
bash_replace_or_append fixes #10574

Merged: 14 commits, May 19, 2023

Conversation

maage (Contributor) commented May 16, 2023

Description:

At #10534 I had some gripes about ensuring these jinja functions perform as wanted.

Here I extend the bats test suite for bash_replace_or_append, update the test script, and use some basic generic bats features instead of doing it by hand.

Handle the append situation where the config does have a newline at EOF. Implement it as its own macro bash_ensure_nl_at_eof, as there might be other cases where this functionality helps. There are some cases where the issue has been noted and acted upon by just unconditionally adding \n always; those are not fixed here, other than what was in bash_replace_or_append.

Drop the extra logic about symlinks in bash_replace_or_append with sed -i and just always follow them. --follow-symlinks should be the default wherever there is sed -i.

Add LC_ALL=C to sed in bash_replace_or_append. Something like this should always be the default.

Use bats features like setup and $BATS_TEST_TMPDIR to simplify tests. Less code to maintain.

Extend and change tests/unit/bash/execute_tests.sh. Now it shows failed output by default, and I hope it helps to diagnose problems faster. There are some options to help diagnose issues.

Run bats tests in parallel. This is kind of test-level parallelism on top of ctest parallelism. When bats features are used as they are now, there should not be regressions. This is a somewhat forward-looking change, as when test cases accumulate it will help more and more. For a simple development cycle you just edit the jinja macro and/or test suite and then run ctest for bash-unit-tests, and the time savings are visible.

Rationale:

bash_replace_or_append should be used even more. And it can be used more if there is some assurance it works as expected. Expanded the test suite greatly. There are some skipped tests; they could be new features, but I don't see them as bugs at this time. But I decided it was good to document them just to show what the limitations are.

Review Hints:

There could be regressions because functionality has changed when a file does not have a newline at EOF, or if there is a locale other than C.

Also there could be regressions because of old bash versions and such.

CTF regression does impact testing, fix at: ComplianceAsCode/content-test-filtering#44
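The replace-or-append behaviour the description relies on, written out as a stand-alone POSIX shell script. This is an added example, not the project's bash_replace_or_append macro; the function names ensure_nl_at_eof, sed_escape_replacement and replace_or_append are chosen here for illustration. It assumes GNU sed (for -i and --follow-symlinks) and GNU grep (-m 1), as the generated remediations do, and a key without regex metacharacters (the real macro strips them). It goes slightly beyond the page's escaping by also protecting backslash and ampersand in the replacement value.

```shell
#!/bin/sh
# Added example, not the project's jinja macro: a stand-alone shell version of
# the replace-or-append pattern visible in the generated remediations, with the
# "ensure newline at EOF" step split out the way the description proposes.
# Assumptions: GNU sed (-i, --follow-symlinks) and GNU grep (-m 1); the KEY
# argument contains no regex metacharacters.

# Append a newline to FILE only if it is non-empty and its last byte is not '\n'.
# "$(tail -c 1 -- FILE)" is empty exactly when that byte is a newline, because
# command substitution strips trailing newlines; '$a\' in GNU sed then adds one
# without also adding a blank line, and is a no-op when the newline is present.
ensure_nl_at_eof() {
    file=$1
    if [ -s "$file" ] && [ -n "$(tail -c 1 -- "$file" || true)" ]; then
        LC_ALL=C sed -i --follow-symlinks '$a\' "$file"
    fi
}

# Escape a value for use as a sed s/// replacement: backslash first, then the
# delimiter '/' and '&' (which would otherwise re-insert the matched text).
sed_escape_replacement() {
    printf '%s\n' "$1" | sed -e 's|\\|\\\\|g' -e 's|/|\\/|g' -e 's|&|\\\&|g'
}

# Replace the first line that starts with the word KEY (case-insensitive) in
# FILE with "KEY<SEP>VALUE", or append that line when KEY is not present yet.
# --follow-symlinks keeps a symlinked config a symlink and edits its target.
replace_or_append() {
    file=$1 key=$2 value=$3 sep=${4:-=}
    formatted="${key}${sep}${value}"
    if LC_ALL=C grep -q -m 1 -i -e "^${key}\\>" "$file"; then
        escaped=$(sed_escape_replacement "$formatted")
        LC_ALL=C sed -i --follow-symlinks "s/^${key}\\>.*/${escaped}/gi" "$file"
    else
        ensure_nl_at_eof "$file"
        printf '%s\n' "$formatted" >> "$file"
    fi
}

# Print FILE's contents and line count; used by the demo below.
show() {
    printf -- '--- %s (%s lines) ---\n' "$1" "$(wc -l < "$1")"
    cat "$1"
    echo
}

# Demo on a constructed config file that deliberately lacks a trailing newline.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/yum.conf"
printf '[main]\ngpgcheck=0\nkeepcache=0' > "$demo_conf"
show "$demo_conf"
replace_or_append "$demo_conf" gpgcheck 1            # key exists: replaced in place
replace_or_append "$demo_conf" localpkg_gpgcheck 1   # key absent: newline added, then appended
show "$demo_conf"
rm -rf "$demo_dir"
```

Running it shows the missing newline being added exactly once before the appended line, and a second ensure_nl_at_eof call leaves the file unchanged. Pointing replace_or_append at a symlink edits the link target and leaves the link in place, which is what the unconditional --follow-symlinks in the diff buys.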

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label May 16, 2023
openshift-ci bot commented May 16, 2023

Hi @maage. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

maage (Contributor, Author) commented May 16, 2023

Debian and Ubuntu have old versions of bats, v0.4.0 and v1.2.1 respectively, I guess. Added a patch to disable features if so.

@maage maage force-pushed the bats-1 branch 3 times, most recently from 0e7920e to 97968ec Compare May 16, 2023 21:26
@marcusburghardt marcusburghardt requested a review from matejak May 17, 2023 08:16
@vojtapolasek vojtapolasek self-assigned this May 17, 2023
vojtapolasek (Collaborator) commented:

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels May 17, 2023
maage (Contributor, Author) commented May 17, 2023

I see only CTF regression, fix mentioned above.

maage (Contributor, Author) commented May 17, 2023

Another way to solve the BATS issues would be to require at least v1.5.0 during the cmake program test.

vojtapolasek (Collaborator) left a comment

This is a great improvement to the project, thank you very much. I will try to cooperate with @mildas to get the CTF fixed. See my small comment.

Review comment on tests/unit/bash/test_set_config_file.bats.jinja (outdated, resolved)
maage (Contributor, Author) commented May 17, 2023

I also changed rm in the tests where checking for non-existing files and such, so that it does not use -f. And I also noticed I had misplaced some new tests, and moved all new tests to one patch.

github-actions bot commented:

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment): Open in Gitpod

Fedora Testing Environment: Open in Gitpod

Oracle Linux 8 Environment: Open in Gitpod

github-actions bot commented May 17, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated' differs.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
@@ -1,12 +1,5 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/yum.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
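Review bot: with the `sed_command` array gone, every generated remediation now hard-codes `--follow-symlinks`, which only GNU sed accepts. That is acceptable here, since the bare `sed -i` the array already started from is itself GNU-only, but the macro's documentation should state the GNU sed requirement explicitly so nobody later tries to make the template portable one flag at a time. Minor: the removal also leaves a blank line behind where the array used to sit (the `-` blank at the top of the hunk plus the kept context blank), so the block now opens with an empty line; the template could drop both together.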
@@ -20,11 +13,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^gpgcheck\\>" "/etc/yum.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf"
+ fi
 cce="CCE-80790-9"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf"
 printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
 fi
 
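Review bot: the new `[[ -s FILE ]] && [[ -n "$(tail -c 1 -- FILE || true)" ]]` guard is correct (command substitution strips one trailing newline, so the result is empty exactly when the file already ends in `\n`) and `'$a'\\` adds a newline only when one is missing, but combined with the `printf` change it alters the appended output: the old `'\n# Per %s: ...'` always produced a blank separator line before the comment, whereas the new one writes the comment directly after the last existing line. Anything that compares remediated files byte-for-byte will see the difference, so it is worth calling out in the `bash_replace_or_append` docstring alongside the newline-at-EOF change the description already mentions.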

bash remediation for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages' differs.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
@@ -1,12 +1,5 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q yum; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/yum.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -20,11 +13,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^localpkg_gpgcheck\\>" "/etc/yum.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^localpkg_gpgcheck\\>.*/$escaped_formatted_output/gi" "/etc/yum.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/yum.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/yum.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/yum.conf"
+ fi
 cce="CCE-80791-7"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/yum.conf" >> "/etc/yum.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/yum.conf" >> "/etc/yum.conf"
 printf '%s\n' "$formatted_output" >> "/etc/yum.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
@@ -7,13 +7,6 @@
 
 
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -27,11 +20,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^dcredit\\>" "/etc/security/pwquality.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^dcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
 cce="CCE-80653-9"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
 printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck
@@ -7,13 +7,6 @@
 
 
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -27,11 +20,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^dictcheck\\>" "/etc/security/pwquality.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^dictcheck\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^dictcheck\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
 cce="CCE-86233-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
 printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
@@ -7,13 +7,6 @@
 
 
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -27,11 +20,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^difok\\>" "/etc/security/pwquality.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^difok\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^difok\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
 cce="CCE-80654-7"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
 printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
@@ -7,13 +7,6 @@
 
 
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -27,11 +20,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^lcredit\\>" "/etc/security/pwquality.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^lcredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
 cce="CCE-80655-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
 printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
@@ -7,13 +7,6 @@
 
 
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -27,11 +20,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^maxclassrepeat\\>" "/etc/security/pwquality.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^maxclassrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^maxclassrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
 cce="CCE-81034-1"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
 printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
@@ -7,13 +7,6 @@
 
 
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -27,11 +20,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^maxrepeat\\>" "/etc/security/pwquality.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^maxrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^maxrepeat\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
 cce="CCE-82066-2"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
 printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
@@ -7,13 +7,6 @@
 
 
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -27,11 +20,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^minclass\\>" "/etc/security/pwquality.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^minclass\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
 cce="CCE-82046-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
 printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
@@ -7,13 +7,6 @@
 
 
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -27,11 +20,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^minlen\\>" "/etc/security/pwquality.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^minlen\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
 cce="CCE-80656-2"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
 printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
@@ -7,13 +7,6 @@
 
 
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -27,11 +20,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^ocredit\\>" "/etc/security/pwquality.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^ocredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^ocredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
 cce="CCE-80663-8"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
 printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
@@ -3,13 +3,6 @@
 
 var_password_pam_retry=''
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -23,11 +16,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^retry\\>" "/etc/security/pwquality.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^retry\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^retry\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
 cce="CCE-80664-6"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
 printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
@@ -7,13 +7,6 @@
 
 
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/security/pwquality.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -27,11 +20,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^ucredit\\>" "/etc/security/pwquality.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^ucredit\\>.*/$escaped_formatted_output/gi" "/etc/security/pwquality.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/security/pwquality.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/security/pwquality.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/security/pwquality.conf"
+ fi
 cce="CCE-80665-3"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/security/pwquality.conf" >> "/etc/security/pwquality.conf"
 printf '%s\n' "$formatted_output" >> "/etc/security/pwquality.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction' differs.
--- xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
+++ xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
@@ -1,12 +1,5 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q systemd; then
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/systemd/system.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -20,11 +13,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^CtrlAltDelBurstAction=\\>" "/etc/systemd/system.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^CtrlAltDelBurstAction=\\>.*/$escaped_formatted_output/gi" "/etc/systemd/system.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^CtrlAltDelBurstAction=\\>.*/$escaped_formatted_output/gi" "/etc/systemd/system.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/systemd/system.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/systemd/system.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/systemd/system.conf"
+ fi
 cce="CCE-80784-2"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/systemd/system.conf" >> "/etc/systemd/system.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/systemd/system.conf" >> "/etc/systemd/system.conf"
 printf '%s\n' "$formatted_output" >> "/etc/systemd/system.conf"
 fi
 
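Review bot: pre-existing rather than introduced here, but visible in this hunk: `^CtrlAltDelBurstAction=\\>` can never match, because `\>` is an end-of-word anchor that requires the preceding character to be a word character, and `=` is not one. The `grep` therefore always fails, the `sed` replace branch is dead, and the remediation takes the append branch on every run, adding another `CtrlAltDelBurstAction=none` line each time even when the key is already set. For this rule the key passed to the macro should not carry the trailing `=` (or the macro should anchor on the separator itself), otherwise `bash_replace_or_append` is effectively append-only here.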

bash remediation for rule 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration' differs.
--- xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
+++ xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
@@ -3,13 +3,6 @@
 
 var_account_disable_post_pw_expiration=''
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/default/useradd"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -23,11 +16,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^INACTIVE\\>" "/etc/default/useradd"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd"
+ LC_ALL=C sed -i --follow-symlinks "s/^INACTIVE\\>.*/$escaped_formatted_output/gi" "/etc/default/useradd"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/default/useradd" ]] && [[ -n "$(tail -c 1 -- "/etc/default/useradd" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/default/useradd"
+ fi
 cce="CCE-80954-1"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/default/useradd" >> "/etc/default/useradd"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/default/useradd" >> "/etc/default/useradd"
 printf '%s\n' "$formatted_output" >> "/etc/default/useradd"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay' differs.
--- xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
+++ xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay
@@ -3,13 +3,6 @@
 
 var_accounts_fail_delay=''
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/login.defs"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -23,11 +16,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^FAIL_DELAY\\>" "/etc/login.defs"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^FAIL_DELAY\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
+ LC_ALL=C sed -i --follow-symlinks "s/^FAIL_DELAY\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
+ fi
 cce="CCE-84037-1"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/login.defs" >> "/etc/login.defs"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs"
 printf '%s\n' "$formatted_output" >> "/etc/login.defs"
 fi
 
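Review bot: not introduced by this change, but the context lines show `escaped_formatted_output` only escapes `/`, while the value is still placed on the right-hand side of `s/.../.../gi`, where `&` and `\` are also special to sed; a numeric `var_accounts_fail_delay` is harmless, but the same macro emits this code for free-form values such as the rsyslog and audisp remote hosts further down, so escaping `&` and `\` in the same `sed -e` pass would make the replacement safe for all of them.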

bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs' differs.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
@@ -3,13 +3,6 @@
 
 var_accounts_user_umask=''
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/login.defs"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -23,11 +16,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
+ LC_ALL=C sed -i --follow-symlinks "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
+ fi
 cce="CCE-82888-9"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/login.defs" >> "/etc/login.defs"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/login.defs" >> "/etc/login.defs"
 printf '%s\n' "$formatted_output" >> "/etc/login.defs"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server
@@ -7,13 +7,6 @@
 AUDITCONFIG=/etc/audit/audisp-remote.conf
 
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -27,11 +20,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^remote_server\\>" "$AUDITCONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^remote_server\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^remote_server\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
 cce="CCE-80925-1"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
 printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action
@@ -5,13 +5,6 @@
 
 
 AUDITCONFIG=/etc/audit/audisp-remote.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -25,10 +18,11 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "$AUDITCONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
 else
- # \n is precaution for case where file ends without trailing newline
- 
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
 printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
 fi
 
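Review bot: GNU sed's `$a\` with empty text is already a no-op on a file that ends with a newline, so the `tail -c 1` guard is not needed for correctness; its value is that `sed -i` is skipped when nothing needs changing, which avoids rewriting (and re-creating) the config file on every run. A short comment in the macro saying the guard exists to avoid that needless rewrite would stop a future cleanup from dropping it as redundant.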

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records
@@ -6,13 +6,6 @@
 option="^transport"
 value="KRB5"
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDISP_REMOTE_CONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -26,11 +19,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "$option\\>" "$AUDISP_REMOTE_CONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/$option\\>.*/$escaped_formatted_output/gi" "$AUDISP_REMOTE_CONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/$option\\>.*/$escaped_formatted_output/gi" "$AUDISP_REMOTE_CONFIG"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDISP_REMOTE_CONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDISP_REMOTE_CONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDISP_REMOTE_CONFIG"
+ fi
 cce="CCE-80926-9"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDISP_REMOTE_CONFIG" >> "$AUDISP_REMOTE_CONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDISP_REMOTE_CONFIG" >> "$AUDISP_REMOTE_CONFIG"
 printf '%s\n' "$formatted_output" >> "$AUDISP_REMOTE_CONFIG"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action
@@ -5,13 +5,6 @@
 
 
 AUDITCONFIG=/etc/audit/audisp-remote.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -25,10 +18,11 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^network_failure_action\\>" "$AUDITCONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^network_failure_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^network_failure_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
 else
- # \n is precaution for case where file ends without trailing newline
- 
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
 printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated' differs.
--- xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated
+++ xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated
@@ -4,13 +4,6 @@
 var_syslog_active="yes"
 
 AUDISP_SYSLOGCONFIG=/etc/audit/plugins.d/syslog.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDISP_SYSLOGCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -24,11 +17,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^active\\>" "$AUDISP_SYSLOGCONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^active\\>.*/$escaped_formatted_output/gi" "$AUDISP_SYSLOGCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^active\\>.*/$escaped_formatted_output/gi" "$AUDISP_SYSLOGCONFIG"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDISP_SYSLOGCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDISP_SYSLOGCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDISP_SYSLOGCONFIG"
+ fi
 cce="CCE-80677-8"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDISP_SYSLOGCONFIG" >> "$AUDISP_SYSLOGCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDISP_SYSLOGCONFIG" >> "$AUDISP_SYSLOGCONFIG"
 printf '%s\n' "$formatted_output" >> "$AUDISP_SYSLOGCONFIG"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action
@@ -11,13 +11,6 @@
 #
 var_auditd_disk_error_action="$(echo $var_auditd_disk_error_action | cut -d \| -f 1)"
 
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/audit/auditd.conf"; then
- sed_command+=('--follow-symlinks')
-fi
-
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
 stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^disk_error_action")
@@ -30,11 +23,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^disk_error_action\\>" "/etc/audit/auditd.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
+ fi
 cce="CCE-84046-2"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf"
 printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig
+++ xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig
@@ -3,13 +3,6 @@
 
 var_auditd_disk_error_action=''
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/audit/auditd.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -23,10 +16,11 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^disk_error_action\\>" "/etc/audit/auditd.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^disk_error_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
 else
- # \n is precaution for case where file ends without trailing newline
- 
+ if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
+ fi
 printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action
@@ -5,13 +5,6 @@
 
 
 var_auditd_disk_full_action="$(echo $var_auditd_disk_full_action | cut -d \| -f 1)"
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/audit/auditd.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -25,11 +18,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
+ fi
 cce="CCE-84045-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/audit/auditd.conf" >> "/etc/audit/auditd.conf"
 printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig
+++ xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig
@@ -3,13 +3,6 @@
 
 var_auditd_disk_full_action=''
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/audit/auditd.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -23,10 +16,11 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^disk_full_action\\>" "/etc/audit/auditd.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^disk_full_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
 else
- # \n is precaution for case where file ends without trailing newline
- 
+ if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
+ fi
 printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
@@ -5,13 +5,6 @@
 
 
 AUDITCONFIG=/etc/audit/auditd.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -25,11 +18,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^action_mail_acct\\>" "$AUDITCONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
 cce="CCE-80678-6"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
 printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
@@ -5,13 +5,6 @@
 
 
 AUDITCONFIG=/etc/audit/auditd.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -25,11 +18,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^admin_space_left_action\\>" "$AUDITCONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^admin_space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^admin_space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
 cce="CCE-80679-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
 printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
@@ -5,13 +5,6 @@
 
 
 AUDITCONFIG=/etc/audit/auditd.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -25,11 +18,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^max_log_file\\>" "$AUDITCONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^max_log_file\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^max_log_file\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
 cce="CCE-80681-0"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
 printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
@@ -5,13 +5,6 @@
 
 
 AUDITCONFIG=/etc/audit/auditd.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -25,11 +18,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "$AUDITCONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
 cce="CCE-80682-8"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
 printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig
@@ -3,13 +3,6 @@
 
 var_auditd_max_log_file_action=''
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/audit/auditd.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -23,10 +16,11 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^max_log_file_action\\>" "/etc/audit/auditd.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^max_log_file_action\\>.*/$escaped_formatted_output/gi" "/etc/audit/auditd.conf"
 else
- # \n is precaution for case where file ends without trailing newline
- 
+ if [[ -s "/etc/audit/auditd.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/audit/auditd.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/audit/auditd.conf"
+ fi
 printf '%s\n' "$formatted_output" >> "/etc/audit/auditd.conf"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs
@@ -5,13 +5,6 @@
 
 
 AUDITCONFIG=/etc/audit/auditd.conf
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -25,11 +18,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^num_logs\\>" "$AUDITCONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^num_logs\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^num_logs\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
 cce="CCE-80683-6"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
 printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
+++ xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
@@ -12,13 +12,6 @@
 
 AUDITCONFIG=/etc/audit/auditd.conf
 
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "$AUDITCONFIG"; then
- sed_command+=('--follow-symlinks')
-fi
-
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
 stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^space_left_action")
@@ -31,11 +24,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^space_left_action\\>" "$AUDITCONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
+ LC_ALL=C sed -i --follow-symlinks "s/^space_left_action\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
+ fi
 cce="CCE-80684-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$AUDITCONFIG" >> "$AUDITCONFIG"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "$AUDITCONFIG" >> "$AUDITCONFIG"
 printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
@@ -3,13 +3,6 @@
 
 rsyslog_remote_loghost_address=''
 
-
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "/etc/rsyslog.conf"; then
- sed_command+=('--follow-symlinks')
-fi
 
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
@@ -23,11 +16,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^\*\.\*\\>" "/etc/rsyslog.conf"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^\*\.\*\\>.*/$escaped_formatted_output/gi" "/etc/rsyslog.conf"
+ LC_ALL=C sed -i --follow-symlinks "s/^\*\.\*\\>.*/$escaped_formatted_output/gi" "/etc/rsyslog.conf"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "/etc/rsyslog.conf" ]] && [[ -n "$(tail -c 1 -- "/etc/rsyslog.conf" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/rsyslog.conf"
+ fi
 cce="CCE-80863-4"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/rsyslog.conf" >> "/etc/rsyslog.conf"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "/etc/rsyslog.conf" >> "/etc/rsyslog.conf"
 printf '%s\n' "$formatted_output" >> "/etc/rsyslog.conf"
 fi
 
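Review bot: pre-existing rather than introduced here, but the context line's pattern `^\*\.\*\\>` places the `\>` end-of-word anchor right after `*`, which is not a word character, so it is worth verifying that this `grep` ever matches an existing `*.*` line in `/etc/rsyslog.conf`; if it does not, the `else` branch appends another `*.*` line on every run, and the newline fix in this hunk would only make those duplicates tidier.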

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
@@ -32,13 +32,6 @@
 # else, add "net.ipv6.conf.all.disable_ipv6 = 1" to /etc/sysctl.conf
 #
 
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "${SYSCONFIG_FILE}"; then
- sed_command+=('--follow-symlinks')
-fi
-
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
 stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.all.disable_ipv6")
@@ -51,11 +44,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.all.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^net.ipv6.conf.all.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+ LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.all.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
+ fi
 cce="CCE-85904-1"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
 printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
@@ -32,13 +32,6 @@
 # else, add "net.ipv6.conf.default.disable_ipv6 = 1" to /etc/sysctl.conf
 #
 
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, regular sed command will do.
-sed_command=('sed' '-i')
-if test -L "${SYSCONFIG_FILE}"; then
- sed_command+=('--follow-symlinks')
-fi
-
 # Strip any search characters in the key arg so that the key can be replaced without
 # adding any search characters to the config file.
 stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv6.conf.default.disable_ipv6")
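Review bot: this is the same macro output as the conf_all rule above, so any follow-up fix belongs in the jinja template, not in the rendered remediations. One thing the context line exposes: in `sed 's/[\^=\$,;+]*//g'` the backslashes are literal members of the bracket expression (nothing needs escaping inside `[...]`), so the class is `\ ^ = $ , ; +` and the command also strips backslashes from the key, which the comment above it does not describe.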
@@ -51,11 +44,13 @@
 # so if we search for 'setting', 'setting2' won't match.
 if LC_ALL=C grep -q -m 1 -i -e "^net.ipv6.conf.default.disable_ipv6\\>" "${SYSCONFIG_FILE}"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
- "${sed_command[@]}" "s/^net.ipv6.conf.default.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
+ LC_ALL=C sed -i --follow-symlinks "s/^net.ipv6.conf.default.disable_ipv6\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
 else
- # \n is precaution for case where file ends without trailing newline
+ if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
+ LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
+ fi
 cce="CCE-86004-9"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
+ printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
 printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
 fi
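Review bot: `escaped_formatted_output` only escapes `/`, so a value containing `&` or `\` is interpreted by the `s///` replacement (`&` re-inserts the matched text). That cannot happen for `net.ipv6.conf.default.disable_ipv6 = 1`, but the macro is generic, so escape all three in one pass, e.g. `sed -e 's|[/&\\]|\\&|g'`. The key is also used unescaped in both the grep and the sed address, so every `.` matches any character, and `-i`/`gi` make the match case-insensitive although sysctl keys are not; a line such as `net_ipv6.conf.default.disable_ipv6 = 0` would be rewritten as well. Regex-escaping the key and dropping the case folding would tighten both matches.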
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
@@ -34,13 +34,6 @@
 # else, add "net.ipv6.conf.all.accept_ra = value" to /etc/sysctl.conf
 #
 
-# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
-# Otherwise, r

... The diff is trimmed here ...

@maage (Contributor Author) commented May 17, 2023

This seems unrelated,

  File "/home/runner/work/content/content/tests/ssg_test_suite/common.py", line 285, in get_product_context
    product_yaml['cmake_build_type'] = 'Debug'
TypeError: 'Product' object does not support item assignment
Error: Process completed with exit code 1.

I guess the issue is that Product by design does not have __setitem__, but now at ssg_test_suite.common.get_product_context the dict is replaced with Product if product, and then we try to set some values.

% (source .pyenv.sh;python)
Python 3.8.16 (default, Dec  7 2022, 00:00:00) 
[GCC 12.2.1 20221121 (Red Hat 12.2.1-4)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssg
>>> import ssg.products
>>> pp = ssg.products.Product('products/fedora/product.yml')
>>> pp['a']=1
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: 'Product' object does not support item assignment
>>> h={}
>>> h.update(pp)
>>> h['a']=1

I created #10582

@maage (Contributor Author) commented May 18, 2023

/hold

This test is wrong,

@test "bash_replace_or_append - Key contains * with remediation" {

@openshift-ci openshift-ci bot added the do-not-merge/hold Used by openshift-ci-robot bot. label May 18, 2023
maage added 6 commits May 18, 2023 18:46
- by default parallel execution if `parallel` available
- by default print output on failure
- add --verbose --quiet
- add --debug
- add --parallel / --no-parallel
- any other parameter provided to bats
Ensure env is cleaned and do not use unset variables.
Use setup to setup common.

There is no need to do cleanup when using `$BATS_TEST_TMPDIR`. bats does
it for us.

This allows tests to be run in parallel as resources are not shared between
tests.
Use setup to setup common.

There is no need to create special tmpfile and do cleanup as bats does
it for us.
maage added 8 commits May 18, 2023 18:46
Use setup to setup common.

There is no need to do cleanup as bats does it for us.
This shows the test target and there is nice logging.
Use setup to setup common.

There is no need to do cleanup as bats does it for us.

Also use bats for output if needed, rather than implementing it inside the test.
Ensure file ends with newline.

Always follows symlinks.
Moved jinja whitespace trim from end to start as it works best that way.
I see no point in doing the extra test. Functionality does not change.

It exposes a bigger TOCTOU window.

And I think all `sed -i` commands should always have
`--follow-symlinks`.

And also always have LC_ALL=C if there is no other reason not to.
It seems Debian 10 has 0.4.0, so some features need to be disabled.
@maage (Contributor Author) commented May 18, 2023

Needed to skip the test above. I have a bats-2 patchset on top of this that handles more issues. But it requires more work and touches more code.

execute_tests.sh had a bug: when jinja was bad, rc=0.

call_set_config_file_rsyslog had a bug,

Some potential shellcheck issues.

And style changes in new code, and moved the new tests into one block too.

I can change this to Draft and do all the work in one swoop. But it will take time.

The main production benefits here are bash_ensure_nl_at_eof and the bats test infra changes. There could be other avenues already to benefit from them.

/hold cancel
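The newline-at-EOF guard and the replace-or-append step discussed in this thread, as an added plain-bash example (not the ComplianceAsCode jinja macro or its bats suite). It goes slightly beyond the rendered remediation: the key is regex-escaped so `.` is literal, matching is case-sensitive, and the replacement escapes `&` and `\` as well as `/`. The function names ensure_nl_at_eof, re_escape, repl_escape and replace_or_append are assumptions; GNU sed and GNU grep are required for `--follow-symlinks`, `\>` and the `'$a\'` idiom.

```bash
#!/usr/bin/env bash
# Added example, not the ComplianceAsCode jinja macro or its bats tests:
# a plain-bash rendering of the newline-at-EOF guard and of the
# replace-or-append step, so the edge cases can be exercised directly.
# Function names (ensure_nl_at_eof, re_escape, repl_escape,
# replace_or_append) are assumptions. Requires GNU sed and GNU grep.
set -euo pipefail

# Append a newline to FILE only if it is non-empty and its last byte is not
# a newline. $(tail -c 1) strips a trailing newline, so the substitution is
# non-empty exactly when the newline is missing. --follow-symlinks edits the
# link target instead of replacing the link with a regular file.
ensure_nl_at_eof() {
  local file=$1
  if [[ -s "$file" ]] && [[ -n "$(tail -c 1 -- "$file" || true)" ]]; then
    LC_ALL=C sed -i --follow-symlinks '$a'\\ "$file"
  fi
}

# Escape a literal string for use inside a sed basic regular expression.
re_escape() {
  printf '%s' "$1" | sed -e 's|[][\.*^$/]|\\&|g'
}

# Escape a literal string for use as the replacement of an s/// command
# delimited by '/': backslash, ampersand and the delimiter itself.
repl_escape() {
  printf '%s' "$1" | sed -e 's|[/&\\]|\\&|g'
}

# Set "KEY = VALUE" in FILE: rewrite an existing KEY line in place, otherwise
# append one. Matching is case-sensitive (sysctl keys are) and the key is
# regex-escaped, so '.' in net.ipv6.* is literal and does not match '_'.
replace_or_append() {
  local file=$1 key=$2 value=$3
  local re line
  re=$(re_escape "$key")
  line="$key = $value"
  if LC_ALL=C grep -q -m 1 -e "^${re}\\>" -- "$file"; then
    LC_ALL=C sed -i --follow-symlinks \
      "s/^${re}\\>.*/$(repl_escape "$line")/" "$file"
  else
    ensure_nl_at_eof "$file"
    printf '%s\n' "$line" >> "$file"
  fi
}
```

Source the file and call `replace_or_append /etc/sysctl.conf net.ipv6.conf.all.disable_ipv6 1`; a file that ends without a newline gets one before the new line is appended, an empty file is left empty by the guard, and a symlinked config keeps being a symlink.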

@openshift-ci openshift-ci bot removed the do-not-merge/hold Used by openshift-ci-robot bot. label May 18, 2023
@codeclimate bot commented May 18, 2023

Code Climate has analyzed commit 628c5fb and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.5% (0.0% change).


@vojtapolasek (Collaborator) left a comment
Hello @maage and thank you for the additional changes. I see that Automatus is failing on some rules. However, I think it is not related to your changes. I checked all rules suggested by content test filtering and I ran Automatus against RHEL 7, RHEL 8, RHEL 9 and Fedora... and there are no unexpected failures.

@vojtapolasek vojtapolasek merged commit 862e7d0 into ComplianceAsCode:master May 19, 2023
@maage (Contributor Author) commented May 21, 2023

Thanks

@maage maage deleted the bats-1 branch May 21, 2023 17:54
Labels
ok-to-test Used by openshift-ci bot.