From 3cba3a59a004582c787cba725fee033c104bfe43 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 25 Jul 2018 18:02:01 +0200
Subject: [PATCH 1/4] Drop restrictions to build remediations for some sysctl
rules
Templated generation of remediations for these rules were restricted.
I don't see the motivation to restrict them, besides easing comparison
of generated datastream in 9aa2184d8d0f866df3fb6f1ea1beeafb076b3be5.
RHEL7 content build the OVAL just fine.
---
rhel6/templates/csv/sysctl_values.csv | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rhel6/templates/csv/sysctl_values.csv b/rhel6/templates/csv/sysctl_values.csv
index ad0507a2f4..af321acde0 100644
--- a/rhel6/templates/csv/sysctl_values.csv
+++ b/rhel6/templates/csv/sysctl_values.csv
@@ -21,8 +21,8 @@ net.ipv4.ip_forward,0
net.ipv4.tcp_syncookies,
net.ipv6.conf.default.accept_ra,
net.ipv6.conf.default.accept_redirects,
-net.ipv6.conf.all.accept_ra,#only-for:oval
-net.ipv6.conf.all.accept_redirects,#only-for:oval
-net.ipv6.conf.default.accept_source_route,#only-for:oval
-net.ipv6.conf.all.accept_source_route,#only-for:oval
-net.ipv6.conf.all.forwarding,#only-for:oval
+net.ipv6.conf.all.accept_ra,
+net.ipv6.conf.all.accept_redirects,
+net.ipv6.conf.default.accept_source_route,
+net.ipv6.conf.all.accept_source_route,
+net.ipv6.conf.all.forwarding,
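Review bot: The commit message justifies this change by RHEL7 building the OVAL, but the marker being dropped is `#only-for:oval`, so what newly appears for rhel6 is the remediation output for these five rules (bash, ansible, anaconda, puppet, whichever the sysctl template produces), and that is what the message should say was verified. These lines have an empty second column, which per the header comment of the sle12 file in patch 2 makes the generated content read the XCCDF value, so the matching sysctl value variables must exist in the rhel6 content for the new remediations to resolve; I cannot confirm that from the diff. A sentence such as `rhel6 remediations for these rules were generated and checked against the existing XCCDF variables.` in the description would close that gap.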
From 574defca3e1559bb5b954e65763b5df542bfeb99 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 25 Jul 2018 18:08:12 +0200
Subject: [PATCH 2/4] Drop generation of kernel_dmesg_restrict
Rule kernel_dmesg_restrict is not selected by any sle12 profile.
And currently the rule is applicable for rhel6, rhel7 and fedora.
I see this as a copy pasta legacy.
---
sle12/templates/csv/sysctl_values.csv | 1 -
1 file changed, 1 deletion(-)
diff --git a/sle12/templates/csv/sysctl_values.csv b/sle12/templates/csv/sysctl_values.csv
index 9428bc8a9f..d9b34c9aad 100644
--- a/sle12/templates/csv/sysctl_values.csv
+++ b/sle12/templates/csv/sysctl_values.csv
@@ -1,7 +1,6 @@
# Add <sysctl_parameter_name, desired_value> to generate hard-coded OVAL and remediation content.
# Add <sysctl_parameter_name,> to generate OVAL and remediation content that use the XCCDF value.
fs.suid_dumpable,0
-kernel.dmesg_restrict,1#only-for:bash,ansible
#kernel.exec-shield,1
kernel.randomize_va_space,2
net.ipv4.conf.all.accept_redirects,
From 79166dab27c8f23e6918b675e126f473395bc70b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 25 Jul 2018 18:27:08 +0200
Subject: [PATCH 3/4] Flip template restriction to exclude target languages
It is more likely and easier that we want to generate content for
all supported languages, and filter out the exceptions.
---
shared/templates/template_common.py | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/shared/templates/template_common.py b/shared/templates/template_common.py
index da746e0323..b0fdf5fcc9 100644
--- a/shared/templates/template_common.py
+++ b/shared/templates/template_common.py
@@ -36,7 +36,7 @@ def __init__(self, template, paths):
TEMPLATED_LANGUAGES = ["bash", "ansible", "oval", "anaconda", "puppet"]
-TARGET_REGEX = re.compile(r"#\s*only-for:([\s\w,]*)")
+TARGET_EXCLUDE_REGEX = re.compile(r"#\s*except-for:([\s\w,]*)")
class FilesGenerator(object):
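Review bot: Removing `TARGET_REGEX` here means a CSV line that still carries a `#only-for:` marker is no longer recognized at all, and the rewritten check in `process_csv_line` (the hunk at `@@ -113,13 +113,13 @@`) will then generate content for every target from that line without any warning; this series rewrites the rhel6 and sle12 sysctl CSVs, but the diff does not show that no other template CSV uses the old marker. A cheap guard at the top of the `if target is not None:` branch makes the old syntax fail loudly instead of silently widening the generated content: `if "only-for:" in line:` / `    raise ValueError("'#only-for:' is no longer supported, use '#except-for:': %s" % line)`. The comment `# Check if line contains restriction to target` still describes the old inclusion semantics; `# Skip the line if the current target is explicitly excluded` matches the new test. `process_csv_line` begins before and continues after its hunk.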
@@ -113,13 +113,13 @@ def process_csv_line(self, line, target):
"""
if target is not None:
- match = TARGET_REGEX.search(line)
+ exclude_match = TARGET_EXCLUDE_REGEX.search(line)
- if match:
- # if line contains restriction to target, check it
- supported_targets = \
- [x.strip() for x in match.group(1).split(",")]
- if target not in supported_targets:
+ if exclude_match:
+ # Check if line contains restriction to target
+ unsupported_targets = \
+ [x.strip() for x in exclude_match.group(1).split(",")]
+ if target in unsupported_targets:
return None
# get part before comment
From 89a059d096641d8f971c9f2d9af903742d251083 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 25 Jul 2018 18:44:11 +0200
Subject: [PATCH 4/4] Dont generate fix for unavailable mount points
Do not generate anaconda remediation for mount options of /dev/shm.
These mount points are not there at install time.
---
rhel7/templates/csv/mount_options.csv | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rhel7/templates/csv/mount_options.csv b/rhel7/templates/csv/mount_options.csv
index 759e51b0fe..f5d9ed8cea 100644
--- a/rhel7/templates/csv/mount_options.csv
+++ b/rhel7/templates/csv/mount_options.csv
@@ -6,9 +6,11 @@
# '$' to reference a variable, e.g. var_removable_partition,nodev)
# If the remediation can create (i.e. not just modify) an /etc/fstab line,
# add the 'create_fstab_entry_if_needed' literal string as the third argument.
-/dev/shm,nodev
-/dev/shm,noexec
-/dev/shm,nosuid
+
+# /dev/shm is created by systemd and is not available at install time
+/dev/shm,nodev #except-for:anaconda
+/dev/shm,noexec #except-for:anaconda
+/dev/shm,nosuid #except-for:anaconda
/home,nosuid
/home,nodev
/tmp,nodev
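Review bot: The new `#except-for:anaconda` lines are the first in this series to put a space between the value and the marker (the sle12 line removed in patch 2 used `1#only-for:bash,ansible` with no space), so the second column becomes `nodev ` unless the part taken before the comment is stripped; that stripping is not visible in this series, so it is worth confirming in `process_csv_line` before relying on it. The header comment at the top of this hunk documents the three columns but not the marker syntax, so a reader of this CSV cannot tell what `#except-for:` does; I would add `# Append '#except-for:<lang>[,<lang>]' to skip generation for the listed languages (e.g. anaconda).` to that header. The added empty line before the /dev/shm comment also assumes the CSV reader skips blank lines, which the diff does not show.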