import scap-security-guide-0.1.63-4.el8

CentOS Sources 2022-11-08 01:43:24 -05:00 committed by Stepan Oksanichenko
parent 48dd54229e
commit 1d4339f8b0
19 changed files with 4980 additions and 2473 deletions


@ -1,24 +1,8 @@
From eaa73e6d6e3de62e9ed895de7b4b1f2f1c1280ca Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 9 Aug 2022 10:04:01 +0200
Subject: [PATCH 1/8] Disable profiles not in a good shape
Patch-name: disable-not-in-good-shape-profiles.patch
Patch-status: |-
Disable profiles that are not in good shape for products/rhel8
Patch-id: 0
---
products/rhel8/CMakeLists.txt | 1 -
products/rhel8/profiles/cjis.profile | 2 +-
products/rhel8/profiles/rht-ccp.profile | 2 +-
products/rhel8/profiles/standard.profile | 2 +-
4 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
index 9c044b68ab..8f6ca03de8 100644
index 5258591c7f..cc4b9c5720 100644
--- a/products/rhel8/CMakeLists.txt
+++ b/products/rhel8/CMakeLists.txt
@@ -10,7 +10,6 @@ ssg_build_product(${PRODUCT})
@@ -11,7 +11,6 @@ ssg_build_product(${PRODUCT})
ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist")
@ -26,8 +10,8 @@ index 9c044b68ab..8f6ca03de8 100644
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi")
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index 30843b692e..18394802b9 100644
diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
index 035d2705b..c6475f33e 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
@ -36,8 +20,8 @@ index 30843b692e..18394802b9 100644
metadata:
version: 5.4
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index e8e7e3a72f..d293c779bb 100644
diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
index c84579592..164ec98c4 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
@ -46,8 +30,8 @@ index e8e7e3a72f..d293c779bb 100644
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
index a63ae2cf32..da669bb843 100644
diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
index a63ae2cf3..da669bb84 100644
--- a/products/rhel8/profiles/standard.profile
+++ b/products/rhel8/profiles/standard.profile
@@ -1,4 +1,4 @@
@ -57,5 +41,5 @@ index a63ae2cf32..da669bb843 100644
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
--
2.37.1
2.26.2


@ -1,52 +1,21 @@
From c4ce06ce707529c14376ca8bb6e2b03f072e81fd Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Wed, 10 Aug 2022 13:20:29 +0200
Subject: [PATCH 11/12] Merge pull request #9204 from
matejak/applicability_var_tmp
From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 21 Jul 2022 16:42:41 +0200
Subject: [PATCH 1/3] Add platforms for partition existence
Patch-name: scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch
Patch-status: Introduce and apply the "partition exists" platform
---
.../mount_option_var_tmp_nodev/rule.yml | 3 ++-
.../tests/notapplicable.pass.sh | 5 +++++
shared/applicability/general.yml | 14 +++++++++++++
.../checks/oval/installed_env_mounts_tmp.xml | 10 ++++++++++
.../oval/installed_env_mounts_var_tmp.xml | 10 ++++++++++
.../checks/oval/installed_env_mounts_tmp.xml | 10 +++++++++
.../oval/installed_env_mounts_var_tmp.xml | 10 +++++++++
shared/macros/10-ansible.jinja | 5 +++++
shared/macros/10-bash.jinja | 5 +++++
shared/macros/10-oval.jinja | 20 +++++++++++++++++++
8 files changed, 71 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
shared/macros/10-oval.jinja | 21 +++++++++++++++++++
6 files changed, 65 insertions(+)
create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml
create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 8ee8c8b12e..741d097328 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -38,7 +38,8 @@ references:
stigid@ol8: OL08-00-040132
stigid@rhel8: RHEL-08-040132
-platform: machine
+platforms:
+ - machine and partition-var-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
new file mode 100644
index 0000000000..241c0103d8
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 2d23d75314..e2f5d04ce0 100644
index 2d23d753148..e2f5d04ce00 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -77,6 +77,20 @@ cpes:
@ -72,7 +41,7 @@ index 2d23d75314..e2f5d04ce0 100644
title: "Package polkit is installed"
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
new file mode 100644
index 0000000000..edd8ad050f
index 00000000000..c1bcd6b2431
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
@@ -0,0 +1,10 @@
@ -84,11 +53,11 @@ index 0000000000..edd8ad050f
+ </criteria>
+ </definition>
+
+ {{{ partition_exists_test_object("/tmp") }}}
+ {{{ partition_exists_tos("/tmp") }}}
+</def-group>
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
new file mode 100644
index 0000000000..cf9aafbdb0
index 00000000000..a72f49c8a8f
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
@@ -0,0 +1,10 @@
@ -100,13 +69,13 @@ index 0000000000..cf9aafbdb0
+ </criteria>
+ </definition>
+
+ {{{ partition_exists_test_object("/var/tmp") }}}
+ {{{ partition_exists_tos("/var/tmp") }}}
+</def-group>
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 20dc2020e4..5e40fe4aa2 100644
index 2d24f730d3f..478f0072bc7 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1432,3 +1432,8 @@ Part of the grub2_bootloader_argument_absent template.
@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template.
when:
- result_pam_file_present.stat.exists
{{%- endmacro -%}}
@ -116,10 +85,10 @@ index 20dc2020e4..5e40fe4aa2 100644
+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+{{%- endmacro -%}}
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 41d9e18a1e..b0f7f3cf4a 100644
index 94c3c6f9570..6a7fb165fd2 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -2073,3 +2073,8 @@ else
@@ -2085,3 +2085,8 @@ else
echo "{{{ pam_file }}} was not found" >&2
fi
{{%- endmacro -%}}
@ -129,33 +98,130 @@ index 41d9e18a1e..b0f7f3cf4a 100644
+'findmnt --mountpoint "{{{ path }}}" > /dev/null'
+{{%- endmacro -%}}
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index c8d7bbeffb..f302091f7d 100644
index c8d7bbeffb7..1ec93b6ef7d 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -926,3 +926,23 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
@@ -926,3 +926,24 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
{{%- else %}}
{{%- set user_list="nobody" %}}
{{%- endif %}}
+
+
+{{%- macro partition_exists_criterion(path) %}}
+{{%- set escaped_path = path | escape_id %}}
+{{%- set escaped_path = path | replace("/", "_") %}}
+ <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
+{{%- endmacro %}}
+
+{{%- macro partition_exists_test_object(path) %}}
+{{%- set escaped_path = path | escape_id %}}
+{{%- macro partition_exists_tos(path) %}}
+{{%- set escaped_path = path | replace("/", "_") %}}
+ <linux:partition_test check="all" check_existence="all_exist"
+ comment="Partition {{{ path }}} exists"
+ id="test_partition_{{{ escaped_path }}}_exists"
+ version="1">
+ <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
+ {{#- <linux:partition_state state_ref="" /> #}}
+ </linux:partition_test>
+
+ <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
+ <linux:mount_point>{{{ path }}}</linux:mount_point>
+ </linux:partition_object>
+{{%- endmacro %}}
--
2.37.1
From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Thu, 21 Jul 2022 16:43:21 +0200
Subject: [PATCH 2/3] Use partition exist platforms on a real rule
---
.../partitions/mount_option_var_tmp_nodev/rule.yml | 3 ++-
.../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh | 5 +++++
2 files changed, 7 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 8ee8c8b12e0..741d0973283 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -38,7 +38,8 @@ references:
stigid@ol8: OL08-00-040132
stigid@rhel8: RHEL-08-040132
-platform: machine
+platforms:
+ - machine and partition-var-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
new file mode 100644
index 00000000000..241c0103d82
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it
From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 10 Aug 2022 11:32:38 +0200
Subject: [PATCH 3/3] Improve code style
- Improve description of OVAL macro
- Use the escape_id filter to produce IDs
---
shared/checks/oval/installed_env_mounts_tmp.xml | 2 +-
shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +-
shared/macros/10-oval.jinja | 7 +++----
3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
index c1bcd6b2431..edd8ad050f5 100644
--- a/shared/checks/oval/installed_env_mounts_tmp.xml
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
@@ -6,5 +6,5 @@
</criteria>
</definition>
- {{{ partition_exists_tos("/tmp") }}}
+ {{{ partition_exists_test_object("/tmp") }}}
</def-group>
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
index a72f49c8a8f..cf9aafbdb04 100644
--- a/shared/checks/oval/installed_env_mounts_var_tmp.xml
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
@@ -6,5 +6,5 @@
</criteria>
</definition>
- {{{ partition_exists_tos("/var/tmp") }}}
+ {{{ partition_exists_test_object("/var/tmp") }}}
</def-group>
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index 1ec93b6ef7d..f302091f7df 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -929,18 +929,17 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
{{%- macro partition_exists_criterion(path) %}}
-{{%- set escaped_path = path | replace("/", "_") %}}
+{{%- set escaped_path = path | escape_id %}}
<criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
{{%- endmacro %}}
-{{%- macro partition_exists_tos(path) %}}
-{{%- set escaped_path = path | replace("/", "_") %}}
+{{%- macro partition_exists_test_object(path) %}}
+{{%- set escaped_path = path | escape_id %}}
<linux:partition_test check="all" check_existence="all_exist"
comment="Partition {{{ path }}} exists"
id="test_partition_{{{ escaped_path }}}_exists"
version="1">
<linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
- {{#- <linux:partition_state state_ref="" /> #}}
</linux:partition_test>
<linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
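Review bot: The `partition_exists_criterion` and `partition_exists_test_object` macros added to shared/macros/10-oval.jinja carry no description, although the hunk's context line shows that this file documents its macros, and the third patch's subject ("Improve description of OVAL macro") promises one that its visible diffstat (3 insertions, 4 deletions, all inside the macro bodies) does not contain. A description such as `Generates a criterion that is satisfied when the given path is the mount point of a partition; the matching test and object are produced by partition_exists_test_object(path), which must be emitted in the same def-group` would tell rule authors how the two macros pair up. It should also state whether tmpfs and bind mounts count as a partition here: the Bash variant (`findmnt --mountpoint "{{{ path }}}"`) and the Ansible variant (`ansible_mounts`) in the same patch treat any mount at the path as existing, and I cannot tell from the hunk whether OVAL's `linux:partition_test` agrees. Since the rule switched to `machine and partition-var-tmp` now reports notapplicable instead of fail when /var/tmp is not a separate mount, a mismatch between the three implementations would make the check and its remediation disagree about applicability.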


@ -1,11 +1,8 @@
From 89687cb88490f24428ae553021c667303980d8f4 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Wed, 10 Aug 2022 16:16:54 +0200
Subject: [PATCH 12/12] Merge pull request #9324 from
matejak/applicability_var_tmp
From 51d7ee352dd2e90cb711d949cc59fb36c7fbe5da Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 10 Aug 2022 13:35:50 +0200
Subject: [PATCH] Add the platform applicability to relevant rules
Patch-name: scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path
Patch-status: Add the platform applicability to relevant rules
---
.../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +-
.../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +-
@ -16,7 +13,7 @@ Patch-status: Add the platform applicability to relevant rules
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
index 45a73e0286..79a19a8d30 100644
index 45a73e0286a..79a19a8d30b 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml
@@ -45,7 +45,7 @@ references:
@ -29,7 +26,7 @@ index 45a73e0286..79a19a8d30 100644
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
index 7356183bab..d3f6d6175e 100644
index 7356183bab3..d3f6d6175e5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml
@@ -44,7 +44,7 @@ references:
@ -42,7 +39,7 @@ index 7356183bab..d3f6d6175e 100644
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
index d153b86934..10790dc95a 100644
index d153b86934f..10790dc95a7 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml
@@ -45,7 +45,7 @@ references:
@ -55,7 +52,7 @@ index d153b86934..10790dc95a 100644
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
index 133e7727ca..05992df4b4 100644
index 133e7727ca7..05992df4b49 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/rule.yml
@@ -31,7 +31,7 @@ references:
@ -68,7 +65,7 @@ index 133e7727ca..05992df4b4 100644
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
index 39fd458ec6..dc00b2f237 100644
index 39fd458ec6b..dc00b2f2376 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml
@@ -38,7 +38,7 @@ references:
@ -81,7 +78,7 @@ index 39fd458ec6..dc00b2f237 100644
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
index 349f334895..f0c26b6d9c 100644
index 349f3348955..f0c26b6d9c5 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml
@@ -38,7 +38,7 @@ references:
@ -93,6 +90,3 @@ index 349f334895..f0c26b6d9c 100644
template:
name: mount_option
--
2.37.1
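Review bot: The `Patch-name:` trailer added at the top of this section ends in `.path` (`scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path`) where every other trailer on this page ends in `.patch`; if the packaging tooling derives the on-disk file name from this header, the patch would not be found, so it should read `Patch-name: scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.patch`. The remaining hunks of this section only widen the abbreviated blob hashes in the `index` lines and the bodies of the six rule.yml changes are not visible here, so I have nothing further to raise on them.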


@ -1,26 +1,48 @@
From 7db8ad5f312b632d6b8a176b615929ffa5cb1de3 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 15 Aug 2022 14:47:40 +0200
Subject: [PATCH 13/13] Merge pull request #9339 from
yuumasato/fix_ansible_partition_conditionals
From 779ffcf0a51a1ad5a13e5b8ee29ce044d93eca55 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 15 Aug 2022 13:14:58 +0200
Subject: [PATCH 1/2] Access the mounts via ansible_mounts
Patch-name: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
Patch-status: Fix ansible partition conditionals
It seems that the data about ansible_mounts should be accessed without
the 'ansible_facts' prefix.
---
shared/macros/10-ansible.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 5e40fe4aa2..55a78c3a8b 100644
index 478f0072bc7..e8bff0973f5 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1435,5 +1435,5 @@ Part of the grub2_bootloader_argument_absent template.
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
{{%- macro ansible_partition_conditional(path) -%}}
-"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
{{%- endmacro -%}}
From 4963d70d565919d0db6c0bc35f3fd4274d474310 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 15 Aug 2022 13:16:24 +0200
Subject: [PATCH 2/2] Avoid use of json_query and additional dependency
The json_query filter requires package jmespath to be installed.
This also avoids mismatchs in python version between ansible and
python3-jmespath. Some distros (RHEL8) don't have jmespath module
available for the same python version ansible is using.
---
shared/macros/10-ansible.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index e8bff0973f5..beb2bc11403 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1442,5 +1442,5 @@ Part of the grub2_bootloader_argument_absent template.
{{%- macro ansible_partition_conditional(path) -%}}
-"ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+'"{{{ path }}}" in ansible_mounts | map(attribute="mount") | list'
{{%- endmacro -%}}
--
2.37.2
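Review bot: The rewritten `ansible_partition_conditional` in the second hunk evaluates `ansible_mounts`, a gathered fact; on plays that restrict `gather_subset` or run with `gather_facts: false` the variable is undefined and the generated `when:` clause errors out instead of evaluating to false. If treating the rule as not applicable in that situation is acceptable, `'"{{{ path }}}" in ansible_mounts | default([]) | map(attribute="mount") | list'` avoids the error; if a loud failure is preferred, a description above the macro should state that mount facts must be gathered for the platform to work. The comparison is an exact string match on the `mount` attribute, so callers must pass the canonical mount point without a trailing slash; that is worth one sentence in the same description.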


@ -0,0 +1,33 @@
From 61ff9fd6f455ee49608cab2c851a3819c180c30a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 16 Aug 2022 18:53:02 +0200
Subject: [PATCH] Don't fail rule if /etc/grubenv missing on s390x
There is no need to check /etc/grubenv for fips=1 on s390x systems, it
uses zIPL.
---
.../integrity/fips/enable_fips_mode/oval/shared.xml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 65056a654c6..7af675de0d3 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -7,9 +7,16 @@
<extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
- {{% if product in ["ol8","rhel8"] %}}
+ {{% if product in ["ol8"] %}}
<criterion comment="check if the kernel boot parameter is configured for FIPS mode"
test_ref="test_grubenv_fips_mode" />
+ {{% elif product in ["rhel8"] %}}
+ <criteria operator="OR">
+ <extend_definition comment="Generic test for s390x architecture"
+ definition_ref="system_info_architecture_s390_64" />
+ <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
+ test_ref="test_grubenv_fips_mode" />
+ </criteria>
{{% endif %}}
</criteria>
</definition>
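Review bot: On s390x the new `<criteria operator="OR">` in the rhel8 branch is satisfied by the architecture definition alone, so the kernel-command-line `fips=1` requirement is no longer verified at all on that architecture; the commit message says /etc/grubenv need not be checked because zIPL is used, but nothing verifies the zIPL boot entry in its place. If the kernel parameter is still required for FIPS mode on s390x, the architecture branch should pair the s390x definition with a zIPL-based kernel-argument check rather than passing unconditionally; if the intent really is to skip the parameter check there, a comment next to `<extend_definition comment="Generic test for s390x architecture"` should say that the boot parameter is deliberately not verified on s390x. The `ol8` branch keeps the unconditional grubenv test, so the two products now diverge on that architecture, and I cannot tell from the hunk whether that is intended.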


@ -0,0 +1,107 @@
From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 5 Aug 2022 12:45:24 +0200
Subject: [PATCH] Fix rule sudo_custom_logfile
- Allow only white space after the Default keyword to avoid
matching words that only start with Default.
- If the variable value contains slashes they need to be escaped
because the sed command uses slashes as a separator, otherwise
the sed doesn't replace the wrong line during a remediation.
Also adds 2 test scenarios.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109
---
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
.../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++
.../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++
shared/templates/sudo_defaults_option/ansible.template | 2 +-
shared/templates/sudo_defaults_option/bash.template | 5 +++--
shared/templates/sudo_defaults_option/oval.template | 2 +-
6 files changed, 14 insertions(+), 5 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index 739f5f14936..94fbaaa33ed 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo'
ocil: |-
To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
- <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
+ <pre>$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
The command should return a matching output.
template:
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
new file mode 100644
index 00000000000..13ff4559edb
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
new file mode 100644
index 00000000000..ec24854f0f9
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers
diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template
index 094fa430b64..c9e344ec772 100644
--- a/shared/templates/sudo_defaults_option/ansible.template
+++ b/shared/templates/sudo_defaults_option/ansible.template
@@ -8,7 +8,7 @@
- name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers
lineinfile:
path: /etc/sudoers
- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$'
+ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$'
line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2'
validate: /usr/sbin/visudo -cf %s
backrefs: yes
diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template
index e3563d42db6..e7d962a668d 100644
--- a/shared/templates/sudo_defaults_option/bash.template
+++ b/shared/templates/sudo_defaults_option/bash.template
@@ -9,7 +9,7 @@
{{% endif %}}
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
+ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
# sudoers file doesn't define Option {{{ OPTION }}}
echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers
{{%- if not VARIABLE_NAME %}}
@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then
{{% if '/' in OPTION %}}
{{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}}
{{% endif %}}
- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers
+ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}}
+ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
fi
fi
{{% endif %}}
diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template
index c0d81c95093..a9636a7204a 100644
--- a/shared/templates/sudo_defaults_option/oval.template
+++ b/shared/templates/sudo_defaults_option/oval.template
@@ -13,7 +13,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_{{{ OPTION }}}_sudoers" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal" >1</ind:instance>
</ind:textfilecontent54_object>
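Review bot: The tightened `Defaults[\s]*\b{{{ OPTION_REGEX }}}` pattern in the oval.template and bash.template hunks (and `Defaults\s*\blogfile` in the rule.yml OCIL) rejects `Defaultsabc`, but it also stops matching a valid multi-option line such as `Defaults env_reset, logfile=/var/log/sudo.log`, where the option is not first on the line; that configuration now fails the check, and the Bash remediation appends a second `Defaults logfile=` line instead of touching the existing one. Anchoring the boundary on the keyword, `^[\s]*Defaults\b.*\b{{{ OPTION_REGEX }}}\b.*$`, still excludes `Defaultsabc` while keeping such lines (whether a scoped `Defaults:user` entry should count is a separate policy question), and since the template is shared, presumably every rule built from sudo_defaults_option is affected. Separately, the new `[-]?.+(\b.*$)` in the sed expression and the Ansible `regexp` is greedy and `\b` matches at end of line, so the second group captures nothing and any options after the value, as in `Defaults logfile=/old.log, env_reset`, are dropped by the remediation; `[-]?[^,[:space:]]+(\b.*$)` in sed and `[-]?[^,\s]+\b(.*)$` in the Ansible regexp stop at the next comma or whitespace and keep the rest of the line (quoted values containing spaces remain unhandled, as before). The `escaped_variable` substitution only escapes `/`; a value containing `&` or `\` would still be misinterpreted in sed's replacement, which is unlikely for a log path but worth a comment on that line.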


@ -0,0 +1,967 @@
From 2d22616a6223e26662c1dc81e0389349defd716a Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Wed, 13 Apr 2022 20:06:18 +0800
Subject: [PATCH 01/15] rsyslog: Fix array creation when path has wildcard
This patch fixes the issue that the array is expanded to wildcard path instead of its elements.
A simple test case as follows:
/etc/rsyslog.conf
include(file="/etc/rsyslog.d/*.conf" mode="optional")
/etc/rsyslog.d/custom1.conf
local1.* /tmp/local1.out
/etc/rsyslog.d/custom2.conf
local2.* /tmp/local2.out
---
.../rsyslog_files_permissions/bash/shared.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index b794ea8db31..02b0c36d899 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -5,8 +5,8 @@
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
-readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
+readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
From 37a57668e98ba613d850e4c4ec4363dc7687d06d Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Thu, 14 Apr 2022 15:58:04 +0800
Subject: [PATCH 02/15] A better fix.
* Should also fixed the CI failure.
---
.../rsyslog_files_permissions/bash/shared.sh | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 02b0c36d899..1aebb8f9da5 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -5,8 +5,10 @@
RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf"
# * And also the log file paths listed after rsyslog's $IncludeConfig directive
# (store the result into array for the case there's shell glob used as value of IncludeConfig)
-readarray -t RSYSLOG_INCLUDE_CONFIG < <(printf '%s\n' $(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2))
-readarray -t RSYSLOG_INCLUDE < <(printf '%s\n' $(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf))
+readarray -t OLD_INC < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)
+readarray -t RSYSLOG_INCLUDE_CONFIG < <(for INCPATH in "${OLD_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
+readarray -t NEW_INC < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf)
+readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf '%s\\n' "${INCPATH}"; done)
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
From 5135fb64fb773400234c740a3feeac206ac7f42a Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 15 Apr 2022 10:47:37 +0800
Subject: [PATCH 03/15] Add test for wildcard paths used in rsyslog
---
.../include_config_syntax_perms_0600.pass.sh | 56 ++++++++++++++++++
.../include_config_syntax_perms_0601.fail.sh | 57 +++++++++++++++++++
2 files changed, 113 insertions(+)
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
create mode 100755 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
new file mode 100755
index 00000000000..7cb09128d78
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
+
+# Check rsyslog.conf with log file permissions 0600 from rules and
+# log file permissions 0600 from $IncludeConfig passes.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS=0600
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+mkdir ${conf_subdir}
+test_subdir_conf=${conf_subdir}/test_subdir.conf
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
+cat << EOF > ${test_subdir_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+
+EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
new file mode 100755
index 00000000000..942eaf086a1
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+
+# Check rsyslog.conf with log file permissions 0600 from rules and
+# log file permissions 0601 from $IncludeConfig fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+mkdir ${conf_subdir}
+test_subdir_conf=${conf_subdir}/test_subdir.conf
+test_conf=${RSYSLOG_TEST_DIR}/test.conf
+cat << EOF > ${test_subdir_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+
+EOF
From 052558d8d5be3b8ce49067ab8c05ed9ea92bab0b Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Thu, 19 May 2022 01:22:19 +0800
Subject: [PATCH 04/15] The way using 'find' can be retired.
---
.../rsyslog_files_permissions/bash/shared.sh | 20 +++++--------------
1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 1aebb8f9da5..cece5930ee8 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -13,22 +13,12 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
-RSYSLOG_CONFIGS=()
-RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+declare -a RSYSLOG_CONFIGS
+RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
-# Get full list of files to be checked
-# RSYSLOG_CONFIGS may contain globs such as
-# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
-# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
-RSYSLOG_FILES=()
-for ENTRY in "${RSYSLOG_CONFIGS[@]}"
-do
- mapfile -t FINDOUT < <(find "$(dirname "${ENTRY}")" -maxdepth 1 -name "$(basename "${ENTRY}")")
- RSYSLOG_FILES+=("${FINDOUT[@]}")
-done
-
-# Check file and fix if needed.
-for LOG_FILE in "${RSYSLOG_FILES[@]}"
+# Browse each file selected above as containing paths of log files
+# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
+for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
From 4f1d08642a74c0be7cd02815784a2c81b7b558ee Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 01:30:37 +0800
Subject: [PATCH 05/15] Cover the include pattern '/etc/rsyslog.d/'
---
.../rsyslog_files_permissions/bash/shared.sh | 20 ++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index cece5930ee8..50d36d7426f 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -13,12 +13,30 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
# Declare an array to hold the final list of different log file paths
declare -a LOG_FILE_PATHS
+# Array to hold all rsyslog config entries
declare -a RSYSLOG_CONFIGS
RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+# Array to hold all rsyslog config files
+declare -a RSYSLOG_CONFIG_FILES
+for ENTRY in "${RSYSLOG_CONFIGS[@]}"
+do
+ # If directory, need to include files recursively
+ if [ -d "${ENTRY}" ]
+ then
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
+ RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
+ elif [ -f "${ENTRY}" ]
+ then
+ RSYSLOG_CONFIG_FILES+=("${ENTRY}")
+ else
+ echo "Invalid include object: ${ENTRY}"
+ fi
+done
+
# Browse each file selected above as containing paths of log files
# ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration)
-for LOG_FILE in "${RSYSLOG_CONFIGS[@]}"
+for LOG_FILE in "${RSYSLOG_CONFIG_FILES[@]}"
do
# From each of these files extract just particular log file path(s), thus:
# * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters,
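Review bot: The diagnostic `echo "Invalid include object: ${ENTRY}"` is written to stdout, where it mixes with whatever the remediation is expected to emit; a message about an unusable include belongs on stderr, `echo "Invalid include object: ${ENTRY}" >&2`. Note that a glob in RSYSLOG_CONFIGS that matches nothing is kept literally by the earlier eval expansion, so it arrives here unchanged and falls into this branch, which appears to be the intended reporting point. The loop that follows the hunk continues outside it.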
From d77551b64c4d67226627d0819dc30fff9433ac2b Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 01:46:33 +0800
Subject: [PATCH 06/15] Update test files.
---
.../tests/include_config_syntax_perms_0600.pass.sh | 2 ++
.../tests/include_config_syntax_perms_0601.fail.sh | 2 ++
2 files changed, 4 insertions(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 7cb09128d78..2ddd9fcb697 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -49,8 +49,10 @@ cat << EOF > $RSYSLOG_CONF
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
EOF
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 942eaf086a1..73ff3332c6d 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -50,8 +50,10 @@ cat << EOF > $RSYSLOG_CONF
include(file="${RSYSLOG_TEST_DIR}/*/*.conf" mode="optional")
include(file="${RSYSLOG_TEST_DIR}/*.conf" mode="optional")
+include(file="${RSYSLOG_TEST_DIR}" mode="optional")
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*/*.conf
\$IncludeConfig ${RSYSLOG_TEST_DIR}/*.conf
+\$IncludeConfig ${RSYSLOG_TEST_DIR}
EOF
From 9a97bfa1ca4c918a39a68131e5fbc46fa7b00961 Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Fri, 20 May 2022 10:03:32 +0800
Subject: [PATCH 07/15] Rsyslog says we should include all files
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
.../include_config_syntax_perms_0600.pass.sh | 16 +++++++++++++++-
.../include_config_syntax_perms_0601.fail.sh | 16 +++++++++++++++-
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 50d36d7426f..cd5014105e9 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -24,7 +24,7 @@ do
# If directory, need to include files recursively
if [ -d "${ENTRY}" ]
then
- readarray -t FINDOUT < <(find "${ENTRY}" -type f -name '*.conf')
+ readarray -t FINDOUT < <(find "${ENTRY}" -type f)
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
elif [ -f "${ENTRY}" ]
then
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 2ddd9fcb697..755865ca522 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -9,20 +9,24 @@ source $SHARED/rsyslog_log_utils.sh
PERMS=0600
# setup test data
-create_rsyslog_test_logs 3
+create_rsyslog_test_logs 4
# setup test log files and permissions
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
# create test configuration file
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
mkdir ${conf_subdir}
test_subdir_conf=${conf_subdir}/test_subdir.conf
test_conf=${RSYSLOG_TEST_DIR}/test.conf
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
+
cat << EOF > ${test_subdir_conf}
# rsyslog configuration file
+# test_subdir_conf
#### RULES ####
@@ -31,12 +35,22 @@ EOF
cat << EOF > ${test_conf}
# rsyslog configuration file
+# test_conf
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
+cat << EOF > ${test_bak}
+# rsyslog configuration file
+# test_bak
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[3]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 73ff3332c6d..063b1a0cbe5 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -10,20 +10,24 @@ PERMS_PASS=0600
PERMS_FAIL=0601
# setup test data
-create_rsyslog_test_logs 3
+create_rsyslog_test_logs 4
# setup test log files and permissions
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
# create test configuration file
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
mkdir ${conf_subdir}
test_subdir_conf=${conf_subdir}/test_subdir.conf
test_conf=${RSYSLOG_TEST_DIR}/test.conf
+test_bak=${RSYSLOG_TEST_DIR}/test.bak
+
cat << EOF > ${test_subdir_conf}
# rsyslog configuration file
+# test_subdir_conf
#### RULES ####
@@ -32,12 +36,22 @@ EOF
cat << EOF > ${test_conf}
# rsyslog configuration file
+# test_conf
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
+cat << EOF > ${test_bak}
+# rsyslog configuration file
+# test_bak
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[3]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
From fcfc7c126ed76488085ef35cd0fd497c272aa364 Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Sat, 21 May 2022 16:02:26 +0800
Subject: [PATCH 08/15] Match glob() function of rsyslog
---
.../rsyslog_files_permissions/bash/shared.sh | 5 ++-
.../include_config_syntax_perms_0600.pass.sh | 39 ++++++++++++-------
.../include_config_syntax_perms_0601.fail.sh | 39 ++++++++++++-------
3 files changed, 55 insertions(+), 28 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index cd5014105e9..38105bf086b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -21,10 +21,11 @@ RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYS
declare -a RSYSLOG_CONFIG_FILES
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
- # If directory, need to include files recursively
+ # If directory, rsyslog will search for config files in recursively.
+ # However, files in hidden sub-directories or hidden files will be ignored.
if [ -d "${ENTRY}" ]
then
- readarray -t FINDOUT < <(find "${ENTRY}" -type f)
+ readarray -t FINDOUT < <(find "${ENTRY}" -not -path '*/.*' -type f)
RSYSLOG_CONFIG_FILES+=("${FINDOUT[@]}")
elif [ -f "${ENTRY}" ]
then
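Review bot: `find "${ENTRY}" -not -path '*/.*' -type f` still walks into every hidden directory and rejects its files one by one; `find "${ENTRY}" -path '*/.*' -prune -o -type f -print` prunes at the hidden directory and produces the same list. The comment on the changed line reads `search for config files in recursively`; suggest `If a directory, rsyslog searches it recursively for config files but skips hidden files and hidden sub-directories.` readarray also splits on newlines, so a file name containing one would become two entries; unlikely, but worth a one-line comment if it is accepted.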
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
index 755865ca522..a5a2f67fadc 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0600.pass.sh
@@ -9,48 +9,61 @@ source $SHARED/rsyslog_log_utils.sh
PERMS=0600
# setup test data
-create_rsyslog_test_logs 4
+create_rsyslog_test_logs 5
# setup test log files and permissions
chmod $PERMS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[2]}
chmod $PERMS ${RSYSLOG_TEST_LOGS[3]}
+chmod $PERMS ${RSYSLOG_TEST_LOGS[4]}
-# create test configuration file
+# create test configuration files
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
mkdir ${conf_subdir}
-test_subdir_conf=${conf_subdir}/test_subdir.conf
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
+mkdir ${conf_hiddir}
-cat << EOF > ${test_subdir_conf}
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
+
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
+
+cat << EOF > ${test_conf_in_subdir}
# rsyslog configuration file
-# test_subdir_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[2]}
+*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
-cat << EOF > ${test_conf}
+cat << EOF > ${test_conf_name_bak}
# rsyslog configuration file
-# test_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[1]}
+*.* ${RSYSLOG_TEST_LOGS[2]}
EOF
-cat << EOF > ${test_bak}
+cat << EOF > ${test_conf_in_hiddir}
# rsyslog configuration file
-# test_bak
+# not used
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[3]}
EOF
+cat << EOF > ${test_conf_dot_name}
+# rsyslog configuration file
+# not used
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[4]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
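Review bot: The two hidden config files are labelled `# not used`, yet the logs they point at (`RSYSLOG_TEST_LOGS[3]` and `[4]`) are chmod'ed to the passing mode, so this pass test cannot distinguish "hidden files were skipped" from "hidden files happened to be compliant". Giving those two logs a non-compliant mode in the pass scenario would make the exclusion observable; the fail scenario at the same position already fails on logs 1 and 2 regardless. The heredoc for `$RSYSLOG_CONF` continues outside the hunk.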
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index 063b1a0cbe5..a9d0adfb727 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -10,48 +10,61 @@ PERMS_PASS=0600
PERMS_FAIL=0601
# setup test data
-create_rsyslog_test_logs 4
+create_rsyslog_test_logs 5
# setup test log files and permissions
chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[1]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[3]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[4]}
-# create test configuration file
+# create test configuration files
conf_subdir=${RSYSLOG_TEST_DIR}/subdir
+conf_hiddir=${RSYSLOG_TEST_DIR}/.hiddir
mkdir ${conf_subdir}
-test_subdir_conf=${conf_subdir}/test_subdir.conf
-test_conf=${RSYSLOG_TEST_DIR}/test.conf
-test_bak=${RSYSLOG_TEST_DIR}/test.bak
+mkdir ${conf_hiddir}
-cat << EOF > ${test_subdir_conf}
+test_conf_in_subdir=${conf_subdir}/in_subdir.conf
+test_conf_name_bak=${RSYSLOG_TEST_DIR}/name.bak
+
+test_conf_in_hiddir=${conf_hiddir}/in_hiddir.conf
+test_conf_dot_name=${RSYSLOG_TEST_DIR}/.name.conf
+
+cat << EOF > ${test_conf_in_subdir}
# rsyslog configuration file
-# test_subdir_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[2]}
+*.* ${RSYSLOG_TEST_LOGS[1]}
EOF
-cat << EOF > ${test_conf}
+cat << EOF > ${test_conf_name_bak}
# rsyslog configuration file
-# test_conf
#### RULES ####
-*.* ${RSYSLOG_TEST_LOGS[1]}
+*.* ${RSYSLOG_TEST_LOGS[2]}
EOF
-cat << EOF > ${test_bak}
+cat << EOF > ${test_conf_in_hiddir}
# rsyslog configuration file
-# test_bak
+# not used
#### RULES ####
*.* ${RSYSLOG_TEST_LOGS[3]}
EOF
+cat << EOF > ${test_conf_dot_name}
+# rsyslog configuration file
+# not used
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[4]}
+EOF
+
# create rsyslog.conf configuration file
cat << EOF > $RSYSLOG_CONF
# rsyslog configuration file
From 313094b7d5c13ba38a2d02fad544cd4665c5a17d Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Sun, 22 May 2022 21:10:16 +0800
Subject: [PATCH 09/15] Fixed incorrect parsing of rules in old code
---
.../rsyslog_files_permissions/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index 38105bf086b..e1129e34c81 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -54,7 +54,7 @@ do
then
NORMALIZED_CONFIG_FILE_LINES=$(sed -e "/^[#|$]/d" "${LOG_FILE}")
LINES_WITH_PATHS=$(grep '[^/]*\s\+\S*/\S\+$' <<< "${NORMALIZED_CONFIG_FILE_LINES}")
- FILTERED_PATHS=$(sed -e 's/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g' <<< "${LINES_WITH_PATHS}")
+ FILTERED_PATHS=$(awk '{if(NF>=2&&($2~/^\//||$2~/^-\//)){sub(/^-\//,"/",$2);print $2}}' <<< "${LINES_WITH_PATHS}")
CLEANED_PATHS=$(sed -e "s/[\"')]//g; /\\/etc.*\.conf/d; /\\/dev\\//d" <<< "${FILTERED_PATHS}")
MATCHED_ITEMS=$(sed -e "/^$/d" <<< "${CLEANED_PATHS}")
# Since above sed command might return more than one item (delimited by newline), split the particular
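Review bot: The awk replacement prints `$2` whole, so a legacy action that names a template, such as `*.info /var/log/messages;RSYSLOG_TraditionalFileFormat`, now carries the `;template` suffix into CLEANED_PATHS, whereas the removed sed stopped its capture at `:` or `;`. The sed on the following line only strips quotes and parentheses, so the suffixed string would presumably reach the permission fix as a file name. Stripping the suffix inside the awk action keeps the previous behaviour: `sub(/^-\//,"/",$2); sub(/;.*$/,"",$2); print $2`. The enclosing loop starts and ends outside the hunk.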
From 86f655ac79d879c1f47bda7a06cc15a64e65e5fb Mon Sep 17 00:00:00 2001
From: Flos Lonicerae <lonicerae@gmail.com>
Date: Tue, 24 May 2022 00:42:17 +0800
Subject: [PATCH 10/15] Added platform.
---
.../tests/include_config_syntax_perms_0601.fail.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
index a9d0adfb727..fe4db0a3c91 100755
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_config_syntax_perms_0601.fail.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
# Check rsyslog.conf with log file permissions 0600 from rules and
# log file permissions 0601 from $IncludeConfig fails.
From e71901895f29af9a34fe81938be1332691b6f64a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 13:56:39 +0200
Subject: [PATCH 11/15] Reset the arrays before using them
When bash remediations for a profile are generated, it can happen that a
variable with same name is used for multiple remediations.
So let's reset the array before using it.
---
.../rsyslog_files_permissions/bash/shared.sh | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
index e1129e34c81..d1856ffbe7b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh
@@ -14,11 +14,14 @@ readarray -t RSYSLOG_INCLUDE < <(for INCPATH in "${NEW_INC[@]}"; do eval printf
declare -a LOG_FILE_PATHS
# Array to hold all rsyslog config entries
-declare -a RSYSLOG_CONFIGS
-RSYSLOG_CONFIGS+=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
+RSYSLOG_CONFIGS=()
+RSYSLOG_CONFIGS=("${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}")
-# Array to hold all rsyslog config files
-declare -a RSYSLOG_CONFIG_FILES
+# Get full list of files to be checked
+# RSYSLOG_CONFIGS may contain globs such as
+# /etc/rsyslog.d/*.conf /etc/rsyslog.d/*.frule
+# So, loop over the entries in RSYSLOG_CONFIGS and use find to get the list of included files.
+RSYSLOG_CONFIG_FILES=()
for ENTRY in "${RSYSLOG_CONFIGS[@]}"
do
# If directory, rsyslog will search for config files in recursively.
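Review bot: `RSYSLOG_CONFIGS=()` on the first added line is immediately overwritten by the plain assignment on the next line, so the reset is already implied by that assignment and one of the two lines can go. The reasoning in the commit message applies equally to `declare -a LOG_FILE_PATHS` on the context line above: `declare -a` does not clear an array that an earlier remediation in the same generated script already filled, so if LOG_FILE_PATHS is appended to later in the file (outside this hunk) it should become `LOG_FILE_PATHS=()` as well.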
From 525dce106bf8d054c83e8d79acbb92cc16224e4c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 14:55:37 +0200
Subject: [PATCH 12/15] Don't parse hidden config files for Includes
Let's follow rsyslog behavior and not capture process hidden config
files for includes.
---
.../rsyslog_files_permissions/oval/shared.xml | 9 ++++
...00_IncludeConfig_perms_0601_hidden.pass.sh | 53 +++++++++++++++++++
2 files changed, 62 insertions(+)
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
index a04e6fd8900..d13177216c3 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
@@ -17,8 +17,17 @@
<ind:filepath>/etc/rsyslog.conf</ind:filepath>
<ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <filter action="exclude">state_permissions_ignore_hidden_paths</filter>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_permissions_ignore_hidden_paths" comment="ignore hidden conf files" version="1">
+ <!-- Among the paths matched in object_rfp_rsyslog_include_config_value there can be paths from
+ include() or $IncludeConfig that point to hidden dirs or files.
+ Rsyslog ignores these conf files, so we should ignore them too.
+ -->
+ <ind:subexpression operation="pattern match">^.*\/\..*$</ind:subexpression>
+ </ind:textfilecontent54_state>
+
<!-- Turn that glob value into Perl's regex so it can be used as filepath pattern below -->
<local_variable id="var_rfp_include_config_regex" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
<unique>
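Review bot: The object's pattern has two capture groups (the `include(file=...)` path and the `$IncludeConfig` path) and only one participates in any given match, so each item presumably carries one path subexpression and one empty one. `ind:subexpression` in a state defaults to `entity_check="all"`, under which the empty subexpression never matches `^.*\/\..*$` and the exclude filter would not fire for hidden paths; if the probe does report both groups, `<ind:subexpression operation="pattern match" entity_check="at least one">^.*\/\..*$</ind:subexpression>` expresses the intended semantics. The new hidden.pass.sh scenario in this patch exercises exactly this path and should show whether the filter takes effect.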
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
new file mode 100644
index 00000000000..9b0185c6b2f
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_hidden.pass.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
+
+# Check rsyslog.conf with log file permisssions 0600 from rules and
+# log file permissions 0601 from include() fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# create hidden test2 configuration file
+test_conf2=${RSYSLOG_TEST_DIR}/.test2.conf
+cat << EOF > ${test_conf2}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[2]}
+EOF
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${test_conf}")
+
+\$IncludeConfig ${test_conf2}
+EOF
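Review bot: The header comment says `log file permissions 0601 from include() fails`, but this is a `.pass.sh` scenario and the 0601 log is reached only through `$IncludeConfig` pointing at the hidden `.test2.conf`, which rsyslog ignores; suggest `# Check rsyslog.conf with log file permissions 0600 from rules and from include(), plus a 0601 log referenced only by a hidden $IncludeConfig file that rsyslog ignores, passes.` `permisssions` is also misspelled.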
From d872c4a2cfcd3331b7aae954aacf3d0d481d1582 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 15:49:11 +0200
Subject: [PATCH 13/15] Add test for for missing rsyslog included files
The rsyslog conf file may include other config files.
If the included missing files are missing rsyslog will generate an
error, but will still continue working.
https://www.rsyslog.com/doc/master/rainerscript/include.html#include-a-required-file
There is not a good way of ensuring that all files defined in a list of paths exist.
---
...0_IncludeConfig_perms_0601_missing.pass.sh | 45 +++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
new file mode 100644
index 00000000000..b929f2a94ab
--- /dev/null
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/tests/include_perms_0600_IncludeConfig_perms_0601_missing.pass.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8,multi_platform_fedora,Oracle Linux 8
+
+# Check rsyslog.conf with log file permisssions 0600 from rules and
+# log file permissions 0601 from include() fails.
+
+source $SHARED/rsyslog_log_utils.sh
+
+PERMS_PASS=0600
+PERMS_FAIL=0601
+
+# setup test data
+create_rsyslog_test_logs 3
+
+# setup test log files and permissions
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[0]}
+chmod $PERMS_PASS ${RSYSLOG_TEST_LOGS[1]}
+chmod $PERMS_FAIL ${RSYSLOG_TEST_LOGS[2]}
+
+# create test configuration file
+test_conf=${RSYSLOG_TEST_DIR}/test1.conf
+cat << EOF > ${test_conf}
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[1]}
+EOF
+
+# Skip creation test2 configuration file
+
+# create rsyslog.conf configuration file
+cat << EOF > $RSYSLOG_CONF
+# rsyslog configuration file
+
+#### RULES ####
+
+*.* ${RSYSLOG_TEST_LOGS[0]}
+
+#### MODULES ####
+
+include(file="${test_conf}")
+
+\$IncludeConfig ${test_conf2}
+EOF
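Review bot: `test_conf2` is never assigned in this script, so `\$IncludeConfig ${test_conf2}` is written to rsyslog.conf as `$IncludeConfig` with no path, not as a reference to a missing file, which is the case the commit message describes. Assigning the path without creating the file, `test_conf2=${RSYSLOG_TEST_DIR}/test2.conf`, next to the `# Skip creation test2 configuration file` comment would exercise the intended scenario. The header comment also says the test `fails` although the file is a `.pass.sh` scenario, and `permisssions` is misspelled.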
From cf9eaf6e55405248731cb08268bcba6a58a93486 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 21:47:18 +0200
Subject: [PATCH 14/15] Align Ansible remediation with Bash
The remediation now expands the glob expressions and doesn't collect
hidden files or directories to check for their permissions.
---
.../rsyslog_files_permissions/ansible/shared.yml | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
index 635b72f7352..c558bf46c71 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
@@ -19,19 +19,26 @@
shell: |
set -o pipefail
grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
- register: include_config_output
+ register: rsyslog_old_inc
changed_when: False
- name: "Get include files directives"
shell: |
set -o pipefail
grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
- register: include_files_output
+ register: rsyslog_new_inc
changed_when: False
+- name: "Expand glob expressions"
+ shell: |
+ set -o pipefail
+ eval printf '%s\\n' {{ item }}
+ register: include_config_output
+ loop: "{{ rsyslog_old_inc.stdout_lines + rsyslog_new_inc.stdout_lines }}"
+
- name: "List all config files"
- shell: find "$(dirname "{{ item }}" )" -maxdepth 1 -name "$(basename "{{ item }}")"
- loop: "{{ include_config_output.stdout_lines + include_files_output.stdout_lines }}"
+ shell: find {{ item }} -not -path "*/.*" -type f
+ loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
register: rsyslog_config_files
changed_when: False
From 37e98ed3a86a0e56543132752c62982ff01cd3d9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 21:56:05 +0200
Subject: [PATCH 15/15] Ignore invalid or non existing include objects
Let's not fail the task when the find doesn't find the include object.
When the include is a glob expression that doesn't evaluate to any file
the glob itself is used in find command.
The Bash remediation prints a message for each include that is not a
file is not a directory or doesn't exist.
---
.../rsyslog_files_permissions/ansible/shared.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
index c558bf46c71..3a9380cf13b 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/ansible/shared.yml
@@ -40,6 +40,7 @@
shell: find {{ item }} -not -path "*/.*" -type f
loop: "{{ include_config_output.results|map(attribute='stdout_lines')|list|flatten }}"
register: rsyslog_config_files
+ failed_when: False
changed_when: False
- name: "Extract log files"


@ -1,19 +1,14 @@
From f802557b2a84b830a8a8742b535a5602925e438d Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Mon, 8 Aug 2022 15:28:37 +0200
Subject: [PATCH 09/10] Merge pull request #9298 from vojtapolasek/rhbz2114979
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:15 +0200
Subject: [PATCH 1/4] fix ospp references
Patch-name: scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch
Patch-status: Make OSPP profiles use minimal Authselect profile
---
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
products/rhel8/profiles/ospp.profile | 2 +-
products/rhel9/profiles/ospp.profile | 2 +-
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
4 files changed, 4 insertions(+), 3 deletions(-)
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
index 8d1758e8c9..3edb3642df 100644
index c151d3c4aa1..f9b46c51ddd 100644
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
@@ -34,6 +34,7 @@ references:
@ -24,21 +19,18 @@ index 8d1758e8c9..3edb3642df 100644
srg: SRG-OS-000480-GPOS-00227
ocil: |-
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 39ad1797c7..ebec8a3a6f 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -220,7 +220,7 @@ selections:
- var_accounts_max_concurrent_login_sessions=10
- accounts_max_concurrent_login_sessions
- securetty_root_login_console_only
- - var_authselect_profile=sssd
+ - var_authselect_profile=minimal
- enable_authselect
- var_password_pam_unix_remember=5
- accounts_password_pam_unix_remember
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:42 +0200
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index f27f961a7a..b21ddcee6d 100644
index b47630c62b0..dcc41970043 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -115,7 +115,7 @@ selections:
@ -50,8 +42,41 @@ index f27f961a7a..b21ddcee6d 100644
- enable_authselect
- use_pam_wheel_for_su
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:54 +0200
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
---
products/rhel8/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 39ad1797c7a..ebec8a3a6f9 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -220,7 +220,7 @@ selections:
- var_accounts_max_concurrent_login_sessions=10
- accounts_max_concurrent_login_sessions
- securetty_root_login_console_only
- - var_authselect_profile=sssd
+ - var_authselect_profile=minimal
- enable_authselect
- var_password_pam_unix_remember=5
- accounts_password_pam_unix_remember
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 13:55:05 +0200
Subject: [PATCH 4/4] update profile stability test
---
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 5d73a8c6fe..21e93e310d 100644
index 5d73a8c6fef..21e93e310d5 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -242,7 +242,7 @@ selections:
@ -63,6 +88,3 @@ index 5d73a8c6fe..21e93e310d 100644
- var_password_pam_unix_remember=5
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted
--
2.37.1


@ -1,20 +1,17 @@
From 8d36cef25fc9d890f7ec9756246513a92110b3db Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 10:53:26 +0200
Subject: [PATCH 10/10] Merge pull request #9321 from
vojtapolasek/fix_rhel8_iboot
From b36ecf8942ce8dea0c4a2b06b4607259deaf3613 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 10 Aug 2022 09:59:57 +0200
Subject: [PATCH] switch rule grub2_disable_interactive_boot for
grub2_disable_recovery in rhel8 ospp
Patch-name: scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch
Patch-status: change rules protecting boot in RHEL8 OSPP
---
.../bootloader-grub2/grub2_disable_recovery/rule.yml | 1 +
.../system/bootloader-grub2/grub2_disable_recovery/rule.yml | 1 +
products/rhel8/profiles/ospp.profile | 2 +-
shared/references/cce-redhat-avail.txt | 11 -----------
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
4 files changed, 3 insertions(+), 13 deletions(-)
4 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
index 4f8d4ddcfd..fb126cbe7d 100644
index 4f8d4ddcfde..fb126cbe7d8 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
@ -26,7 +23,7 @@ index 4f8d4ddcfd..fb126cbe7d 100644
references:
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index ebec8a3a6f..6e3b30f64b 100644
index ebec8a3a6f9..6e3b30f64bb 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -304,7 +304,7 @@ selections:
@ -38,27 +35,8 @@ index ebec8a3a6f..6e3b30f64b 100644
- grub2_uefi_password
- no_empty_passwords
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 9480db3eae..903fc848eb 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,14 +1,3 @@
-CCE-85985-0
-CCE-85988-4
-CCE-85997-5
-CCE-85998-3
-CCE-85999-1
-CCE-86000-7
-CCE-86001-5
-CCE-86002-3
-CCE-86003-1
-CCE-86005-6
-CCE-86006-4
CCE-86007-2
CCE-86008-0
CCE-86009-8
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 21e93e310d..267b66a4f8 100644
index 21e93e310d5..267b66a4f89 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -89,7 +89,7 @@ selections:
@ -70,6 +48,3 @@ index 21e93e310d..267b66a4f8 100644
- grub2_kernel_trust_cpu_rng
- grub2_page_poison_argument
- grub2_pti_argument
--
2.37.1
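Review bot: The diffstat in the rewritten patch header does not match the hunks that follow it: `4 files changed, 3 insertions(+), 3 deletions(-)` still lists `shared/references/cce-redhat-avail.txt | 11 -----------`, yet the outer hunk `@ -38,27 +35,8 @@` appears to drop that file's hunk entirely, leaving only the rule.yml, ospp.profile and profile-stability changes, which sum to 3 insertions and 2 deletions across 3 files. `git am` and `patch` ignore the diffstat, so the patch still applies, but anyone auditing which upstream files this package patches is misled; regenerating the header with `git format-patch` instead of hand-editing it keeps the summary honest. The `Patch-name` value ends in `-PR_9231.patch` while the merge subject it replaces cited `#9321`; one of the two looks transposed and should be confirmed against upstream before it is used as a provenance reference.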


@ -1,11 +1,9 @@
From 04459c1b82cc495af2bfcaac301a3805ec0addf6 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 3 Aug 2022 07:42:59 -0500
Subject: [PATCH 5/8] Merge pull request #9282 from
yuumasato/rhel_align_aide_check_tools
From 95b79ffa7e9247bd65a92311b92e37b0d83e4432 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Aug 2022 15:01:42 +0200
Subject: [PATCH] Add rsyslogd to the list of tools check by aide
Patch-name: scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch
Patch-status: Add rsyslogd to the list of tools checked by aide
RHEL products will also check for integrity of /usr/sbin/rsyslogd.
---
.../aide/aide_check_audit_tools/ansible/shared.yml | 1 +
.../aide/aide_check_audit_tools/bash/shared.sh | 3 +--
@ -16,7 +14,7 @@ Patch-status: Add rsyslogd to the list of tools checked by aide
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
index 9d1b7b675c..5905ea8d0e 100644
index 9d1b7b675c9..5905ea8d0e6 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/ansible/shared.yml
@@ -22,6 +22,7 @@
@ -28,7 +26,7 @@ index 9d1b7b675c..5905ea8d0e 100644
- name: Ensure existing AIDE configuration for audit tools are correct
lineinfile:
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
index d0a1ba2522..a81e25c395 100644
index d0a1ba2522f..a81e25c3950 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/bash/shared.sh
@@ -18,12 +18,11 @@
@ -46,7 +44,7 @@ index d0a1ba2522..a81e25c395 100644
sed -i "s#.*{{{file}}}.*#{{{file}}} {{{ aide_string() }}}#" {{{ aide_conf_path }}}
else
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
index 6ce56c1137..ca9bf4f94d 100644
index 6ce56c1137a..ca9bf4f94d0 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml
@@ -11,7 +11,7 @@
@ -59,7 +57,7 @@ index 6ce56c1137..ca9bf4f94d 100644
{{% endif %}}
<criterion comment="augenrules is checked in {{{ aide_conf_path }}}" test_ref="test_aide_verify_augenrules" />
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
index 756b88d8a2..071dde1329 100644
index 756b88d8a23..071dde13295 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct.pass.sh
@@ -7,7 +7,7 @@ aide --init
@ -72,7 +70,7 @@ index 756b88d8a2..071dde1329 100644
for theFile in "${bins[@]}"
do
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
index f3a2a126d3..cb9bbfa735 100644
index f3a2a126d3d..cb9bbfa7350 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/correct_with_selinux.pass.sh
@@ -4,7 +4,7 @@
@ -85,7 +83,7 @@ index f3a2a126d3..cb9bbfa735 100644
for theFile in "${bins[@]}"
do
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
index 4315cef207..a22aecb000 100644
index 4315cef2073..a22aecb0000 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/tests/not_config.fail.sh
@@ -6,7 +6,7 @@ yum -y install aide
@ -97,6 +95,3 @@ index 4315cef207..a22aecb000 100644
for theFile in "${bins[@]}"
do
--
2.37.1


@ -1,26 +1,21 @@
From 26ca545c89207d2ac2ba2fb68824c1c323fece79 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 3 Aug 2022 07:44:35 -0500
Subject: [PATCH 4/8] Merge pull request #9277 from
yuumasato/new_sysctl_ipv4_forwarding_rule
From 82012a2c80e0f0bed75586b7d93570db2121962e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 1 Aug 2022 17:50:37 +0200
Subject: [PATCH 1/2] Add rule for sysctl net.ipv4.conf.all.forwarding
Patch-name: scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch
Patch-status: New sysctl ipv4 forwarding rule
This is rule is similar to sysctl_net_ipv6_conf_all_forwarding and
sysctl_net_ipv4_forward.
---
.../rule.yml | 44 +++++++++++++++++++
...ctl_net_ipv4_conf_all_forwarding_value.var | 17 +++++++
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 -
products/rhel8/profiles/stig.profile | 2 +-
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 4 +-
.../profile_stability/rhel8/stig_gui.profile | 2 +-
7 files changed, 65 insertions(+), 6 deletions(-)
3 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
new file mode 100644
index 0000000000..7b0066f7c2
index 00000000000..7b0066f7c29
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
@@ -0,0 +1,44 @@
@ -70,7 +65,7 @@ index 0000000000..7b0066f7c2
+
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
new file mode 100644
index 0000000000..2aedd6e643
index 00000000000..2aedd6e6432
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding_value.var
@@ -0,0 +1,17 @@
@ -91,8 +86,35 @@ index 0000000000..2aedd6e643
+ disabled: "0"
+ enabled: 1
+
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 914233f06bf..3e14b73dd71 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -168,7 +168,6 @@ CCE-86216-9
CCE-86217-7
CCE-86218-5
CCE-86219-3
-CCE-86220-1
CCE-86221-9
CCE-86222-7
CCE-86223-5
From 0e2be2dfb7c185ac15e69e110c2e7a76f6896df7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 1 Aug 2022 17:53:32 +0200
Subject: [PATCH 2/2] Better align with RHEL-08-040259
The item is about net.ipv4.conf.all.forwarding
The update to V1R7 made brought this misalignment to light.
---
.../sysctl_net_ipv4_ip_forward/rule.yml | 1 -
products/rhel8/profiles/stig.profile | 2 +-
tests/data/profile_stability/rhel8/stig.profile | 4 ++--
tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index 5c449db7f3..7acfc0b05b 100644
index 5c449db7f3a..7acfc0b05b6 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -45,7 +45,6 @@ references:
@ -104,7 +126,7 @@ index 5c449db7f3..7acfc0b05b 100644
stigid@sle15: SLES-15-040380
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 4b480bd2c1..6b44436a2b 100644
index 4b480bd2c11..6b44436a2b1 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1127,7 +1127,7 @@ selections:
@ -116,20 +138,8 @@ index 4b480bd2c1..6b44436a2b 100644
# RHEL-08-040260
- sysctl_net_ipv6_conf_all_forwarding
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index a613a152ae..9480db3eae 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -176,7 +176,6 @@ CCE-86216-9
CCE-86217-7
CCE-86218-5
CCE-86219-3
-CCE-86220-1
CCE-86221-9
CCE-86222-7
CCE-86223-5
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 4bee72830d..47f53a9d02 100644
index 4bee72830d0..47f53a9d023 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,7 +1,7 @@
@ -157,7 +167,7 @@ index 4bee72830d..47f53a9d02 100644
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_all_accept_source_route
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index ece32d06a6..c4e60ddcde 100644
index ece32d06a6f..c4e60ddcde5 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -405,13 +405,13 @@ selections:
@ -175,6 +185,3 @@ index ece32d06a6..c4e60ddcde 100644
- sysctl_net_ipv6_conf_all_accept_ra
- sysctl_net_ipv6_conf_all_accept_redirects
- sysctl_net_ipv6_conf_all_accept_source_route
--
2.37.1


@ -1,11 +1,9 @@
From 44bcccbe3a3b00ef1151089b0faacf82770bdc98 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Tue, 9 Aug 2022 13:09:07 -0500
Subject: [PATCH 8/8] Merge pull request #9318 from
ggbecker/reintroduce-sshd-timeout
From e368a515911cd09727d8cd1c7e8b46dc7bdff4fa Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 9 Aug 2022 17:28:33 +0200
Subject: [PATCH] Reintroduce back the sshd timeout rules in RHEL8 STIG
profile.
Patch-name: scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch
Patch-status: Reintroduce back the sshd timeout rules in RHEL8 STIG profile
---
.../ssh/ssh_server/sshd_set_idle_timeout/rule.yml | 1 +
.../ssh/ssh_server/sshd_set_keepalive_0/rule.yml | 1 +
@ -15,7 +13,7 @@ Patch-status: Reintroduce back the sshd timeout rules in RHEL8 STIG profile
5 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
index 46ea0558a4..1e9c617275 100644
index 46ea0558a42..1e9c6172758 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
@@ -57,6 +57,7 @@ references:
@ -27,7 +25,7 @@ index 46ea0558a4..1e9c617275 100644
stigid@sle15: SLES-15-010280
stigid@ubuntu2004: UBTU-20-010037
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
index 0f0693ddc6..f6e98a61d9 100644
index 0f0693ddc6c..f6e98a61d9a 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml
@@ -53,6 +53,7 @@ references:
@ -39,7 +37,7 @@ index 0f0693ddc6..f6e98a61d9 100644
stigid@sle15: SLES-15-010320
vmmsrg: SRG-OS-000480-VMM-002000
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 6b44436a2b..124b7520d3 100644
index 6b44436a2b1..124b7520d3a 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -170,13 +170,13 @@ selections:
@ -64,7 +62,7 @@ index 6b44436a2b..124b7520d3 100644
# RHEL-08-010210
- file_permissions_var_log_messages
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 47f53a9d02..6c75d0ae1b 100644
index 47f53a9d023..6c75d0ae1b1 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -369,6 +369,8 @@ selections:
@ -77,7 +75,7 @@ index 47f53a9d02..6c75d0ae1b 100644
- sshd_x11_use_localhost
- sssd_certificate_verification
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index c4e60ddcde..8a7a469b94 100644
index c4e60ddcde5..8a7a469b940 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -379,6 +379,8 @@ selections:
@ -89,6 +87,3 @@ index c4e60ddcde..8a7a469b94 100644
- sshd_use_strong_rng
- sshd_x11_use_localhost
- sssd_certificate_verification
--
2.37.1


@ -1,11 +1,10 @@
From 07261c69afcdc5f9afcdd5aefc2ee9510d705f37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 3 Aug 2022 13:08:25 +0200
Subject: [PATCH 6/8] Merge pull request #9283 from
yuumasato/accept_sudoers_without_includes
From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Aug 2022 15:57:52 +0200
Subject: [PATCH 1/2] Accept sudoers files without includes as compliant
Patch-name: scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch
Patch-status: Accept sudoers files without includes as compliant
Update rule sudoers_default_includedir to accept as compliant sudoers
files that don't have any #include or #includedir directive
---
.../oval/shared.xml | 24 +++++++++++++++----
.../sudo/sudoers_default_includedir/rule.yml | 8 ++++---
@ -14,7 +13,7 @@ Patch-status: Accept sudoers files without includes as compliant
rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%)
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
index 59cab0b89d..82095acc6e 100644
index 59cab0b89de..629fbe8c6d2 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -1,10 +1,16 @@
@ -32,8 +31,8 @@ index 59cab0b89d..82095acc6e 100644
+ </criteria>
+ <criteria operator="AND">
+ <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
+ <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />
+ <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
+ <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+ </criteria>
</criteria>
</definition>
@ -56,7 +55,7 @@ index 59cab0b89d..82095acc6e 100644
comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
<ind:object object_ref="object_sudoersd_without_includes" />
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
index aa2aaee19f..83bfb0183b 100644
index aa2aaee19f8..83bfb0183bd 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
@@ -8,9 +8,11 @@ description: |-
@ -78,7 +77,7 @@ diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/test
similarity index 51%
rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
index 1e0ab8aea9..fe73cb2507 100644
index 1e0ab8aea92..fe73cb25076 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
@@ -1,4 +1,4 @@
@ -87,6 +86,28 @@ index 1e0ab8aea9..fe73cb2507 100644
-sed -i "/#includedir.*/d" /etc/sudoers
+sed -i "/#include(dir)?.*/d" /etc/sudoers
--
2.37.1
From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 12:01:12 +0200
Subject: [PATCH 2/2] Improve definition's comments
---
.../software/sudo/sudoers_default_includedir/oval/shared.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
index 629fbe8c6d2..82095acc6ed 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -8,8 +8,8 @@
</criteria>
<criteria operator="AND">
<criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
- <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
- <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+ <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
+ <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />
</criteria>
</criteria>
</definition>
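Review bot: The test-script line carried unchanged into the new patch, `sed -i "/#include(dir)?.*/d" /etc/sudoers` in no_includedir.pass.sh, uses ERE grouping under sed's default basic-regex mode, where `(`, `)` and `?` are literal, so the address matches only the literal text `#include(dir)?` and deletes nothing. The renamed pass test then presumably succeeds with the stock `#includedir /etc/sudoers.d` line still in place, rather than exercising the "sudoers without any include directive" case the commit message describes, so the compliance claim is not actually tested. Either `sed -i -E "/#include(dir)?.*/d" /etc/sudoers` or the BRE form `sed -i "/#include\(dir\)\?.*/d" /etc/sudoers` expresses the intent. Only this one line of the test script is visible here, so the rest of the file should be checked when the patch is refreshed.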


@ -1,31 +1,276 @@
From b4f98a72871d3f8f277e3357eed843b041a248a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 4 Aug 2022 14:20:20 +0200
Subject: [PATCH 7/8] Merge pull request #9286 from
yuumasato/update_sysctl_rules_with_new_compliant_values
From f647d546d03b9296861f18673b0ac9efaa0db3ab Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 09:57:33 +0200
Subject: [PATCH 1/5] Make rule sysctl ipv4 rp_filter accept two values
Update few sysctl rules to accept multiple compliant values
Patch-name: scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch
Patch-status: Update few sysctl rules to accept multiple compliant values
This also removes value '0' from the list of possible configurations.
This change aligns the rule better with STIG.
---
.../rule.yml | 35 +++++++++++++++++--
.../tests/value_1.pass.sh | 11 ++++++
.../tests/value_2.pass.sh | 11 ++++++
...sctl_net_ipv4_conf_all_rp_filter_value.var | 2 +-
.../sysctl_kernel_kptr_restrict/rule.yml | 35 ++++++++++++++++++-
.../tests/value_1.pass.sh | 11 ++++++
.../tests/value_2.pass.sh | 11 ++++++
.../sysctl_kernel_kptr_restrict_value.var | 1 -
...kernel_unprivileged_bpf_disabled_value.var | 1 -
9 files changed, 112 insertions(+), 6 deletions(-)
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 4 ++++
.../tests/value_1.pass.sh | 10 ++++++++++
.../tests/value_2.pass.sh | 10 ++++++++++
.../sysctl_net_ipv4_conf_all_rp_filter_value.var | 2 +-
4 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index 496a8491f32..697f79fa872 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -59,4 +59,8 @@ template:
name: sysctl
vars:
sysctlvar: net.ipv4.conf.all.rp_filter
+ sysctlval:
+ - '1'
+ - '2'
+ wrong_sysctlval_for_testing: "0"
datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
new file mode 100644
index 00000000000..516bfaf1369
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="1"
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
new file mode 100644
index 00000000000..ef1b8da0479
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="2"
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
index e3fc78e3f05..1eae854f6b0 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
@@ -17,5 +17,5 @@ interactive: false
options:
default: 1
- disabled: "0"
enabled: 1
+ loose: 2
From f903b6b257659cfe79bfd17a13ae72d1a48f40d9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 10:53:40 +0200
Subject: [PATCH 2/5] Make rule for kptr_restrict accept two values
This also removes value '0' from the list of possible configurations.
This change aligns the rule better with STIG.
---
.../sysctl_kernel_kptr_restrict/rule.yml | 4 ++++
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 10 ++++++++++
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 10 ++++++++++
.../sysctl_kernel_kptr_restrict_value.var | 1 -
4 files changed, 24 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 1984b3c8691..5706eee0a0a 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -42,6 +42,10 @@ template:
name: sysctl
vars:
sysctlvar: kernel.kptr_restrict
+ sysctlval:
+ - '1'
+ - '2'
+ wrong_sysctlval_for_testing: "0"
datatype: int
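Review bot: The two accepted values are not equivalent and the hunk does not say how they differ: with `kernel.kptr_restrict = 1` kernel pointers printed via `%pK` are still visible to processes holding `CAP_SYSLOG`, and only `2` hides them unconditionally (kernel sysctl documentation). Since the variable keeps `default: 1`, a comment makes the residual exposure visible to profile authors: `# 1 hides %pK pointers from unprivileged readers only (CAP_SYSLOG still sees them); 2 hides them from everyone`. The rule's description and rationale, which start outside this hunk, should state the same distinction.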
fixtext: |-
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
new file mode 100644
index 00000000000..e6efae48b25
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="1"
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
new file mode 100644
index 00000000000..be3f2b743ef
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="2"
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
index 452328e3efd..268550de53d 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
@@ -12,6 +12,5 @@ interactive: false
options:
default: 1
- 0: 0
1: 1
2: 2
From 932d00c370c8dc1c964354dd4bc111fbc18b9303 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 11:08:34 +0200
Subject: [PATCH 3/5] Remove variable selector that will result in error
The rule only accepts values 1 or 2 as compliant, the XCCDF Variable
cannot have the value 0, it will never result in pass.
---
.../sysctl_kernel_unprivileged_bpf_disabled_value.var | 1 -
1 file changed, 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
index b8bf965a255..cbfd9bafa91 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
@@ -13,6 +13,5 @@ interactive: false
options:
default: 2
- 0: "0"
1: "1"
2: "2"
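Review bot: Dropping `0` is right, but the remaining choice is still security-relevant and the file does not explain it: the variable defaults to `2` (context line above), and per the kernel's sysctl documentation a value of `2` can later be reverted to `0` by a privileged process, whereas `1` cannot be cleared until reboot. Profiles that want the non-revertible hardening must select `sysctl_kernel_unprivileged_bpf_disabled_value=1`; a comment on the options would make that explicit: `# 1: cannot be cleared at runtime; 2: same effect, but root may later write 0 or 1`. The variable's `description` field is outside the hunk and is the better place for the same sentence.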
From 7127380e294a7e112fc427d0a46c21f15404aaa5 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 11:33:03 +0200
Subject: [PATCH 4/5] Restrict sysctl multivalue compliance to rhel and ol
For now, the only STIGs I see that adopted this change were RHEL's and
OL's.
---
.../sysctl_net_ipv4_conf_all_rp_filter/rule.yml | 2 ++
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh | 1 +
.../sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh | 1 +
.../sysctl_kernel_kptr_restrict/rule.yml | 2 ++
.../sysctl_kernel_kptr_restrict/tests/value_1.pass.sh | 1 +
.../sysctl_kernel_kptr_restrict/tests/value_2.pass.sh | 1 +
6 files changed, 8 insertions(+)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index 496a8491f3..4d31c6c3eb 100644
index 697f79fa872..f04ae37c13d 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -59,8 +59,10 @@ template:
name: sysctl
vars:
sysctlvar: net.ipv4.conf.all.rp_filter
+ {{% if 'ol' in product or 'rhel' in product %}}
sysctlval:
- '1'
- '2'
wrong_sysctlval_for_testing: "0"
+ {{% endif %}}
datatype: int
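Review bot: The gate `{{% if 'ol' in product or 'rhel' in product %}}` is a substring test rather than a product match, so any product identifier that merely contains `ol` or `rhel` would also receive the two-value check; which identifiers exist depends on the tree this patch lands in, so treat this as a latent mismatch rather than a confirmed one. An anchored test is just as short and cannot widen by accident, for example `{{% if product.startswith('ol') or product.startswith('rhel') %}}` or an explicit `{{% if product in [...] %}}` list. The same gate appears in the `sysctl_kernel_kptr_restrict` hunk below, and the test scripts' `# platform = multi_platform_ol,multi_platform_rhel` lines show the intended scope.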
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
index 516bfaf1369..583b70a3b97 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
index ef1b8da0479..ef545976dc6 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 5706eee0a0a..f53e035effa 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -42,10 +42,12 @@ template:
name: sysctl
vars:
sysctlvar: kernel.kptr_restrict
+ {{% if 'ol' in product or 'rhel' in product %}}
sysctlval:
- '1'
- '2'
wrong_sysctlval_for_testing: "0"
+ {{% endif %}}
datatype: int
fixtext: |-
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
index e6efae48b25..70189666c16 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
index be3f2b743ef..209395fa9a1 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
@@ -1,4 +1,5 @@
#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
# Clean sysctl config directories
rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
From a159f7d62b200c79b6ec2b47ffa643ed6219f35b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Aug 2022 14:01:40 +0200
Subject: [PATCH 5/5] Update OCIL check along with the rule
The OCIL should should mention both compliant values.
---
.../rule.yml | 29 +++++++++++++++++--
.../sysctl_kernel_kptr_restrict/rule.yml | 29 ++++++++++++++++++-
2 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
index f04ae37c13d..4d31c6c3ebd 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
@@ -47,11 +47,36 @@ references:
@ -67,64 +312,8 @@ index 496a8491f3..4d31c6c3eb 100644
srg_requirement: '{{{ full_name }}} must use reverse path filtering on all IPv4 interfaces.'
@@ -59,4 +84,10 @@ template:
name: sysctl
vars:
sysctlvar: net.ipv4.conf.all.rp_filter
+ {{% if 'ol' in product or 'rhel' in product %}}
+ sysctlval:
+ - '1'
+ - '2'
+ wrong_sysctlval_for_testing: "0"
+ {{% endif %}}
datatype: int
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
new file mode 100644
index 0000000000..583b70a3b9
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_1.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="1"
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
new file mode 100644
index 0000000000..ef545976dc
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/tests/value_2.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.all.rp_filter/d" /etc/sysctl.conf
+echo "net.ipv4.conf.all.rp_filter = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w net.ipv4.conf.all.rp_filter="2"
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
index e3fc78e3f0..1eae854f6b 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
@@ -17,5 +17,5 @@ interactive: false
options:
default: 1
- disabled: "0"
enabled: 1
+ loose: 2
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 1984b3c869..367934b567 100644
index f53e035effa..367934b5672 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -34,6 +34,33 @@ references:
@ -161,78 +350,9 @@ index 1984b3c869..367934b567 100644
srg_requirement: '{{{ full_name }}} must restrict exposed kernel pointer addresses access.'
platform: machine
@@ -42,8 +69,14 @@ template:
name: sysctl
vars:
sysctlvar: kernel.kptr_restrict
+ {{% if 'ol' in product or 'rhel' in product %}}
+ sysctlval:
+ - '1'
+ - '2'
+ wrong_sysctlval_for_testing: "0"
+ {{% endif %}}
datatype: int
@@ -52,4 +79,4 @@ template:
fixtext: |-
Configure {{{ full_name }}} to restrict exposed kernel pointer addresses access.
- {{{ fixtext_sysctl("kernel.kptr_restrict", "1") | indent(4) }}}
+ {{{ fixtext_sysctl("kernel.kptr_restrict", value=xccdf_value("sysctl_kernel_kptr_restrict_value")) | indent(4) }}}
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
new file mode 100644
index 0000000000..70189666c1
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_1.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="1"
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
new file mode 100644
index 0000000000..209395fa9a
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/tests/value_2.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_ol,multi_platform_rhel
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.kptr_restrict/d" /etc/sysctl.conf
+echo "kernel.kptr_restrict = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.kptr_restrict="2"
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
index 452328e3ef..268550de53 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict_value.var
@@ -12,6 +12,5 @@ interactive: false
options:
default: 1
- 0: 0
1: 1
2: 2
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
index b8bf965a25..cbfd9bafa9 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
@@ -13,6 +13,5 @@ interactive: false
options:
default: 2
- 0: "0"
1: "1"
2: "2"
--
2.37.1

@ -1,801 +0,0 @@
From 48a361a41eff571e8c0d6f8c759c56d41cec5c5a Mon Sep 17 00:00:00 2001
From: vojtapolasek <vpolasek@redhat.com>
Date: Tue, 2 Aug 2022 13:21:45 +0200
Subject: [PATCH 3/8] Merge pull request #9147 from jan-cerny/rhbz2081728
Patch-name: scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch
Patch-status: Refresh BPF related rules in RHEL 9 OSPP profile
---
docs/templates/template_reference.md | 24 +-
.../rule.yml | 82 +++++++
.../tests/system_default.pass.sh | 5 +
.../tests/test_config.yml | 6 +
.../tests/value_0.fail.sh | 11 +
.../tests/value_1.pass.sh | 11 +
.../tests/value_2.pass.sh | 11 +
...kernel_unprivileged_bpf_disabled_value.var | 18 ++
products/rhel9/profiles/ospp.profile | 4 +-
.../oval/sysctl_kernel_ipv6_disable.xml | 4 +-
shared/references/cce-redhat-avail.txt | 1 -
shared/templates/sysctl/ansible.template | 2 +-
shared/templates/sysctl/bash.template | 2 +-
shared/templates/sysctl/oval.template | 213 +++++++++++-------
shared/templates/sysctl/template.py | 24 +-
15 files changed, 316 insertions(+), 102 deletions(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index a439e3dca9..e73b95450f 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -815,8 +815,28 @@ The selected value can be changed in the profile (consult the actual variable fo
- **datatype** - data type of the sysctl value, eg. `int`.
- - **sysctlval** - value of the sysctl value, eg. `'1'`. If this
- parameter is not specified, XCCDF Value is used instead.
+ - **sysctlval** - value of the sysctl value. This can be either not
+ specified, or an atomic value, eg. `'1'`, or a list of values,
+ eg. `['1','2']`.
+ - If this parameter is not specified, an XCCDF Value is used instead
+ in OVAL check and remediations. The XCCDF Value should have a file
+ name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`,
+ where the `escaped_sysctlvar` is a value of the **sysctlvar**
+ parameter in which all characters that don't match the `\w` regular
+ expression are replaced by an underscore (`_`).
+ - If this parameter is set to an atomic value, this atomic value
+ will be used in OVAL check and remediations.
+ - If this parameter is set to a list of values, the list will be used
+ in the OVAL check, but won't be used in the remediations.
+ All remediations will use an XCCDF value instead.
+
+ - **wrong_sysctlval_for_testing** - the value that is always wrong. This
+ will be used in templated test scenarios when **sysctlval** is a list.
+
+ - **missing_parameter_pass** - if set to `true` the check will pass if the
+ setting for the given **sysctlvar** is not present in sysctl
+ configuration files. In other words, the check will pass if the system
+ default isn't overriden by configuration. Default value: `false`.
- **operation** - operation used for comparison of collected object
with **sysctlval**. Default value: `equals`.
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
new file mode 100644
index 0000000000..259d1f901c
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml
@@ -0,0 +1,82 @@
+documentation_complete: true
+
+prodtype: rhel9
+
+title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes'
+
+description: |-
+ To prevent unprivileged processes from using the <code>bpf()</code> syscall
+ the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter must
+ be set to <code>1</code> or <code>2</code>.
+
+ Writing <code>1</code> to this entry will disable unprivileged calls to <code>bpf()</code>; once
+ disabled, calling <code>bpf()</code> without <code>CAP_SYS_ADMIN</code> or <code>CAP_BPF</code> will return <code>-EPERM</code>.
+ Once set to <code>1</code>, this can't be cleared from the running kernel anymore.
+
+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}}
+
+ Writing <code>2</code> to this entry will also disable unprivileged calls to <code>bpf()</code>,
+ however, an admin can still change this setting later on, if needed, by
+ writing <code>0</code> or <code>1</code> to this entry.
+
+ {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}}
+
+rationale: |-
+ Loading and accessing the packet filters programs and maps using the bpf()
+ syscall has the potential of revealing sensitive information about the kernel state.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-87712-6
+
+references:
+ disa: CCI-000366
+ nist: AC-6,SC-7(10)
+ ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227
+
+ocil: |-
+ The runtime status of the <code>kernel.unprivileged_bpf_disabled</code>
+ kernel parameter can be queried by running the following command:
+ <pre>$ sysctl kernel.unprivileged_bpf_disabled</pre>
+ The output of the command should indicate either:
+ kernel.unprivileged_bpf_disabled = 1
+ or:
+ kernel.unprivileged_bpf_disabled = 2
+ The output of the command should not indicate:
+ kernel.unprivileged_bpf_disabled = 0
+
+ The preferable way how to assure the runtime compliance is to have
+ correct persistent configuration, and rebooting the system.
+
+ The persistent kernel parameter configuration is performed by specifying the appropriate
+ assignment in any file located in the <pre>/etc/sysctl.d</pre> directory.
+ Verify that there is not any existing incorrect configuration by executing the following command:
+ <pre>$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d</pre>
+ The command should not find any assignments other than:
+ kernel.unprivileged_bpf_disabled = 1
+ or:
+ kernel.unprivileged_bpf_disabled = 2
+
+ Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2.
+
+ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0"
+
+fixtext: |-
+ Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall.
+
+srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.'
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.unprivileged_bpf_disabled
+ sysctlval:
+ - '1'
+ - '2'
+ wrong_sysctlval_for_testing: "0"
+ missing_parameter_pass: "true"
+ datatype: int
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
new file mode 100644
index 0000000000..b9776227bd
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
new file mode 100644
index 0000000000..5cf6807405
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml
@@ -0,0 +1,6 @@
+deny_templated_scenarios:
+ # this rule uses missing_parameter_pass: true which means the check should pass
+ # if the configuration is missing (or commented out) therefore we disable
+ # line_not_there.fail.sh and comment.fail.sh test scenarios
+ - line_not_there.fail.sh
+ - comment.fail.sh
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
new file mode 100644
index 0000000000..9f19e0140b
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
+echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.unprivileged_bpf_disabled="0"
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
new file mode 100644
index 0000000000..e976db594c
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
+echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.unprivileged_bpf_disabled="1"
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
new file mode 100644
index 0000000000..b1537175eb
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf
+echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.unprivileged_bpf_disabled="2"
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
new file mode 100644
index 0000000000..b8bf965a25
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: kernel.unprivileged_bpf_disabled
+
+description: |-
+ Prevent unprivileged processes from using the bpf() syscall.
+
+type: number
+
+operator: equals
+
+interactive: false
+
+options:
+ default: 2
+ 0: "0"
+ 1: "1"
+ 2: "2"
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index feb96501a9..f27f961a7a 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -74,8 +74,8 @@ selections:
- sysctl_kernel_yama_ptrace_scope
- sysctl_kernel_perf_event_paranoid
- sysctl_user_max_user_namespaces
- - sysctl_kernel_unprivileged_bpf_disabled
- - sysctl_net_core_bpf_jit_harden
+ - sysctl_kernel_unprivileged_bpf_disabled_accept_default
+ - sysctl_kernel_unprivileged_bpf_disabled_value=2
- service_kdump_disabled
### Audit
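Review bot: The hunk drops `sysctl_net_core_bpf_jit_harden` from the OSPP selections without a replacement; as I recall, `bpf_jit_harden=2` applies JIT constant blinding to privileged BPF programs as well, which disabling unprivileged bpf() does not cover, so this is a relaxation of the profile rather than a refresh. If that is intended, a sentence in the patch description saying why (performance cost, an OSPP requirement change) would help whoever diffs the profile against the previous release; otherwise keep the line. The selections list continues outside the hunk.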
diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
index 1195cea518..f971d28a04 100644
--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
@@ -19,8 +19,8 @@
</metadata>
<criteria comment="IPv6 disabled or net.ipv6.conf.all.disable_ipv6 set correctly" operator="OR">
<criteria operator="AND">
- <extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="sysctl_static_net_ipv6_conf_all_disable_ipv6" />
- <extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="sysctl_runtime_net_ipv6_conf_all_disable_ipv6" />
+ <extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="sysctl_net_ipv6_conf_all_disable_ipv6_static" />
+ <extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="sysctl_net_ipv6_conf_all_disable_ipv6_runtime" />
</criteria>
</criteria>
</definition>
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index fb2f59fd09..a613a152ae 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1443,7 +1443,6 @@ CCE-87708-4
CCE-87709-2
CCE-87710-0
CCE-87711-8
-CCE-87712-6
CCE-87713-4
CCE-87714-2
CCE-87715-9
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index c13bb6637f..edc4d3fb66 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -21,7 +21,7 @@
replace: '#{{{ SYSCTLVAR }}}'
loop: "{{ find_sysctl_d.files }}"
-{{%- if SYSCTLVAL == "" %}}
+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}}
- (xccdf-var sysctl_{{{ SYSCTLID }}}_value)
- name: Ensure sysctl {{{ SYSCTLVAR }}} is set
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
index d67a59c388..cd3424b022 100644
--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
fi
done
-{{%- if SYSCTLVAL == "" %}}
+{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}}
{{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}}
#
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 74583dbee1..1a7c4979bb 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -1,12 +1,20 @@
{{%- if SYSCTLVAL == "" %}}
{{%- set COMMENT_VALUE="the appropriate value" %}}
+{{%- elif SYSCTLVAL is sequence %}}
+{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}}
{{%- else %}}
{{%- set COMMENT_VALUE=SYSCTLVAL %}}
{{%- endif %}}
{{% macro state_static_sysctld(prefix) -%}}
- <ind:object object_ref="object_static_{{{ prefix }}}_{{{ SYSCTLID }}}"/>
- <ind:state state_ref="state_static_sysctld_{{{ SYSCTLID }}}"/>
+ <ind:object object_ref="object_static_{{{ prefix }}}_{{{ rule_id }}}"/>
+{{% if SYSCTLVAL is string %}}
+ <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}"/>
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+ <ind:state state_ref="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" />
+{{% endfor %}}
+{{% endif %}}
{{%- endmacro -%}}
{{%- macro sysctl_match() -%}}
{{%- if SYSCTLVAL == "" -%}}
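Review bot: `state_static_sysctld` now emits a state reference only when `SYSCTLVAL is string` or `is sequence`; for any other value, for instance a rule.yml that writes `sysctlval: 2` as a bare YAML integer, the macro emits an object with no state at all, and a textfilecontent54_test with `check_existence="all_exist"` and no state is evaluated on existence alone, so the check passes whenever the parameter appears in a file regardless of its value, silently weakened instead of failing the build. I would reject such values at preprocess time in template.py, e.g. `if not isinstance(data["sysctlval"], (str, list)): raise ValueError("sysctlval of {0} must be a string or a list".format(data["_rule_id"]))`, or add an `{{% else %}}` branch here that expands to something the OVAL schema validation rejects. Note also that Jinja's `is sequence` is true for strings, so the `is string` test must stay first; that ordering constraint deserves a one-line comment above the macro.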
@@ -20,13 +28,13 @@
{{%- if "P" in FLAGS -%}}
<def-group>
- <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="3">
+ <definition class="compliance" id="{{{ rule_id }}}" version="3">
{{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
<criteria operator="AND">
<extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
- definition_ref="sysctl_static_{{{ SYSCTLID }}}"/>
+ definition_ref="{{{ rule_id }}}_static"/>
<extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
- definition_ref="sysctl_runtime_{{{ SYSCTLID }}}"/>
+ definition_ref="{{{ rule_id }}}_runtime"/>
</criteria>
</definition>
</def-group>
@@ -34,7 +42,7 @@
{{%- elif "I" in FLAGS -%}}
<def-group>
- <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="4">
+ <definition class="compliance" id="{{{ rule_id }}}" version="4">
{{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
<criteria comment="IPv6 disabled or {{{ SYSCTLVAR }}} set correctly" operator="OR">
{{% if product in ["ubuntu1604", "ubuntu1804"] %}}
@@ -46,9 +54,9 @@
{{% endif %}}
<criteria operator="AND">
<extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
- definition_ref="sysctl_static_{{{ SYSCTLID }}}"/>
+ definition_ref="{{{ rule_id }}}_static"/>
<extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
- definition_ref="sysctl_runtime_{{{ SYSCTLID }}}"/>
+ definition_ref="{{{ rule_id }}}_runtime"/>
</criteria>
</criteria>
</definition>
@@ -58,33 +66,41 @@
{{%- if "R" in FLAGS -%}}
<def-group>
- <definition class="compliance" id="sysctl_runtime_{{{ SYSCTLID }}}" version="3">
+ <definition class="compliance" id="{{{ rule_id }}}_runtime" version="3">
{{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}}
<criteria operator="AND">
<criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
- test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}"/>
+ test_ref="test_{{{ rule_id }}}_runtime"/>
</criteria>
</definition>
- <unix:sysctl_test id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1"
+
+ <unix:sysctl_test id="test_{{{ rule_id }}}_runtime" version="1"
comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
- check="all" check_existence="all_exist">
- <unix:object object_ref="object_sysctl_runtime_{{{ SYSCTLID }}}"/>
- <unix:state state_ref="state_sysctl_runtime_{{{ SYSCTLID }}}"/>
+ check="all" check_existence="all_exist" state_operator="OR">
+ <unix:object object_ref="object_{{{ rule_id }}}_runtime"/>
+{{% if SYSCTLVAL is string %}}
+ <unix:state state_ref="state_{{{ rule_id }}}_runtime"/>
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+ <unix:state state_ref="state_{{{ rule_id }}}_runtime_{{{ x }}}" />
+{{% endfor %}}
+{{% endif %}}
</unix:sysctl_test>
- <unix:sysctl_object id="object_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
+ <unix:sysctl_object id="object_{{{ rule_id }}}_runtime" version="1">
<unix:name>{{{ SYSCTLVAR }}}</unix:name>
</unix:sysctl_object>
+{{% if SYSCTLVAL is string %}}
{{% if SYSCTLVAL == "" %}}
- <unix:sysctl_state id="state_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
+ <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
<unix:value datatype="{{{ DATATYPE }}}" operation="equals"
- var_ref="sysctl_{{{ SYSCTLID }}}_value"/>
+ var_ref="{{{ rule_id }}}_value"/>
</unix:sysctl_state>
- <external_variable id="sysctl_{{{ SYSCTLID }}}_value" version="1"
+ <external_variable id="{{{ rule_id }}}_value" version="1"
comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
{{%- else %}}
- <unix:sysctl_state id="state_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
+ <unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
{{% if OPERATION == "pattern match" %}}
<unix:value datatype="{{{ DATATYPE }}}"
operation="{{{ OPERATION }}}">{{{ SYSCTLVAL_REGEX }}}</unix:value>
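Review bot: The external variable is now published as `{{{ rule_id }}}_value` (the `var_ref` and `external_variable` lines in this hunk), whereas the ansible and bash templates in the same patch still instantiate `sysctl_{{{ SYSCTLID }}}_value`; the two only coincide when the rule id is `sysctl_` + SYSCTLID, and this patch itself introduces a rule where it is not (`sysctl_kernel_unprivileged_bpf_disabled_accept_default`, whose variable file is `sysctl_kernel_unprivileged_bpf_disabled_value.var`). Any variable-driven rule with a non-default id would therefore have its remediation and its check bound to different XCCDF variables. I would keep the OVAL side on the id the remediations use: `var_ref="sysctl_{{{ SYSCTLID }}}_value"` and `<external_variable id="sysctl_{{{ SYSCTLID }}}_value" version="1"`; the same pair appears again in the static section of this template.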
@@ -94,133 +110,156 @@
{{% endif %}}
</unix:sysctl_state>
{{%- endif %}}
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+ <unix:sysctl_state id="state_{{{ rule_id }}}_runtime_{{{ x }}}" version="1">
+ <unix:value datatype="{{{ DATATYPE }}}"
+ operation="{{{ OPERATION }}}">{{{ x }}}</unix:value>
+ </unix:sysctl_state>
+{{% endfor %}}
+{{% endif %}}
</def-group>
{{%- endif -%}}
{{%- if "S" in FLAGS -%}}
<def-group>
- <definition class="compliance" id="sysctl_static_{{{ SYSCTLID }}}" version="3">
+ <definition class="compliance" id="{{{ rule_id }}}_static" version="3">
{{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}
+{{% if MISSING_PARAMETER_PASS == "true" %}}
+ <criteria operator="OR">
+{{% endif %}}
<criteria operator="AND">
<criteria operator="OR">
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.conf"
- test_ref="test_static_sysctl_{{{ SYSCTLID }}}"/>
+ test_ref="test_{{{ rule_id }}}_static"/>
<!-- see sysctl.d(5) -->
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.d/*.conf"
- test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
+ test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/>
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
- test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
+ test_ref="test_{{{ rule_id }}}_static_run_sysctld"/>
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
- test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+ test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/>
{{% endif %}}
</criteria>
{{% if target_oval_version >= [5, 11] %}}
- <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+ <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_{{{ rule_id }}}_defined_in_one_file" />
{{% endif %}}
</criteria>
+{{% if MISSING_PARAMETER_PASS == "true" %}}
+ <criterion comment="Check that {{{ SYSCTLID }}} is not defined in any file" test_ref="test_{{{ rule_id }}}_not_defined" />
+ </criteria>
+{{% endif %}}
</definition>
- <ind:textfilecontent54_test id="test_static_sysctl_{{{ SYSCTLID }}}" version="1"
- check="all" check_existence="all_exist"
+{{% if MISSING_PARAMETER_PASS == "true" %}}
+ <ind:textfilecontent54_test id="test_{{{ rule_id }}}_not_defined" version="1"
+ check="all" check_existence="none_exist"
comment="{{{ SYSCTLVAR }}} static configuration">
+ <ind:object object_ref="object_{{{ rule_id }}}_static_set_sysctls" />
+ </ind:textfilecontent54_test>
+{{% endif %}}
+
+ <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static" version="1"
+ check="all" check_existence="all_exist"
+ comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR">
{{{ state_static_sysctld("sysctl") }}}
</ind:textfilecontent54_test>
- <ind:textfilecontent54_test id="test_static_etc_sysctld_{{{ SYSCTLID }}}" version="1" check="all"
- comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf">
+ <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_etc_sysctld" version="1" check="all"
+ comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
{{{ state_static_sysctld("etc_sysctld") }}}
</ind:textfilecontent54_test>
- <ind:textfilecontent54_test id="test_static_run_sysctld_{{{ SYSCTLID }}}" version="1" check="all"
- comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf">
+ <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_run_sysctld" version="1" check="all"
+ comment="{{{ SYSCTLVAR }}} static configuration in /run/sysctl.d/*.conf" state_operator="OR">
{{{ state_static_sysctld("run_sysctld") }}}
</ind:textfilecontent54_test>
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
- <ind:textfilecontent54_test id="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1"
+ <ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_usr_lib_sysctld" version="1"
check="all"
- comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf">
+ comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR">
{{{ state_static_sysctld("usr_lib_sysctld") }}}
</ind:textfilecontent54_test>
{{% endif %}}
{{% if target_oval_version >= [5, 11] %}}
<ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
- id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
- <ind:object object_ref="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
- <ind:state state_ref="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+ id="test_{{{ rule_id }}}_defined_in_one_file" version="1">
+ <ind:object object_ref="object_{{{ rule_id }}}_defined_in_one_file" />
+ <ind:state state_ref="state_{{{ rule_id }}}_defined_in_one_file" />
</ind:variable_test>
- <ind:variable_object id="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
- <ind:var_ref>local_var_unique_sysctl_{{{ SYSCTLID }}}_counter</ind:var_ref>
+ <ind:variable_object id="object_{{{ rule_id }}}_defined_in_one_file" version="1">
+ <ind:var_ref>local_var_{{{ rule_id }}}_counter</ind:var_ref>
</ind:variable_object>
- <ind:variable_state id="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
+ <ind:variable_state id="state_{{{ rule_id }}}_defined_in_one_file" version="1">
<ind:value operation="equals" datatype="int">1</ind:value>
</ind:variable_state>
- <local_variable comment="Count unique sysctls" datatype="int" id="local_var_unique_sysctl_{{{ SYSCTLID }}}_counter" version="1">
+ <local_variable comment="Count unique sysctls" datatype="int" id="local_var_{{{ rule_id }}}_counter" version="1">
<count>
<unique>
- <object_component object_ref="object_static_set_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
+ <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls" item_field="filepath" />
</unique>
</count>
</local_variable>
- <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
+ <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls" version="1">
<set>
- <object_reference>object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}</object_reference>
- <filter action="exclude">state_{{{ SYSCTLID }}}_filepath_is_symlink</filter>
+ <object_reference>object_{{{ rule_id }}}_static_set_sysctls_unfiltered</object_reference>
+ <filter action="exclude">state_{{{ rule_id }}}_filepath_is_symlink</filter>
</set>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_{{{ SYSCTLID }}}_filepath_is_symlink" version="1">
- <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_safe_symlinks_{{{ SYSCTLID }}}" datatype="string" />
+ <ind:textfilecontent54_state id="state_{{{ rule_id }}}_filepath_is_symlink" version="1">
+ <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_{{{ rule_id }}}_safe_symlinks" datatype="string" />
</ind:textfilecontent54_state>
- <!-- <no simlink handling> -->
+ <!-- <no symlink handling> -->
<!-- We craft a variable with blank string to combine with the symlink paths found.
This ultimately avoids referencing a variable with "no values",
we reference a variable with a blank string -->
- <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_safe_symlinks_{{{ SYSCTLID }}}" version="1">
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_{{{ rule_id }}}_safe_symlinks" version="1">
<unique>
- <object_component object_ref="var_object_symlink_{{{ SYSCTLID }}}" item_field="value" />
+ <object_component object_ref="var_object_symlink_{{{ rule_id }}}" item_field="value" />
</unique>
</local_variable>
- <ind:variable_object id="var_object_symlink_{{{ SYSCTLID }}}" comment="combine the blank string with symlink paths found" version="1">
+ <ind:variable_object id="var_object_symlink_{{{ rule_id }}}" comment="combine the blank string with symlink paths found" version="1">
<set>
- <object_reference>var_obj_symlink_{{{ SYSCTLID }}}</object_reference>
- <object_reference>var_obj_blank_{{{ SYSCTLID }}}</object_reference>
+ <object_reference>var_obj_symlink_{{{ rule_id }}}</object_reference>
+ <object_reference>var_obj_blank_{{{ rule_id }}}</object_reference>
</set>
</ind:variable_object>
- <ind:variable_object id="var_obj_blank_{{{ SYSCTLID }}}" comment="variable object of the blank string" version="1">
- <ind:var_ref>local_var_blank_path_{{{ SYSCTLID }}}</ind:var_ref>
+ <ind:variable_object id="var_obj_blank_{{{ rule_id }}}" comment="variable object of the blank string" version="1">
+ <ind:var_ref>local_var_blank_path_{{{ rule_id }}}</ind:var_ref>
</ind:variable_object>
- <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ SYSCTLID }}}" version="1">
+ <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ rule_id }}}" version="1">
<literal_component datatype="string"></literal_component>
</local_variable>
- <ind:variable_object id="var_obj_symlink_{{{ SYSCTLID }}}" comment="variable object of the symlinks found" version="1">
- <ind:var_ref>local_var_symlinks_{{{ SYSCTLID }}}</ind:var_ref>
+ <ind:variable_object id="var_obj_symlink_{{{ rule_id }}}" comment="variable object of the symlinks found" version="1">
+ <ind:var_ref>local_var_symlinks_{{{ rule_id }}}</ind:var_ref>
</ind:variable_object>
- <!-- </no simlink handling> -->
+ <!-- </no symlink handling> -->
- <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ SYSCTLID }}}" version="1">
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ rule_id }}}" version="1">
<unique>
- <object_component object_ref="object_{{{ SYSCTLID }}}_symlinks" item_field="filepath" />
+ <object_component object_ref="object_{{{ rule_id }}}_symlinks" item_field="filepath" />
</unique>
</local_variable>
<!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
Workaround by querying for all conf files found -->
- <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
- <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
- <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>
+ <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ rule_id }}}_symlinks" version="1">
+ <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ rule_id }}}" />
+ <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ rule_id }}}</filter>
</unix:symlink_object>
<!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
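Review bot: The new `test_{{{ rule_id }}}_not_defined` (and the criterion that references it) is emitted whenever `MISSING_PARAMETER_PASS` is true, but its `object_ref`, `object_{{{ rule_id }}}_static_set_sysctls`, is only defined inside the `{{% if target_oval_version >= [5, 11] %}}` block further down in this hunk (its `endif` is in the following hunk), so a product built for OVAL 5.10 that uses such a rule gets a document with a dangling object reference. Either guard the new test and criterion with the same version check, or point the test at the set that is defined unconditionally: `<ind:object object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" />`. For a `none_exist` test the unfiltered set seems the right one anyway, since a symlinked conf file that sets the parameter should still count as "defined"; a comment saying why the filtered set is not used there would prevent someone from "fixing" it back.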
@@ -228,75 +267,76 @@
^/etc/sysctl.d/.*$
^/run/sysctl.d/.*$
^/usr/lib/sysctl.d/.*$ -->
- <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">
+ <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ rule_id }}}" version="1">
<unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
</unix:symlink_state>
{{% endif %}}
- <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
- <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
+ <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ rule_id }}}" version="1">
+ <object_component object_ref="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" item_field="filepath" />
</local_variable>
<!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
variable to have no value even when there are valid objects. -->
- <ind:textfilecontent54_object id="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" version="1">
+ <ind:textfilecontent54_object id="object_{{{ rule_id }}}_static_set_sysctls_unfiltered" version="1">
<set>
- <object_reference>object_static_etc_sysctls_{{{ SYSCTLID }}}</object_reference>
- <object_reference>object_static_run_usr_sysctls_{{{ SYSCTLID }}}</object_reference>
+ <object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
+ <object_reference>object_static_run_usr_sysctls_{{{ rule_id }}}</object_reference>
</set>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ SYSCTLID }}}" version="1">
+ <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ rule_id }}}" version="1">
<set>
- <object_reference>object_static_sysctl_{{{ SYSCTLID }}}</object_reference>
- <object_reference>object_static_etc_sysctld_{{{ SYSCTLID }}}</object_reference>
+ <object_reference>object_static_sysctl_{{{ rule_id }}}</object_reference>
+ <object_reference>object_static_etc_sysctld_{{{ rule_id }}}</object_reference>
</set>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
+ <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ rule_id }}}" version="1">
<set>
- <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
+ <object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
- <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
+ <object_reference>object_static_usr_lib_sysctld_{{{ rule_id }}}</object_reference>
{{% endif %}}
</set>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_object id="object_static_sysctl_{{{ SYSCTLID }}}" version="1">
+ <ind:textfilecontent54_object id="object_static_sysctl_{{{ rule_id }}}" version="1">
<ind:filepath>/etc/sysctl.conf</ind:filepath>
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
- <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ SYSCTLID }}}" version="1">
+ <ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ rule_id }}}" version="1">
<ind:path>/etc/sysctl.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
- <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ SYSCTLID }}}" version="1">
+ <ind:textfilecontent54_object id="object_static_run_sysctld_{{{ rule_id }}}" version="1">
<ind:path>/run/sysctl.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
- <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
+ <ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
<ind:path>/usr/lib/sysctl.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
{{% endif %}}
+{{% if SYSCTLVAL is string %}}
{{% if SYSCTLVAL == "" %}}
- <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
- <ind:subexpression operation="{{{ OPERATION }}}" var_ref="sysctl_{{{ SYSCTLID }}}_value"
+ <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
+ <ind:subexpression operation="{{{ OPERATION }}}" var_ref="{{{ rule_id }}}_value"
datatype="{{{ DATATYPE }}}" />
</ind:textfilecontent54_state>
- <external_variable id="sysctl_{{{ SYSCTLID }}}_value" version="1"
+ <external_variable id="{{{ rule_id }}}_value" version="1"
comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
{{% else %}}
- <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
+ <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
{{% if OPERATION == "pattern match" %}}
<ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL_REGEX }}}</ind:subexpression>
{{% else %}}
@@ -304,5 +344,12 @@
{{% endif %}}
</ind:textfilecontent54_state>
{{% endif %}}
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+ <ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" version="1">
+ <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ x }}}</ind:subexpression>
+ </ind:textfilecontent54_state>
+{{% endfor %}}
+{{% endif %}}
</def-group>
{{%- endif -%}}
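Review bot: In the sequence branch added at the end of this hunk each `ind:subexpression` uses `operation="{{{ OPERATION }}}"` with the raw list element, while the string branch just above switches to `SYSCTLVAL_REGEX` when OPERATION is `pattern match`; a list combined with `operation: pattern match` would therefore embed unescaped values as regexes, and the runtime states in the earlier hunk do the same. Since the multi-value feature is evidently meant for a small set of exact values, I would make that explicit by rejecting the combination in template.py's preprocess, `if isinstance(data["sysctlval"], list) and data["operation"] != "equals": raise ValueError(...)`, and by noting in the template that list values are compared with `equals` only. The element is also interpolated into the state id (`state_static_sysctld_{{{ rule_id }}}_{{{ x }}}`), so values containing characters that are not valid in an OVAL id would need escaping; the integers used so far are fine.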
diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py
index fa981a9dce..9083a6a418 100644
--- a/shared/templates/sysctl/template.py
+++ b/shared/templates/sysctl/template.py
@@ -11,8 +11,19 @@ def preprocess(data, lang):
data["flags"] = "SR" + ipv6_flag
if "operation" not in data:
data["operation"] = "equals"
+ if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0:
+ raise ValueError(
+ "The sysctlval parameter of {0} is an empty list".format(
+ data["_rule_id"]))
# Configure data for test scenarios
+ if data["datatype"] not in ["string", "int"]:
+ raise ValueError(
+ "Test scenarios for data type '{0}' are not implemented yet.\n"
+ "Please check if rule '{1}' has correct data type and edit "
+ "{2} to add tests for it.".format(
+ data["datatype"], data["_rule_id"], __file__))
+
if data["sysctlval"] == "":
if data["datatype"] == "int":
data["sysctl_correct_value"] = "0"
@@ -20,20 +31,13 @@ def preprocess(data, lang):
elif data["datatype"] == "string":
data["sysctl_correct_value"] = "correct_value"
data["sysctl_wrong_value"] = "wrong_value"
- else:
- raise ValueError(
- "Test scenarios for data type '{0}' are not implemented yet.\n"
- "Please check if rule '{1}' has correct data type and edit "
- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__))
+ elif isinstance(data["sysctlval"], list):
+ data["sysctl_correct_value"] = data["sysctlval"][0]
+ data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"]
else:
data["sysctl_correct_value"] = data["sysctlval"]
if data["datatype"] == "int":
data["sysctl_wrong_value"] = "1" + data["sysctlval"]
elif data["datatype"] == "string":
data["sysctl_wrong_value"] = "wrong_value"
- else:
- raise ValueError(
- "Test scenarios for data type '{0}' are not implemented yet.\n"
- "Please check if rule '{1}' has correct data type and edit "
- "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__))
return data
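Review bot: The new list branch reads `data["wrong_sysctlval_for_testing"]` unconditionally, so a multi-value rule that forgets the key fails the build with a bare `KeyError` instead of the descriptive ValueError the empty-list case gets a few lines above, and nothing checks that the supplied wrong value is actually outside the accepted list, so a typo makes the `.fail.sh` scenario pass unnoticed. I would validate both next to the empty-list check and reject types the templates cannot handle (a bare YAML integer is neither a str nor a list and leaves the OVAL states unrendered). The enclosing `preprocess` starts outside the hunk; the checks are a handful of lines, so:
```python
    # … unchanged: flags / operation defaults …
    if isinstance(data["sysctlval"], list):
        if len(data["sysctlval"]) == 0:
            raise ValueError(
                "The sysctlval parameter of {0} is an empty list".format(
                    data["_rule_id"]))
        if "wrong_sysctlval_for_testing" not in data:
            raise ValueError(
                "Rule {0} uses a list of sysctlval and must define "
                "wrong_sysctlval_for_testing".format(data["_rule_id"]))
        if data["wrong_sysctlval_for_testing"] in data["sysctlval"]:
            raise ValueError(
                "wrong_sysctlval_for_testing of {0} must not be one of the "
                "accepted values".format(data["_rule_id"]))
    elif not isinstance(data["sysctlval"], str):
        raise ValueError(
            "The sysctlval parameter of {0} must be a string or a list".format(
                data["_rule_id"]))
    # … unchanged: datatype check and test-scenario value selection …
```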
--
2.37.1


@ -0,0 +1,92 @@
From 245d4e04318bcac20f15e680cf1b33a35b94067a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 8 Aug 2022 14:34:34 +0200
Subject: [PATCH 1/3] add warning to the rsyslog_remote_loghost rule about
configuring queues
---
.../rsyslog_remote_loghost/rule.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 4ce56d2e6a5..c73d9ec95a6 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -90,3 +90,20 @@ fixtext: |-
*.* @@[remoteloggingserver]:[port]"
srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a different system or storage media from the system being audited.'
+
+warnings:
+ - functionality: |-
+ It is important to configure queues in case the client is sending log
+ messages to a remote server. If queues are not configured, there is a
+ danger that the system will stop functioning in case that the connection
+ to the remote server is not available. Please consult Rsyslog
+ documentation for more information about configuration of queues. The
+ example configuration which should go into <tt>/etc/rsyslog.conf</tt>
+ can look like the following lines:
+ <pre>
+ $ActionQueueType LinkedList
+ $ActionQueueFileName somenameforprefix
+ $ActionQueueMaxDiskSpace 1g
+ $ActionQueueSaveOnShutdown on
+ $ActionResumeRetryCount -1
+ </pre>
From 10fbd1665513284fbb82cf1af96b92774301f8e5 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Tue, 9 Aug 2022 09:41:00 +0200
Subject: [PATCH 2/3] Apply suggestions from code review
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
---
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index c73d9ec95a6..706d3265a08 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -95,14 +95,14 @@ warnings:
- functionality: |-
It is important to configure queues in case the client is sending log
messages to a remote server. If queues are not configured, there is a
- danger that the system will stop functioning in case that the connection
+ the system will stop functioning when the connection
to the remote server is not available. Please consult Rsyslog
documentation for more information about configuration of queues. The
example configuration which should go into <tt>/etc/rsyslog.conf</tt>
can look like the following lines:
<pre>
$ActionQueueType LinkedList
- $ActionQueueFileName somenameforprefix
+ $ActionQueueFileName queuefilename
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
From e2abf4f8a1bcc0dd02ad4af6f9575797abdd332e Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Tue, 9 Aug 2022 10:55:04 +0200
Subject: [PATCH 3/3] Update
linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
---
.../rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 706d3265a08..cce4d5cac1d 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -94,7 +94,7 @@ srg_requirement: 'The {{{ full_name }}} audit records must be off-loaded onto a
warnings:
- functionality: |-
It is important to configure queues in case the client is sending log
- messages to a remote server. If queues are not configured, there is a
+ messages to a remote server. If queues are not configured,
the system will stop functioning when the connection
to the remote server is not available. Please consult Rsyslog
documentation for more information about configuration of queues. The
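Review bot: The warning tells the reader to put the `$ActionQueue*` lines into /etc/rsyslog.conf but not where: with rsyslog's legacy directives these settings apply to the next action that follows them and, as far as I recall, are reset afterwards, so pasted after the `*.* @@[remoteloggingserver]:[port]` line from the fixtext they silently do nothing. I would add a sentence such as `These directives must appear immediately before the forwarding action (the *.* @@... line) they are meant to protect.` and, since the snippet is legacy syntax, mention the RainerScript equivalent, `action(type="omfwd" ... queue.type="LinkedList" queue.filename="queuefilename" queue.maxdiskspace="1g" queue.saveonshutdown="on" action.resumeRetryCount="-1")`. "The system will stop functioning" is also stronger than what happens in my experience, which is that rsyslog's main queue fills and processes that log synchronously block; a more precise wording would keep readers from dismissing the warning as hyperbole.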


@ -2,11 +2,11 @@
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
%global _vpath_builddir build
%global _default_patch_fuzz 2
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide
Version: 0.1.63
Release: 1%{?dist}
Release: 4%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System
@ -14,35 +14,28 @@ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Include tarball with last released rhel6 content
Source1: %{_static_rhel6_content}.tar.bz2
# Disable profiles that are not in good shape for products/rhel8
Patch0: disable-not-in-good-shape-profiles.patch
# Update RHEL8 STIG to V1R7
Patch1: scap-security-guide-0.1.64-update-rhel8-stig-to-v1r7-PR_9276.patch
# Refresh BPF related rules in RHEL 9 OSPP profile
Patch2: scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch
# New sysctl ipv4 forwarding rule
Patch3: scap-security-guide-0.1.64-add_new_rule_sysctl_ipv4_forwarding-PR_9277.patch
# Add rsyslogd to the list of tools checked by aide
Patch4: scap-security-guide-0.1.64-aide_check_rsyslogd-PR_9282.patch
# Accept sudoers files without includes as compliant
Patch5: scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch
# Update few sysctl rules to accept multiple compliant values
Patch6: scap-security-guide-0.1.64-add_multivalue_compliance_kptr_rp_filter-PR_9286.patch
# Reintroduce back the sshd timeout rules in RHEL8 STIG profile
Patch7: scap-security-guide-0.1.64-readd-sshd_timeout-rules-PR_9318.patch
# Make OSPP profiles use minimal Authselect profile
Patch8: scap-security-guide-0.1.64-authselect_minimal_in_ospp-PR_9298.patch
# change rules protecting boot in RHEL8 OSPP
Patch9: scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch
# Introduce and apply the "partition exists" platform
Patch10: scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch
# Add the platform applicability to relevant rules
Patch11: scap-security-guide-0.1.64-add_partition_platform_to_relevant_rules-PR_9324.path
# Fix ansible partition conditionals
Patch12: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
BuildArch: noarch
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
Patch2: scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
Patch3: scap-security-guide-0.1.64-stig_aide-PR_9282.patch
Patch4: scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
Patch5: scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
Patch6: scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
Patch7: scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
Patch8: scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
Patch9: scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
Patch10: scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
Patch11: scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
Patch12: scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
Patch13: scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
Patch14: scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
Patch15: scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
Patch16: scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
BuildRequires: libxslt
BuildRequires: expat
BuildRequires: openscap-scanner >= 1.2.5
@ -146,20 +139,34 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
%endif
%changelog
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-1
- Update to the latest upstream release (RHBZ#2116347)
- Update RHEL8 STIG profile to V1R7 (RHBZ#2116408)
- Select grub2_disable_recovery in OSPP Profile (RHBZ#2117308)
- Use authselect minimal profile in OSPP Profile (RHBZ#2117306)
- Improve rules for CIS level1 partition options (RHBZ#2117510)
* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
- Fix Ansible partition conditional (RHBZ#2032403)
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
- aligning with the latest STIG update (RHBZ#2112937)
- OSPP: use Authselect minimal profile (RHBZ#2117192)
- OSPP: change rules for protecting of boot (RHBZ#2116440)
- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
- fix handling of Defaults clause in sudoers (RHBZ#2083109)
- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
- fix handling of Rsyslog include directives (RHBZ#2075384)
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
- Rebase to a new upstream release (RHBZ#2070564)
* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
- Fix validation of OVAL 5.10 content (RHBZ#2082556)
- Fix Ansible sysctl remediation (RHBZ#2082556)
- Fix validation of OVAL 5.10 content (RHBZ#2079241)
- Fix Ansible sysctl remediation (RHBZ#2079241)
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2082556)
- Update RHEL8 STIG profile to V1R6 (RHBZ#2082556)
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)