From 77a21063367337b874e9396547b3d1439eef2754 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 6 Sep 2019 11:44:49 -0400
Subject: [PATCH] Rename disable_prelink -> bash_disable_prelink
Per conversation in #4746, we should probably prefix bash remediation
helpers with the bash_ prefix. This lets us quickly identify which
language a particular macro is for, especially when macros with similar
functionality behave differently across languages.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
.../system/software/integrity/disable_prelink/bash/shared.sh | 2 +-
.../integrity/fips/grub2_enable_fips_mode/bash/shared.sh | 2 +-
shared/macros-bash.jinja | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh b/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh
index a79bd71ab0..ed6a388d0a 100644
--- a/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh
@@ -1,2 +1,2 @@
# platform = multi_platform_all
-{{{ disable_prelink() }}}
+{{{ bash_disable_prelink() }}}
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
index 2b99be11a7..18b57e6f87 100644
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
@@ -3,7 +3,7 @@
# include remediation functions library
. /usr/share/scap-security-guide/remediation_functions
-{{{ disable_prelink() }}}
+{{{ bash_disable_prelink() }}}
if grep -q -m1 -o aes /proc/cpuinfo; then
{{{ bash_package_install("dracut-fips-aesni") }}}
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 1af0143805..8a6b9b5099 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -87,7 +87,7 @@ apt-get remove -y "{{{ package }}}"
{{%- endif -%}}
{{%- endmacro -%}}
-{{%- macro disable_prelink() -%}}
+{{%- macro bash_disable_prelink() -%}}
# prelink not installed
if test ! -e /etc/sysconfig/prelink -a ! -e /usr/sbin/prelink; then
return 0
From 747a407d54a4c3549795fbf2a484092d175a39a4 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 6 Nov 2019 15:45:47 +0100
Subject: [PATCH 1/2] Invert logic when testing for prelink package presence.
Since this piece of code is not a bash function anymore, it is not
possible to use the return statement, so inverting the logic of the test
did the trick.
---
shared/macros-bash.jinja | 26 ++++++++++++--------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index 49ef874f0b..62b1b165a8 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -89,21 +89,19 @@ apt-get remove -y "{{{ package }}}"
{{%- macro bash_disable_prelink() -%}}
# prelink not installed
-if test ! -e /etc/sysconfig/prelink -a ! -e /usr/sbin/prelink; then
- return 0
-fi
-
-if grep -q ^PRELINKING /etc/sysconfig/prelink
-then
- sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
-else
- printf '\n' >> /etc/sysconfig/prelink
- printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
-fi
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
+ if grep -q ^PRELINKING /etc/sysconfig/prelink
+ then
+ sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
+ else
+ printf '\n' >> /etc/sysconfig/prelink
+ printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
+ fi
-# Undo previous prelink changes to binaries if prelink is available.
-if test -x /usr/sbin/prelink; then
- /usr/sbin/prelink -ua
+ # Undo previous prelink changes to binaries if prelink is available.
+ if test -x /usr/sbin/prelink; then
+ /usr/sbin/prelink -ua
+ fi
fi
{{%- endmacro -%}}
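Review bot: The `sed` expression moved into the new `if` block writes `[:blank:]` and `[:alpha:]` without the outer brackets, so they are not POSIX character classes. GNU sed typically rejects this form with a character-class syntax error, and an implementation that accepts it treats each as a plain set of letters, so an existing `PRELINKING=yes` line is probably not rewritten to a clean `PRELINKING=no`. Because this remediation exists to stop prelink from modifying binaries, a failure here leaves the hardening unapplied while the rule appears remediated; the line should read `sed -i 's/^PRELINKING[[:blank:]]*=[[:blank:]]*[[:alpha:]]*/PRELINKING=no/' /etc/sysconfig/prelink`. Separately, the outer `test ... -o ...` passes when only /usr/sbin/prelink exists, so `grep` then runs against a missing /etc/sysconfig/prelink and prints an error before the `else` branch creates the file; a `test -e /etc/sysconfig/prelink &&` guard in front of the `grep` would avoid that.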
From 6c7182016b956d53ac5cf306da6d1b4efda953ab Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 6 Nov 2019 17:15:47 +0100
Subject: [PATCH 2/2] Add dracut-fips-aesni package to grub2_enable_fips_mode
anaconda remediation.
---
.../fips/grub2_enable_fips_mode/anaconda/shared.anaconda | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda
index 4a329df8f4..2dd06202b3 100644
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda
@@ -1,3 +1,3 @@
# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
-package --add=dracut-fips
+package --add=dracut-fips --add=dracut-fips-aesni
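Review bot: `--add=dracut-fips-aesni` is added unconditionally here, while the bash remediation for the same rule (the grub2_enable_fips_mode/bash/shared.sh hunk earlier in this series) installs that package only when `grep -q -m1 -o aes /proc/cpuinfo` succeeds. If the package is not intended for hardware without AES-NI, the two remediations now disagree, and an install-time package list cannot make that check; it is worth confirming that the unconditional install is safe on such CPUs. If it is, a comment above the line such as `# dracut-fips-aesni is installed unconditionally; the bash remediation gates it on the aes CPU flag` would record the difference for the next maintainer.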