rpms
/
scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity
scap-security-guide/SOURCES/scap-security-guide-0.1.64-...

162 lines
6.5 KiB
Diff
Raw Blame History

From c4ce06ce707529c14376ca8bb6e2b03f072e81fd Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Wed, 10 Aug 2022 13:20:29 +0200
Subject: [PATCH 11/12] Merge pull request #9204 from
matejak/applicability_var_tmp
Patch-name: scap-security-guide-0.1.64-add_platform_partition_exists-PR_9204.patch
Patch-status: Introduce and apply the "partition exists" platform
---
.../mount_option_var_tmp_nodev/rule.yml | 3 ++-
.../tests/notapplicable.pass.sh | 5 +++++
shared/applicability/general.yml | 14 +++++++++++++
.../checks/oval/installed_env_mounts_tmp.xml | 10 ++++++++++
.../oval/installed_env_mounts_var_tmp.xml | 10 ++++++++++
shared/macros/10-ansible.jinja | 5 +++++
shared/macros/10-bash.jinja | 5 +++++
shared/macros/10-oval.jinja | 20 +++++++++++++++++++
8 files changed, 71 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml
create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
index 8ee8c8b12e..741d097328 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml
@@ -38,7 +38,8 @@ references:
stigid@ol8: OL08-00-040132
stigid@rhel8: RHEL-08-040132
-platform: machine
+platforms:
+ - machine and partition-var-tmp
template:
name: mount_option
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
new file mode 100644
index 0000000000..241c0103d8
--- /dev/null
+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+. $SHARED/partition.sh
+
+clean_up_partition /var/tmp # Remove the partition from the system, and unmount it
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 2d23d75314..e2f5d04ce0 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -77,6 +77,20 @@ cpes:
bash_conditional: {{{ bash_pkg_conditional("pam") }}}
ansible_conditional: {{{ ansible_pkg_conditional("pam") }}}
+ - partition-var-tmp:
+ name: "cpe:/a:partition-var-tmp"
+ title: "There is a /var/tmp partition"
+ check_id: installed_env_mounts_var_tmp
+ bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}}
+ ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}}
+
+ - partition-tmp:
+ name: "cpe:/a:partition-tmp"
+ title: "There is a /tmp partition"
+ check_id: installed_env_mounts_tmp
+ bash_conditional: {{{ bash_partition_conditional("/tmp") }}}
+ ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}}
+
- polkit:
name: "cpe:/a:polkit"
title: "Package polkit is installed"
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
new file mode 100644
index 0000000000..edd8ad050f
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
@@ -0,0 +1,10 @@
+<def-group>
+ <definition class="inventory" id="installed_env_mounts_tmp" version="1">
+ {{{ oval_metadata("", title="Partition /tmp exists", affected_platforms=[full_name]) }}}
+ <criteria>
+ {{{ partition_exists_criterion("/tmp") }}}
+ </criteria>
+ </definition>
+
+ {{{ partition_exists_test_object("/tmp") }}}
+</def-group>
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
new file mode 100644
index 0000000000..cf9aafbdb0
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
@@ -0,0 +1,10 @@
+<def-group>
+ <definition class="inventory" id="installed_env_mounts_var_tmp" version="1">
+ {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}}
+ <criteria>
+ {{{ partition_exists_criterion("/var/tmp") }}}
+ </criteria>
+ </definition>
+
+ {{{ partition_exists_test_object("/var/tmp") }}}
+</def-group>
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 20dc2020e4..5e40fe4aa2 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1432,3 +1432,8 @@ Part of the grub2_bootloader_argument_absent template.
when:
- result_pam_file_present.stat.exists
{{%- endmacro -%}}
+
+
+{{%- macro ansible_partition_conditional(path) -%}}
+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+{{%- endmacro -%}}
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 41d9e18a1e..b0f7f3cf4a 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -2073,3 +2073,8 @@ else
echo "{{{ pam_file }}} was not found" >&2
fi
{{%- endmacro -%}}
+
+
+{{%- macro bash_partition_conditional(path) -%}}
+'findmnt --mountpoint "{{{ path }}}" > /dev/null'
+{{%- endmacro -%}}
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index c8d7bbeffb..f302091f7d 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -926,3 +926,23 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo
{{%- else %}}
{{%- set user_list="nobody" %}}
{{%- endif %}}
+
+
+{{%- macro partition_exists_criterion(path) %}}
+{{%- set escaped_path = path | escape_id %}}
+ <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path }}}_exists" />
+{{%- endmacro %}}
+
+{{%- macro partition_exists_test_object(path) %}}
+{{%- set escaped_path = path | escape_id %}}
+ <linux:partition_test check="all" check_existence="all_exist"
+ comment="Partition {{{ path }}} exists"
+ id="test_partition_{{{ escaped_path }}}_exists"
+ version="1">
+ <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />
+ </linux:partition_test>
+
+ <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">
+ <linux:mount_point>{{{ path }}}</linux:mount_point>
+ </linux:partition_object>
+{{%- endmacro %}}
--
2.37.1
Reference in New Issue View Git Blame Copy Permalink