From 21177e5d44dfd6f4fa6de79737c1e55c4b22660a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 3 May 2022 10:49:44 +0200
Subject: [PATCH] Edited PR_8656 to apply on 0.1.60
---
.../one_sysctl_conf_one_sysctl_d.fail.sh | 11 +++
.../tests/two_sysctls_on_d.fail.sh | 11 +++
.../tests/two_sysctls_on_same_file.pass.sh | 11 +++
.../two_sysctls_on_same_file_name.fail.sh | 11 +++
shared/templates/sysctl/bash.template | 2 +-
shared/templates/sysctl/oval.template | 99 +++++++++++++------
6 files changed, 114 insertions(+), 31 deletions(-)
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
create mode 100644 linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
|
|
new file mode 100644
|
|
index 0000000..b2bc2f8
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/one_sysctl_conf_one_sysctl_d.fail.sh
|
|
@@ -0,0 +1,11 @@
|
|
+#!/bin/bash
|
|
+
|
|
+# Clean sysctl config directories
|
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
|
+
|
|
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
|
|
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
|
|
+
|
|
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/duplicate.conf
|
|
+
|
|
+sysctl -w net.ipv4.conf.default.accept_source_route=0
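Review bot: None of the four new scenario scripts states the outcome it is meant to produce, so a reader has to infer it from the `.fail.sh`/`.pass.sh` suffix and from the OVAL change elsewhere in this patch; a one-line comment after the shebang would make each one self-describing, e.g. `# Expected to fail: the sysctl is defined in two files (/etc/sysctl.conf and /etc/sysctl.d/duplicate.conf)`, with the matching wording in two_sysctls_on_d.fail.sh, two_sysctls_on_same_file.pass.sh and two_sysctls_on_same_file_name.fail.sh. The closing `sysctl -w` presumably keeps the runtime check satisfied so that only the static, duplicate-definition check decides the result; that intent is worth stating as well. The `sed -i` delete pattern is unanchored and its dots are regex metacharacters, which is acceptable for a fixture but also removes any line that merely contains a similar key.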
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
|
|
new file mode 100644
|
|
index 0000000..49a8f2e
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_d.fail.sh
|
|
@@ -0,0 +1,11 @@
|
|
+#!/bin/bash
|
|
+
|
|
+# Clean sysctl config directories
|
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
|
+
|
|
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
|
|
+
|
|
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/first.conf
|
|
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/duplicate.conf
|
|
+
|
|
+sysctl -w net.ipv4.conf.default.accept_source_route=0
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
|
|
new file mode 100644
|
|
index 0000000..548e616
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file.pass.sh
|
|
@@ -0,0 +1,11 @@
|
|
+#!/bin/bash
|
|
+
|
|
+# Clean sysctl config directories
|
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
|
+
|
|
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
|
|
+
|
|
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
|
|
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
|
|
+
|
|
+sysctl -w net.ipv4.conf.default.accept_source_route=0
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
|
|
new file mode 100644
|
|
index 0000000..487691d
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/tests/two_sysctls_on_same_file_name.fail.sh
|
|
@@ -0,0 +1,11 @@
|
|
+#!/bin/bash
|
|
+
|
|
+# Clean sysctl config directories
|
|
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
|
|
+
|
|
+sed -i "/net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf
|
|
+
|
|
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
|
|
+echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.d/sysctl.conf
|
|
+
|
|
+sysctl -w net.ipv4.conf.default.accept_source_route=0
|
|
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
|
|
index 6c82e6e..d68956f 100644
|
|
--- a/shared/templates/sysctl/bash.template
|
|
+++ b/shared/templates/sysctl/bash.template
|
|
@@ -6,7 +6,7 @@
|
|
|
|
# Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
|
|
for f in /etc/sysctl.d/*.conf ; do
|
|
- matching_list=$(grep -P '^(?!#).*[\s]+{{{ SYSCTLVAR }}}.*$' $f | uniq )
|
|
+ matching_list=$(grep -P '^(?!#).*[\s]*{{{ SYSCTLVAR }}}.*$' $f | uniq )
|
|
if ! test -z "$matching_list"; then
|
|
while IFS= read -r entry; do
|
|
# comment out "{{{ SYSCTLVAR }}}" matches to preserve user data
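Review bot: The new grep on the `matching_list=` line is still unanchored after `.*`, so `[\s]*` is redundant and any line whose key merely contains `{{{ SYSCTLVAR }}}` as a substring (a longer sysctl name, or the name inside a comment that does not start at column 0) is also commented out; assuming nothing but whitespace is expected before the key, matching the key followed by `=` is tighter: `matching_list=$(grep -P '^(?!#)\s*{{{ SYSCTLVAR }}}\s*=' $f | uniq )`. The dots in the expanded variable name are unescaped regex metacharacters in both the old and the new form, which is pre-existing. The loop body that does the commenting continues outside the hunk.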
|
|
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
|
|
index 646f5f3..fd19f8b 100644
|
|
--- a/shared/templates/sysctl/oval.template
|
|
+++ b/shared/templates/sysctl/oval.template
|
|
@@ -1,3 +1,9 @@
|
|
+{{%- if SYSCTLVAL == "" %}}
|
|
+{{%- set COMMENT_VALUE="the appropriate value" %}}
|
|
+{{%- else %}}
|
|
+{{%- set COMMENT_VALUE=SYSCTLVAL %}}
|
|
+{{%- endif %}}
|
|
+
|
|
{{% macro state_static_sysctld(prefix) -%}}
|
|
<ind:object object_ref="object_static_{{{ prefix }}}_{{{ SYSCTLID }}}" />
|
|
{{%- if SYSCTLVAL == "" %}}
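Review bot: `COMMENT_VALUE` drops the single quotes that the old descriptions put around a non-empty value (`"'" + SYSCTLVAL + "'"` in the oval_metadata calls replaced further down), so descriptions now read `set to 0` rather than `set to '0'`; since the same variable also feeds the `comment=` attributes, which never quoted the value, this is probably intentional, but a short comment above the block would save the next reader the archaeology, e.g. `{{# COMMENT_VALUE: human-readable value shared by descriptions and criterion comments; deliberately unquoted #}}`.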
|
|
@@ -6,7 +12,7 @@
|
|
{{%- endmacro -%}}
|
|
{{%- macro sysctl_match() -%}}
|
|
{{%- if SYSCTLVAL == "" -%}}
|
|
- <ind:pattern operation="pattern match">(?:^|.*\n)[^#]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*\n</ind:pattern>
|
|
+ <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
|
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
{{%- else -%}}
|
|
{{% if OPERATION == "pattern match" %}}
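Review bot: The anchored pattern on the new `<ind:pattern>` line only covers the `SYSCTLVAL == ""` branch; the `{{%- else -%}}` branch that follows is outside this hunk, and if it still uses the old `(?:^|.*\n)[^#]*…\n` shape the two branches will accept different line layouts, which matters now that `sysctl_match()` also feeds the per-file duplicate counter added later in this patch. Worth confirming both branches use the same `^[\s]*…[\s]*$` form. The dots in `{{{ SYSCTLVAR }}}` remain unescaped regex metacharacters, as before.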
|
|
@@ -53,20 +59,12 @@
|
|
|
|
<def-group>
|
|
<definition class="compliance" id="sysctl_runtime_{{{ SYSCTLID }}}" version="3">
|
|
- {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + ("'" + SYSCTLVAL + "'") if SYSCTLVAL else " the appropriate value" + " in the system runtime.") }}}
|
|
+ {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}}
|
|
<criteria operator="AND">
|
|
-{{%- if SYSCTLVAL == "" %}}
|
|
- <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to the appropriate value" test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}" />
|
|
-{{%- else %}}
|
|
- <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}}" test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}" />
|
|
-{{%- endif %}}
|
|
+ <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}" test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}"/>
|
|
</criteria>
|
|
</definition>
|
|
-{{% if SYSCTLVAL == "" %}}
|
|
- <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to the appropriate value" id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
|
|
-{{%- else %}}
|
|
- <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}}" id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1">
|
|
-{{%- endif %}}
|
|
+ <unix:sysctl_test id="test_sysctl_runtime_{{{ SYSCTLID }}}" version="1" comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}" check="all" check_existence="all_exist">
|
|
<unix:object object_ref="object_sysctl_runtime_{{{ SYSCTLID }}}" />
|
|
<unix:state state_ref="state_sysctl_runtime_{{{ SYSCTLID }}}" />
|
|
</unix:sysctl_test>
|
|
@@ -96,25 +94,21 @@
|
|
|
|
<def-group>
|
|
<definition class="compliance" id="sysctl_static_{{{ SYSCTLID }}}" version="3">
|
|
- {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + ("'" + SYSCTLVAL + "'") if SYSCTLVAL else " the appropriate value" + " in the system configuration.") }}}
|
|
-{{%- if SYSCTLVAL == "" %}}
|
|
- <criteria operator="OR">
|
|
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /etc/sysctl.conf" test_ref="test_static_sysctl_{{{ SYSCTLID }}}" />
|
|
- <!-- see sysctl.d(5) -->
|
|
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}" />
|
|
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /run/sysctl.d/*.conf" test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}" />
|
|
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" />
|
|
- </criteria>
|
|
-{{%- else %}}
|
|
-
|
|
- <criteria operator="OR">
|
|
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /etc/sysctl.conf" test_ref="test_static_sysctl_{{{ SYSCTLID }}}" />
|
|
- <!-- see sysctl.d(5) -->
|
|
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /etc/sysctl.d/*.conf" test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}" />
|
|
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /run/sysctl.d/*.conf" test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}" />
|
|
- <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ SYSCTLVAL }}} in /usr/lib/sysctl.d/*.conf" test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}" />
|
|
+ {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}
|
|
+ <criteria operator="AND">
|
|
+ <criteria operator="OR">
|
|
+ <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.conf"
|
|
+ test_ref="test_static_sysctl_{{{ SYSCTLID }}}"/>
|
|
+ <!-- see sysctl.d(5) -->
|
|
+ <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /etc/sysctl.d/*.conf"
|
|
+ test_ref="test_static_etc_sysctld_{{{ SYSCTLID }}}"/>
|
|
+ <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /run/sysctl.d/*.conf"
|
|
+ test_ref="test_static_run_sysctld_{{{ SYSCTLID }}}"/>
|
|
+ <criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in /usr/lib/sysctl.d/*.conf"
|
|
+ test_ref="test_static_usr_lib_sysctld_{{{ SYSCTLID }}}"/>
|
|
+ </criteria>
|
|
+ <criterion comment="Check that {{{ SYSCTLID }}} is defined in only one file" test_ref="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
|
|
</criteria>
|
|
-{{%- endif %}}
|
|
</definition>
|
|
|
|
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="{{{ SYSCTLVAR }}} static configuration" id="test_static_sysctl_{{{ SYSCTLID }}}" version="1">
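Review bot: The new `defined in only one file` criterion counts distinct file paths across /etc/sysctl.conf and all three sysctl.d directories, so a vendor drop-in in /usr/lib/sysctl.d together with an administrator override of the same file name in /etc/sysctl.d, which sysctl.d(5) treats as a single effective file, will be reported as a duplicate and fail the rule; if that is intended the criterion comment should say so, otherwise the count needs to be over file names rather than full paths. The comment on that criterion also uses `{{{ SYSCTLID }}}` where the sibling criteria use `{{{ SYSCTLVAR }}}`; `comment="kernel static parameter {{{ SYSCTLVAR }}} is defined in only one file"` keeps them consistent.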
|
|
@@ -133,6 +127,51 @@
|
|
{{{ state_static_sysctld("usr_lib_sysctld") }}}
|
|
</ind:textfilecontent54_test>
|
|
|
|
+ <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains {{{ SYSCTLID }}}"
|
|
+ id="test_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
|
|
+ <ind:object object_ref="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
|
|
+ <ind:state state_ref="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" />
|
|
+ </ind:variable_test>
|
|
+
|
|
+ <ind:variable_object id="oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
|
|
+ <ind:var_ref>local_var_unique_sysctl_{{{ SYSCTLID }}}_counter</ind:var_ref>
|
|
+ </ind:variable_object>
|
|
+
|
|
+ <ind:variable_state id="state_sysctl_{{{ SYSCTLID }}}_defined_in_one_file" version="1">
|
|
+ <ind:value operation="equals" datatype="int">1</ind:value>
|
|
+ </ind:variable_state>
|
|
+
|
|
+ <local_variable comment="Count unique sysctls" datatype="int" id="local_var_unique_sysctl_{{{ SYSCTLID }}}_counter" version="1">
|
|
+ <count>
|
|
+ <unique>
|
|
+ <object_component object_ref="object_static_set_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
|
|
+ </unique>
|
|
+ </count>
|
|
+ </local_variable>
|
|
+
|
|
+ <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
|
|
+ variable to have no value even when there are valid objects. -->
|
|
+ <ind:textfilecontent54_object id="object_static_set_sysctls_{{{ SYSCTLID }}}" version="1">
|
|
+ <set>
|
|
+ <object_reference>object_static_etc_sysctls_{{{ SYSCTLID }}}</object_reference>
|
|
+ <object_reference>object_static_run_usr_sysctls_{{{ SYSCTLID }}}</object_reference>
|
|
+ </set>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ SYSCTLID }}}" version="1">
|
|
+ <set>
|
|
+ <object_reference>object_static_sysctl_{{{ SYSCTLID }}}</object_reference>
|
|
+ <object_reference>object_static_etc_sysctld_{{{ SYSCTLID }}}</object_reference>
|
|
+ </set>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_object id="object_static_run_usr_sysctls_{{{ SYSCTLID }}}" version="1">
|
|
+ <set>
|
|
+ <object_reference>object_static_run_sysctld_{{{ SYSCTLID }}}</object_reference>
|
|
+ <object_reference>object_static_usr_lib_sysctld_{{{ SYSCTLID }}}</object_reference>
|
|
+ </set>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
<ind:textfilecontent54_object id="object_static_sysctl_{{{ SYSCTLID }}}" version="1">
|
|
<ind:filepath>/etc/sysctl.conf</ind:filepath>
|
|
{{{ sysctl_match() }}}
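Review bot: `oject_sysctl_{{{ SYSCTLID }}}_defined_in_one_file` is misspelled (missing `b`) in both the `object_ref` of the variable_test and the `variable_object` id; the two references agree so it evaluates, but `object_sysctl_{{{ SYSCTLID }}}_defined_in_one_file` matches the naming of every other id in the file. The unique-filepath count can also exceed one when a single definition is reachable through two paths, for example if /etc/sysctl.d holds a symlink to /etc/sysctl.conf as some distributions ship; textfilecontent54 presumably reports each path as its own item, so such a system would be flagged as a duplicate although only one file exists. The `object_static_sysctl_…` object at the end continues outside the hunk.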
|
|
--
|
|
2.34.1