scap-security-guide/SOURCES/scap-security-guide-0.1.58-s390x_arch-PR_7385.patch

From cc74d1a5735272c7fe50bff4bb0c2fe049c1f868 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Aug 2021 15:05:35 +0200
Subject: [PATCH 1/3] Add cpe platform for s390x arch

---
 .../guide/system/bootloader-zipl/group.yml    |  2 +-
 shared/applicability/arch.yml                 | 12 +++++++
 shared/applicability/general.yml              |  5 ---
 ...oc_sys_kernel_osrelease_arch_not_s390x.xml | 22 ++-----------
 .../proc_sys_kernel_osrelease_arch_s390x.xml  | 33 +++++++++++++++++++
 5 files changed, 48 insertions(+), 26 deletions(-)
 create mode 100644 shared/applicability/arch.yml
 create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml

diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
index 64c6c8dffbe..4f8ce753726 100644
--- a/linux_os/guide/system/bootloader-zipl/group.yml
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
@@ -8,4 +8,4 @@ description: |-
     options to it.
     The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
 
-platform: zipl
+platform: s390x_arch
diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml
new file mode 100644
index 00000000000..48b2aa3ef30
--- /dev/null
+++ b/shared/applicability/arch.yml
@@ -0,0 +1,12 @@
+cpes:
+
+  - not_s390x_arch:
+      name: "cpe:/a:not_s390x_arch"
+      title: "System architecture is not S390X"
+      check_id: proc_sys_kernel_osrelease_arch_not_s390x
+
+  - s390x_arch:
+      name: "cpe:/a:s390x_arch"
+      title: "System architecture is S390X"
+      check_id: proc_sys_kernel_osrelease_arch_s390x
+
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 7382b7dd302..6e3ecfd9bf9 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -24,11 +24,6 @@ cpes:
       title: "Package net-snmp is installed"
       check_id: installed_env_has_net-snmp_package
 
-  - not_s390x_arch:
-      name: "cpe:/a:not_s390x_arch"
-      title: "System architecture is not S390X"
-      check_id: proc_sys_kernel_osrelease_arch_not_s390x
-
   - nss-pam-ldapd:
       name: "cpe:/a:nss-pam-ldapd"
       title: "Package nss-pam-ldapd is installed"
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
index 1fc625a1e75..d95ce249c49 100644
--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml
@@ -9,26 +9,8 @@
       <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x</description>
     </metadata>
     <criteria>
-      <criterion comment="Architecture is not s390x"
-      test_ref="test_proc_sys_kernel_osrelease_arch_s390x" negate="true"/>
+      <extend_definition comment="Architecture is not s390x"
+      definition_ref="proc_sys_kernel_osrelease_arch_s390x" negate="true"/>
     </criteria>
   </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-      comment="proc_sys_kernel is for s390x architecture"
-      id="test_proc_sys_kernel_osrelease_arch_s390x"
-  version="1">
-    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
-    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
-    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
-  </ind:textfilecontent54_state>
-
 </def-group>
diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
new file mode 100644
index 00000000000..abc6f1b0b88
--- /dev/null
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
@@ -0,0 +1,33 @@
+<def-group>
+  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
+  version="1">
+    <metadata>
+      <title>Test for different architecture than s390x</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Architecture is s390x"
+      test_ref="test_proc_sys_kernel_osrelease_arch_s390x" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+      comment="proc_sys_kernel is for s390x architecture"
+      id="test_proc_sys_kernel_osrelease_arch_s390x"
+  version="1">
+    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
+    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
+    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
+    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
+    <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
+  </ind:textfilecontent54_state>
+</def-group>

From 527728eb84fc152bec4ef49b244999f763dc901f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 12 Aug 2021 16:16:11 +0200
Subject: [PATCH 2/3] Remove zipl CPE platform

The package names for zipl changed recently.
As zipl is an s390 exclusive, lets use the arch check instead of
package name check.
---
 shared/applicability/bootloaders.yml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/shared/applicability/bootloaders.yml b/shared/applicability/bootloaders.yml
index 57832118447..6856578621c 100644
--- a/shared/applicability/bootloaders.yml
+++ b/shared/applicability/bootloaders.yml
@@ -4,8 +4,3 @@ cpes:
       name: "cpe:/a:grub2"
       title: "Package grub2 is installed"
       check_id: installed_env_has_grub2_package
-
-  - zipl:
-      name: "cpe:/a:zipl"
-      title: "System uses zipl"
-      check_id: installed_env_has_zipl_package

From 985090ffcf34c1d27c526760ef5009605060b3f1 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Tue, 17 Aug 2021 19:53:59 +0200
Subject: [PATCH 3/3] Fix typo in check title
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml

Co-authored-by: Jan Černý <jcerny@redhat.com>
---
 shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
index abc6f1b0b88..7f416de6475 100644
--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml
@@ -2,7 +2,7 @@
   <definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
   version="1">
     <metadata>
-      <title>Test for different architecture than s390x</title>
+      <title>Test that the architecture is s390x</title>
       <affected family="unix">
         <platform>multi_platform_all</platform>
       </affected>
import scap-security-guide-0.1.57-5.el9 2021-11-03 18:59:06 +00:00			`From cc74d1a5735272c7fe50bff4bb0c2fe049c1f868 Mon Sep 17 00:00:00 2001`
			`From: Watson Sato <wsato@redhat.com>`
			`Date: Thu, 12 Aug 2021 15:05:35 +0200`
			`Subject: [PATCH 1/3] Add cpe platform for s390x arch`

			`---`
			`.../guide/system/bootloader-zipl/group.yml \| 2 +-`
			`shared/applicability/arch.yml \| 12 +++++++`
			`shared/applicability/general.yml \| 5 ---`
			`...oc_sys_kernel_osrelease_arch_not_s390x.xml \| 22 ++-----------`
			`.../proc_sys_kernel_osrelease_arch_s390x.xml \| 33 +++++++++++++++++++`
			`5 files changed, 48 insertions(+), 26 deletions(-)`
			`create mode 100644 shared/applicability/arch.yml`
			`create mode 100644 shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml`

			`diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml`
			`index 64c6c8dffbe..4f8ce753726 100644`
			`--- a/linux_os/guide/system/bootloader-zipl/group.yml`
			`+++ b/linux_os/guide/system/bootloader-zipl/group.yml`
			`@@ -8,4 +8,4 @@ description: \|-`
			`options to it.`
			`The default {{{ full_name }}} boot loader for s390x systems is called zIPL.`

			`-platform: zipl`
			`+platform: s390x_arch`
			`diff --git a/shared/applicability/arch.yml b/shared/applicability/arch.yml`
			`new file mode 100644`
			`index 00000000000..48b2aa3ef30`
			`--- /dev/null`
			`+++ b/shared/applicability/arch.yml`
			`@@ -0,0 +1,12 @@`
			`+cpes:`
			`+`
			`+ - not_s390x_arch:`
			`+ name: "cpe:/a:not_s390x_arch"`
			`+ title: "System architecture is not S390X"`
			`+ check_id: proc_sys_kernel_osrelease_arch_not_s390x`
			`+`
			`+ - s390x_arch:`
			`+ name: "cpe:/a:s390x_arch"`
			`+ title: "System architecture is S390X"`
			`+ check_id: proc_sys_kernel_osrelease_arch_s390x`
			`+`
			`diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml`
			`index 7382b7dd302..6e3ecfd9bf9 100644`
			`--- a/shared/applicability/general.yml`
			`+++ b/shared/applicability/general.yml`
			`@@ -24,11 +24,6 @@ cpes:`
			`title: "Package net-snmp is installed"`
			`check_id: installed_env_has_net-snmp_package`

			`- - not_s390x_arch:`
			`- name: "cpe:/a:not_s390x_arch"`
			`- title: "System architecture is not S390X"`
			`- check_id: proc_sys_kernel_osrelease_arch_not_s390x`
			`-`
			`- nss-pam-ldapd:`
			`name: "cpe:/a:nss-pam-ldapd"`
			`title: "Package nss-pam-ldapd is installed"`
			`diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml`
			`index 1fc625a1e75..d95ce249c49 100644`
			`--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml`
			`+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_not_s390x.xml`
			`@@ -9,26 +9,8 @@`
			`<description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x</description>`
			`</metadata>`
			`<criteria>`
			`- <criterion comment="Architecture is not s390x"`
			`- test_ref="test_proc_sys_kernel_osrelease_arch_s390x" negate="true"/>`
			`+ <extend_definition comment="Architecture is not s390x"`
			`+ definition_ref="proc_sys_kernel_osrelease_arch_s390x" negate="true"/>`
			`</criteria>`
			`</definition>`
			`- <ind:textfilecontent54_test check="all" check_existence="all_exist"`
			`- comment="proc_sys_kernel is for s390x architecture"`
			`- id="test_proc_sys_kernel_osrelease_arch_s390x"`
			`- version="1">`
			`- <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />`
			`- <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />`
			`- </ind:textfilecontent54_test>`
			`-`
			`- <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">`
			`- <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>`
			`- <ind:pattern operation="pattern match">^.\.(.)$</ind:pattern>`
			`- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>`
			`- </ind:textfilecontent54_object>`
			`-`
			`- <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">`
			`- <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>`
			`- </ind:textfilecontent54_state>`
			`-`
			`</def-group>`
			`diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml`
			`new file mode 100644`
			`index 00000000000..abc6f1b0b88`
			`--- /dev/null`
			`+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml`
			`@@ -0,0 +1,33 @@`
			`+<def-group>`
			`+ <definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"`
			`+ version="1">`
			`+ <metadata>`
			`+ <title>Test for different architecture than s390x</title>`
			`+ <affected family="unix">`
			`+ <platform>multi_platform_all</platform>`
			`+ </affected>`
			`+ <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</description>`
			`+ </metadata>`
			`+ <criteria>`
			`+ <criterion comment="Architecture is s390x"`
			`+ test_ref="test_proc_sys_kernel_osrelease_arch_s390x" />`
			`+ </criteria>`
			`+ </definition>`
			`+ <ind:textfilecontent54_test check="all" check_existence="all_exist"`
			`+ comment="proc_sys_kernel is for s390x architecture"`
			`+ id="test_proc_sys_kernel_osrelease_arch_s390x"`
			`+ version="1">`
			`+ <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />`
			`+ <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />`
			`+ </ind:textfilecontent54_test>`
			`+`
			`+ <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">`
			`+ <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>`
			`+ <ind:pattern operation="pattern match">^.\.(.)$</ind:pattern>`
			`+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>`
			`+ </ind:textfilecontent54_object>`
			`+`
			`+ <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">`
			`+ <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>`
			`+ </ind:textfilecontent54_state>`
			`+</def-group>`

			`From 527728eb84fc152bec4ef49b244999f763dc901f Mon Sep 17 00:00:00 2001`
			`From: Watson Sato <wsato@redhat.com>`
			`Date: Thu, 12 Aug 2021 16:16:11 +0200`
			`Subject: [PATCH 2/3] Remove zipl CPE platform`

			`The package names for zipl changed recently.`
			`As zipl is an s390 exclusive, lets use the arch check instead of`
			`package name check.`
			`---`
			`shared/applicability/bootloaders.yml \| 5 -----`
			`1 file changed, 5 deletions(-)`

			`diff --git a/shared/applicability/bootloaders.yml b/shared/applicability/bootloaders.yml`
			`index 57832118447..6856578621c 100644`
			`--- a/shared/applicability/bootloaders.yml`
			`+++ b/shared/applicability/bootloaders.yml`
			`@@ -4,8 +4,3 @@ cpes:`
			`name: "cpe:/a:grub2"`
			`title: "Package grub2 is installed"`
			`check_id: installed_env_has_grub2_package`
			`-`
			`- - zipl:`
			`- name: "cpe:/a:zipl"`
			`- title: "System uses zipl"`
			`- check_id: installed_env_has_zipl_package`

			`From 985090ffcf34c1d27c526760ef5009605060b3f1 Mon Sep 17 00:00:00 2001`
			`From: Watson Yuuma Sato <wsato@redhat.com>`
			`Date: Tue, 17 Aug 2021 19:53:59 +0200`
			`Subject: [PATCH 3/3] Fix typo in check title`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml`

			`Co-authored-by: Jan Černý <jcerny@redhat.com>`
			`---`
			`shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml`
			`index abc6f1b0b88..7f416de6475 100644`
			`--- a/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml`
			`+++ b/shared/checks/oval/proc_sys_kernel_osrelease_arch_s390x.xml`
			`@@ -2,7 +2,7 @@`
			`<definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"`
			`version="1">`
			`<metadata>`
			`- <title>Test for different architecture than s390x</title>`
			`+ <title>Test that the architecture is s390x</title>`
			`<affected family="unix">`
			`<platform>multi_platform_all</platform>`
			`</affected>`