import scap-security-guide-0.1.60-9.el8_6

CentOS Sources 2022-06-28 06:57:31 -04:00 committed by root
parent c7b3389e28
commit 78369b4189
10 changed files with 7317 additions and 1 deletions


@ -0,0 +1,24 @@
From 4385fd471749b21fd2e7e5febe7ba273592a0633 Mon Sep 17 00:00:00 2001
From: Andrew Becker <A-Beck@users.noreply.github.com>
Date: Wed, 30 Mar 2022 16:58:04 -0400
Subject: [PATCH] Fix variable path access issue
Reference the path in the item dictionary, instead of the item dictionary itself
Addresses Issue #8275
---
shared/templates/sysctl/ansible.template | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index 3837b313e13..f525cf873f7 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -13,7 +13,7 @@
- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
replace:
- path: "{{ item }}"
+ path: "{{ item.path }}"
regexp: '^[\s]*{{{ SYSCTLVAR }}}'
replace: '#{{{ SYSCTLVAR }}}'
loop: "{{ find_sysctl_d.files }}"
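Review bot: The `regexp` two lines below the fixed `path` matches only a prefix of the parameter name, so `^[\s]*net.ipv4.ip_forward` also comments out `net.ipv4.ip_forward_use_pmtu = 1`, and `net.ipv6.conf.all.accept_ra` hits `accept_ra_defrtr` and `accept_ra_pinfo` in the same file; the unescaped dots in `{{{ SYSCTLVAR }}}` additionally match any character. Anchoring on the assignment separator fixes the prefix case: `regexp: '^[\s]*({{{ SYSCTLVAR }}}[\s]*=)'` with `replace: '#\1'`; escaping the dots is a separate improvement if the template engine offers a filter for it. The `find` task that feeds this loop starts before the hunk, and the bash template later in this series uses a grep of the same shape.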


@ -0,0 +1,32 @@
From 2a7e57d7714e9931ec4d43a0d25269258dd4af2a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 17 May 2022 10:24:26 +0200
Subject: [PATCH] Do not include symlink_state in 5.10 content
The symlink_test, object and state were added in OVAL 5.11. These
elements should not be included in OVAL 5.10 content because they break
validation.
---
shared/templates/sysctl/oval.template | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index e21b0344cb6..207052664a4 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -222,7 +222,6 @@
<unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
<filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>
</unix:symlink_object>
-{{% endif %}}
<!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
^/etc/sysctl.conf$
@@ -232,6 +231,7 @@
<unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">
<unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
</unix:symlink_state>
+{{% endif %}}
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
<object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
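Review bot: The `canonical_path` pattern treats anything below `/etc/sysctl.d/`, `/run/sysctl.d/` or `/usr/lib/sysctl.d/` as "in the default dirs", but the `textfilecontent54_object`s elsewhere in this template only read direct `*.conf` children of those directories (path plus filename pattern, no recursion), so a symlink such as `/etc/sysctl.d/90-x.conf -> /etc/sysctl.d/archive/x.conf` (or one pointing at a non-`.conf` name) is dropped from the file count while its target is never scanned itself, and a second definition reached only through that link is invisible to the defined-in-one-file test. Restricting the exclusion to targets that are scanned closes that gap: `^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/[^\/]+\.conf$)).*$`. The enclosing `{{% if %}}` block and the symlink object start before this hunk.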


@ -0,0 +1,42 @@
From 484ceb5641f53a8f3b505099a3bebb8d5e481f1a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 6 May 2022 11:31:31 +0200
Subject: [PATCH] Restrict the symlink test to OVAL 5.11
The symlink_test was added in OVAL 5.11 and is not availble in 5.10.
The 5.10 version of the sysctl template will not check for sysctl
options defined in more than on file.
---
shared/templates/sysctl/oval.template | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index ba4e65cbaef..53456a90a01 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -114,7 +114,9 @@
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
</criteria>
+{{% if target_oval_version >= [5, 11] %}}
<criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+{{% endif %}}
</criteria>
</definition>
@@ -140,6 +142,7 @@
{{{ state_static_sysctld("usr_lib_sysctld") }}}
</ind:textfilecontent54_test>
+{{% if target_oval_version >= [5, 11] %}}
<ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
<ind:object object_ref="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
@@ -214,6 +217,7 @@
<unix:symlink_object comment="syctl symlinks" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
<unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
</unix:symlink_object>
+{{% endif %}}
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
<object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
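Review bot: Nothing in the generated 5.10 content records that the duplicate-definition criterion is left out, so a scanner limited to OVAL 5.10 silently evaluates a weaker definition than the 5.11 one and the only trace is this patch's description. An XML comment emitted from an `{{% else %}}` branch of the first guard would make that visible in the artifact itself, e.g. `<!-- OVAL 5.10 content: the check that {{{ SYSCTLID }}} is defined in only one file is omitted; it needs symlink_test (OVAL 5.11+) -->`. The enclosing `<criteria>` and `<definition>` start before the hunk.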


@ -0,0 +1,145 @@
From 2275e47e111ba89595658f5d91964454c1a65323 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 19:21:04 +0200
Subject: [PATCH 1/3] Add tests to ensure valid symlinks are checked
These sysctl tests help check cases when:
- A symlink points to a file out of the default default dirs
- Multile symlinks point to the same file in the default dirs
Symlinks are a valid use case how to configure sysctls.
---
.../tests/symlink_root_duplicate.fail.sh | 15 +++++++++++++++
.../tests/symlink_root_incompliant.fail.sh | 15 +++++++++++++++
.../tests/symlinks_to_same_file.pass.sh | 14 ++++++++++++++
3 files changed, 44 insertions(+)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
new file mode 100644
index 00000000000..c4f756a110f
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_duplicate.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Put a config file out of the default dirs
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /root/root-sysctl.conf
+
+# Add a symlink
+ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
new file mode 100644
index 00000000000..3b67676ac69
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_root_incompliant.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Put a config file out of the default dirs
+echo "net.ipv4.conf.default.accept_source_route = 1" >> /root/root-sysctl.conf
+
+# Add a symlink
+ln -s /root/root-sysctl.conf /etc/sysctl.d/90-root.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
new file mode 100644
index 00000000000..6164d0b1ca9
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlinks_to_same_file.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Multiple symliks to the same file should be ignored
+ln -s /etc/sysctl.conf /etc/sysctl.d/90-sysctl.conf
+ln -s /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
+
From 4f4bb24620338b2ff8f59d173b575d2089618357 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 19:23:41 +0200
Subject: [PATCH 2/3] Filter out symlinks referencing default dirs
Apply a filter on the collected symlinks and exclude the ones that
don't point to the default dirs.
In other words, only remove ignore options in symlinks if the files they
reference will be scanned anyway, because they are in the one of the
default dirs.
---
shared/templates/sysctl/oval.template | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 0b5cde45045..ac395d545c3 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -217,10 +217,20 @@
<!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
Workaround by querying for all conf files found -->
- <unix:symlink_object comment="syctl symlinks" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
+ <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
<unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
+ <filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>
</unix:symlink_object>
+ <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
+ ^/etc/sysctl.conf$
+ ^/etc/sysctl.d/.*$
+ ^/run/sysctl.d/.*$
+ ^/usr/lib/sysctl.d/.*$ -->
+ <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">
+ <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
+ </unix:symlink_state>
+
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
<object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
</local_variable>
From 156291af3ae48fc0dff668b05e9e0bbdd42868b2 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 6 May 2022 11:49:00 +0200
Subject: [PATCH 3/3] Consider file/link/dir while applying ansible remediation
on sysctl template.
---
shared/templates/sysctl/ansible.template | 1 +
1 file changed, 1 insertion(+)
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index f525cf873f7..5a178fa7f49 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -9,6 +9,7 @@
paths: "/etc/sysctl.d/"
contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
patterns: "*.conf"
+ file_type: any
register: find_sysctl_d
- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
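Review bot: `file_type: any` in the `find` task also returns directories and, as I read the module, applies the `contains` filter only to regular files (with the default `follow: false` the symlink's own inode is stat'ed), so every `*.conf` symlink in `/etc/sysctl.d` is handed to the `replace` loop regardless of content and a directory named `*.conf` makes `replace` fail the play. `file_type: file` together with `follow: true` keeps symlinks-to-files (stat resolves them), keeps `contains` effective and excludes directories; if `any` is kept, the loop needs a guard such as `when: not item.isdir`. The rest of the `find` task and the `replace` task are outside this hunk.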


@ -0,0 +1,115 @@
From e1c1930d252dee6ba7ef21b856ed1651e82f57ab Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 6 May 2022 13:32:34 +0200
Subject: [PATCH] Don't scan dir with preconfigured sysctls in RHEL
With the introduction of checks for options defined in multiple
files
the pre-configured sysctls became prominent and started to cause
rules
to fail.
In /usr/lib/sysctl.d there are sysctl options defined by systemd and
other packages. The files in witch these options are defined are not
meant to be edited, these options should be overriden by options in
dirs of higher priorrity, like /etc/sysctl.d, or /etc/sysctl.conf.
Remediating these files will cause problems with rule
rpm_verify_hashes,
as these files are not RPM config files.
As the sysctl remediations don't edit the pre-configured files the
rule will always result in error.
This commit removes the checks for the pre-configured directory,
i.e. /usr/lib/sysctl.d/.
The end result is that any sysctl option that is pre-configured in
/usr/lib/sysctl.d will be defined in two files, the pre-configured
one
ane /etc/sysctl.conf.
The sysctl option in effect should be the one configured in
/etc/sysctl.conf as this file has the highest priority for sysctl.
---
docs/templates/template_reference.md | 12 +++++++++++-
shared/templates/sysctl/oval.template | 8 ++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
index fef4679..d49511a 100644
--- a/docs/templates/template_reference.md
+++ b/docs/templates/template_reference.md
@@ -717,10 +717,20 @@ The selected value can be changed in the profile (consult the actual variable fo
```
#### sysctl
-- Checks sysctl parameters. The OVAL definition checks both
+- Checks sysctl parameters. The OVAL definition checks both static
configuration and runtime settings and require both of them to be
set to the desired value to return true.
+ The following file and directories are checked for static
+ sysctl configurations:
+ - /etc/sysct.conf
+ - /etc/sysct.d/\*.conf
+ - /run/sysct.d/\*.conf
+ - /usr/lib/sysct.d/\*.conf (does not apply to RHEL)
+
+ A sysctl option defined in more then one file within the scanned directories
+ will result in `fail`.
+
- Parameters:
- **sysctlvar** - name of the sysctl value, eg.
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 2794638..b692ee3 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -98,8 +98,10 @@
test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
+{{% if "rhel" not in product %}}
<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+{{% endif %}}
</criteria>
<criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
</criteria>
@@ -117,9 +119,11 @@
{{{ state_static_sysctld("run_sysctld") }}}
</ind:textfilecontent54_test>
+{{% if "rhel" not in product %}}
<ind:textfilecontent54_test check="all" comment="{{{ SYSCTLVAR }}} static configuration in /etc/sysctl.d/*.conf" id="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
{{{ state_static_sysctld("usr_lib_sysctld") }}}
</ind:textfilecontent54_test>
+{{% endif %}}
<ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
@@ -229,7 +233,9 @@
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
<set>
<object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% if "rhel" not in product %}}
<object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
+{{% endif %}}
</set>
</ind:textfilecontent54_object>
@@ -250,11 +256,13 @@
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
+{{% if "rhel" not in product %}}
<ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ SYSCTLID }}}" version="1">
<ind:path>/usr/lib/sysctl.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
{{{ sysctl_match() }}}
</ind:textfilecontent54_object>
+{{% endif %}}
{{% if SYSCTLVAL == "" %}}
<ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
--
2.34.1
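Review bot: The new list of scanned locations in template_reference.md, and the objects it describes, leave out `/usr/local/lib/sysctl.d`, which `sysctl --system` and systemd-sysctl read between `/etc/sysctl.d` and `/usr/lib/sysctl.d`; an option set there is neither value-checked statically nor counted by the defined-in-one-file test, so that test can pass on a host where the option really is defined twice. Either add a `textfilecontent54_object` for that directory in the same shape as the `/usr/lib/sysctl.d` one, or say in the doc list that it is intentionally not scanned. Separately, the four new doc bullets spell the paths `/etc/sysct.conf` and `sysct.d`; they should read `sysctl.conf` and `sysctl.d`.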


@ -0,0 +1,190 @@
From b08b310a02e022d280b76e89282c8b8dcf3b9b55 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 10:02:05 +0200
Subject: [PATCH 1/3] Filter out symlinks
Create a list of paths to symlinks to filter out from the count of
unique filpaths.
---
shared/templates/sysctl/oval.template | 29 ++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 97487d6114e..1f30ad86ceb 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -168,9 +168,36 @@
</count>
</local_variable>
+ <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
+ <set>
+ <object_reference>object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}</object_reference>
+ <filter action="exclude">state_{{{ SYSCTLID }}}_filepath_is_symlink</filter>
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_{{{ SYSCTLID }}}_filepath_is_symlink" version="1">
+ <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_symlinks_{{{ SYSCTLID }}}" datatype="string" />
+ </ind:textfilecontent54_state>
+
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ SYSCTLID }}}" version="1">
+ <unique>
+ <object_component object_ref="object_{{{ SYSCTLID }}}_symlinks" item_field="filepath" />
+ </unique>
+ </local_variable>
+
+ <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
+ Workaround by querying for all conf files found -->
+ <unix:symlink_object comment="syctl symlinks" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
+ <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
+ </unix:symlink_object>
+
+ <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
+ <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
+ </local_variable>
+
<!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
variable to have no value even when there are valid objects. -->
- <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
+ <ind:textfilecontent54_object id="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" version="1">
<set>
<object_reference>object_static_etc_sysctls_{{{ SYSCTLID }}}</object_reference>
<object_reference>object_static_run_usr_sysctls_{{{ SYSCTLID }}}</object_reference>
From 29bf2a53d29624aa21fe91d5ad0ee34260514b6f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 11:18:46 +0200
Subject: [PATCH 2/3] Avoid using empty variable when no symlinks exist
This avoids directly referencing a variable that may have no values.
If no symlinks are found, 'local_var_symlinks_{{{ SYSCTLID }}}' will
have "no values".
Using this variable in the state comparison will automatically cause the
definition to evaluate to "unknown".
What we do here is inject a blank string with the use of <set>, this
way, when no symlinks are found, the variable has a single blank string.
---
shared/templates/sysctl/oval.template | 32 ++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 1f30ad86ceb..0b5cde45045 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -176,9 +176,39 @@
</ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_{{{ SYSCTLID }}}_filepath_is_symlink" version="1">
- <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_symlinks_{{{ SYSCTLID }}}" datatype="string" />
+ <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_safe_symlinks_{{{ SYSCTLID }}}" datatype="string" />
</ind:textfilecontent54_state>
+ <!-- <no simlink handling> -->
+ <!-- We craft a variable with blank string to combine with the symlink paths found.
+ This ultimately avoids referencing a variable with "no values",
+ we reference a variable with a blank string -->
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_safe_symlinks_{{{ SYSCTLID }}}" version="1">
+ <unique>
+ <object_component object_ref="var_object_symlink_{{{ SYSCTLID }}}" item_field="value" />
+ </unique>
+ </local_variable>
+
+ <ind:variable_object id="var_object_symlink_{{{ SYSCTLID }}}" comment="combine the blank string with symlink paths found" version="1">
+ <set>
+ <object_reference>var_obj_symlink_{{{ SYSCTLID }}}</object_reference>
+ <object_reference>var_obj_blank_{{{ SYSCTLID }}}</object_reference>
+ </set>
+ </ind:variable_object>
+
+ <ind:variable_object id="var_obj_blank_{{{ SYSCTLID }}}" comment="variable object of the blank string" version="1">
+ <ind:var_ref>local_var_blank_path_{{{ SYSCTLID }}}</ind:var_ref>
+ </ind:variable_object>
+
+ <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ SYSCTLID }}}" version="1">
+ <literal_component datatype="string"></literal_component>
+ </local_variable>
+
+ <ind:variable_object id="var_obj_symlink_{{{ SYSCTLID }}}" comment="variable object of the symlinks found" version="1">
+ <ind:var_ref>local_var_symlinks_{{{ SYSCTLID }}}</ind:var_ref>
+ </ind:variable_object>
+ <!-- </no simlink handling> -->
+
<local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ SYSCTLID }}}" version="1">
<unique>
<object_component object_ref="object_{{{ SYSCTLID }}}_symlinks" item_field="filepath" />
From 7e9e091517131d30c60a649795d477435017c97b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 11:41:13 +0200
Subject: [PATCH 3/3] Add test scenarios for sysctl symlink
---
.../tests/symlink_different_option.pass.sh | 15 +++++++++++++++
.../tests/symlink_repeated_sysctl_conf.pass.sh | 11 +++++++++++
.../tests/symlink_same_option.fail.sh | 15 +++++++++++++++
3 files changed, 41 insertions(+)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh
new file mode 100644
index 00000000000..714a8815134
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Configure a different sysctl option
+echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/90-test.conf
+
+# Add a symlink
+ln -s /etc/sysctl.d/90-test.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh
new file mode 100644
index 00000000000..1fbbf1b0675
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+ln -s /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh
new file mode 100644
index 00000000000..51530f6e80c
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Configure the same sysctl option
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/90-test.conf
+
+# and add a symlink
+ln -s /etc/sysctl.d/90-test.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
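Review bot: The three variable objects added in patch 2/3 are named `var_object_symlink_…`, `var_obj_symlink_…` and `var_obj_blank_…`, differing only by `object` versus `obj`, so the set container and its members are easy to confuse when reading the `<set>`; names that say what each holds, e.g. `object_symlink_paths_or_blank_` for the union and `object_symlink_paths_` / `object_blank_path_` for the members, would read better, and the `<!-- <no simlink handling> -->` markers spell symlink wrong. The remainder of the template around these hunks is outside SOURCE.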


@ -0,0 +1,241 @@
From 21177e5d44dfd6f4fa6de79737c1e55c4b22660a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 3 May 2022 10:49:44 +0200
Subject: [PATCH] Edited PR_8656 to apply on 0.1.60
---
.../one_sysctl_conf_one_sysctl_d.fail.sh | 11 +++
.../tests/two_sysctls_on_d.fail.sh | 11 +++
.../tests/two_sysctls_on_same_file.pass.sh | 11 +++
.../two_sysctls_on_same_file_name.fail.sh | 11 +++
shared/templates/sysctl/bash.template | 2 +-
shared/templates/sysctl/oval.template | 99 +++++++++++++------
6 files changed, 114 insertions(+), 31 deletions(-)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
new file mode 100644
index 0000000..b2bc2f8
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/duplicate.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
new file mode 100644
index 0000000..49a8f2e
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/first.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/duplicate.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
new file mode 100644
index 0000000..548e616
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
new file mode 100644
index 0000000..487691d
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
index 6c82e6e..d68956f 100644
--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
@@ -6,7 +6,7 @@
# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf ; do
- matching_list=$(grep -P '^(?!#).*[\s]+{{{ SYSCTLVAR }}}.*$' $f | uniq )
+ matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
if ! test -z "$matching_list"; then
while IFS= read -r entry; do
# comment out "{{{ SYSCTLVAR }}}" matches to preserve user data
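Review bot: The new pattern on the changed line still matches `{{{ SYSCTLVAR }}}` anywhere in a line that does not start with `#` — `.*[\s]*` in front of the name reduces to `.*`, and nothing delimits the name after it — so a line setting a longer parameter that contains this one as a substring, or a line that only mentions it in a trailing comment, is also commented out. Anchoring the name and requiring the `=` that follows it, the same shape the OVAL template's `sysctl_match` uses in this patch, avoids that: `matching_list=$(grep -P '^(?!#)[\s]*{{{ SYSCTLVAR }}}[\s]*=.*$' "$f" | uniq )`. This form also skips comments that begin after leading whitespace, which the current `(?!#)` lookahead lets through, and quotes `$f`. The unescaped dots in the expanded name remain regex wildcards, but with the `=` anchor that is unlikely to matter in practice. The `for` loop this line sits in continues outside the hunk.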
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 646f5f3..fd19f8b 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -1,3 +1,9 @@
+{{%- if SYSCTLVAL == "" %}}
+{{%- set COMMENT_VALUE="the appropriate value" %}}
+{{%- else %}}
+{{%- set COMMENT_VALUE=SYSCTLVAL %}}
+{{%- endif %}}
+
{{% macro state_static_sysctld(prefix) -%}}
<ind:object object_ref="object_static_{{{ prefix }}}_{{{ SYSCTLID }}}" />
{{%- if SYSCTLVAL == "" %}}
@@ -6,7 +12,7 @@
{{%- endmacro -%}}
{{%- macro sysctl_match() -%}}
{{%- if SYSCTLVAL == "" -%}}
- <ind:pattern operation="pattern match">(?:^|.*\n)[^#]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*\n</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
{{%- else -%}}
{{% if OPERATION == "pattern match" %}}
@@ -53,20 +59,12 @@
<def-group>
<definition class="compliance" id="sysctl_runtime_{{{ SYSCTLID }}}" version="3">
- {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + ("'" + SYSCTLVAL + "'") if SYSCTLVAL else " the appropriate value" + " in the system runtime.") }}}
+ {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}}
<criteria operator="AND">
-{{%- if SYSCTLVAL == "" %}}
- <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to the appropriate value" test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}" />
-{{%- else %}}
- <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}}" test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}" />
-{{%- endif %}}
+ <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}" test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}"/>
</criteria>
</definition>
-{{% if SYSCTLVAL == "" %}}
- <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to the appropriate value" id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
-{{%- else %}}
- <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}}" id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
-{{%- endif %}}
+ <unix:sysctl_test id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1" comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}" check="all" check_existence="all_exist">
<unix:object object_ref="object_sysctl_runtime_{{{ SYSCTLID }}}" />
<unix:state state_ref="state_sysctl_runtime_{{{ SYSCTLID }}}" />
</unix:sysctl_test>
@@ -96,25 +94,21 @@
<def-group>
<definition class="compliance" id="sysctl_static_{{{ SYSCTLID }}}" version="3">
- {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + ("'" + SYSCTLVAL + "'") if SYSCTLVAL else " the appropriate value" + " in the system configuration.") }}}
-{{%- if SYSCTLVAL == "" %}}
- <criteria operator="OR">
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /etc/sysctl.conf" test_ref="test_static_sysctl_{{{ SYSCTLID }}}" />
- <!-- see sysctl.d(5) -->
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}" />
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /run/sysctl.d/*.conf" test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}" />
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" />
- </criteria>
-{{%- else %}}
-
- <criteria operator="OR">
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /etc/sysctl.conf" test_ref="test_static_sysctl_{{{ SYSCTLID }}}" />
- <!-- see sysctl.d(5) -->
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /etc/sysctl.d/*.conf" test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}" />
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /run/sysctl.d/*.conf" test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}" />
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /usr/lib/sysctl.d/*.conf" test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" />
+ {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}
+ <criteria operator="AND">
+ <criteria operator="OR">
+ <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.conf"
+ test_ref="test_static_sysctl_{{{ SYSCTLID }}}"/>
+ <!-- see sysctl.d(5) -->
+ <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.d/*.conf"
+ test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
+ <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
+ test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
+ <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
+ test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
+ </criteria>
+ <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
</criteria>
-{{%- endif %}}
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="{{{ SYSCTLVAR }}} static configuration" id="test_static_sysctl_{{{ SYSCTLID }}}" version="1">
@@ -133,6 +127,51 @@
{{{ state_static_sysctld("usr_lib_sysctld") }}}
</ind:textfilecontent54_test>
+ <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
+ id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
+ <ind:object object_ref="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+ <ind:state state_ref="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
+ </ind:variable_test>
+
+ <ind:variable_object id="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
+ <ind:var_ref>local_var_unique_sysctl_{{{ SYSCTLID }}}_counter</ind:var_ref>
+ </ind:variable_object>
+
+ <ind:variable_state id="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
+ <ind:value operation="equals" datatype="int">1</ind:value>
+ </ind:variable_state>
+
+ <local_variable comment="Count unique sysctls" datatype="int" id="local_var_unique_sysctl_{{{ SYSCTLID }}}_counter" version="1">
+ <count>
+ <unique>
+ <object_component object_ref="object_static_set_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
+ </unique>
+ </count>
+ </local_variable>
+
+ <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
+ variable to have no value even when there are valid objects. -->
+ <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
+ <set>
+ <object_reference>object_static_etc_sysctls_{{{ SYSCTLID }}}</object_reference>
+ <object_reference>object_static_run_usr_sysctls_{{{ SYSCTLID }}}</object_reference>
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ SYSCTLID }}}" version="1">
+ <set>
+ <object_reference>object_static_sysctl_{{{ SYSCTLID }}}</object_reference>
+ <object_reference>object_static_etc_sysctld_{{{ SYSCTLID }}}</object_reference>
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
+ <set>
+ <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
+ <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
+ </set>
+ </ind:textfilecontent54_object>
+
<ind:textfilecontent54_object id="object_static_sysctl_{{{ SYSCTLID }}}" version="1">
<ind:filepath>/etc/sysctl.conf</ind:filepath>
{{{ sysctl_match() }}}
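Review bot: The uniqueness test counts distinct `filepath` values across all four configuration locations (the `item_field="filepath"` component over the nested sets that end with `object_static_run_usr_sysctls`), but sysctl.d(5) states that a file in /etc/sysctl.d masks a same-named file in /run/sysctl.d and /usr/lib/sysctl.d, so a vendor-shipped default plus the administrator's same-named override — both carrying the compliant value — would, as far as the visible objects show, yield a count of 2 and fail the rule. Either the masked directories should be left out of the set, or the comment above `object_static_set_sysctls` should say explicitly that a definition in more than one file, masked or not, is treated as a failure. Separately, the id `oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file` is misspelled; it is used consistently in the `variable_object` and the `object_ref`, so the content validates, but both places should read `object_sysctl_{{{ SYSCTLID }}}_defined_in_one_file`.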
--
2.34.1


@ -0,0 +1,88 @@
From 1c403af00f39fcfa3c7cf898b1e832d4580cfb59 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 5 May 2022 10:28:34 +0200
Subject: [PATCH] PR #8704 edited manually
- Restrict test to sysctl.conf and /usr/sysctl.d
- Separate the state from the object and check it
---
.../tests/wrong_value_d_directory.fail.sh | 12 ++++++------
shared/templates/sysctl/oval.template | 18 ++++++++++--------
2 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
index 48a2665..5fb8ddc 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/tests/wrong_value_d_directory.fail.sh
@@ -5,19 +5,19 @@
setting_name="kernel.randomize_va_space"
setting_value="2"
# sysctl -w "$setting_name=$setting_value"
-if grep -q "^$setting_name" /usr/lib/sysctl.d/50-sysctl.conf; then
- sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /usr/lib/sysctl.d/50-sysctl.conf
+if grep -q "^$setting_name" /etc/sysctl.conf; then
+ sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.conf
else
- echo "$setting_name = $setting_value" >> /usr/lib/sysctl.d/50-sysctl.conf
+ echo "$setting_name = $setting_value" >> /etc/sysctl.conf
fi
setting_name="kernel.randomize_va_space"
setting_value="0"
# sysctl -w "$setting_name=$setting_value"
-if grep -q "^$setting_name" /etc/sysctl.d/99-sysctl.conf; then
- sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.d/99-sysctl.conf
+if grep -q "^$setting_name" /etc/sysctl.d/98-sysctl.conf; then
+ sed -i "s/^$setting_name.*/$setting_name = $setting_value/" /etc/sysctl.d/98-sysctl.conf
else
- echo "$setting_name = $setting_value" >> /etc/sysctl.d/99-sysctl.conf
+ echo "$setting_name = $setting_value" >> /etc/sysctl.d/98-sysctl.conf
fi
sysctl --system
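Review bot: The switch from `99-sysctl.conf` to `98-sysctl.conf` is not explained in the script; on RHEL-family systems `/etc/sysctl.d/99-sysctl.conf` is commonly a symlink to `../sysctl.conf`, so appending to it would have written the wrong value into `/etc/sysctl.conf` itself rather than into a separate drop-in, which is presumably the reason for the rename. A comment above the second `grep -q` would keep the next editor from "fixing" it back: `# not 99-sysctl.conf: it is usually a symlink to /etc/sysctl.conf, and the wrong value must land in a separate file`. The two commented-out `# sysctl -w` lines are dead code and could be dropped at the same time.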
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 564cc33..97f1e05 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -6,21 +6,15 @@
{{% macro state_static_sysctld(prefix) -%}}
<ind:object object_ref="object_static_{{{ prefix }}}_{{{ SYSCTLID }}}" />
-{{%- if SYSCTLVAL == "" %}}
<ind:state state_ref="state_static_sysctld_{{{ SYSCTLID }}}" />
-{{%- endif -%}}
{{%- endmacro -%}}
{{%- macro sysctl_match() -%}}
{{%- if SYSCTLVAL == "" -%}}
<ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
{{%- else -%}}
-{{% if OPERATION == "pattern match" %}}
- <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*{{{ SYSCTLVAL_REGEX }}}[\s]*$</ind:pattern>
-{{% else %}}
- <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*{{{ SYSCTLVAL }}}[\s]*$</ind:pattern>
-{{% endif %}}
- <ind:instance datatype="int">1</ind:instance>
+ <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
{{%- endif -%}}
{{%- endmacro -%}}
{{%- if "P" in FLAGS -%}}
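Review bot: The greedy `(.*)` in the new else-branch pattern of `sysctl_match` also captures trailing whitespace, because `[\s]*$` only receives what `.*` leaves behind, so the subexpression compared by the state added in the following hunk includes any trailing blanks; with `operation="equals"` or `datatype="int"` a line such as `kernel.randomize_va_space = 2 ` (trailing space) now fails where the removed inline `[\s]*{{{ SYSCTLVAL }}}[\s]*$` form passed. A lazy capture limits the comparison to the value itself: `<ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*?)[\s]*$</ind:pattern>` (textfilecontent54 patterns are multiline by default, so `$` is end of line here). Relatedly, when `OPERATION` is `pattern match` the state in the next hunk matches `{{{ SYSCTLVAL_REGEX }}}` against the captured value as what appears to be an unanchored search, whereas the removed form bounded it by `=[\s]*` and `[\s]*$`; unless every `SYSCTLVAL_REGEX` anchors itself, wrapping it as `^(?:{{{ SYSCTLVAL_REGEX }}})$` in that state restores the previous strictness.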
@@ -258,6 +252,14 @@
</ind:textfilecontent54_state>
<external_variable comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}" id="sysctl_{{{ SYSCTLID }}}_value" version="1" />
+{{% else %}}
+ <ind:textfilecontent54_state id="state_static_sysctld_{{{ SYSCTLID }}}" version="1">
+{{% if OPERATION == "pattern match" %}}
+ <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL_REGEX }}}</ind:subexpression>
+{{% else %}}
+ <ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL }}}</ind:subexpression>
+{{% endif %}}
+ </ind:textfilecontent54_state>
{{% endif %}}
</def-group>
{{%- endif -%}}
--
2.34.1



@ -6,7 +6,7 @@
Name: scap-security-guide
Version: 0.1.60
Release: 7%{?dist}
Release: 9%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System
@ -65,6 +65,15 @@ Patch43: scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.p
Patch44: scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch
Patch45: scap-security-guide-0.1.61-delta_tailoring_fix-PR_8262.patch
Patch46: scap-security-guide-0.1.61-resize-anssi-kickstart-partitions-PR_8261.patch
Patch47: scap-security-guide-0.1.62-sysctl_parameter_on_single_file-PR_8656.patch
Patch48: scap-security-guide-0.1.62-sysctl_filter_symlinks_out-PR_8698.patch
Patch49: scap-security-guide-0.1.62-sysctl_separate_object_from_state-PR_8704.patch
Patch50: scap-security-guide-0.1.62-sysctl_dont_ignore_all_symlinks-PR_8707.patch
Patch51: scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch
Patch52: scap-security-guide-0.1.62-sysctl-restrict_symlink_test_to_oval_5_10-PR_8721.patch
Patch53: scap-security-guide-0.1.62-update_rhel8_stig_v1r6-PR_8670.patch
Patch54: scap-security-guide-0.1.62-fix_oval_5_10_validation-PR_8782.patch
Patch55: scap-security-guide-0.1.62-fix_loop_variable_path-PR_8462.patch
BuildRequires: libxslt
BuildRequires: expat
@ -169,6 +178,14 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
%endif
%changelog
* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
- Fix validation of OVAL 5.10 content (RHBZ#2082556)
- Fix Ansible sysctl remediation (RHBZ#2082556)
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2082556)
- Update RHEL8 STIG profile to V1R6 (RHBZ#2082556)
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)