From 3cba3a59a004582c787cba725fee033c104bfe43 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 25 Jul 2018 18:02:01 +0200

Subject: [PATCH 1/4] Drop restrictions to build remediations for some sysctl

 rules

Templated generation of remediations for these rules were restricted.

I don't see the motivation to restrict them, besides to easy comparison

of generated datastream in 9aa2184d8d0f866df3fb6f1ea1beeafb076b3be5.

RHEL7 content build the OVAL just fine.

---

 rhel6/templates/csv/sysctl_values.csv | 10 +++++-----

 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rhel6/templates/csv/sysctl_values.csv b/rhel6/templates/csv/sysctl_values.csv

index ad0507a2f4..af321acde0 100644

--- a/rhel6/templates/csv/sysctl_values.csv

+++ b/rhel6/templates/csv/sysctl_values.csv

@@ -21,8 +21,8 @@ net.ipv4.ip_forward,0

 net.ipv4.tcp_syncookies,

 net.ipv6.conf.default.accept_ra,

 net.ipv6.conf.default.accept_redirects,

-net.ipv6.conf.all.accept_ra,#only-for:oval

-net.ipv6.conf.all.accept_redirects,#only-for:oval

-net.ipv6.conf.default.accept_source_route,#only-for:oval

-net.ipv6.conf.all.accept_source_route,#only-for:oval

-net.ipv6.conf.all.forwarding,#only-for:oval

+net.ipv6.conf.all.accept_ra,

+net.ipv6.conf.all.accept_redirects,

+net.ipv6.conf.default.accept_source_route,

+net.ipv6.conf.all.accept_source_route,

+net.ipv6.conf.all.forwarding,

From 574defca3e1559bb5b954e65763b5df542bfeb99 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 25 Jul 2018 18:08:12 +0200

Subject: [PATCH 2/4] Drop generation of kernel_dmesg_restrict

Rule kernel_dmest_restrict is not selected by any sle12 Profile.

And currently the rule is applicable for rhel6, rhel7 and fedora.

I see this as a copy pasta legacy.

---

 sle12/templates/csv/sysctl_values.csv | 1 -

 1 file changed, 1 deletion(-)

diff --git a/sle12/templates/csv/sysctl_values.csv b/sle12/templates/csv/sysctl_values.csv

index 9428bc8a9f..d9b34c9aad 100644

--- a/sle12/templates/csv/sysctl_values.csv

+++ b/sle12/templates/csv/sysctl_values.csv

@@ -1,7 +1,6 @@

 # Add <sysctl_parameter_name, desired_value> to generate hard-coded OVAL and remediation content.

 # Add <sysctl_parameter_name,> to generate OVAL and remediation content that use the XCCDF value.

 fs.suid_dumpable,0

-kernel.dmesg_restrict,1#only-for:bash,ansible

 #kernel.exec-shield,1

 kernel.randomize_va_space,2

 net.ipv4.conf.all.accept_redirects,

From 79166dab27c8f23e6918b675e126f473395bc70b Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 25 Jul 2018 18:27:08 +0200

Subject: [PATCH 3/4] Flip template restriction to exclude target languages

It is more likely and easier that we want to generate content for

all supported languages, and filter out the exceptions.

---

 shared/templates/template_common.py | 14 +++++++-------

 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/shared/templates/template_common.py b/shared/templates/template_common.py

index da746e0323..b0fdf5fcc9 100644

--- a/shared/templates/template_common.py

+++ b/shared/templates/template_common.py

@@ -36,7 +36,7 @@ def __init__(self, template, paths):

 TEMPLATED_LANGUAGES = ["bash", "ansible", "oval", "anaconda", "puppet"]

-TARGET_REGEX = re.compile(r"#\s*only-for:([\s\w,]*)")

+TARGET_EXCLUDE_REGEX = re.compile(r"#\s*except-for:([\s\w,]*)")

 class FilesGenerator(object):

@@ -113,13 +113,13 @@ def process_csv_line(self, line, target):

         """

         if target is not None:

-            match = TARGET_REGEX.search(line)

+            exclude_match = TARGET_EXCLUDE_REGEX.search(line)

-            if match:

-                # if line contains restriction to target, check it

-                supported_targets = \

-                    [x.strip() for x in match.group(1).split(",")]

-                if target not in supported_targets:

+            if exclude_match:

+                # Check if line contains restriction to target

+                unsupported_targets = \

+                    [x.strip() for x in exclude_match.group(1).split(",")]

+                if target in unsupported_targets:

                     return None

         # get part before comment

From 89a059d096641d8f971c9f2d9af903742d251083 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 25 Jul 2018 18:44:11 +0200

Subject: [PATCH 4/4] Dont generate fix for unavailable mount points

Do not generate anaconda remediation for mount options of /dev/shm.

These mount points are not there at install time.

---

 rhel7/templates/csv/mount_options.csv | 8 +++++---

 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/rhel7/templates/csv/mount_options.csv b/rhel7/templates/csv/mount_options.csv

index 759e51b0fe..f5d9ed8cea 100644

--- a/rhel7/templates/csv/mount_options.csv

+++ b/rhel7/templates/csv/mount_options.csv

@@ -6,9 +6,11 @@

 #     '$' to reference a variable, e.g. var_removable_partition,nodev)

 #  If the remediation can create (i.e. not just modify) an /etc/fstab line,

 #  add the 'create_fstab_entry_if_needed' literal string as the third argument.

-/dev/shm,nodev

-/dev/shm,noexec

-/dev/shm,nosuid

+

+# /dev/shm is created by systemd and is not available at install time

+/dev/shm,nodev #except-for:anaconda

+/dev/shm,noexec #except-for:anaconda

+/dev/shm,nosuid #except-for:anaconda

 /home,nosuid

 /home,nodev

 /tmp,nodev