OSPP: fix rule related to coredump.
Resolves: RHBZ#2081688
This commit is contained in:
parent
3453b75d6f
commit
fabf824399
@ -0,0 +1,826 @@
|
|||||||
|
From 796d3630621847b478896ee4a773cdb605821882 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 18 Aug 2022 13:06:49 +0200
|
||||||
|
Subject: [PATCH 1/8] Create custom sysctl_kernel_core_pattern_empty_string
|
||||||
|
content.
|
||||||
|
|
||||||
|
---
|
||||||
|
.../ansible/shared.yml | 32 +++
|
||||||
|
.../bash/shared.sh | 60 +++++
|
||||||
|
.../oval/shared.xml | 221 ++++++++++++++++++
|
||||||
|
.../rule.yml | 23 +-
|
||||||
|
.../tests/correct_value.pass.sh | 10 +
|
||||||
|
.../tests/wrong_value.fail.sh | 10 +
|
||||||
|
.../tests/wrong_value_three_entries.fail.sh | 11 +
|
||||||
|
.../tests/wrong_value_two_entries.fail.sh | 10 +
|
||||||
|
products/rhel9/profiles/ospp.profile | 2 +-
|
||||||
|
9 files changed, 366 insertions(+), 13 deletions(-)
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..a6e7bf54b56
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
@@ -0,0 +1,32 @@
|
||||||
|
+# platform = multi_platform_all
|
||||||
|
+# reboot = true
|
||||||
|
+# strategy = disable
|
||||||
|
+# complexity = low
|
||||||
|
+# disruption = medium
|
||||||
|
+- name: List /etc/sysctl.d/*.conf files
|
||||||
|
+ find:
|
||||||
|
+ paths:
|
||||||
|
+ - /etc/sysctl.d/
|
||||||
|
+ - /run/sysctl.d/
|
||||||
|
+ contains: ^[\s]*kernel.core_pattern.*$
|
||||||
|
+ patterns: '*.conf'
|
||||||
|
+ file_type: any
|
||||||
|
+ register: find_sysctl_d
|
||||||
|
+- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
|
||||||
|
+ files
|
||||||
|
+ replace:
|
||||||
|
+ path: '{{ item.path }}'
|
||||||
|
+ regexp: ^[\s]*kernel.core_pattern
|
||||||
|
+ replace: '#kernel.core_pattern'
|
||||||
|
+ loop: '{{ find_sysctl_d.files }}'
|
||||||
|
+- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
|
||||||
|
+ replace:
|
||||||
|
+ path: /etc/sysctl.conf
|
||||||
|
+ regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
|
||||||
|
+ replace: '#kernel.core_pattern'
|
||||||
|
+- name: Ensure sysctl kernel.core_pattern is set to empty
|
||||||
|
+ sysctl:
|
||||||
|
+ name: kernel.core_pattern
|
||||||
|
+ value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces
|
||||||
|
+ state: present
|
||||||
|
+ reload: true
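Review bot: The `regexp` of the /etc/sysctl.conf task, `^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+`, is compiled by Python's re module (what the Ansible replace module uses), which has no POSIX bracket classes: `[[:blank:]]` parses as a set of the characters `[:blank` followed by a literal `]`, so as far as I can tell the pattern never matches an ordinary `kernel.core_pattern = value` line and the task is effectively a no-op (Python 3.7+ also warns about the nested set). Use `[ \t]*` instead, and capture the entry so the original value survives in the comment the way the bash remediation preserves it: `regexp: ^[\s]*(kernel.core_pattern[ \t]*=[ \t]*\S+)` with `replace: '#\1'`. The same `[[:blank:]]` expression is still present in the context lines of the later PATCH 4 hunk against this file, so it needs fixing there too.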
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..989987250bc
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
@@ -0,0 +1,60 @@
|
||||||
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||||
|
+# reboot = true
|
||||||
|
+# strategy = disable
|
||||||
|
+# complexity = low
|
||||||
|
+# disruption = medium
|
||||||
|
+# Remediation is applicable only in certain platforms
|
||||||
|
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
|
||||||
|
+
|
||||||
|
+# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files
|
||||||
|
+
|
||||||
|
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
|
||||||
|
+
|
||||||
|
+ matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq )
|
||||||
|
+ if ! test -z "$matching_list"; then
|
||||||
|
+ while IFS= read -r entry; do
|
||||||
|
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
|
||||||
|
+ # comment out "kernel.core_pattern" matches to preserve user data
|
||||||
|
+ sed -i "s/^${escaped_entry}$/# &/g" $f
|
||||||
|
+ done <<< "$matching_list"
|
||||||
|
+ fi
|
||||||
|
+done
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Set runtime for kernel.core_pattern
|
||||||
|
+#
|
||||||
|
+/sbin/sysctl -q -n -w kernel.core_pattern=""
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# If kernel.core_pattern present in /etc/sysctl.conf, change value to empty
|
||||||
|
+# else, add "kernel.core_pattern =" to /etc/sysctl.conf
|
||||||
|
+#
|
||||||
|
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
|
||||||
|
+# Otherwise, regular sed command will do.
|
||||||
|
+sed_command=('sed' '-i')
|
||||||
|
+if test -L "/etc/sysctl.conf"; then
|
||||||
|
+ sed_command+=('--follow-symlinks')
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+# Strip any search characters in the key arg so that the key can be replaced without
|
||||||
|
+# adding any search characters to the config file.
|
||||||
|
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern")
|
||||||
|
+
|
||||||
|
+# shellcheck disable=SC2059
|
||||||
|
+printf -v formatted_output "%s=" "$stripped_key"
|
||||||
|
+
|
||||||
|
+# If the key exists, change it. Otherwise, add it to the config_file.
|
||||||
|
+# We search for the key string followed by a word boundary (matched by \>),
|
||||||
|
+# so if we search for 'setting', 'setting2' won't match.
|
||||||
|
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then
|
||||||
|
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
|
||||||
|
+ "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
|
||||||
|
+else
|
||||||
|
+ # \n is precaution for case where file ends without trailing newline
|
||||||
|
+
|
||||||
|
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+else
|
||||||
|
+ >&2 echo 'Remediation is not applicable, nothing was done'
|
||||||
|
+fi
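Review bot: The /etc/sysctl.conf branch, `LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>"` and the following `sed`, only matches the key in column 0, whereas the OVAL static check added in this patch accepts `^[[:blank:]]*kernel.core_pattern`; an indented entry with a non-empty value therefore survives remediation, `kernel.core_pattern=` is appended after it, and the `check="all"` state still fails. Anchoring both expressions with `^[[:blank:]]*kernel.core_pattern\\>` keeps remediation and check in step. Two smaller items in the same hunk: `for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf` runs grep on the literal glob when a directory has no `.conf` file and `$f` is unquoted, so `[ -e "$f" ] || continue` plus `"$f"` would be safer; and `escaped_entry` escapes only `/`, so a matched line containing other sed metacharacters such as `[` is not reliably commented out.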
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..39654259dcb
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
@@ -0,0 +1,221 @@
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+<def-group>
|
||||||
|
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string" version="3">
|
||||||
|
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
|
||||||
|
+ <criteria operator="AND">
|
||||||
|
+ <extend_definition comment="kernel.core_pattern configuration setting check"
|
||||||
|
+ definition_ref="sysctl_kernel_core_pattern_empty_string_static"/>
|
||||||
|
+ <extend_definition comment="kernel.core_pattern runtime setting check"
|
||||||
|
+ definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
+ </criteria>
|
||||||
|
+ </definition>
|
||||||
|
+</def-group><def-group>
|
||||||
|
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
|
||||||
|
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
|
||||||
|
+ <criteria operator="AND">
|
||||||
|
+ <criterion comment="kernel runtime parameter kernel.core_pattern set to an empty string"
|
||||||
|
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
+ </criteria>
|
||||||
|
+ </definition>
|
||||||
|
+
|
||||||
|
+ <unix:sysctl_test id="test_sysctl_kernel_core_pattern_empty_string_runtime" version="1"
|
||||||
|
+ comment="kernel runtime parameter kernel.core_pattern set to an empty string"
|
||||||
|
+ check="all" check_existence="all_exist" state_operator="OR">
|
||||||
|
+ <unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
+
|
||||||
|
+ <unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
+
|
||||||
|
+ </unix:sysctl_test>
|
||||||
|
+
|
||||||
|
+ <unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||||
|
+ <unix:name>kernel.core_pattern</unix:name>
|
||||||
|
+ </unix:sysctl_object>
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ <unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||||
|
+
|
||||||
|
+ <unix:value datatype="string"
|
||||||
|
+ operation="equals"></unix:value>
|
||||||
|
+
|
||||||
|
+ </unix:sysctl_state>
|
||||||
|
+
|
||||||
|
+</def-group>
|
||||||
|
+<def-group>
|
||||||
|
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_static" version="3">
|
||||||
|
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.") }}}
|
||||||
|
+ <criteria operator="AND">
|
||||||
|
+ <criteria operator="OR">
|
||||||
|
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.conf"
|
||||||
|
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static"/>
|
||||||
|
+ <!-- see sysctl.d(5) -->
|
||||||
|
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.d/*.conf"
|
||||||
|
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
|
||||||
|
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
|
||||||
|
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
|
||||||
|
+
|
||||||
|
+ </criteria>
|
||||||
|
+
|
||||||
|
+ <criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||||
|
+ </criteria>
|
||||||
|
+ </definition>
|
||||||
|
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
|
||||||
|
+ check="all" check_existence="all_exist"
|
||||||
|
+ comment="kernel.core_pattern static configuration" state_operator="OR">
|
||||||
|
+ <ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+
|
||||||
|
+ </ind:textfilecontent54_test>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
|
||||||
|
+ comment="kernel.core_pattern static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
|
||||||
|
+ <ind:object object_ref="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+
|
||||||
|
+ </ind:textfilecontent54_test>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld" version="1" check="all"
|
||||||
|
+ comment="kernel.core_pattern static configuration in /run/sysctl.d/*.conf" state_operator="OR">
|
||||||
|
+ <ind:object object_ref="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
+
|
||||||
|
+ </ind:textfilecontent54_test>
|
||||||
|
+ <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_core_pattern"
|
||||||
|
+ id="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
|
||||||
|
+ <ind:object object_ref="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||||
|
+ <ind:state state_ref="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||||
|
+ </ind:variable_test>
|
||||||
|
+
|
||||||
|
+ <ind:variable_object id="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
|
||||||
|
+ <ind:var_ref>local_var_sysctl_kernel_core_pattern_empty_string_counter</ind:var_ref>
|
||||||
|
+ </ind:variable_object>
|
||||||
|
+
|
||||||
|
+ <ind:variable_state id="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
|
||||||
|
+ <ind:value operation="equals" datatype="int">1</ind:value>
|
||||||
|
+ </ind:variable_state>
|
||||||
|
+
|
||||||
|
+ <local_variable comment="Count unique sysctls" datatype="int" id="local_var_sysctl_kernel_core_pattern_empty_string_counter" version="1">
|
||||||
|
+ <count>
|
||||||
|
+ <unique>
|
||||||
|
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" item_field="filepath" />
|
||||||
|
+ </unique>
|
||||||
|
+ </count>
|
||||||
|
+ </local_variable>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" version="1">
|
||||||
|
+ <set>
|
||||||
|
+ <object_reference>object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered</object_reference>
|
||||||
|
+ <filter action="exclude">state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink</filter>
|
||||||
|
+ </set>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_state id="state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink" version="1">
|
||||||
|
+ <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" datatype="string" />
|
||||||
|
+ </ind:textfilecontent54_state>
|
||||||
|
+
|
||||||
|
+ <!-- <no symlink handling> -->
|
||||||
|
+ <!-- We craft a variable with blank string to combine with the symlink paths found.
|
||||||
|
+ This ultimately avoids referencing a variable with "no values",
|
||||||
|
+ we reference a variable with a blank string -->
|
||||||
|
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" version="1">
|
||||||
|
+ <unique>
|
||||||
|
+ <object_component object_ref="var_object_symlink_sysctl_kernel_core_pattern_empty_string" item_field="value" />
|
||||||
|
+ </unique>
|
||||||
|
+ </local_variable>
|
||||||
|
+
|
||||||
|
+ <ind:variable_object id="var_object_symlink_sysctl_kernel_core_pattern_empty_string" comment="combine the blank string with symlink paths found" version="1">
|
||||||
|
+ <set>
|
||||||
|
+ <object_reference>var_obj_symlink_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ <object_reference>var_obj_blank_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ </set>
|
||||||
|
+ </ind:variable_object>
|
||||||
|
+
|
||||||
|
+ <ind:variable_object id="var_obj_blank_sysctl_kernel_core_pattern_empty_string" comment="variable object of the blank string" version="1">
|
||||||
|
+ <ind:var_ref>local_var_blank_path_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
|
||||||
|
+ </ind:variable_object>
|
||||||
|
+
|
||||||
|
+ <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <literal_component datatype="string"></literal_component>
|
||||||
|
+ </local_variable>
|
||||||
|
+
|
||||||
|
+ <ind:variable_object id="var_obj_symlink_sysctl_kernel_core_pattern_empty_string" comment="variable object of the symlinks found" version="1">
|
||||||
|
+ <ind:var_ref>local_var_symlinks_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
|
||||||
|
+ </ind:variable_object>
|
||||||
|
+ <!-- </no symlink handling> -->
|
||||||
|
+
|
||||||
|
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <unique>
|
||||||
|
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_symlinks" item_field="filepath" />
|
||||||
|
+ </unique>
|
||||||
|
+ </local_variable>
|
||||||
|
+
|
||||||
|
+ <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
|
||||||
|
+ Workaround by querying for all conf files found -->
|
||||||
|
+ <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_sysctl_kernel_core_pattern_empty_string_symlinks" version="1">
|
||||||
|
+ <unix:filepath operation="equals" var_ref="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" />
|
||||||
|
+ <filter action="exclude">state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string</filter>
|
||||||
|
+ </unix:symlink_object>
|
||||||
|
+
|
||||||
|
+ <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
|
||||||
|
+ ^/etc/sysctl.conf$
|
||||||
|
+ ^/etc/sysctl.d/.*$
|
||||||
|
+ ^/run/sysctl.d/.*$
|
||||||
|
+ ^/usr/lib/sysctl.d/.*$ -->
|
||||||
|
+ <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
|
||||||
|
+ </unix:symlink_state>
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
|
||||||
|
+ </local_variable>
|
||||||
|
+
|
||||||
|
+ <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
|
||||||
|
+ variable to have no value even when there are valid objects. -->
|
||||||
|
+ <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" version="1">
|
||||||
|
+ <set>
|
||||||
|
+ <object_reference>object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ <object_reference>object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ </set>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <set>
|
||||||
|
+ <object_reference>object_static_sysctl_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ <object_reference>object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+ </set>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <set>
|
||||||
|
+ <object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
+
|
||||||
|
+ </set>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_static_sysctl_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <ind:filepath>/etc/sysctl.conf</ind:filepath>
|
||||||
|
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
|
||||||
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <ind:path>/etc/sysctl.d</ind:path>
|
||||||
|
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||||
|
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
|
||||||
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+
|
||||||
|
+ <ind:textfilecontent54_object id="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+ <ind:path>/run/sysctl.d</ind:path>
|
||||||
|
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
|
||||||
|
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
|
||||||
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
+ </ind:textfilecontent54_object>
|
||||||
|
+ <ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
+
|
||||||
|
+ <ind:subexpression operation="equals" datatype="string"></ind:subexpression>
|
||||||
|
+
|
||||||
|
+ </ind:textfilecontent54_state>
|
||||||
|
+
|
||||||
|
+</def-group>
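Review bot: `object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string` references only the `/run/sysctl.d` object, so despite its name no textfilecontent54_object in this file reads `/usr/lib/sysctl.d/*.conf`, even though the symlink_state comment lists that directory among the default ones. If leaving vendor drop-ins out of the static check is intentional (the runtime definition still covers the effective value), a comment such as `<!-- /usr/lib/sysctl.d is deliberately not inspected; the runtime test covers the effective value -->` next to that set would stop the next reader from assuming it is covered; otherwise add an object for that path and a criterion for it. Also `</def-group><def-group>` is joined on one line where the rest of the file keeps one element per line.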
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
index dc21f53c98c..2babb28e361 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
|
||||||
|
@@ -1,18 +1,18 @@
|
||||||
|
documentation_complete: true
|
||||||
|
|
||||||
|
-prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
|
||||||
|
+prodtype: rhel9
|
||||||
|
|
||||||
|
title: 'Disable storing core dumps'
|
||||||
|
|
||||||
|
description: |-
|
||||||
|
The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
|
||||||
|
- name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
|
||||||
|
+ name. It can be set to an empty string. In this case, the kernel
|
||||||
|
behaves differently based on another related option. If
|
||||||
|
<tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
|
||||||
|
<tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
|
||||||
|
created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
|
||||||
|
<tt>0</tt>, no coredump is saved.
|
||||||
|
- {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
|
||||||
|
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="") }}}
|
||||||
|
|
||||||
|
rationale: |-
|
||||||
|
A core dump includes a memory image taken at the time the operating system
|
||||||
|
@@ -30,17 +30,16 @@ conflicts:
|
||||||
|
identifiers:
|
||||||
|
cce@rhel9: CCE-86005-6
|
||||||
|
|
||||||
|
+references:
|
||||||
|
+ ospp: FMT_SMF_EXT.1
|
||||||
|
+
|
||||||
|
ocil_clause: |-
|
||||||
|
- the returned line does not have a value of ''.
|
||||||
|
+ the returned line does not have an empty string
|
||||||
|
|
||||||
|
ocil: |
|
||||||
|
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
|
||||||
|
+ The runtime status of the <code>kernel.core_pattern</code> kernel parameter can be queried
|
||||||
|
+ by running the following command:
|
||||||
|
+ <pre>$ sysctl kernel.core_pattern | cat -A</pre>
|
||||||
|
+ <code>kernel.core_pattern = $</code>
|
||||||
|
|
||||||
|
platform: machine
|
||||||
|
-
|
||||||
|
-template:
|
||||||
|
- name: sysctl
|
||||||
|
- vars:
|
||||||
|
- sysctlvar: kernel.core_pattern
|
||||||
|
- sysctlval: "''"
|
||||||
|
- datatype: string
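Review bot: `ocil_clause` now reads `the returned line does not have an empty string`, which does not read naturally once rendered into the OCIL question; `the returned line does not have an empty value` would be clearer. The hand-written `ocil` block relies on `cat -A` to make the empty value visible, so a short trailing sentence such as `A <code>$</code> directly after <code>=</code> indicates the value is empty.` would explain the marker to readers unfamiliar with `cat -A`.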
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..71f0f5db142
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
|
||||||
|
+
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.core_pattern=""
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..1c5fabcc136
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||||
|
+
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.core_pattern="|/bin/false"
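Review bot: The comment `# set correct runtime value to check if the filesystem configuration is evaluated properly` was copied from the pass scenario, but this script sets the wrong value `|/bin/false` at runtime, so both the static and the runtime definitions fail here. Either reword it to `# set a wrong runtime value as well, so both the static and runtime checks fail`, or set the empty runtime value if the intent is to exercise only the static check as the other fail scenarios do.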
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..e56e927ec56
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
|
||||||
|
@@ -0,0 +1,11 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.core_pattern=""
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..6c065b1e038
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.core_pattern=""
|
||||||
|
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
|
||||||
|
index 9fdd1354e38..b1b18261d48 100644
|
||||||
|
--- a/products/rhel9/profiles/ospp.profile
|
||||||
|
+++ b/products/rhel9/profiles/ospp.profile
|
||||||
|
@@ -110,7 +110,7 @@ selections:
|
||||||
|
- package_gnutls-utils_installed
|
||||||
|
|
||||||
|
### Login
|
||||||
|
- - sysctl_kernel_core_pattern
|
||||||
|
+ - sysctl_kernel_core_pattern_empty_string
|
||||||
|
- sysctl_kernel_core_uses_pid
|
||||||
|
- service_systemd-coredump_disabled
|
||||||
|
- var_authselect_profile=minimal
|
||||||
|
|
||||||
|
From a77abaf442d411fe7bc59e94a1c0330163e03a16 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 25 Aug 2022 11:13:04 +0200
|
||||||
|
Subject: [PATCH 2/8] Make the conflicts attribute appblicable only to RHEL9.
|
||||||
|
|
||||||
|
The new rule empty is applicable only to RHEL9 and if there would not be
|
||||||
|
the restriction, then dangling references would be produced.
|
||||||
|
---
|
||||||
|
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
index 1a540ce20b3..e369854060b 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
|
||||||
|
@@ -13,8 +13,10 @@ rationale: |-
|
||||||
|
|
||||||
|
severity: medium
|
||||||
|
|
||||||
|
+{{% if product in ["rhel9"] %}}
|
||||||
|
conflicts:
|
||||||
|
- sysctl_kernel_core_pattern_empty_string
|
||||||
|
+{{% endif %}}
|
||||||
|
|
||||||
|
identifiers:
|
||||||
|
cce@rhcos4: CCE-82527-3
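Review bot: `{{% if product in ["rhel9"] %}}` hard-codes the product list for the `conflicts` entry, duplicating the `prodtype: rhel9` of sysctl_kernel_core_pattern_empty_string; when that rule is extended to other products this guard will silently leave the conflict undeclared there. A one-line Jinja comment above the guard stating that the list must match that rule's `prodtype` would at least flag the coupling for the next maintainer.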
|
||||||
|
|
||||||
|
From ec71ac98b89cc8295324c90b1610a5ff01126895 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 25 Aug 2022 11:16:41 +0200
|
||||||
|
Subject: [PATCH 3/8] Switch bash remediation applicable to all products in
|
||||||
|
sysctl_kernel_core_pattern_empty_string.
|
||||||
|
|
||||||
|
---
|
||||||
|
.../sysctl_kernel_core_pattern_empty_string/bash/shared.sh | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
index 989987250bc..9e84d41056d 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
|
||||||
|
+# platform = multi_platform_all
|
||||||
|
# reboot = true
|
||||||
|
# strategy = disable
|
||||||
|
# complexity = low
|
||||||
|
|
||||||
|
From bac544446d3c5a1d87a2b4934cbb94ebc00d2ce9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 25 Aug 2022 11:23:04 +0200
|
||||||
|
Subject: [PATCH 4/8] Address feedback.
|
||||||
|
|
||||||
|
---
|
||||||
|
.../ansible/shared.yml | 3 +++
|
||||||
|
.../oval/shared.xml | 19 +++++--------------
|
||||||
|
2 files changed, 8 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
index a6e7bf54b56..22a8d99dae8 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
@@ -12,6 +12,7 @@
|
||||||
|
patterns: '*.conf'
|
||||||
|
file_type: any
|
||||||
|
register: find_sysctl_d
|
||||||
|
+
|
||||||
|
- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
|
||||||
|
files
|
||||||
|
replace:
|
||||||
|
@@ -19,11 +20,13 @@
|
||||||
|
regexp: ^[\s]*kernel.core_pattern
|
||||||
|
replace: '#kernel.core_pattern'
|
||||||
|
loop: '{{ find_sysctl_d.files }}'
|
||||||
|
+
|
||||||
|
- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
|
||||||
|
replace:
|
||||||
|
path: /etc/sysctl.conf
|
||||||
|
regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
|
||||||
|
replace: '#kernel.core_pattern'
|
||||||
|
+
|
||||||
|
- name: Ensure sysctl kernel.core_pattern is set to empty
|
||||||
|
sysctl:
|
||||||
|
name: kernel.core_pattern
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
index 39654259dcb..1c3bbfd9a3e 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
|
||||||
|
@@ -10,7 +10,9 @@
|
||||||
|
definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
</criteria>
|
||||||
|
</definition>
|
||||||
|
-</def-group><def-group>
|
||||||
|
+</def-group>
|
||||||
|
+
|
||||||
|
+<def-group>
|
||||||
|
<definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
|
||||||
|
{{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
|
||||||
|
<criteria operator="AND">
|
||||||
|
@@ -23,21 +25,15 @@
|
||||||
|
comment="kernel runtime parameter kernel.core_pattern set to an empty string"
|
||||||
|
check="all" check_existence="all_exist" state_operator="OR">
|
||||||
|
<unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
-
|
||||||
|
<unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
|
||||||
|
-
|
||||||
|
</unix:sysctl_test>
|
||||||
|
|
||||||
|
<unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||||
|
<unix:name>kernel.core_pattern</unix:name>
|
||||||
|
</unix:sysctl_object>
|
||||||
|
|
||||||
|
-
|
||||||
|
<unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
|
||||||
|
-
|
||||||
|
- <unix:value datatype="string"
|
||||||
|
- operation="equals"></unix:value>
|
||||||
|
-
|
||||||
|
+ <unix:value datatype="string" operation="equals"></unix:value>
|
||||||
|
</unix:sysctl_state>
|
||||||
|
|
||||||
|
</def-group>
|
||||||
|
@@ -53,18 +49,17 @@
|
||||||
|
test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
|
||||||
|
<criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
|
||||||
|
test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
|
||||||
|
-
|
||||||
|
</criteria>
|
||||||
|
|
||||||
|
<criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
|
||||||
|
</criteria>
|
||||||
|
</definition>
|
||||||
|
+
|
||||||
|
<ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
|
||||||
|
check="all" check_existence="all_exist"
|
||||||
|
comment="kernel.core_pattern static configuration" state_operator="OR">
|
||||||
|
<ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
<ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
|
||||||
|
-
|
||||||
|
</ind:textfilecontent54_test>
|
||||||
|
|
||||||
|
<ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
|
||||||
|
@@ -165,7 +160,6 @@
|
||||||
|
<unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
|
||||||
|
</unix:symlink_state>
|
||||||
|
|
||||||
|
-
|
||||||
|
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
<object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
|
||||||
|
</local_variable>
|
||||||
|
@@ -189,7 +183,6 @@
|
||||||
|
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
<set>
|
||||||
|
<object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
|
||||||
|
-
|
||||||
|
</set>
|
||||||
|
</ind:textfilecontent54_object>
|
||||||
|
|
||||||
|
@@ -213,9 +206,7 @@
|
||||||
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||||
|
</ind:textfilecontent54_object>
|
||||||
|
<ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
|
||||||
|
-
|
||||||
|
<ind:subexpression operation="equals" datatype="string"></ind:subexpression>
|
||||||
|
-
|
||||||
|
</ind:textfilecontent54_state>
|
||||||
|
|
||||||
|
</def-group>
|
||||||
|
|
||||||
|
From 39bb8e75c95c469a4f6428664f24f7f9688ffa87 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 25 Aug 2022 14:46:15 +0200
|
||||||
|
Subject: [PATCH 5/8] Fix test parse affected to support OVAL with multiple
|
||||||
|
def-group tags.
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/test_parse_affected.py | 26 ++++++++++++++++----------
|
||||||
|
1 file changed, 16 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
|
||||||
|
index 8407794b972..947b56636c0 100755
|
||||||
|
--- a/tests/test_parse_affected.py
|
||||||
|
+++ b/tests/test_parse_affected.py
|
||||||
|
@@ -3,6 +3,7 @@
|
||||||
|
from __future__ import print_function
|
||||||
|
|
||||||
|
import os
|
||||||
|
+import re
|
||||||
|
import sys
|
||||||
|
|
||||||
|
import ssg.constants
|
||||||
|
@@ -73,19 +74,24 @@ def parse_affected(cur_dir, env_yaml):
|
||||||
|
if not xml_content:
|
||||||
|
continue
|
||||||
|
|
||||||
|
- oval_contents = ssg.utils.split_string_content(xml_content)
|
||||||
|
+ # split multiple def group into a list so multiple definitions in one OVAL also work
|
||||||
|
+ # this findall does not preserv the <def-group> tag but it's not necessary for the
|
||||||
|
+ # purpose of the test
|
||||||
|
+ xml_content_list = re.findall(r'<def-group>(.+?)</def-group>', xml_content, re.DOTALL)
|
||||||
|
+ for item in xml_content_list:
|
||||||
|
+ oval_contents = ssg.utils.split_string_content(item)
|
||||||
|
|
||||||
|
- try:
|
||||||
|
- results = ssg.oval.parse_affected(oval_contents)
|
||||||
|
+ try:
|
||||||
|
+ results = ssg.oval.parse_affected(oval_contents)
|
||||||
|
|
||||||
|
- assert len(results) == 3
|
||||||
|
- assert isinstance(results[0], int)
|
||||||
|
- assert isinstance(results[1], int)
|
||||||
|
+ assert len(results) == 3
|
||||||
|
+ assert isinstance(results[0], int)
|
||||||
|
+ assert isinstance(results[1], int)
|
||||||
|
|
||||||
|
- except ValueError as e:
|
||||||
|
- print("No <affected> element found in file {}. "
|
||||||
|
- " Parsed XML was:\n{}".format(oval, xml_content))
|
||||||
|
- raise e
|
||||||
|
+ except ValueError as e:
|
||||||
|
+ print("No <affected> element found in file {}. "
|
||||||
|
+ " Parsed XML was:\n{}".format(oval, item))
|
||||||
|
+ raise e
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
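Review bot: When `re.findall(r'<def-group>(.+?)</def-group>', xml_content, re.DOTALL)` finds nothing — an OVAL file without that literal tag, or one where the tag ever carries attributes — `xml_content_list` is empty, the loop body never runs and the file passes silently, whereas the replaced code would have handed the content to `ssg.oval.parse_affected` and raised. A guard before the loop such as `assert xml_content_list, "No <def-group> found in file {}".format(oval)` keeps the previous strictness. The enclosing `parse_affected` function starts outside this hunk.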
|
||||||
|
|
||||||
|
From 8d6176c1f96f983aaa0134d19cc66fd3c7b29e15 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 25 Aug 2022 15:14:57 +0200
|
||||||
|
Subject: [PATCH 6/8] Fix ansible remediation to preserve old non compliant
|
||||||
|
values.
|
||||||
|
|
||||||
|
Comment out any offending line.
|
||||||
|
---
|
||||||
|
.../ansible/shared.yml | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
index 22a8d99dae8..f4dc5110fee 100644
|
||||||
|
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
|
||||||
|
@@ -24,8 +24,8 @@
|
||||||
|
- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
|
||||||
|
replace:
|
||||||
|
path: /etc/sysctl.conf
|
||||||
|
- regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
|
||||||
|
- replace: '#kernel.core_pattern'
|
||||||
|
+ regexp: '^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)'
|
||||||
|
+ replace: '#kernel.core_pattern\1'
|
||||||
|
|
||||||
|
- name: Ensure sysctl kernel.core_pattern is set to empty
|
||||||
|
sysctl:
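Review bot: The `.` in `kernel.core_pattern` inside the new `regexp: '^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)'` is unescaped, so as a Python regex it matches any character in that position; `kernel\.core_pattern` is presumably intended, or `kernel[./]core_pattern` if the slash-separated sysctl spelling should be commented out as well. The `/etc/sysctl.d/*.conf` task shown as context earlier in this file has the same unescaped dot in `regexp: ^[\s]*kernel.core_pattern`, so both should be fixed together.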
|
||||||
|
|
||||||
|
From c5bcea37000f54f3273d529237e02fe0979e6d6d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 25 Aug 2022 15:20:41 +0200
|
||||||
|
Subject: [PATCH 7/8] Fix PEP8 issue.
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/test_parse_affected.py | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
|
||||||
|
index 947b56636c0..53690df5ce1 100755
|
||||||
|
--- a/tests/test_parse_affected.py
|
||||||
|
+++ b/tests/test_parse_affected.py
|
||||||
|
@@ -90,7 +90,7 @@ def parse_affected(cur_dir, env_yaml):
|
||||||
|
|
||||||
|
except ValueError as e:
|
||||||
|
print("No <affected> element found in file {}. "
|
||||||
|
- " Parsed XML was:\n{}".format(oval, item))
|
||||||
|
+ " Parsed XML was:\n{}".format(oval, item))
|
||||||
|
raise e
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
From 243347ad56fcd4f83f0b77e9b3b7fcd98d0d4acb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Thu, 25 Aug 2022 16:31:31 +0200
|
||||||
|
Subject: [PATCH 8/8] Add more test scenarios for
|
||||||
|
sysctl_kernel_core_pattern_empty_string.
|
||||||
|
|
||||||
|
---
|
||||||
|
.../tests/correct_value_with_spaces.pass.sh | 10 ++++++++++
|
||||||
|
.../tests/wrong_value_d_directory.fail.sh | 9 +++++++++
|
||||||
|
.../tests/wrong_value_runtime.fail.sh | 10 ++++++++++
|
||||||
|
3 files changed, 29 insertions(+)
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
|
||||||
|
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
|
||||||
|
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..b6688e6ca91
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern= " >> /etc/sysctl.conf
|
||||||
|
+
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.core_pattern=""
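Review bot: `sed -i "/kernel.core_pattern/d" /etc/sysctl.conf` is unanchored and its `.` is a regex wildcard, so it deletes every line that merely mentions the string, comments included; `sed -i '/^[[:space:]]*kernel\.core_pattern[[:space:]]*=/d' /etc/sysctl.conf` removes only actual settings. The same line appears in wrong_value_d_directory.fail.sh and wrong_value_runtime.fail.sh in this series. Whether the trailing blank in `kernel.core_pattern= ` is accepted depends on the textfilecontent regex in the OVAL, which this hunk does not show, so the scenario name is the only statement of that expectation.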
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..6c574b92762
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
|
||||||
|
@@ -0,0 +1,9 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/98-sysctl.conf
|
||||||
|
+
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.core_pattern=""
|
||||||
|
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..8c729677b86
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+#!/bin/bash
|
||||||
|
+
|
||||||
|
+# Clean sysctl config directories
|
||||||
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
||||||
|
+
|
||||||
|
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
|
||||||
|
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
|
||||||
|
+
|
||||||
|
+# set correct runtime value to check if the filesystem configuration is evaluated properly
|
||||||
|
+sysctl -w kernel.core_pattern="|/bin/false"
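Review bot: The comment `# set correct runtime value to check if the filesystem configuration is evaluated properly` was carried over from the pass scenario and contradicts the line it precedes, which deliberately sets a non-compliant runtime value. `# set a non-compliant runtime value so the failure comes from the runtime check, not from /etc/sysctl.conf` describes what this scenario exercises. The same comment in wrong_value_d_directory.fail.sh is accurate there, since that scenario does set the compliant runtime value.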
|
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
Name: scap-security-guide
|
Name: scap-security-guide
|
||||||
Version: 0.1.63
|
Version: 0.1.63
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
Summary: Security guidance and baselines in SCAP formats
|
Summary: Security guidance and baselines in SCAP formats
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
URL: https://github.com/ComplianceAsCode/content/
|
URL: https://github.com/ComplianceAsCode/content/
|
||||||
@ -21,6 +21,7 @@ Patch4: scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
|
|||||||
Patch5: scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
|
Patch5: scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
|
||||||
Patch6: scap-security-guide-0.1.64-readd_rules-PR_9334.patch
|
Patch6: scap-security-guide-0.1.64-readd_rules-PR_9334.patch
|
||||||
Patch7: scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
|
Patch7: scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
|
||||||
|
Patch8: scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch
|
||||||
|
|
||||||
BuildRequires: libxslt
|
BuildRequires: libxslt
|
||||||
BuildRequires: expat
|
BuildRequires: expat
|
||||||
@ -107,6 +108,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.63-5
|
||||||
|
- OSPP: fix rule related to coredump (RHBZ#2081688)
|
||||||
|
|
||||||
* Tue Aug 23 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-4
|
* Tue Aug 23 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-4
|
||||||
- use sysctl_kernel_core_pattern rule again in RHEL9 OSPP (RHBZ#2081688)
|
- use sysctl_kernel_core_pattern rule again in RHEL9 OSPP (RHBZ#2081688)
|
||||||
|
|
||||||
|