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} diff --git a/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh b/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh index 635c741cfc8..0e8d3d8bb8c 100644 --- a/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh +++ b/shared/templates/sysctl/tests/wrong_value_d_directory.fail.sh @@ -1,5 +1,5 @@ #!/bin/bash -{{% if SYSCTLVAL == "" %}} +{{% if SYSCTLVAL is none or SYSCTLVAL is not string %}} # variables = sysctl_{{{ SYSCTLID }}}_value={{{ SYSCTL_CORRECT_VALUE }}} {{% endif %}} From 8de43b2e3d8f3f1c546bb85252cfcfa11ba7ec73 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Sun, 7 May 2023 12:27:25 +0300 Subject: [PATCH 31/44] change: sysctl_kernel_core_pattern_empty_string: use sysctl template Handle emtpy string in ansible because `sysctl` module does not handle empty string. --- .../ansible/shared.yml | 33 --- .../bash/shared.sh | 53 ----- .../oval/shared.xml | 212 ------------------ .../rule.yml | 7 + 4 files changed, 7 insertions(+), 298 deletions(-) delete mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml delete mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh delete mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml deleted file mode 100644 index 7c6a162d19f..00000000000 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +++ /dev/null @@ -1,33 +0,0 @@ -# platform = multi_platform_all -# reboot = true -# strategy = disable -# complexity = low -# disruption = medium -- name: List /etc/sysctl.d/*.conf files - find: - paths: {{{ ansible_sysctl_set_config_directories }}} - contains: ^[\s]*kernel.core_pattern.*$ - patterns: '*.conf' - file_type: any - register: find_sysctl_d - -- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf - files - replace: - path: '{{ item.path }}' - regexp: ^[\s]*kernel.core_pattern - replace: '#kernel.core_pattern' - loop: '{{ find_sysctl_d.files }}' - -- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files - replace: - path: /etc/sysctl.conf - regexp: '^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)' - replace: '#kernel.core_pattern\1' - -- name: Ensure sysctl kernel.core_pattern is set to empty - sysctl: - name: kernel.core_pattern - value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces - state: present - reload: true diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh deleted file mode 100644 index 2b2f1cd70b6..00000000000 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh +++ /dev/null 
@@ -1,53 +0,0 @@ -# platform = multi_platform_all -# reboot = true -# strategy = disable -# complexity = low -# disruption = medium - -# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do - - matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) - if ! test -z "$matching_list"; then - while IFS= read -r entry; do - escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") - # comment out "kernel.core_pattern" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f - done <<< "$matching_list" - fi -done - -# -# Set runtime for kernel.core_pattern -# -/sbin/sysctl -q -n -w kernel.core_pattern="" - -# -# If kernel.core_pattern present in /etc/sysctl.conf, change value to empty -# else, add "kernel.core_pattern =" to /etc/sysctl.conf -# -# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. -# Otherwise, regular sed command will do. -sed_command=('sed' '-i') -if test -L "/etc/sysctl.conf"; then - sed_command+=('--follow-symlinks') -fi - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") - -# shellcheck disable=SC2059 -printf -v formatted_output "%s=" "$stripped_key" - -# If the key exists, change it. Otherwise, add it to the config_file. -# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" -else - # \n is precaution for case where file ends without trailing newline - - printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" -fi 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml deleted file mode 100644 index e06965cab38..00000000000 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml +++ /dev/null 
@@ -1,212 +0,0 @@ - - - - - {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} - - - - - - - - - - {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}} - - - - - - - - - - - - kernel.core_pattern - - - - - - - - - - {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.") }}} - - - - - - - - - - - - - - - - - - - - - - - - - - - -{{% if target_oval_version >= [5, 11] %}} - - - - - - - local_var_sysctl_kernel_core_pattern_empty_string_counter - - - - 1 - - - - - - - - - - - - - object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered - state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink - - - - - - - - - - - - - - - - - - var_obj_symlink_sysctl_kernel_core_pattern_empty_string - var_obj_blank_sysctl_kernel_core_pattern_empty_string - - - - - local_var_blank_path_sysctl_kernel_core_pattern_empty_string - - - - - - - - local_var_symlinks_sysctl_kernel_core_pattern_empty_string - - - - - - - - - - - - - state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string - - - - - ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ - -{{% endif %}} - - - - - - - - object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string - object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string - - - - - - object_static_sysctl_sysctl_kernel_core_pattern_empty_string - object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string - - - - - - object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string - - - - - /etc/sysctl.conf - ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ - 1 - - - - /etc/sysctl.d - ^.*\.conf$ - ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ - 1 - - - - /run/sysctl.d - ^.*\.conf$ - 
^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ - 1 - - - - - - diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml index 16d797c1939..a5384bc1e55 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml @@ -43,3 +43,10 @@ ocil: | kernel.core_pattern = $ platform: machine + +template: + name: sysctl + vars: + sysctlvar: kernel.core_pattern + sysctlval: "" + datatype: string From 1d4a6635127ced5a76557ecba1d2c56e1b2e3eca Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Thu, 11 May 2023 09:49:06 +0300 Subject: [PATCH 32/44] bugfix: aide_check_audit_tools: Ensure no suffix prefix Change state_aide_check_attributes to ensure no prefix/suffix for pattern. Fix correct_with_selinux.pass.sh Also use packages to ensure aide package is installed in tests. --- .../aide/aide_check_audit_tools/oval/shared.xml | 2 +- .../aide/aide_check_audit_tools/tests/correct.pass.sh | 3 +-- .../tests/correct_with_selinux.pass.sh | 5 ++--- .../aide_check_audit_tools/tests/extra_suffix.fail.sh | 11 +++++++++++ .../aide_check_audit_tools/tests/not_config.fail.sh | 3 +-- 5 files changed, 16 insertions(+), 8 deletions(-) create mode 100644 linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml index 63f3177a27b..012c31e92d6 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml 
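Review bot: Switching this rule to the template retires a bespoke OVAL that also flagged `kernel.core_pattern` entries reached through symlinks pointing outside `/etc/sysctl.conf` and the `/etc|/run|/usr/lib` `sysctl.d` directories, plus a bash fix that commented out conflicting entries under `/run/sysctl.d`; the template's treatment of those paths is not visible in this series, so please confirm coverage is not lost, since a leftover pipe-to-helper `kernel.core_pattern` in a lower-priority file is exactly what this hardening rule exists to catch. Also, because `operation` defaults to `equals` in `preprocess()`, the check now requires an exactly empty value; a note in the template block, `# operation defaults to "equals": the value must be exactly empty`, would make that intent explicit.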
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml @@ -22,7 +22,7 @@ {{% if 'rhel' not in product and 'ubuntu' not in product and product != 'ol8' %}} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 {{% else %}} - p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512 + ^p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512$ {{% endif %}} diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh index 1a1ab8aedd1..5f751bee542 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh @@ -1,8 +1,7 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# packages = aide - -yum -y install aide aide --init diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh index 769deaa4fbe..f80f6fd52d3 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh 
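Review bot: If the element wrapping both branches uses `operation="pattern match"` (its markup is not visible here), the first branch `p+i+n+u+g+s+b+acl+selinux+xattrs+sha512` is neither escaped nor anchored — every `+` is a quantifier, so it also accepts e.g. `piinuugsbacl…` and any prefix or suffix — the very defect this hunk fixes for the rhel/ol8 branch. Suggest `^p\+i\+n\+u\+g\+s\+b\+acl\+selinux\+xattrs\+sha512$` there too, or a shared Jinja variable holding the escaped, anchored pattern for both branches. The accompanying tests declare `multi_platform_fedora`, which in this commit still selects that first branch, so the Fedora run may not exercise the anchoring at all (the following commit's OVAL change is not shown).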
@@ -1,12 +1,11 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel - -yum -y install aide +# packages = aide declare -a bins bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd') for theFile in "${bins[@]}" do - echo "$theFile p+i+n+u+g+s+b+acl+selinux+xattrs+sha5122" >> /etc/aide.conf + echo "$theFile p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf done diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh new file mode 100644 index 00000000000..692a60d0e10 --- /dev/null +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/extra_suffix.fail.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# packages = aide + +declare -a bins +bins=('/usr/sbin/auditctl' '/usr/sbin/auditd' '/usr/sbin/augenrules' '/usr/sbin/aureport' '/usr/sbin/ausearch' '/usr/sbin/autrace' '/usr/sbin/rsyslogd') + +for theFile in "${bins[@]}" +do + echo "$theFile p+i+n+u+g+s+b+acl+selinux+xattrs+sha5122" >> /etc/aide.conf +done diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh index 868a3d2b37a..65bf851237c 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh 
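Review bot: The new fail test appends seven lines with a bogus `sha5122` attribute but never removes entries the packaged `/etc/aide.conf` may already contain for the same paths, so whether it fails depends on how the check treats a file holding both a compliant and a non-compliant line for one binary — something this test should pin down, not depend on. Deleting pre-existing entries first, e.g. `sed -i -E '\#^/usr/sbin/(auditctl|auditd|augenrules|aureport|ausearch|autrace|rsyslogd)[[:space:]]#d' /etc/aide.conf`, makes the scenario unambiguous. Unlike `correct.pass.sh` and `not_config.fail.sh` it also skips `aide --init`; if that is intentional a one-line comment saying the database is irrelevant to this check would help.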
@@ -1,8 +1,7 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# packages = aide - -yum -y install aide aide --init declare -a bins From 3f951f15ce53186b1ffab569abd23ef6345a844c Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Thu, 11 May 2023 13:30:53 +0300 Subject: [PATCH 33/44] fix: aide_check_audit_tools: support fedora --- .../aide/aide_check_audit_tools/ansible/shared.yml | 4 ++-- .../aide/aide_check_audit_tools/bash/shared.sh | 4 ++-- .../aide/aide_check_audit_tools/oval/shared.xml | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml index 5905ea8d0e6..7d5d28b5785 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml @@ -15,14 +15,14 @@ - name: Set audit_tools fact set_fact: audit_tools: - {{% if 'rhel' not in product and product != 'ol8' %}}- /usr/sbin/audispd{{% endif %}} + {{% if product not in ['fedora', 'ol8'] and 'rhel' not in product %}}- /usr/sbin/audispd{{% endif %}} - /usr/sbin/auditctl - /usr/sbin/auditd - /usr/sbin/augenrules - /usr/sbin/aureport - /usr/sbin/ausearch - /usr/sbin/autrace - {{% if product == 'ol8' or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}} + {{% if product in ['fedora', 'ol8'] or 'rhel' in product %}}- /usr/sbin/rsyslogd{{% endif %}} - name: Ensure existing AIDE configuration for audit tools are correct lineinfile: diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh index a81e25c3950..e43219dcb4b 100644 
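Review bot: The product predicate deciding audispd versus rsyslogd is now hand-copied into the Ansible, bash and OVAL files, and the copies already differ (the OVAL hash-attribute branch additionally excludes `ubuntu`), so the next product added here will drift silently. A single shared definition such as `{{%- set audit_tools_has_rsyslogd = product in ['fedora', 'ol8'] or 'rhel' in product -%}}` in the shared macros, used from all three files, would keep the check and both remediations in step. Note also that `'rhel' in product` is a substring test, so it is true for any product id containing that text; presumably rhel8/rhel9 are meant, which a comment should say.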
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh @@ -14,11 +14,11 @@ "/usr/sbin/autrace", "/usr/sbin/augenrules" ] %}} -{{% if 'rhel' not in product and product != 'ol8' %}} +{{% if product not in ['fedora', 'ol8'] and 'rhel' not in product %}} {{% set auditfiles = auditfiles + ["/usr/sbin/audispd"] %}} {{% endif %}} -{{% if product == 'ol8' or 'rhel' in product %}} +{{% if product in ['fedora', 'ol8'] or 'rhel' in product %}} {{% set auditfiles = auditfiles + ["/usr/sbin/rsyslogd"] %}} {{% endif %}} diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml index 012c31e92d6..b68ea3ee836 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml @@ -8,10 +8,10 @@ - {{% if 'rhel' not in product and product != 'ol8' %}} + {{% if product not in ['fedora', 'ol8'] and 'rhel' not in product %}} {{% endif %}} - {{% if product == 'ol8' or 'rhel' in product %}} + {{% if product in ['fedora', 'ol8'] or 'rhel' in product %}} {{% endif %}} @@ -19,7 +19,7 @@ - {{% if 'rhel' not in product and 'ubuntu' not in product and product != 'ol8' %}} + {{% if product not in ['fedora', 'ol8'] and 'rhel' not in product and 'ubuntu' not in product %}} p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 {{% else %}} ^p\+i\+n\+u\+g\+s\+b\+acl(|\+selinux)\+xattrs\+sha512$ From fe0930f123caa3ee383cfa1c0627e7b25548ebcd Mon Sep 17 00:00:00 2001 
From: Markus Linnala Date: Thu, 11 May 2023 16:13:43 +0300 Subject: [PATCH 34/44] bugfix: rsyslog_remote_loghost: word_boundary is space or tab Default word_boundary in bash_replace_or_append \> does not work with *.* and like. Replace regexp in all types to be the same. Avoid copy-paste in OVAL. rsyslog.conf(5) ... Rules (selector + action) Every rule line consists of two fields, a selector field and an action field. These two fields are separated by one or more spaces or tabs. The selector field specifies a pattern of facilities and priorities belonging to the specified action. ... --- .../rsyslog_remote_loghost/ansible/shared.yml | 5 +++-- .../rsyslog_remote_loghost/bash/shared.sh | 9 ++++++++- .../rsyslog_remote_loghost/oval/shared.xml | 5 +++-- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml index 45825e0e9f6..b268295e6c2 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml @@ -6,8 +6,9 @@ {{{ ansible_instantiate_variables("rsyslog_remote_loghost_address") }}} - name: "Set rsyslog remote loghost" - lineinfile: + ansible.builtin.lineinfile: dest: /etc/rsyslog.conf - regexp: "^\\*\\.\\*" + regexp: >- + ^\*\.\*[ \\t]+(?:@|\:omrelp\:) line: "*.* @@{{ rsyslog_remote_loghost_address }}" create: yes diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh index b80e47d30b3..f703c5a9e0b 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh 
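Review bot: The new `regexp` is a YAML folded scalar, where backslashes are not escape-processed, so the `[ \\t]` written here reaches Python's `re` as a class containing a space, a backslash and the letter `t` — not a tab. The previous double-quoted scalar needed `\\`, but a `>-` block needs the single form: `^\*\.\*[ \t]+(?:@|\:omrelp\:)`. As written, a tab-separated `*.*<TAB>@@host` line is not recognised and a second entry is appended, which is exactly the case the commit message says it fixes. This assumes the build's preprocessing leaves backslashes in template text alone; the OVAL copy later in this series is a Jinja string literal, which the lexer does decode, so the two files are not equivalent as written.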
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh @@ -2,4 +2,11 @@ {{{ bash_instantiate_variables("rsyslog_remote_loghost_address") }}} -{{{ bash_replace_or_append('/etc/rsyslog.conf', '^\*\.\*', "@@$rsyslog_remote_loghost_address", '%s %s') }}} +{{{ bash_replace_or_append( + '/etc/rsyslog.conf', + '*.*', + "@@${rsyslog_remote_loghost_address}", + '%s %s', + key_regex='^\*\.\*[ \t]\+(@|\:omrelp\:)', + word_boundary='', +) }}} diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml index 0fdd24e18c2..c881574bcb8 100644 --- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml +++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml @@ -1,3 +1,4 @@ +{{%- set remote_rx = "^\*\.\*[ \t]+(?:@|\:omrelp\:)" -%}} {{{ oval_metadata("Syslog logs should be sent to a remote loghost") }}} @@ -33,14 +34,14 @@ /etc/rsyslog.conf - ^\*\.\*[\s]+(?:@|\:omrelp\:) + {{{ remote_rx }}} 1 /etc/rsyslog.d ^.+\.conf$ - ^\*\.\*[\s]+(?:@|\:omrelp\:) + {{{ remote_rx }}} 1 From 17c6d509718d9170716238334ed277988df91b32 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Fri, 12 May 2023 17:00:55 +0300 Subject: [PATCH 35/44] fix: rsyslog_logfiles_attributes_modify/bash: handle conf w/o paths Also drop comment or empty lines with whitespace start of line. --- .../rsyslog_logfiles_attributes_modify/bash.template | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template index d6755d56924..3c3b937c3cb 100644 --- a/shared/templates/rsyslog_logfiles_attributes_modify/bash.template +++ b/shared/templates/rsyslog_logfiles_attributes_modify/bash.template 
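Review bot: `key_regex` mixes the two grep dialects: `\+` is the GNU BRE one-or-more, but `(@|\:omrelp\:)` is ERE grouping and alternation, which in BRE are a literal `(`, `|` and `)`. Whichever mode bash_replace_or_append's grep and sed run in (the macro body is outside this hunk), one half of the expression is wrong, so an existing `*.* @@host` line is not matched and the remediation appends a duplicate instead of replacing it; GNU grep 3.8+ additionally warns about the stray `\:`. For BRE write `key_regex='^\*\.\*[ \t]\+\(@\|:omrelp:\)'`, for ERE `'^\*\.\*[ \t]+(@|:omrelp:)'`. Note that the Jinja lexer decodes `\t` inside this string literal into a real tab character, which is invisible in the rendered script; the same applies to `remote_rx` in the OVAL hunk, where `[ \\t]` would be clearer and equivalent.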
@@ -56,8 +56,15 @@ do # Search log file for path(s) only in case it exists! if [[ -f "${LOG_FILE}" ]] then - NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}") - LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") + NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[[:space:]]*\(#\|$\)/d" "${LOG_FILE}") + rc=0 + LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}") || rc=$? + # No paths + if (( rc == 1 )); then + continue + fi + # under set -e fail here + (( rc == 0 || rc == 1 )) FILTERED_PATHS=$(awk '{if(NF>=2&&($NF~/^\//||$NF~/^-\//)){sub(/^-\//,"/",$NF);print $NF}}' <<< "${LINES_WITH_PATHS}") CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}") MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}") From e2b701f06211c911cd9e3bb68f32a3ebef3955b5 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Thu, 11 May 2023 18:00:13 +0300 Subject: [PATCH 36/44] fix: sysctl/ansible: FQDN --- shared/templates/sysctl/ansible.template | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index 797afb3a093..5e70ffd542a 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template @@ -12,7 +12,7 @@ }}}[ \\t]*= {{%- endset %}} - name: List /etc/sysctl.d/*.conf files - find: + ansible.builtin.find: paths: {{{ ansible_sysctl_set_config_directories() }}} contains: >- {{{ setsysctlvar_rx }}}.*$ @@ -21,7 +21,7 @@ register: find_sysctl_d - name: Comment out any occurrences of {{{ SYSCTLVAR }}} from config files - replace: + ansible.builtin.replace: path: "{{ item.path }}" regexp: >- ({{{ setsysctlvar_rx }}}) @@ -29,7 +29,7 @@ loop: "{{ find_sysctl_d.files }}" - name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.conf - replace: + ansible.builtin.replace: path: "/etc/sysctl.conf" regexp: >- ({{{ setsysctlvar_rx }}}) 
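Review bot: The bare `(( rc == 0 || rc == 1 ))` only turns a grep error (rc ≥ 2) into a failure when the script runs under `set -e`, which the hunk cannot show; without it execution simply continues with an empty `LINES_WITH_PATHS`, as before, and the comment above it is misleading. Make the abort explicit so it does not depend on shell options: `if (( rc > 1 )); then echo "grep failed (rc=${rc}) on ${LOG_FILE}" >&2; exit "${rc}"; fi` in place of the arithmetic test. The enclosing `for` loop (`do` in the hunk header) starts outside the hunk.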
@@ -44,7 +44,7 @@ - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - name: Ensure sysctl {{{ SYSCTLVAR }}} is set - sysctl: + ansible.posix.sysctl: name: "{{{ SYSCTLVAR }}}" # Ansible sysctl module doesn't allow empty string. A space string is # allowed and has the same semantics as sysctl will ignore spaces. @@ -54,7 +54,7 @@ {{%- else %}} - name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} - sysctl: + ansible.posix.sysctl: name: "{{{ SYSCTLVAR }}}" # Ansible sysctl module doesn't allow empty string. A space string is # allowed and has the same semantics as sysctl will ignore spaces. From 497217742eb4b91cc05d715186dedf469a642846 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Thu, 11 May 2023 21:50:25 +0300 Subject: [PATCH 37/44] fix: oval_list_to_set: work with older than 2.10 Jinja2 --- shared/macros/10-oval.jinja | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 8cff3eb3136..576cbd00c63 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1031,13 +1031,13 @@ previous level sets. Do it recursiverly. {{%- endfor %}} {{%- endset -%}} -{{%- set next_list = namespace(lst=[]) -%}} +{{%- set next_list = [] -%}} {{%- for item in list_to_handle -%}} {{%- if loop.index0 >= 2 -%}} -{{%- set next_list.lst = next_list.lst + [item] -%}} +{{%- set _ = next_list.append(item) -%}} {{%- endif -%}} {{%- endfor -%}} -{{{ oval_list_to_set(next_list.lst, _result_list + [result_list_item]) }}} +{{{ oval_list_to_set(next_list, _result_list + [result_list_item]) }}} {{%- endif -%}} {{%- endmacro -%}} From b906e08a24a90e7e41f07b0dcaf4cdf807a9dd1a Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Thu, 11 May 2023 21:50:37 +0300 Subject: [PATCH 38/44] fix: sysctl/oval: work with older than 2.10 Jinja2 --- shared/templates/sysctl/oval.template | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
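Review bot: The `ansible.posix.sysctl` name introduced in these two tasks is reverted to `sysctl` in patch 43 of the same series because the build's module allowlist and ansible 2.9 reject it, so this commit leaves the tree in a state that does not build. Squash the two, or drop the sysctl rename from this commit, so every commit in the series builds and bisecting stays possible; the `ansible.builtin.find`/`ansible.builtin.replace` renames in the earlier hunks can stay, since patch 43 keeps them.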
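Review bot: The `{{%- set _ = next_list.append(item) -%}}` loop relies on a side effect inside `set`, reads as a discarded assignment, and only works because Jinja lists are real Python lists. Jinja 2.7 already supports slicing, so the whole loop collapses to `{{%- set next_list = list_to_handle[2:] -%}}` and the `_` variable disappears. If the append idiom is kept, add a one-line comment saying it stands in for the 2.10-only `namespace()`, since the commit message is currently the only place that explains it.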
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template index d4d6b90377c..9a750fe3424 100644 --- a/shared/templates/sysctl/oval.template +++ b/shared/templates/sysctl/oval.template @@ -245,12 +245,12 @@ obj_{{{ rule_id }}}_static_sysctld_{{{ suffix }}} -{{%- set obj_refs = namespace(lst=[]) -%}} -{{%- set obj_refs.lst = obj_refs.lst + ['' ~ obj_static_sysctld_id("sysctl") ~ ''] -%}} +{{%- set obj_refs = [] -%}} +{{%- set _ = obj_refs.append('' ~ obj_static_sysctld_id("sysctl") ~ '') -%}} {{%- for sysctl_dir in sysctl_dirs -%}} -{{%- set obj_refs.lst = obj_refs.lst + ['' ~ obj_static_sysctld_id(sysctl_d_id(sysctl_dir)) ~ ''] -%}} +{{%- set _ = obj_refs.append('' ~ obj_static_sysctld_id(sysctl_d_id(sysctl_dir)) ~ '') -%}} {{%- endfor -%}} - {{{ oval_list_to_set(obj_refs.lst) | indent(8) }}} + {{{ oval_list_to_set(obj_refs) | indent(8) }}} {{%- if SYSCTLVAL is none %}} From 9e31c29541d9f8629e6d59ddb40192de3e3492e5 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Thu, 11 May 2023 22:44:26 +0300 Subject: [PATCH 39/44] fix: oval_list_to_set: work with older than 2.8 Jinja2 --- shared/macros/10-oval.jinja | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 576cbd00c63..f0fcb862b19 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1022,15 +1022,7 @@ previous level sets. Do it recursiverly. {{{ oval_list_to_set(_result_list, []) }}} {{%- endif -%}} {{%- else -%}} -{{%- set result_list_item -%}} - -{{%- for item in list_to_handle -%}} -{{%- if loop.index0 < 2 %}} - {{{ item | indent }}} -{{%- endif -%}} -{{%- endfor %}} - -{{%- endset -%}} +{{%- set result_list_item = _oval_list_to_set_block(list_to_handle) -%}} {{%- set next_list = [] -%}} {{%- for item in list_to_handle -%}} {{%- if loop.index0 >= 2 -%}} 
@@ -1042,6 +1034,18 @@ previous level sets. Do it recursiverly. {{%- endmacro -%}} +{{#- This exists only because 2.8 has set block assignment, but CentOS has Jinja 2.7 -#}} +{{%- macro _oval_list_to_set_block(list_to_handle) -%}} + +{{%- for item in list_to_handle -%}} +{{%- if loop.index0 < 2 %}} + {{{ item | indent }}} +{{%- endif -%}} +{{%- endfor %}} + +{{%- endmacro -%}} + + {{# Convert variable to trimmed variable where whitespace is removed before and after. From d773b168e45604b7b804a05d2bcad8ba419a14c0 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Fri, 12 May 2023 08:38:47 +0300 Subject: [PATCH 40/44] fix: sysctl/ansible: work with older than 2.8 Jinja2 --- shared/templates/sysctl/ansible.template | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index 5e70ffd542a..435ec7fd229 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template @@ -5,12 +5,7 @@ # disruption = medium {{#- sysctl quirks -#}} -{{%- set setsysctlvar_rx -%}} -^[ \\t]*-?[ \\t]*{{{ - SYSCTLVAR | escape_regex_sq | - replace('[.]', '[./]') | replace('[/]', '[./]') - }}}[ \\t]*= -{{%- endset %}} +{{%- set setsysctlvar_rx = '^[ \\t]*-?[ \\t]*' ~ SYSCTLVAR | escape_regex_sq | replace('[.]', '[./]') | replace('[/]', '[./]') ~ '[ \\t]*=' %}} - name: List /etc/sysctl.d/*.conf files ansible.builtin.find: paths: {{{ ansible_sysctl_set_config_directories() }}} From 054b3d3986026c532c2f9534155ceda5db29c5ab Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Thu, 11 May 2023 22:48:42 +0300 Subject: [PATCH 41/44] fix: sysctl/ansible: work with older than v2.11.0 Jinja2 --- shared/templates/sysctl/ansible.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index 435ec7fd229..bdcc6be51d0 100644 --- a/shared/templates/sysctl/ansible.template 
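Review bot: `_oval_list_to_set_block` walks the whole list and filters with `loop.index0 < 2`; `{{%- for item in list_to_handle[:2] %}}` states the intent directly and also works on Jinja 2.7. The macro comment explains only why it exists; one more sentence on what it emits (the two-element set grouping that `oval_list_to_set` nests) would let a reader understand it without opening the caller. Naming the release in the comment (`CentOS 7 ships Jinja 2.7`) keeps it from going stale once that platform is dropped.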
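Review bot: Moving the pattern into a Jinja string literal silently changes the rendered text: inside `'...'` the lexer decodes `\\t` to `\t`, whereas the old `set` block emitted the raw `\\t`, so the YAML folded scalars now carry `[ \t]` (a real tab class for Python `re`) instead of `[ \\t]` (space, backslash or the letter `t`). That is the correct result, but it is a behaviour fix hidden in a compatibility commit and deserves a sentence in the message and a comment on this line. Filters bind tighter than `~`, so the expression parses as intended, but explicit parentheses around `(SYSCTLVAR | escape_regex_sq | replace('[.]', '[./]') | replace('[/]', '[./]'))` spare the next reader the precedence check.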
+++ b/shared/templates/sysctl/ansible.template @@ -32,7 +32,7 @@ {{%- if sysctl_remediate_drop_in_file != "true" %}} {{#- sysctl module manages only last entry #}} before: >- - .*\n{{{ setsysctlvar_rx | trim('^') }}} + .*\n{{{ setsysctlvar_rx.lstrip('^') }}} {{%- endif %}} {{%- if SYSCTLVAL is none or SYSCTLVAL is not string %}} From d3565e2d42015a3e55802089c7f317c5944a44e9 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Tue, 9 May 2023 15:11:00 +0300 Subject: [PATCH 42/44] fix: escape_regex*: be also python 2 compatible --- ssg/utils.py | 50 +++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 39 insertions(+), 11 deletions(-) diff --git a/ssg/utils.py b/ssg/utils.py index d4ff0ba77b2..d6297bb596c 100644 --- a/ssg/utils.py +++ b/ssg/utils.py @@ -5,6 +5,7 @@ import errno import os import re +import sys from collections import namedtuple import hashlib 
@@ -343,33 +344,60 @@ def mkdir_p(path): raise +# CentOS 7 etc has PY2 +_PY2 = bool(sys.version_info[0] == 2) + +if _PY2: + def _py2_text_translate(text, table): + result = [] + for char in text: + if char in table: + result.append(table[char]) + else: + result.append(char) + return "".join(result) + + +def _binary_type_conversion(i): + return str(i) if _PY2 else chr(i) + + +_text_translate = _py2_text_translate if _PY2 else str.translate + # Mimic from python 3.11, but drop ws # SPECIAL_CHARS # closing ')', '}' and ']' # '-' (a range in character set) # '&', '~', (extended character set operations) # '#' (comment) and WHITESPACE (ignored) in verbose mode -_special_chars_map = {i: '\\' + chr(i) for i in b'()[]{}?*+-|^$\\.&~#'} +_special_chars_map = { + i: '\\' + _binary_type_conversion(i) + for i in b'()[]{}?*+-|^$\\.&~#' +} +# all special characters (not \w), by ascii order +_all_special_chars_map = { + i: '\\' + _binary_type_conversion(i) + for i in b'!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~' +} +_all_special_chars_map_sq = { + i: (('[' + _binary_type_conversion(i) + ']') + if _binary_type_conversion(i) != '^' else ('\\' + _binary_type_conversion(i))) + for i in b'!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~' +} + def escape_regex(text): # We could use re.escape(), but it escapes too many characters, including plain white space. # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped. 
- return text.translate(_special_chars_map) + return _text_translate(text, _special_chars_map) -# all special characters, by ascii order -_all_special_chars_map = {i: '\\' + chr(i) for i in b'!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~'} -_all_special_chars_map_sq = { - i: (('[' + chr(i) + ']') if i != '^' else ('\\' + chr(i))) - for i in b'!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~' -} - def escape_regex_all(text): - return text.translate(_all_special_chars_map) + return _text_translate(text, _all_special_chars_map) def escape_regex_sq(text): - return text.translate(_all_special_chars_map_sq) + return _text_translate(text, _all_special_chars_map_sq) def escape_id(text): From 63fe82c999b3090aff84be2249dc103675b3a3cb Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Fri, 12 May 2023 07:26:16 +0300 Subject: [PATCH 43/44] fix: sysctl/ansible: FQDN ansible.posix.sysctl not in 2.9 Newer ansible (mine 2.14) has sysctl at ansible.posix.sysctl. But build system does not accept it: Found module which is not allowed: {'tags', 'name', 'when', 'ansible.posix.sysctl'} and ERROR! couldn't resolve module/action 'ansible.posix.sysctl'. This often indicates a misspelling, missing collection, or incorrect module path. --- shared/templates/sysctl/ansible.template | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index bdcc6be51d0..f7f2b4f1f83 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template @@ -39,7 +39,7 @@ - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - name: Ensure sysctl {{{ SYSCTLVAR }}} is set - ansible.posix.sysctl: + sysctl: name: "{{{ SYSCTLVAR }}}" # Ansible sysctl module doesn't allow empty string. A space string is # allowed and has the same semantics as sysctl will ignore spaces. 
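Review bot: `_all_special_chars_map_sq` maps a backslash to `[\]`, which in Python `re` and PCRE is an unterminated character class (`\]` escapes the bracket), so `escape_regex_sq('\\')` produces a pattern that does not compile; only POSIX bracket expressions treat `\` as literal there. Map it to `'\\\\'` as the other two tables do, or exclude it from the `[...]` treatment. The comparison `_binary_type_conversion(i) != '^'` also fixes the earlier `i != '^'`, which compared an int with a str on Python 3 and so emitted `[^]` for `^`; that is a behaviour change worth a line in the commit message and a test such as `assert escape_regex_sq('^.') == '\\^[.]'`. Finally, `_py2_text_translate` is defined only under `_PY2` but named unconditionally in the `_text_translate` expression (safe at runtime, since the false branch is not evaluated, but flagged by static checkers); binding `_text_translate` inside the `if`/`else` avoids that.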
@@ -49,7 +49,7 @@ {{%- else %}} - name: Ensure sysctl {{{ SYSCTLVAR }}} is set to {{{ SYSCTLVAL }}} - ansible.posix.sysctl: + sysctl: name: "{{{ SYSCTLVAR }}}" # Ansible sysctl module doesn't allow empty string. A space string is # allowed and has the same semantics as sysctl will ignore spaces. From a89d8343204f9a0be6fe130c7ec7b017664bdcd1 Mon Sep 17 00:00:00 2001 From: Markus Linnala Date: Fri, 12 May 2023 14:48:21 +0300 Subject: [PATCH 44/44] bash: be v4.2 compat the replacement string in double-quoted pattern substitution does not undergo quote removal, as it does in versions after bash-4.2 --- shared/macros/10-bash.jinja | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 9c5243c6bbc..8c94f264ace 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -38,7 +38,7 @@ There is bash_sed_escape_replacement for replacement escape. Then escape other than \w and ^ with [ ]. And then ^ with \^. And use bash replacement to remove \n. -#}} -{{{ result_variable }}}="$(LC_ALL=C sed 's/[\x01-\x08\x0a-\x1f\x7f]/ /g;s/[^^a-zA-Z0-9_]/[&]/g;s/\^/\\^/g' <<< "{{{ "${" ~ variable ~ "//[$'\n']/ }" }}}")" +{{{ result_variable }}}="$(LC_ALL=C sed 's/[\x01-\x08\x0a-\x1f\x7f]/ /g;s/[^^a-zA-Z0-9_]/[&]/g;s/\^/\\^/g' <<< "{{{ "${" ~ variable ~ "}" }}}" | tr '\n' ' ')" {{%- endmacro -%}} 
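Review bot: Piping sed's output through `tr '\n' ' '` leaves a trailing space on the result: the here-string appends a newline, sed echoes it, `tr` turns it into a space, and `$(...)` strips only trailing newlines, so the escaped key now always ends in `' '` (the old bash substitution ran before sed, whose final newline was then stripped). Convert before sed and avoid the extra newline: `$(printf '%s' "{{{ "${" ~ variable ~ "}" }}}" | tr '\n' ' ' | LC_ALL=C sed 's/[\x01-\x08\x0a-\x1f\x7f]/ /g;s/[^^a-zA-Z0-9_]/[&]/g;s/\^/\\^/g')`. The macro header and its comment block start outside the hunk.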
@@ -55,9 +55,7 @@ Any control characters are replaced with space except \0 (null character) and #}} {{%- macro bash_sed_escape_replacement(variable, result_variable, delim="/") -%}} -{{{ result_variable }}}="{{{ "${" ~ variable }}}//\\/\\\\/}" -{{{ result_variable }}}="{{{ "${" ~ result_variable }}}//[$'\x01-\x08\x0a-\x1f\x7f']/ }" -{{{ result_variable }}}="{{{ "${" ~ result_variable }}}//\{{{ delim }}}/\\\{{{ delim ~ "}" }}}" +{{{ result_variable }}}="$(LC_ALL=C sed 's/[\x01-\x08\x0a-\x1f\x7f]/ /g;s/\\/\\\\/g' <<< "{{{ "${" ~ variable }}}//\{{{ delim }}}/\\\{{{ delim ~ "}" }}}")" {{%- endmacro -%}} @@ -1557,8 +1555,7 @@ grep_command+=(-i) # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. -stripped_key="{{{ key }}}" -stripped_key="${stripped_key//[$'^=$,;+']}" +stripped_key="$(LC_ALL=C sed 's/[\^=$,;+]//g' <<< "{{{ key }}}")" # shellcheck disable=SC2059 printf -v formatted_output "{{{ format }}}" "${stripped_key}" "{{{ value }}}"
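Review bot: The rewrite reorders the three escapes and that breaks the delimiter escaping: the shell substitution now inserts `\` before each `{{{ delim }}}` first, and the `s/\\/\\\\/g` that runs afterwards doubles that backslash too, so `a/b` becomes `a\\/b` (a literal backslash and an unescaped `/`) instead of `a\/b`, terminating the caller's `s` command early. Embedded newlines are also no longer replaced, because sed never sees `\x0a` inside a line while the old `[$'...\x0a...']` pattern did. Keep the original order — backslashes, control characters, then the delimiter — e.g. `{{{ result_variable }}}="$(printf '%s' "{{{ "${" ~ variable ~ "}" }}}" | tr '\n' ' ' | LC_ALL=C sed 's/[\x01-\x08\x0a-\x1f\x7f]/ /g;s/\\/\\\\/g')"` followed by the line this hunk removed, `{{{ result_variable }}}="{{{ "${" ~ result_variable }}}//\{{{ delim }}}/\\\{{{ delim ~ "}" }}}"`. That last substitution is the same double-quoted form the commit message describes as problematic on bash 4.2, and it survives inside the here-string in the new code as well, so the compatibility goal is not met by this hunk either way.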
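Review bot: In a sed bracket expression a backslash is an ordinary member (GNU sed special-cases only escapes such as `\n`, `\t` or `\xHH` there, as far as I can tell), so `[\^=$,;+]` deletes backslashes from the key as well as the intended `^=$,;+` set, which the old `${stripped_key//[$'^=$,;+']}` did not. Put the caret last instead of escaping it: `stripped_key="$(LC_ALL=C sed 's/[=$,;+^]//g' <<< "{{{ key }}}")"`. `{{{ key }}}` is still interpolated verbatim into a double-quoted shell string, as before, so a key containing `"` or `$` remains a templating hazard this hunk does not change.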