scap-security-guide/SOURCES/scap-security-guide-0.1.65-...


From 3fba5ec874f0269d81af9bca90e524703980345d Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Mon, 14 Nov 2022 15:46:12 +0100
Subject: [PATCH 1/5] Update ocil and fixtext in fapolicy_default_deny
Rules are stored in different places depending on the system version, and these
differences are now made explicit in ocil and fixtext. RHEL 8.6 introduced the
rules.d feature together with the fagenrules script, which reads and concatenates
the rules from rules.d and saves the result in the /etc/fapolicyd/compiled.rules
file.
---
.../services/fapolicyd/fapolicy_default_deny/rule.yml | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
index 5b9a1649571..eeecd34e69a 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
@@ -39,10 +39,14 @@ ocil: |-
permissive = 0
- Check that fapolicyd employs a deny-all policy on system mounts with the following command:
+ Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
+ For RHEL 8.5 systems and older:
$ sudo tail /etc/fapolicyd/fapolicyd.rules
+ For RHEL 8.6 systems and newer:
+ $ sudo tail /etc/fapolicyd/compiled.rules
+
allow exe=/usr/bin/python3.7 : ftype=text/x-python
deny_audit perm=any pattern=ld_so : all
deny perm=any all : all
@@ -54,8 +58,12 @@ fixtext: |-
permissive = 1
+ For RHEL 8.5 systems and older:
Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
+ For RHEL 8.6 systems and newer:
+ Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
+
Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.
permissive = 0
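Review bot: The RHEL 8.6+ fixtext stops at the added line `Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ...`, but the ocil in the previous hunk inspects `/etc/fapolicyd/compiled.rules`, which per the commit message is produced from rules.d by fagenrules; an admin who follows the fixtext literally may still be reported non-compliant until that file is regenerated. Suggest appending a sentence after the rules.d line such as `Regenerate the compiled rules with the fagenrules script so the change is reflected in "/etc/fapolicyd/compiled.rules" before setting permissive to 0.` Whether a plain fapolicyd restart also rebuilds compiled.rules is not visible here, so I would not rely on it in the text.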
From 0b4eaa7e7d96600eef42ad45524e0b4c6e003990 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 17 Nov 2022 09:40:20 +0100
Subject: [PATCH 2/5] Refactored the OVAL assessment for fapolicy_default_deny
Firstly, the existing checks were aligned to the style guides and the comments
were reviewed. The regex used to identify the expected policy was also fixed,
since it did not catch a deny policy defined in the wrong position. Finally, the
assessment was extended to consider the /etc/fapolicyd/compiled.rules file.
---
.../fapolicy_default_deny/oval/shared.xml | 64 +++++++++++++------
1 file changed, 43 insertions(+), 21 deletions(-)
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
index 9989459ad22..40bdcf870ca 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/oval/shared.xml
@@ -4,36 +4,58 @@
oval_metadata("Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy")
}}}
<criteria>
- <criterion comment="fapolicyd employs a deny-all policy"
- test_ref="test_fapolicy_default_deny_policy" />
- <criterion comment="fapolicyd is in enforcement mode"
- test_ref="test_fapolicy_default_deny_enforcement" />
+ <criteria operator="OR">
+ <criterion comment="fapolicyd employs a deny-all policy in compiled.rules file"
+ test_ref="test_fapolicy_default_deny_policy_with_rulesd"/>
+ <criterion comment="fapolicyd employs a deny-all policy fapolicyd.rules file"
+ test_ref="test_fapolicy_default_deny_policy_without_rulesd"/>
+ </criteria>
+ <criterion comment="fapolicyd is in enforcement mode"
+ test_ref="test_fapolicy_default_deny_enforcement"/>
</criteria>
</definition>
- <ind:textfilecontent54_test check_existence="only_one_exists" check="all"
- comment="fapolicyd employs a deny-all policy"
- id="test_fapolicy_default_deny_policy" version="1">
- <ind:object object_ref="obj_fapolicy_default_deny_policy" />
+ <ind:textfilecontent54_test id="test_fapolicy_default_deny_policy_with_rulesd" version="1"
+ check_existence="only_one_exists" check="all"
+ comment="fapolicyd employs a deny-all policy in compiled.rules file">
+ <ind:object object_ref="object_fapolicy_default_deny_policy_compiled_rules"/>
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_fapolicy_default_deny_policy" version="1">
- <ind:behaviors multiline="false" />
+
+ <ind:textfilecontent54_object id="object_fapolicy_default_deny_policy_compiled_rules"
+ version="1">
+ <ind:filepath>/etc/fapolicyd/compiled.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test id="test_fapolicy_default_deny_policy_without_rulesd" version="2"
+ check_existence="only_one_exists" check="all"
+ comment="fapolicyd employs a deny-all policy in fapolicyd.rules file">
+ <ind:object object_ref="object_fapolicy_default_deny_policy_fapolicyd_rules"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_fapolicy_default_deny_policy_fapolicyd_rules"
+ version="2">
<ind:filepath>/etc/fapolicyd/fapolicyd.rules</ind:filepath>
- <ind:pattern operation="pattern match">(^|\n)\s*deny\s*perm=any\s*all\s*:\s*all\s*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*deny\s*perm=any\s*all\s*:\s*all\s*\z</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_test check_existence="all_exist" check="all"
- comment="fapolicyd is in enforcement mode"
- id="test_fapolicy_default_deny_enforcement" version="1">
- <ind:object object_ref="obj_fapolicy_default_deny_enforcement" />
- <ind:state state_ref="state_fapolicy_default_deny_enforcement" />
+
+ <ind:textfilecontent54_test id="test_fapolicy_default_deny_enforcement" version="2"
+ check_existence="all_exist" check="all"
+ comment="permissive mode is disabled in fapolicyd settings">
+ <ind:object object_ref="object_fapolicy_default_deny_permissive_mode" />
+ <ind:state state_ref="state_fapolicy_default_deny_permissive_mode_off" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_fapolicy_default_deny_enforcement" version="1">
+
+ <ind:textfilecontent54_object id="object_fapolicy_default_deny_permissive_mode" version="2">
<ind:filepath>/etc/fapolicyd/fapolicyd.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*permissive\s*=\s*(\d+)</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_fapolicy_default_deny_enforcement" version="1" comment="root email alias">
- <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
- </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_state id="state_fapolicy_default_deny_permissive_mode_off" version="2"
+ comment="permissive mode value is set to 0 (off) in fapolicyd settings file">
+ <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
+ </ind:textfilecontent54_state>
</def-group>
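Review bot: The new `<criteria operator="OR">` near the top of the hunk passes when either rules file ends with the deny-all rule, with nothing tying the result to the file the daemon actually loads, so on a host where both `/etc/fapolicyd/fapolicyd.rules` and `/etc/fapolicyd/compiled.rules` exist a stale deny-all in one file masks an allow-all in the other. The test scenarios in this series pick a single active file by the existence of compiled.rules, so their fail scenarios can evaluate as pass under this OR. Consider pairing each policy criterion with an existence test on the other path (e.g. an `ind:textfilecontent54_test` with `check_existence="none_exist"` on `/etc/fapolicyd/fapolicyd.rules` next to the compiled.rules criterion) so that only the file in use is credited; which file fapolicyd prefers when both exist is not visible here and should be confirmed against the daemon. Separately, the new `\s*\z` anchor correctly requires the deny rule to be the final entry, but it also fails a file whose last line is a trailing comment after the deny rule, which may be worth a comment on the object.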
From a0fc2ee0b58404ca642804a8977eca6b77fb6807 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 17 Nov 2022 10:32:51 +0100
Subject: [PATCH 3/5] Refactored the test scenario scripts
The scripts were invalid and were reporting wrong results. The main issue
was in scripts which intended to create two lines in a file but were
overwriting the entire file in the second command instead of appending the
second line. The scripts were also refactored to consider systems using
the rules.d feature as well as older systems which don't have the
rules.d feature. Another issue was that "no_quotes" was false by default
in the bash_shell_file_set macro, but fapolicyd.conf doesn't expect
quotes, and this was causing inconsistency in the file, so no_quotes
was set to true when calling the macro from test scenarios. Finally, the
script names were better aligned to their respective scenarios.
---
.../tests/allow_policy.fail.sh | 18 ++++++++++++++++++
.../tests/commented_value.fail.sh | 12 ------------
.../tests/correct_value.pass.sh | 12 ------------
.../tests/deny_not_last.fail.sh | 12 ------------
.../tests/deny_policy.pass.sh | 18 ++++++++++++++++++
.../tests/deny_policy_but_permissive.fail.sh | 16 ++++++++++++++++
.../tests/deny_policy_commented.fail.sh | 18 ++++++++++++++++++
.../tests/deny_policy_not_ensured.fail.sh | 18 ++++++++++++++++++
.../tests/fapolicy_permissive.fail.sh | 5 -----
.../tests/wrong_value.fail.sh | 11 -----------
10 files changed, 88 insertions(+), 52 deletions(-)
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
create mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
delete mode 100644 linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
new file mode 100644
index 00000000000..23d7e699056
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/allow_policy.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "allow perm=any all : all" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
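Review bot: The selection at `if [ -f /etc/fapolicyd/compiled.rules ]` writes only the chosen file and leaves the other one untouched, so on a host that still carries a `fapolicyd.rules` next to `compiled.rules` the deny-all in the untouched file can satisfy the OVAL's OR and turn this fail scenario into a pass; the same pattern is repeated in deny_policy.pass.sh, deny_policy_but_permissive.fail.sh, deny_policy_commented.fail.sh and deny_policy_not_ensured.fail.sh. The fail scripts should neutralize the non-selected file when compiled.rules is chosen, e.g. adding `rm -f /etc/fapolicyd/fapolicyd.rules` right after `active_rules_file="/etc/fapolicyd/compiled.rules"`. As a style point, quote the expansions (`truncate -s 0 "$active_rules_file"` and the two `>> "$active_rules_file"` redirections) so the scripts stay correct if the variable ever holds a path with spaces.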
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
deleted file mode 100644
index a8df835af76..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/commented_value.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-echo "# deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
deleted file mode 100644
index c88406b0be4..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/correct_value.pass.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-echo "deny perm=any all : all" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
deleted file mode 100644
index 59b16308563..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_not_last.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "deny perm=any all : all" >> /etc/fapolicyd/fapolicyd.rules
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
new file mode 100644
index 00000000000..f3ff83ca602
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy.pass.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "deny perm=any all : all" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
new file mode 100644
index 00000000000..caa401ca174
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_but_permissive.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "deny perm=any all : all" >> $active_rules_file
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
new file mode 100644
index 00000000000..4e4bc430cec
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_commented.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+echo "# deny perm=any all : all" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
new file mode 100644
index 00000000000..b52e5446afc
--- /dev/null
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/deny_policy_not_ensured.fail.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# packages = fapolicyd
+# remediation = none
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "1", "true") }}}
+
+if [ -f /etc/fapolicyd/compiled.rules ]; then
+ active_rules_file="/etc/fapolicyd/compiled.rules"
+else
+ active_rules_file="/etc/fapolicyd/fapolicyd.rules"
+fi
+
+truncate -s 0 $active_rules_file
+
+echo "deny perm=any all : all" >> $active_rules_file
+echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" >> $active_rules_file
+
+{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf", "permissive", "0", "true") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
deleted file mode 100644
index 50756a0e7a3..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/fapolicy_permissive.fail.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
deleted file mode 100644
index da3e33f57fd..00000000000
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/tests/wrong_value.fail.sh
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-# packages = fapolicyd
-# remediation = none
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","1") }}}
-
-truncate -s 0 /etc/fapolicyd/fapolicyd.rules
-
-echo "allow exe=/usr/bin/python3.7 : ftype=text/x-python" > /etc/fapolicyd/fapolicyd.rules
-
-{{{ bash_shell_file_set("/etc/fapolicyd/fapolicyd.conf","permissive","0") }}}
From 0b731cf7a0433111311ab5e427a54d2f6c1b9d14 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 17 Nov 2022 11:02:34 +0100
Subject: [PATCH 4/5] Fixed bash_shell_file_set macro to consider spaces
Once the test scenario scripts were fixed, an issue was revealed in the
bash_shell_file_set macro. The macro was not considering config files
which have spaces before and after the separator character. Since the
separator_regex parameter already expects regex format, it was easily
extended.
---
shared/macros/10-bash.jinja | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index ae0f0e5e6ad..0e369314645 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -122,13 +122,13 @@ fi
{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
{{% if no_quotes -%}}
{{% if "$" in value %}}
- {{% set value = '%s' % value.replace("$", "\\$") %}}
+ {{% set value = '%s' % value.replace("$", "\\$") %}}
{{% endif %}}
{{%- else -%}}
{{% if "$" in value %}}
- {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
+ {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
{{% else %}}
- {{% set value = "'%s'" % value %}}
+ {{% set value = "'%s'" % value %}}
{{% endif %}}
{{%- endif -%}}
{{{ set_config_file(
@@ -140,7 +140,7 @@ fi
insert_before="^#\s*" ~ parameter,
insensitive=false,
separator="=",
- separator_regex="=",
+ separator_regex="\s*=\s*",
prefix_regex="^\s*")
}}}
{{%- endmacro -%}}
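Review bot: The widened `separator_regex="\s*=\s*"` changes matching for every caller of bash_shell_file_set, not only the fapolicyd scenarios: a line written as `key = value` is now recognized and, because `separator="="` on the line above is unchanged, it is rewritten as `key=value`, silently normalizing whitespace in any config file the macro touches. That is the intended behaviour here, but it is not documented anywhere in the macro, so I would add a comment above the changed line: `{{# accept spaces around "=" so an existing "key = value" line is replaced rather than duplicated; the rewritten line always uses "=" without spaces #}}`. The first hunk of this file appears to change only indentation of the `set value` lines and needs no change. How set_config_file combines prefix_regex and separator_regex is outside this hunk, so I cannot confirm the new pattern is safe in its sed/grep context.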
From 3a8101e921f7b0b5e261fdbf4b42bf210fcccf78 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 18 Nov 2022 09:58:47 +0100
Subject: [PATCH 5/5] Use jinja to limit the RHEL 8 minor version text
The change is intended to prevent RHEL 9 and OL from getting the RHEL 8 minor
version text.
---
.../guide/services/fapolicyd/fapolicy_default_deny/rule.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
index eeecd34e69a..220801bc471 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
@@ -41,10 +41,12 @@ ocil: |-
Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
+ {{%- if product in ["rhel8"] %}}
For RHEL 8.5 systems and older:
$ sudo tail /etc/fapolicyd/fapolicyd.rules
For RHEL 8.6 systems and newer:
+ {{%- endif %}}
$ sudo tail /etc/fapolicyd/compiled.rules
allow exe=/usr/bin/python3.7 : ftype=text/x-python
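Review bot: For every product other than rhel8 the rendered ocil now reads `Check that fapolicyd employs a deny-all policy on system mounts with the following commands:` followed by a single `$ sudo tail /etc/fapolicyd/compiled.rules`, because the plural on the context line above the first `{{%- if product in ["rhel8"] %}}` sits outside the conditional. Either change the context line to `... with the following command:` and keep the plural only inside the rhel8 branch, or add a short lead-in line after `{{%- endif %}}` for the compiled.rules command. I am inferring the rendered output from the `-` whitespace control on both tags; worth checking the built guide for rhel9 once.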
@@ -58,10 +60,12 @@ fixtext: |-
permissive = 1
+ {{%- if product in ["rhel8"] %}}
For RHEL 8.5 systems and older:
Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
For RHEL 8.6 systems and newer:
+ {{%- endif %}}
Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file.