
From b08b310a02e022d280b76e89282c8b8dcf3b9b55 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 10:02:05 +0200
Subject: [PATCH 1/3] Filter out symlinks
Create a list of paths to symlinks to filter out from the count of
unique filepaths.
---
shared/templates/sysctl/oval.template | 29 ++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 97487d6114e..1f30ad86ceb 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -168,9 +168,36 @@
</count>
</local_variable>
+ <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
+ <set>
+ <object_reference>object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}</object_reference>
+ <filter action="exclude">state_{{{ SYSCTLID }}}_filepath_is_symlink</filter>
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_{{{ SYSCTLID }}}_filepath_is_symlink" version="1">
+ <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_symlinks_{{{ SYSCTLID }}}" datatype="string" />
+ </ind:textfilecontent54_state>
+
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ SYSCTLID }}}" version="1">
+ <unique>
+ <object_component object_ref="object_{{{ SYSCTLID }}}_symlinks" item_field="filepath" />
+ </unique>
+ </local_variable>
+
+ <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
+ Workaround by querying for all conf files found -->
+ <unix:symlink_object comment="syctl symlinks" id="object_{{{ SYSCTLID }}}_symlinks" version="1">
+ <unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
+ </unix:symlink_object>
+
+ <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
+ <object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
+ </local_variable>
+
<!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
variable to have no value even when there are valid objects. -->
- <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
+ <ind:textfilecontent54_object id="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" version="1">
<set>
<object_reference>object_static_etc_sysctls_{{{ SYSCTLID }}}</object_reference>
<object_reference>object_static_run_usr_sysctls_{{{ SYSCTLID }}}</object_reference>
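Review bot: The exclusion filter at line 26 drops every symlink regardless of where it points, so a symlink under a sysctl directory whose target lies outside the scanned directories (and is therefore not otherwise present in the unfiltered set) would no longer count towards the unique filepaths even if that target sets the option to a conflicting value; the scenarios added in patch 3 only cover symlinks whose targets are themselves in the set. The comment at lines 40-41 explains the `pattern match` workaround but not this assumption, so consider adding next to it `<!-- Symlinks are excluded wholesale; a link whose target is outside the sysctl directories is assumed not to occur and would otherwise escape the count. -->`. Separately, the `comment` attribute on line 42 reads `syctl symlinks` and should read `sysctl symlinks`.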
From 29bf2a53d29624aa21fe91d5ad0ee34260514b6f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 11:18:46 +0200
Subject: [PATCH 2/3] Avoid using empty variable when no symlinks exist
This avoids directly referencing a variable that may have no values.
If no symlinks are found, 'local_var_symlinks_{{{ SYSCTLID }}}' will
have "no values".
Using this variable in the state comparison will automatically cause the
definition to evaluate to "unknown".
What we do here is inject a blank string with the use of <set>, this
way, when no symlinks are found, the variable has a single blank string.
---
shared/templates/sysctl/oval.template | 32 ++++++++++++++++++++++++++-
1 file changed, 31 insertions(+), 1 deletion(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 1f30ad86ceb..0b5cde45045 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -176,9 +176,39 @@
</ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_{{{ SYSCTLID }}}_filepath_is_symlink" version="1">
- <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_symlinks_{{{ SYSCTLID }}}" datatype="string" />
+ <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_safe_symlinks_{{{ SYSCTLID }}}" datatype="string" />
</ind:textfilecontent54_state>
+ <!-- <no simlink handling> -->
+ <!-- We craft a variable with blank string to combine with the symlink paths found.
+ This ultimately avoids referencing a variable with "no values",
+ we reference a variable with a blank string -->
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_safe_symlinks_{{{ SYSCTLID }}}" version="1">
+ <unique>
+ <object_component object_ref="var_object_symlink_{{{ SYSCTLID }}}" item_field="value" />
+ </unique>
+ </local_variable>
+
+ <ind:variable_object id="var_object_symlink_{{{ SYSCTLID }}}" comment="combine the blank string with symlink paths found" version="1">
+ <set>
+ <object_reference>var_obj_symlink_{{{ SYSCTLID }}}</object_reference>
+ <object_reference>var_obj_blank_{{{ SYSCTLID }}}</object_reference>
+ </set>
+ </ind:variable_object>
+
+ <ind:variable_object id="var_obj_blank_{{{ SYSCTLID }}}" comment="variable object of the blank string" version="1">
+ <ind:var_ref>local_var_blank_path_{{{ SYSCTLID }}}</ind:var_ref>
+ </ind:variable_object>
+
+ <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_{{{ SYSCTLID }}}" version="1">
+ <literal_component datatype="string"></literal_component>
+ </local_variable>
+
+ <ind:variable_object id="var_obj_symlink_{{{ SYSCTLID }}}" comment="variable object of the symlinks found" version="1">
+ <ind:var_ref>local_var_symlinks_{{{ SYSCTLID }}}</ind:var_ref>
+ </ind:variable_object>
+ <!-- </no simlink handling> -->
+
<local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_{{{ SYSCTLID }}}" version="1">
<unique>
<object_component object_ref="object_{{{ SYSCTLID }}}_symlinks" item_field="filepath" />
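Review bot: The variable added at line 85 carries the same `comment="Unique list of symlink conf files"` as the pre-existing variable at line 111, although its role is to union those paths with the blank sentinel; the two become indistinguishable in an OVAL results file, so line 85's comment should say something like `comment="Symlink conf files plus a blank sentinel so the variable is never empty"`. The wrapper comments at lines 81 and 109 spell `simlink`; `symlink` is meant. Whether a `var_ref` to a variable with no values (line 107) produces an item that the `<set>` at line 92 can union with the blank string, rather than an error flag on `var_object_symlink_`, is the crux of this patch and is not exercised by the scenarios in patch 3, which all create a symlink; presumably the rule's pre-existing scenarios cover the no-symlink path, but that is worth confirming explicitly.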
From 7e9e091517131d30c60a649795d477435017c97b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 4 May 2022 11:41:13 +0200
Subject: [PATCH 3/3] Add test scenarios for sysctl symlink
---
.../tests/symlink_different_option.pass.sh | 15 +++++++++++++++
.../tests/symlink_repeated_sysctl_conf.pass.sh | 11 +++++++++++
.../tests/symlink_same_option.fail.sh | 15 +++++++++++++++
3 files changed, 41 insertions(+)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh
new file mode 100644
index 00000000000..714a8815134
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_different_option.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Configure a different sysctl option
+echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/90-test.conf
+
+# Add a symlink
+ln -s /etc/sysctl.d/90-test.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
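Review bot: The script never aborts on a failed step, so if `ln -s` at line 144 fails (for instance because a file of that name survived the cleanup on line 135) the scenario silently degenerates into a plain no-symlink pass and, depending on how the harness treats the exit status, still reports success; the same applies to lines 161 and 182 in the sibling scripts. Adding `set -e` after the shebang on line 132 makes each scenario assert the setup its name promises.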
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh
new file mode 100644
index 00000000000..1fbbf1b0675
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_repeated_sysctl_conf.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+ln -s /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
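Review bot: Line 161 is the only symlink creation in the series without a comment saying why it is there, while the sibling scripts annotate theirs at lines 143 and 181. A comment such as `# /etc/sysctl.d/99-sysctl.conf pointing at /etc/sysctl.conf is a layout some distributions ship; the option must not be counted twice` above line 161 would document the scenario's intent.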
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh
new file mode 100644
index 00000000000..51530f6e80c
--- /dev/null
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/symlink_same_option.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
+
+# Configure the same sysctl option
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/90-test.conf
+
+# and add a symlink
+ln -s /etc/sysctl.d/90-test.conf /etc/sysctl.d/99-sysctl.conf
+
+sysctl -w net.ipv4.conf.default.accept_source_route=0
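Review bot: This fail scenario fails irrespective of the new symlink filtering: lines 176 and 179 already place the option in two distinct regular files, so the unique-filepath count exceeds one whether or not the symlink from line 182 is excluded, and the scenario does not pin down the new behaviour. A comment making that explicit, such as `# Expected to fail because two regular files define the option; the symlink must not change the outcome`, would save a future reader from assuming the symlink is what triggers the failure. A fail case that actually depends on the filter would need a symlink whose target defines a conflicting value and is not otherwise counted, which is the situation the template's comments currently leave undocumented.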