scap-security-guide/SOURCES/scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch

From c4ce06ce707529c14376ca8bb6e2b03f072e81fd Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Wed, 10 Aug 2022 13:20:29 +0200
Subject: [PATCH 11/12] Merge pull request #9204 from
 matejak/applicability_var_tmp

Patch-name: scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch
Patch-status: Introduce and apply the "partition exists" platform
---
 .../mount_option_var_tmp_nodev/rule.yml       |  3 ++-
 .../tests/notapplicable.pass.sh               |  5 +++++
 shared/applicability/general.yml              | 14 +++++++++++++
 .../checks/oval/installed_env_mounts_tmp.xml  | 10 ++++++++++
 .../oval/installed_env_mounts_var_tmp.xml     | 10 ++++++++++
 shared/macros/10-ansible.jinja                |  5 +++++
 shared/macros/10-bash.jinja                   |  5 +++++
 shared/macros/10-oval.jinja                   | 20 +++++++++++++++++++
 8 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
 create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml
 create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 8ee8c8b12e..741d097328 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -38,7 +38,8 @@ references:
     stigid@ol8: OL08-00-040132
     stigid@rhel8: RHEL-08-040132
 
-platform: machine
+platforms:
+  - machine and partition-var-tmp
 
 template:
     name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
new file mode 100644
index 0000000000..241c0103d8
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+clean_up_partition /var/tmp  # Remove the partition from the system, and unmount it
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 2d23d75314..e2f5d04ce0 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -77,6 +77,20 @@ cpes:
       bash_conditional: {{{ bash_pkg_conditional("pam") }}}
       ansible_conditional: {{{ ansible_pkg_conditional("pam") }}}
 
+  - partition-var-tmp:
+      name: "cpe:/a:partition-var-tmp"
+      title: "There is a /var/tmp partition"
+      check_id: installed_env_mounts_var_tmp
+      bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}}
+      ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}}
+
+  - partition-tmp:
+      name: "cpe:/a:partition-tmp"
+      title: "There is a /tmp partition"
+      check_id: installed_env_mounts_tmp
+      bash_conditional: {{{ bash_partition_conditional("/tmp") }}}
+      ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}}
+
   - polkit:
       name: "cpe:/a:polkit"
       title: "Package polkit is installed"
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
new file mode 100644
index 0000000000..edd8ad050f
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
@@ -0,0 +1,10 @@
+<def-group>
+  <definition class="inventory" id="installed_env_mounts_tmp" version="1">
+    {{{ oval_metadata("", title="Partition /tmp exists", affected_platforms=[full_name]) }}}
+    <criteria>
+       {{{ partition_exists_criterion("/tmp") }}}
+    </criteria>
+  </definition>
+
+  {{{ partition_exists_test_object("/tmp") }}}
+</def-group>
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
new file mode 100644
index 0000000000..cf9aafbdb0
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
@@ -0,0 +1,10 @@
+<def-group>
+  <definition class="inventory" id="installed_env_mounts_var_tmp" version="1">
+    {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}}
+    <criteria>
+       {{{ partition_exists_criterion("/var/tmp") }}}
+    </criteria>
+  </definition>
+
+  {{{ partition_exists_test_object("/var/tmp") }}}
+</def-group>
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 20dc2020e4..5e40fe4aa2 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1432,3 +1432,8 @@ Part of the grub2_bootloader_argument_absent template.
   when:
     - result_pam_file_present.stat.exists
 {{%- endmacro -%}}
+
+
+{{%- macro ansible_partition_conditional(path) -%}}
+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+{{%- endmacro -%}}
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 41d9e18a1e..b0f7f3cf4a 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -2073,3 +2073,8 @@ else
     echo "{{{ pam_file }}} was not found" >&2
 fi
 {{%- endmacro -%}}
+
+
+{{%- macro bash_partition_conditional(path) -%}}
+'findmnt --mountpoint "{{{ path }}}" > /dev/null'
+{{%- endmacro -%}}
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index c8d7bbeffb..f302091f7d 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -926,3 +926,23 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
 {{%- else %}}
   {{%- set user_list="nobody" %}}
 {{%- endif %}}
+
+
+{{%- macro partition_exists_criterion(path) %}}
+{{%- set escaped_path = path | escape_id %}}
+      <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path  }}}_exists" />
+{{%- endmacro %}}
+
+{{%- macro partition_exists_test_object(path) %}}
+{{%- set escaped_path = path | escape_id %}}
+  <linux:partition_test check="all" check_existence="all_exist"
+      comment="Partition {{{ path }}} exists"
+      id="test_partition_{{{ escaped_path }}}_exists"
+  version="1">
+    <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
+  </linux:partition_test>
+
+  <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
+    <linux:mount_point>{{{ path }}}</linux:mount_point>
+  </linux:partition_object>
+{{%- endmacro %}}
-- 
2.37.1