bash_replace_or_append fixes #10574
Conversation
Hi @maage. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Debian and Ubuntu have old versions of bats, v0.4.0 and v1.2.1 respectively, I guess. Added a patch to disable features if so.
Uh,
/ok-to-test
I see only the CTF regression, fix mentioned above.
Another way to solve BATS issues would be to require at least v1.5.0 during cmake program test. |
This is a great improvement to the project, thank you very much. I will try to cooperate with @mildas to get the CTF fixed. See my small comment.
I also changed in
This datastream diff is auto-generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated' differs.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
@@ -1,12 +1,5 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/yum.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
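Review bot: The deleted block (the `sed_command` array and the `test -L "/etc/yum.conf"` check) was the only place that documented why `--follow-symlinks` matters, and the replacement in the next hunk now passes the flag unconditionally; keep a one-line comment beside the new `sed -i --follow-symlinks` call saying it is always passed so that a symlinked config file is edited through the link instead of being replaced by a regular file (plain `sed -i` renames its temporary file over the symlink, which silently detaches /etc/yum.conf from the dnf configuration it points to on systems where it is a link). `--follow-symlinks` is a GNU sed extension, but `-i` without a suffix is already GNU-specific, so this does not narrow portability further.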
@@ -20,11 +13,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf"
+ fi
cce="CCE-80790-9"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf"
printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
fi
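Review bot: The new `LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi"` line still depends on the context line `escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")`, which escapes only `/`; a `&` in the value is still expanded by sed to the matched text in the replacement, and a `\` still starts an escape, so escape `&` as well (e.g. `sed -e 's/[\/&]/\\&/g'`), plus `\` if values can carry it, and give that helper sed the same `LC_ALL=C` prefix that was added to the in-place call. The trailing-newline guard itself is correct: command substitution strips a final newline, so `$(tail -c 1 -- "/etc/yum.conf")` is empty exactly when the file already ends in `\n`, and `-s` skips the empty file where the following `printf` lines produce a complete first line anyway.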
bash remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages' differs.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
@@ -1,12 +1,5 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/yum.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -20,11 +13,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/yum.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf"
+ fi
cce="CCE-80791-7"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf"
printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
fi
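Review bot: The removed comment `# \n is precaution for case where file ends without trailing newline` explained the old `printf '\n...'` prefix, but the three-line guard that replaces it has no comment at all; add one above `if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then` stating that it appends a newline only when the file is non-empty and its last byte is not `\n`, because the bare `sed -i --follow-symlinks '$a'\\` idiom is not self-explanatory to the next reader. Note also that dropping the leading `\n` from the `printf` means appended settings no longer get a blank separator line before the `# Per CCE` comment; that is fine, but it is why every one of these rules shows up in the datastream diff.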
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
@@ -7,13 +7,6 @@
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -27,11 +20,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
cce="CCE-80653-9"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck
@@ -7,13 +7,6 @@
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -27,11 +20,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^dictcheck\\>" "/etc/security/pwquality.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^dictcheck\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^dictcheck\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
cce="CCE-86233-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
@@ -7,13 +7,6 @@
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -27,11 +20,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^difok\\>" "/etc/security/pwquality.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^difok\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^difok\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
cce="CCE-80654-7"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
@@ -7,13 +7,6 @@
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -27,11 +20,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
cce="CCE-80655-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
@@ -7,13 +7,6 @@
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -27,11 +20,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^maxclassrepeat\\>" "/etc/security/pwquality.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^maxclassrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^maxclassrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
cce="CCE-81034-1"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
@@ -7,13 +7,6 @@
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -27,11 +20,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^maxrepeat\\>" "/etc/security/pwquality.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^maxrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^maxrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
cce="CCE-82066-2"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
@@ -7,13 +7,6 @@
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -27,11 +20,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
cce="CCE-82046-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
@@ -7,13 +7,6 @@
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -27,11 +20,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
cce="CCE-80656-2"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
@@ -7,13 +7,6 @@
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -27,11 +20,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^ocredit\\>" "/etc/security/pwquality.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^ocredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^ocredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
cce="CCE-80663-8"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
@@ -3,13 +3,6 @@
var_password_pam_retry=''
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -23,11 +16,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^retry\\>" "/etc/security/pwquality.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^retry\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^retry\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
cce="CCE-80664-6"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
@@ -7,13 +7,6 @@
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -27,11 +20,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
cce="CCE-80665-3"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction' differs.
--- xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
+++ xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
@@ -1,12 +1,5 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q systemd; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/systemd/system.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -20,11 +13,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^CtrlAltDelBurstAction=\\>" "/etc/systemd/system.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^CtrlAltDelBurstAction=\\>.*/$escaped_formatted_output/gi" "/etc/systemd/system.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^CtrlAltDelBurstAction=\\>.*/$escaped_formatted_output/gi" "/etc/systemd/system.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/systemd/system.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/systemd/system.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/systemd/system.conf"
+ fi
cce="CCE-80784-2"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/systemd/system.conf" >> "/etc/systemd/system.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/systemd/system.conf" >> "/etc/systemd/system.conf"
printf '%s\n' "$formatted_output" >> "/etc/systemd/system.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration' differs.
--- xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
+++ xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
@@ -3,13 +3,6 @@
var_account_disable_post_pw_expiration=''
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/default/useradd"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -23,11 +16,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd"
+ LC_ALL=C sed -i --follow-symlinks "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/default/useradd" ]] && [[ -n "$(tail -c 1 -- "/etc/default/useradd" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/default/useradd"
+ fi
cce="CCE-80954-1"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/default/useradd" >> "/etc/default/useradd"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/default/useradd" >> "/etc/default/useradd"
printf '%s\n' "$formatted_output" >> "/etc/default/useradd"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay' differs.
--- xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
+++ xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
@@ -3,13 +3,6 @@
var_accounts_fail_delay=''
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/login.defs"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -23,11 +16,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^FAIL_DELAY\\>" "/etc/login.defs"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^FAIL_DELAY\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
+ LC_ALL=C sed -i --follow-symlinks "s/^FAIL_DELAY\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
+ fi
cce="CCE-84037-1"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/login.defs" >> "/etc/login.defs"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs"
printf '%s\n' "$formatted_output" >> "/etc/login.defs"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs' differs.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
@@ -3,13 +3,6 @@
var_accounts_user_umask=''
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/login.defs"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -23,11 +16,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
+ LC_ALL=C sed -i --follow-symlinks "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
+ fi
cce="CCE-82888-9"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/login.defs" >> "/etc/login.defs"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs"
printf '%s\n' "$formatted_output" >> "/etc/login.defs"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server
@@ -7,13 +7,6 @@
AUDITCONFIG=/etc/audit/audisp-remote.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -27,11 +20,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^remote_server\\>" "$AUDITCONFIG"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^remote_server\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^remote_server\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
cce="CCE-80925-1"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
fi
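Review bot: the `|| true` inside `$(tail -c 1 -- "$AUDITCONFIG" || true)` is redundant and masks the one failure that matters. The substitution sits in a `[[ -n ... ]]` test, so `errexit` cannot fire on it anyway; if `tail` does fail (unreadable target behind the symlink, for instance), the expansion is empty, the guard concludes the file already ends in a newline, and the following `printf ... >> "$AUDITCONFIG"` can glue the new setting onto the last line. Drop `|| true`, or treat a non-zero `tail` as "needs a newline".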
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action
@@ -5,13 +5,6 @@
AUDITCONFIG=/etc/audit/audisp-remote.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -25,10 +18,11 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "$AUDITCONFIG"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
else
- # \n is precaution for case where file ends without trailing newline
-
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
fi
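Review bot: for the rules without a CCE, of which this hunk is the first, the change is a behaviour fix rather than a refactor: the removed lines show the `# \n is precaution for case where file ends without trailing newline` comment followed by an empty line, i.e. the `printf '\n# Per ...'` that actually supplied the precaution was only generated when a CCE existed, so a file lacking a trailing newline got `disk_full_action = ...` glued onto its last line. The new `tail -c 1` guard now covers that path; worth a sentence in the commit message or description since it changes what these rules write.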
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records
@@ -6,13 +6,6 @@
option="^transport"
value="KRB5"
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDISP_REMOTE_CONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -26,11 +19,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "$option\\>" "$AUDISP_REMOTE_CONFIG"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/$option\\>.*/$escaped_formatted_output/gi" "$AUDISP_REMOTE_CONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/$option\\>.*/$escaped_formatted_output/gi" "$AUDISP_REMOTE_CONFIG"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDISP_REMOTE_CONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDISP_REMOTE_CONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDISP_REMOTE_CONFIG"
+ fi
cce="CCE-80926-9"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDISP_REMOTE_CONFIG" >> "$AUDISP_REMOTE_CONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDISP_REMOTE_CONFIG" >> "$AUDISP_REMOTE_CONFIG"
printf '%s\n' "$formatted_output" >> "$AUDISP_REMOTE_CONFIG"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action
@@ -5,13 +5,6 @@
AUDITCONFIG=/etc/audit/audisp-remote.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -25,10 +18,11 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^network_failure_action\\>" "$AUDITCONFIG"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^network_failure_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^network_failure_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
else
- # \n is precaution for case where file ends without trailing newline
-
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated
@@ -4,13 +4,6 @@
var_syslog_active="yes"
AUDISP_SYSLOGCONFIG=/etc/audit/plugins.d/syslog.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDISP_SYSLOGCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -24,11 +17,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^active\\>" "$AUDISP_SYSLOGCONFIG"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^active\\>.*/$escaped_formatted_output/gi" "$AUDISP_SYSLOGCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^active\\>.*/$escaped_formatted_output/gi" "$AUDISP_SYSLOGCONFIG"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDISP_SYSLOGCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDISP_SYSLOGCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDISP_SYSLOGCONFIG"
+ fi
cce="CCE-80677-8"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDISP_SYSLOGCONFIG" >> "$AUDISP_SYSLOGCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDISP_SYSLOGCONFIG" >> "$AUDISP_SYSLOGCONFIG"
printf '%s\n' "$formatted_output" >> "$AUDISP_SYSLOGCONFIG"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action
@@ -11,13 +11,6 @@
#
var_auditd_disk_error_action="$(echo $var_auditd_disk_error_action | cut -d \| -f 1)"
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/audit/auditd.conf"; then
- sed_command+=('--follow-symlinks')
-fi
-
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_error_action")
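Review bot: the context line `var_auditd_disk_error_action="$(echo $var_auditd_disk_error_action | cut -d \| -f 1)"` leaves the variable unquoted, so it goes through word splitting and pathname expansion before `cut` sees it (shellcheck SC2086). It is pre-existing and outside the changed lines, but since the template is already being touched for `LC_ALL=C` and `--follow-symlinks`, quoting it (`printf '%s\n' "$var_auditd_disk_error_action" | cut -d '|' -f 1`) would be a cheap fix to fold in.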
@@ -30,11 +23,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^disk_error_action\\>" "/etc/audit/auditd.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
+ fi
cce="CCE-84046-2"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf"
printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig
+++ xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig
@@ -3,13 +3,6 @@
var_auditd_disk_error_action=''
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/audit/auditd.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -23,10 +16,11 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^disk_error_action\\>" "/etc/audit/auditd.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
else
- # \n is precaution for case where file ends without trailing newline
-
+ if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
+ fi
printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
@@ -5,13 +5,6 @@
var_auditd_disk_full_action="$(echo $var_auditd_disk_full_action | cut -d \| -f 1)"
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/audit/auditd.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -25,11 +18,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
+ fi
cce="CCE-84045-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf"
printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig
+++ xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig
@@ -3,13 +3,6 @@
var_auditd_disk_full_action=''
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/audit/auditd.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -23,10 +16,11 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
else
- # \n is precaution for case where file ends without trailing newline
-
+ if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
+ fi
printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
@@ -5,13 +5,6 @@
AUDITCONFIG=/etc/audit/auditd.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -25,11 +18,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^action_mail_acct\\>" "$AUDITCONFIG"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
cce="CCE-80678-6"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
@@ -5,13 +5,6 @@
AUDITCONFIG=/etc/audit/auditd.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -25,11 +18,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^admin_space_left_action\\>" "$AUDITCONFIG"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^admin_space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^admin_space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
cce="CCE-80679-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
@@ -5,13 +5,6 @@
AUDITCONFIG=/etc/audit/auditd.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -25,11 +18,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^max_log_file\\>" "$AUDITCONFIG"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^max_log_file\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^max_log_file\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
cce="CCE-80681-0"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
@@ -5,13 +5,6 @@
AUDITCONFIG=/etc/audit/auditd.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -25,11 +18,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "$AUDITCONFIG"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
cce="CCE-80682-8"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig
@@ -3,13 +3,6 @@
var_auditd_max_log_file_action=''
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/audit/auditd.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -23,10 +16,11 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "/etc/audit/auditd.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
else
- # \n is precaution for case where file ends without trailing newline
-
+ if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
+ fi
printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs
@@ -5,13 +5,6 @@
AUDITCONFIG=/etc/audit/auditd.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -25,11 +18,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^num_logs\\>" "$AUDITCONFIG"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^num_logs\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^num_logs\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
cce="CCE-80683-6"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
@@ -12,13 +12,6 @@
AUDITCONFIG=/etc/audit/auditd.conf
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
-
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^space_left_action")
@@ -31,11 +24,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^space_left_action\\>" "$AUDITCONFIG"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
cce="CCE-80684-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
@@ -3,13 +3,6 @@
rsyslog_remote_loghost_address=''
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/rsyslog.conf"; then
- sed_command+=('--follow-symlinks')
-fi
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
@@ -23,11 +16,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^\*\.\*\\>" "/etc/rsyslog.conf"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^\*\.\*\\>.*/$escaped_formatted_output/gi" "/etc/rsyslog.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^\*\.\*\\>.*/$escaped_formatted_output/gi" "/etc/rsyslog.conf"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/rsyslog.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/rsyslog.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/rsyslog.conf"
+ fi
cce="CCE-80863-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/rsyslog.conf" >> "/etc/rsyslog.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/rsyslog.conf" >> "/etc/rsyslog.conf"
printf '%s\n' "$formatted_output" >> "/etc/rsyslog.conf"
fi
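Review bot: the key pattern `^\*\.\*\\>` used in the `grep -q` context line and in the new `sed -i --follow-symlinks "s/^\*\.\*\\>.*/.../gi"` cannot match: `\>` is a word-end anchor that needs a word character (letter, digit or `_`) immediately before it, and `*` is not one, so the replace branch is dead and every run takes the `else` branch and appends another `*.*` line to `/etc/rsyslog.conf`. Pre-existing rather than introduced here, but with the append path being reworked this is the moment to give the rule a key that matches the following space or tab instead of `\>`, and to add a bats case with a regex-special key so the macro's contract for such keys is pinned down.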
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
@@ -32,13 +32,6 @@
# else, add "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf
#
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "${SYSCONFIG_FILE}"; then
- sed_command+=('--follow-symlinks')
-fi
-
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.disable_ipv6")
@@ -51,11 +44,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^net.ipv6.conf.all.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+ LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
+ fi
cce="CCE-85904-1"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
@@ -32,13 +32,6 @@
# else, add "net.ipv6.conf.default.disable_ipv6 = 1" to /etc/sysctl.conf
#
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "${SYSCONFIG_FILE}"; then
- sed_command+=('--follow-symlinks')
-fi
-
# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.disable_ipv6")
@@ -51,11 +44,13 @@
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then
escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^net.ipv6.conf.default.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+ LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
+ fi
cce="CCE-86004-9"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
@@ -34,13 +34,6 @@
# else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf
#
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, r
... The diff is trimmed here ... |
This seems unrelated,
I guess issue is that
I created #10582
/hold This test is wrong,
- by default parallel execution if `parallel` available
- by default print output on failure
- add --verbose --quiet
- add --debug
- add --parallel / --no-parallel
- any other parameter provided to bats
Ensure env is cleaned and do not use unset variables.
Use setup to setup common. There is no need to do cleanup when using `$BATS_TEST_TMPDIR`. bats does it for us. This allows tests to be run parallel as resources are not shared between tests.
Use setup to setup common. There is no need to create special tmpfile and do cleanup as bats does it for us.
Use setup to setup common. There is no need to do cleanup as bats does it for us.
This shows test target and there is nice logging.
Use setup to setup common. There is no need to do cleanup as bats does it for us. Also use bats to output if needed, not implemented inside test.
Ensure file ends with newline. Always follows symlinks.
Moved jinja whitespace trim from end to start as it works best that way.
I see no point doing extra test. Functionality does not change. It exposes bigger TOCTOU window. And I think all `sed -i` commands should always have `--follow-symlinks`. And also have always LC_ALL=C if there is no other reason why not.
Seems Debian 10 has 0.4.0, so need to disable some features.
Needed to skip the test above. I have bats-2 patchset on top of this, that handles more issues. But it requires more work and touches more code.
Some potential shellcheck issues. And style changes in new code and moved new tests in one block too. I can change this to Draft and work all in one swoop. But it will take time. Main production benefit here is /hold cancel
Code Climate has analyzed commit 628c5fb and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.5% (0.0% change). View more on Code Climate.
Hello @maage and thank you for the additional changes. I see that Automatus is failing on some rules. However, I think it is not related to your changes. I checked all rules suggested by content test filtering and ran Automatus against RHEL 7, RHEL 8, RHEL 9 and Fedora... and there are no unexpected failures.
Thanks
Description:
At #10534 I had some gripes about ensuring these jinja functions perform as wanted.
Here I extend the bats test suite for `bash_replace_or_append`.
- Update the test script, and use some basic generic bats features instead of doing it by hand.
- Handle the append situation where the config does not have a newline at EOF. Implement it as its own macro `bash_ensure_nl_at_eof`, as there might be other cases where this functionality helps. There are some cases where the issue has been noted and acted upon by just unconditionally adding `\n` always; these are not fixed here, other than what was in `bash_replace_or_append`.
- Drop the extra logic about symlinks in `bash_replace_or_append` with `sed -i` and just always follow them. `--follow-symlinks` should be the default wherever there is `sed -i`.
- Add `LC_ALL=C` to `sed` in `bash_replace_or_append`. Something like this should always be the default.
- Use bats features like `setup` and `$BATS_TEST_TMPDIR` to simplify tests. Less code to maintain.
- Extend and change `tests/unit/bash/execute_tests.sh`. Now it shows failed output by default and I hope it helps to diagnose problems faster. There are some options to help diagnose issues.
- Run bats tests in parallel. This is kind of test-level parallelism over ctest parallelism. When bats features are used as they are now, there should not be regressions. This is a somewhat forward-looking change, as when test cases accumulate it will help more and more. For a simple development cycle you just edit the jinja macro and/or test suite and then run ctest for `bash-unit-tests`, and the time savings are visible.
Rationale:
`bash_replace_or_append` should be used even more. And it can be used more if there is some assurance it works as expected. Expanded the test suite greatly. There are some skipped tests; they could be new features, but I don't see them as bugs at this time. But I decided it was good to document them just to show what the limitations are.
Review Hints:
There could be regressions because functionality has changed when the file does not have a newline at EOF, or if there is a locale other than C.
Also there could be regressions because of old bash versions and such.
CTF regression does impact testing; fix at: ComplianceAsCode/content-test-filtering#44
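An added example, not the project's jinja macro and not code from this PR, sketching in plain shell the three behaviours the description lists: fix a missing newline at EOF before appending, follow symlinks with `sed -i`, and pin `LC_ALL=C`. The function names `ensure_nl_at_eof` and `replace_or_append` and the `yum.conf` sample are assumptions; GNU sed is required for `--follow-symlinks`.

```shell
# Added example, not the project's jinja macro: a plain-shell sketch of the
# behaviour the PR describes. The function names are assumptions and the
# sample config is constructed. GNU sed is required for --follow-symlinks.
set -eu

# Append '\n' if the file is non-empty and its last byte is not a newline.
# readlink -f resolves symlinks so the target is fixed, never the link itself.
ensure_nl_at_eof() {
    target=$(readlink -f "$1")
    # $(tail -c1 ...) is empty when the last byte is '\n' (substitution strips it).
    if [ -s "$target" ] && [ -n "$(tail -c1 "$target")" ]; then
        printf '\n' >> "$target"
    fi
}

# replace_or_append FILE KEY_REGEX LINE
# Rewrite every line matching KEY_REGEX (a sed BRE such as '^gpgcheck=') as
# LINE, or append LINE when nothing matches. Without the newline fix the
# appended line would be glued onto the last line. LC_ALL=C keeps matching
# byte-based and locale independent; --follow-symlinks edits the symlink
# target in place instead of replacing the link with a regular file.
# Neither KEY_REGEX nor LINE may contain '|' (the s||| delimiter) or an
# unescaped '&'.
replace_or_append() {
    file=$1; key_regex=$2; line=$3
    ensure_nl_at_eof "$file"
    if LC_ALL=C grep -q -- "$key_regex" "$file"; then
        LC_ALL=C sed -i --follow-symlinks "s|${key_regex}.*|${line}|" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# Demo: a constructed config without a trailing newline, reached through a
# symlink. Prints the resulting target file and whether the link survived.
demo() {
    d=$(mktemp -d)
    printf 'gpgcheck=0' > "$d/yum.conf"     # no newline at EOF on purpose
    ln -s "$d/yum.conf" "$d/link.conf"
    replace_or_append "$d/link.conf" '^gpgcheck=' 'gpgcheck=1'
    replace_or_append "$d/link.conf" '^localpkg_gpgcheck=' 'localpkg_gpgcheck=1'
    cat "$d/yum.conf"
    [ -L "$d/link.conf" ] && echo "link.conf is still a symlink"
    rm -rf "$d"
}
demo
```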