From 47cbe417900d38f1ad98d9adee4b3382cdc80311 Mon Sep 17 00:00:00 2001
From: Nathan Peters <petna01@ca.com>
Date: Fri, 5 Jan 2018 17:39:42 -0800
Subject: [PATCH 1/2] updated kernel module loading init and delete to use b32
and b64
---
shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh | 2 +-
shared/fixes/bash/audit_rules_kernel_module_loading_init.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
index 97cdfae457..76a29eedc4 100644
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
@@ -9,7 +9,7 @@
# it's not required on a 64-bit system to check also for the presence
# of 32-bit's equivalent of the corresponding rule. Therefore for
# each system it's enought to check presence of system's native rule form.
-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
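Review bot: `getconf LONG_BIT` on the changed line reports the word size of the userspace getconf binary, not of the running kernel, so a 64-bit kernel running a 32-bit userland would still get only the `b32` rule and native 64-bit callers of init_module/delete_module would not be audited. If that combination is in scope for the targeted platforms, keying the decision on the kernel instead, e.g. `case "$(uname -m)" in x86_64|aarch64|ppc64*|s390x) RULE_ARCHS=("b32" "b64") ;; *) RULE_ARCHS=("b32") ;; esac`, is more robust; I can't tell from the hunk which platforms the rule is built for, so treat this as something to confirm. The `for` loop that consumes RULE_ARCHS continues past the end of the hunk.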
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
index 83f904bab7..ec275c91f8 100644
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
@@ -9,7 +9,7 @@
# it's not required on a 64-bit system to check also for the presence
# of 32-bit's equivalent of the corresponding rule. Therefore for
# each system it's enought to check presence of system's native rule form.
-[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64")
+[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
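Review bot: The `[ … ] && A || B` form on the changed line reads as a ternary but is an and/or list; it only behaves as intended here because an array assignment never fails, and every reader has to re-verify that. An explicit `if [ "$(getconf LONG_BIT)" = "32" ]; then RULE_ARCHS=("b32"); else RULE_ARCHS=("b32" "b64"); fi` states the intent directly and stays correct if either branch ever grows a command that can fail. The same line appears in the sibling `..._delete.sh` remediation, so the two should change together. The loop body that uses RULE_ARCHS lies outside the hunk.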
From 23d66767a7f6100481f985d4282ffe19ab5bc26c Mon Sep 17 00:00:00 2001
From: Nathan Peters <petna01@ca.com>
Date: Fri, 12 Jan 2018 10:31:51 -0800
Subject: [PATCH 2/2] updated comments to not contradict the remediation code
---
shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh | 8 ++++----
shared/fixes/bash/audit_rules_kernel_module_loading_init.sh | 8 ++++----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
index 76a29eedc4..59aadeeef8 100644
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh
@@ -5,10 +5,10 @@
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
-# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
-# it's not required on a 64-bit system to check also for the presence
-# of 32-bit's equivalent of the corresponding rule. Therefore for
-# each system it's enought to check presence of system's native rule form.
+# If the system has a 32-bit processor, only the 32-bit rule is needed.
+# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
+# the audit file because it is not possible to know if the computer will be booted
+# in 64 or 32 bit mode or for which architecture a binary is compiled.
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
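Review bot: The justification in the new comment — that it is "not possible to know if the computer will be booted in 64 or 32 bit mode" — does not match what the code below it does, because `getconf LONG_BIT` is evaluated on the running system, so the boot mode is already known when the rule is written. The reason both arches are needed on a 64-bit kernel is that a 32-bit binary invokes init_module/delete_module through the compat syscall ABI, which the audit subsystem reports as `arch=b32`, so a b64-only rule would miss it. Suggest replacing the last two comment lines with `# the audit file: a 32-bit binary on a 64-bit kernel enters through the compat syscall ABI` and `# and is only matched by the b32 rule, so a b64-only rule would miss it.`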
diff --git a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
index ec275c91f8..04b06f9dee 100644
--- a/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
+++ b/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh
@@ -5,10 +5,10 @@
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
-# Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel =>
-# it's not required on a 64-bit system to check also for the presence
-# of 32-bit's equivalent of the corresponding rule. Therefore for
-# each system it's enought to check presence of system's native rule form.
+# If the system has a 32-bit processor, only the 32-bit rule is needed.
+# If the system has a 64-bit processor, both arch 32 and 64 need to be included in
+# the audit file because it is not possible to know if the computer will be booted
+# in 64 or 32 bit mode or for which architecture a binary is compiled.
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
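Review bot: The new comment gives the wrong reason for emitting both arches: the script runs on the already-booted system, so "not knowing how the computer will be booted" cannot be why `getconf LONG_BIT` is consulted. What actually requires the b32 rule on a 64-bit kernel is that 32-bit processes reach init_module/delete_module through the compat syscall ABI, which audit reports as `arch=b32`. Rewording the last two lines to say that — `# the audit file, because a 32-bit process on a 64-bit kernel uses the compat syscall ABI` / `# and is matched only by the b32 rule.` — keeps the comment from contradicting the code a second time.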
From 27363bc92905f8b7a5271480c64051869f2565d8 Mon Sep 17 00:00:00 2001
From: Nathan Peters <petna01@ca.com>
Date: Thu, 18 Jan 2018 17:18:07 -0800
Subject: [PATCH] fixed syntax issue with sed expression in
auditd_data_retention_space_left.sh
---
shared/fixes/bash/auditd_data_retention_space_left.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh
index 1c13cd4e34..f4ae92b044 100644
--- a/shared/fixes/bash/auditd_data_retention_space_left.sh
+++ b/shared/fixes/bash/auditd_data_retention_space_left.sh
@@ -3,7 +3,7 @@
populate var_auditd_space_left
grep -q ^space_left /etc/audit/auditd.conf && \
- sed -i "s/space_left.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
+ sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
if ! [ $? -eq 0 ]; then
echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
fi
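Review bot: `$var_auditd_space_left` is interpolated unescaped into the sed replacement on the changed line, so a value containing `/`, `&` or `\` (the variable is filled by `populate` from the profile's XCCDF value, outside this hunk) would break the expression or write something other than the intended number into auditd.conf. Since space_left is a numeric megabyte count per auditd.conf(5), validating it before use is the cheapest fix: `case "$var_auditd_space_left" in ''|*[!0-9]*) echo "invalid space_left value" >&2; exit 1 ;; esac`. The `/g` flag is also dead weight on a `^`-anchored pattern that can match at most once per line.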
From 0aca8aa12b070625f138e4e1f90622e89e8b6f21 Mon Sep 17 00:00:00 2001
From: OnceUponALoop <firas.alshafei@gmail.com>
Date: Mon, 26 Feb 2018 20:58:06 -0600
Subject: [PATCH] Fixes #2607 - audit_rules_login_events
---
shared/templates/create_audit_rules_login_events.py | 2 +-
shared/templates/csv/audit_rules_login_events.csv | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/templates/create_audit_rules_login_events.py b/shared/templates/create_audit_rules_login_events.py
index 111a27a130..3dc1f5cb0d 100644
--- a/shared/templates/create_audit_rules_login_events.py
+++ b/shared/templates/create_audit_rules_login_events.py
@@ -14,7 +14,7 @@
class AuditRulesLoginEventsGenerator(FilesGenerator):
def generate(self, target, args):
path = args[0]
- name = re.sub('[-\./]', '_', os.path.basename(path))
+ name = re.sub('[-\./]', '_', os.path.basename(os.path.normpath(path)))
if target == "oval":
self.file_from_template(
"./template_OVAL_audit_rules_login_events",
diff --git a/shared/templates/csv/audit_rules_login_events.csv b/shared/templates/csv/audit_rules_login_events.csv
index cdec8d6b8e..5c9793afbe 100644
--- a/shared/templates/csv/audit_rules_login_events.csv
+++ b/shared/templates/csv/audit_rules_login_events.csv
@@ -1,3 +1,3 @@
-/var/run/faillock
+/var/run/faillock/
/var/log/lastlog
/var/log/tallylog
From 318cc38b11f8b7fc6d4a30dd7db20f5bc57a4c8d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 12 Mar 2018 18:37:34 +0100
Subject: [PATCH 1/4] Add tests for ensure_logrotate_activated
---
.../rule_ensure_logrotate_activated/cron_daily_configured.pass.sh | 7 +++++++
.../logrotate_conf_configured.pass.sh | 8 ++++++++
.../rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh | 6 ++++++
.../rule_ensure_logrotate_activated/logrotate_no_config.fail.sh | 6 ++++++
4 files changed, 27 insertions(+)
create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh
create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh
create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh
create mode 100644 tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh
diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh
new file mode 100644
index 0000000000..2debba3186
--- /dev/null
+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+
+# make sure config in logrotate conf is misconfigured
+sed -i "s/daily/weekly/" /etc/logrotate.conf
+
+# default for cron.daily for RHEL7 is already correct
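Review bot: `sed -i "s/daily/weekly/"` is unanchored, so it rewrites the first `daily` on any line, comments included, rather than the frequency directive the comment above it refers to; `sed -i "s/^daily$/weekly/" /etc/logrotate.conf` touches only that line. The last comment also records an assumption the scenario never checks — that the stock cron.daily script is present and correct — and if the harness treats a non-zero setup exit as an error, `[ -x /etc/cron.daily/logrotate ] || exit 1` would surface a missing file as a setup problem instead of an unexplained result.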
diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh
new file mode 100644
index 0000000000..0521eac274
--- /dev/null
+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+
+# fix logrotate config
+sed -i "s/weekly/daily/" /etc/logrotate.conf
+
+# remove default for cron.daily
+rm /etc/cron.daily/logrotate
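Review bot: `rm /etc/cron.daily/logrotate` ends the scenario with a non-zero status when the file is already absent, whereas `rm -f /etc/cron.daily/logrotate` makes the setup idempotent; the other scenarios in this commit that remove the file have the same issue. The `sed` substitution is also unanchored, so it would rewrite a comment such as the `# rotate log files weekly` line a stock file may carry; `s/^weekly$/daily/` limits it to the directive.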
diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh
new file mode 100644
index 0000000000..671da30c0b
--- /dev/null
+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = none
+
+sed -i "s/daily/weekly/" /etc/logrotate.conf
+rm /etc/cron.daily/logrotate
diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh
new file mode 100644
index 0000000000..69c0ca7ee5
--- /dev/null
+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = none
+
+sed -i "/^daily/d" /etc/logrotate.conf
+rm /etc/cron.daily/logrotate
From 4301c45fffa27dfc03eee6b8b88301d888fb011b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 12 Mar 2018 19:00:03 +0100
Subject: [PATCH 2/4] Update OVAL check for ensure_logrotate_activated
Other parameters can be passed to logrotate besides the config file.
And according to logrotate man page, there can be multiple configuration
files, and the later ones override configuration done on earlier files.
So we allow other parameters between logrotate command and config file,
and ensure that /etc/logrotate.conf is the last file.
---
shared/checks/oval/ensure_logrotate_activated.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/checks/oval/ensure_logrotate_activated.xml b/shared/checks/oval/ensure_logrotate_activated.xml
index 641e4516ae..9feb9b7fdc 100644
--- a/shared/checks/oval/ensure_logrotate_activated.xml
+++ b/shared/checks/oval/ensure_logrotate_activated.xml
@@ -65,7 +65,7 @@
<ind:textfilecontent54_object id="object_cron_daily_logrotate_existence" version="1">
<ind:filepath>/etc/cron.daily/logrotate</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*/usr/sbin/logrotate[\s]*/etc/logrotate.conf(?:.*)$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
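Review bot: `[\s\S]*` in the new pattern matches newlines, so the expression is no longer confined to one line of /etc/cron.daily/logrotate: a `/usr/sbin/logrotate` call on one line followed, any number of lines later, by any line ending in `/etc/logrotate.conf` (a comment, for instance) satisfies the check, which is not the "config file is the last argument" property the commit message describes. Keeping the gap on the same line and escaping the dot gives `^[\s]*/usr/sbin/logrotate(?:[ \t]+\S+)*[ \t]+/etc/logrotate\.conf[ \t]*$`, which also keeps tolerating the trailing whitespace the old `(?:.*)$` accepted. Whether this engine applies `^`/`$` per line or to the whole file I can't confirm from the hunk, but the newline-crossing class is a problem under either mode.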
From ef15dd31ede1b96aa9b04feece43cc8d6c609ab8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 12 Mar 2018 19:51:54 +0100
Subject: [PATCH 3/4] Add remediation for ensure_logrotate_activate
---
shared/fixes/bash/ensure_logrotate_activated.sh | 7 +++++++
.../rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh | 1 -
.../rule_ensure_logrotate_activated/logrotate_no_config.fail.sh | 1 -
3 files changed, 7 insertions(+), 2 deletions(-)
create mode 100644 shared/fixes/bash/ensure_logrotate_activated.sh
diff --git a/shared/fixes/bash/ensure_logrotate_activated.sh b/shared/fixes/bash/ensure_logrotate_activated.sh
new file mode 100644
index 0000000000..2d22e0df8b
--- /dev/null
+++ b/shared/fixes/bash/ensure_logrotate_activated.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_rhel
+
+# daily rotation is configured
+grep -q "^daily$" /etc/logrotate.conf || echo "daily" >> /etc/logrotate.conf
+
+# remove any line configuring weekly, monthly or yearly rotation
+sed -i -r "/^(weekly|monthly|yearly)$/d" /etc/logrotate.conf
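Review bot: Appending `daily` to the end of /etc/logrotate.conf places it after whatever the file already contains, which in a stock layout includes the `include /etc/logrotate.d` line; as I read logrotate(8), directives govern the log definitions that follow them, so a `daily` landing after the include would not apply to the included definitions even though the OVAL check passes. Replacing the existing frequency directive in place keeps its position, with the append reduced to a fallback: `sed -i -r "s/^(weekly|monthly|yearly)$/daily/" /etc/logrotate.conf` followed by `grep -q "^daily$" /etc/logrotate.conf || echo "daily" >> /etc/logrotate.conf`. That also reverses the current order, in which the append runs before the delete.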
diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh
index 671da30c0b..8c93377e76 100644
--- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh
+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh
@@ -1,6 +1,5 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
-# remediation = none
sed -i "s/daily/weekly/" /etc/logrotate.conf
rm /etc/cron.daily/logrotate
diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh
index 69c0ca7ee5..88679f329f 100644
--- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh
+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_config.fail.sh
@@ -1,6 +1,5 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
-# remediation = none
sed -i "/^daily/d" /etc/logrotate.conf
rm /etc/cron.daily/logrotate
From 44dc057232f17467597ed03416cd7417fde5430f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 13 Mar 2018 16:45:01 +0100
Subject: [PATCH 4/4] logrotate needs conf and crontab configured
- Update OVAL definition to check for both logrotate.conf and cron.daily
- Update remediation to add logrotate to cron.daily
- Update test scenarios accordingly
---
shared/checks/oval/ensure_logrotate_activated.xml | 2 +-
shared/fixes/bash/ensure_logrotate_activated.sh | 13 +++++++++++--
.../logrotate_conf_weekly.fail.sh | 1 -
...aily_configured.pass.sh => logrotate_configured.pass.sh} | 4 ++--
...f_configured.pass.sh => logrotate_no_cron_daily.fail.sh} | 0
5 files changed, 14 insertions(+), 6 deletions(-)
rename tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/{cron_daily_configured.pass.sh => logrotate_configured.pass.sh} (56%)
rename tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/{logrotate_conf_configured.pass.sh => logrotate_no_cron_daily.fail.sh} (100%)
diff --git a/shared/checks/oval/ensure_logrotate_activated.xml b/shared/checks/oval/ensure_logrotate_activated.xml
index 9feb9b7fdc..a34caaab5c 100644
--- a/shared/checks/oval/ensure_logrotate_activated.xml
+++ b/shared/checks/oval/ensure_logrotate_activated.xml
@@ -11,7 +11,7 @@
The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily
</description>
</metadata>
- <criteria comment="/etc/logrotate.conf contains daily setting or /etc/cron.daily/logrotate file exists" operator="OR">
+ <criteria comment="/etc/logrotate.conf contains daily setting and /etc/cron.daily/logrotate file exists" operator="AND">
<criterion comment="Check if daily is set in /etc/logrotate.conf"
test_ref="test_logrotate_conf_daily_setting" />
<criterion comment="Check if /etc/cron.daily/logrotate file exists (and calls logrotate)"
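Review bot: Switching the criteria to AND makes the rule require the cron.daily script specifically, so a host that drives logrotate from another scheduler (newer distributions ship a systemd `logrotate.timer`; a site may use /etc/cron.d) will fail even though rotation runs daily. The matching remediation in this series is tagged `# platform = multi_platform_rhel`, and I can't tell from the hunk whether any targeted release is in that situation; if one is, the cron.daily criterion needs an OR with a timer check, and if not, the limitation belongs in the description on the line above it (`... should be configured to run daily; this check expects the daily run to be triggered from /etc/cron.daily/logrotate`). The `<criteria>` element closes outside the hunk.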
diff --git a/shared/fixes/bash/ensure_logrotate_activated.sh b/shared/fixes/bash/ensure_logrotate_activated.sh
index 2d22e0df8b..b1dbbe8755 100644
--- a/shared/fixes/bash/ensure_logrotate_activated.sh
+++ b/shared/fixes/bash/ensure_logrotate_activated.sh
@@ -1,7 +1,16 @@
# platform = multi_platform_rhel
+LOGROTATE_CONF_FILE="/etc/logrotate.conf"
+CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate"
+
# daily rotation is configured
-grep -q "^daily$" /etc/logrotate.conf || echo "daily" >> /etc/logrotate.conf
+grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE
# remove any line configuring weekly, monthly or yearly rotation
-sed -i -r "/^(weekly|monthly|yearly)$/d" /etc/logrotate.conf
+sed -i -r "/^(weekly|monthly|yearly)$/d" $LOGROTATE_CONF_FILE
+
+# configure cron.daily if not already
+if ! grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then
+ echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE
+ echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE
+fi
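Review bot: The cron.daily script is created by plain redirection and never made executable, so when the remediation reaches the `echo "#!/bin/sh" > ...` branch the resulting /etc/cron.daily/logrotate is a non-executable file (0644 under the usual umask) that run-parts skips, and logs still do not rotate daily even though the OVAL check now passes; add `chmod 0755 "$CRON_DAILY_LOGROTATE_FILE"` after the second echo. Two smaller points on the same lines: `grep -q` prints a "No such file" diagnostic when the script is absent (`2>/dev/null` or a `[ -f "$CRON_DAILY_LOGROTATE_FILE" ] &&` guard), and the variable expansions should be double-quoted. Overwriting with `>` also discards any site-specific content of a script that merely failed the pattern, which is worth a comment stating that this is intended.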
diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh
index 8c93377e76..30d1e29008 100644
--- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh
+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_weekly.fail.sh
@@ -2,4 +2,3 @@
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
sed -i "s/daily/weekly/" /etc/logrotate.conf
-rm /etc/cron.daily/logrotate
diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh
similarity index 56%
rename from tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh
rename to tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh
index 2debba3186..170b8e9ed8 100644
--- a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/cron_daily_configured.pass.sh
+++ b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_configured.pass.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_pci-dss
-# make sure config in logrotate conf is misconfigured
-sed -i "s/daily/weekly/" /etc/logrotate.conf
+# fix logrotate config
+sed -i "s/weekly/daily/" /etc/logrotate.conf
# default for cron.daily for RHEL7 is already correct
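Review bot: The pass scenario now rests on an assumption stated only in the last comment — that the stock /etc/cron.daily/logrotate exists and is correct — while this same commit turns the absence of that file into a fail case. Making the assumption explicit, e.g. `[ -x /etc/cron.daily/logrotate ] || exit 1` after the sed, lets a missing or non-executable script surface as a setup error rather than a misleading fail. The unanchored `s/weekly/daily/` also rewrites comment text; `s/^weekly$/daily/` limits it to the directive.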
diff --git a/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh b/tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_cron_daily.fail.sh
similarity index 100%
rename from tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_conf_configured.pass.sh
rename to tests/data/group_system/group_logging/group_log_rotation/rule_ensure_logrotate_activated/logrotate_no_cron_daily.fail.sh
From 9b32280bb07c28281f7bd97663e783e1846d4dc9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 13 Mar 2018 19:54:13 +0100
Subject: [PATCH 1/8] Add test scenarios for audit_rules_login_events
- default fail - no rules at all
- default pass - default watch rules for tallylog, faillock and lastlog
---
.../rule_audit_rules_login_events/default.fail.sh | 7 +++++++
.../rule_audit_rules_login_events/default.pass.sh | 9 +++++++++
2 files changed, 16 insertions(+)
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh
new file mode 100644
index 0000000000..ab4dc70c93
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
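Review bot: The trailing `true` forces the scenario's exit status to 0 regardless of whether `rm -f` and the `>` truncation succeeded, so a setup that could not actually clear the rules (an unwritable /etc/audit, say) is reported as clean and the rule then fails for the wrong reason. Drop it and let the redirection's own status stand, or make the check explicit: `> /etc/audit/audit.rules || exit 1`.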
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh
new file mode 100644
index 0000000000..4f81075d4b
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_login_events/rule_audit_rules_login_events/default.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = bash
+
+echo "-w /var/log/tallylog -p wa -k logins" >> /etc/audit/rules.d/logins.rules
+echo "-w /var/run/faillock/ -p wa -k logins" >> /etc/audit/rules.d/logins.rules
+echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/rules.d/logins.rules
+
+cat /etc/audit/rules.d/logins.rules
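Review bot: Three `echo >>` appends to the same file read better as one here-document, which shows the intended file content at a glance, and writing the file with `>` instead of appending keeps the scenario idempotent if the harness ever reuses a machine. The final `cat` is debugging output; keep it only if the harness captures stdout on purpose, and say so in a comment if it does.

```bash
cat > /etc/audit/rules.d/logins.rules <<'EOF'
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins
EOF
# … unchanged: trailing cat …
```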
From 3743d6b1fdc6cfd7b2cdb2d4d934e47d9c456441 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 13 Mar 2018 20:16:20 +0100
Subject: [PATCH 2/8] Add test scenarios for
auditd_data_retention_space_left_action
- action_email - configures action to email
- action_not_there - removes any configuration of space_left_action
---
.../action_email.pass.sh | 5 +++++
.../action_not_there.fail.sh | 5 +++++
2 files changed, 10 insertions(+)
create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh
create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh
diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh
new file mode 100644
index 0000000000..e340fef316
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_email.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
+# remediation = bash
+
+sed -i "s/^space_left_action = .*$/space_left_action = email/" /etc/audit/auditd.conf
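Review bot: The substitution only takes effect when a `space_left_action = ` line already exists; on a file without it the scenario silently changes nothing and the expected pass depends on the shipped default rather than on what the file name claims. The sibling `space_left.pass.sh` in this series handles that with a grep-then-append fallback, and the same shape here — `if grep -q "^space_left_action[[:space:]]*=" /etc/audit/auditd.conf; then sed -i "s/^space_left_action[[:space:]]*=.*$/space_left_action = email/" /etc/audit/auditd.conf; else echo "space_left_action = email" >> /etc/audit/auditd.conf; fi` — makes the scenario self-contained.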
diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh
new file mode 100644
index 0000000000..13707b20da
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left_action/action_not_there.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
+# remediation = bash
+
+sed -i "/^space_left_action = /d" /etc/audit/auditd.conf
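Review bot: `/^space_left_action = /d` only removes the single-space spelling, so a line written as `space_left_action=email` or `space_left_action	= email` survives and the "not there" scenario would start with the option still present. Matching the spacing the remediations in this series accept, `sed -i "/^space_left_action[[:space:]]*=/d" /etc/audit/auditd.conf`, removes every form.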
From 580f2d489741e293ceeb4e3863298351d0ac5c29 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 14 Mar 2018 15:47:28 +0100
Subject: [PATCH 3/8] Add test scenarios for audit_data_retention_space_left
- space_left pass - auditd.conf configured with enough space
- space_left_not_enough fail - auditd.conf configured with low space
- space_left_not_there fail - auditd.conf without space_left parameter
---
.../rule_auditd_data_retention_space_left/space_left.pass.sh | 9 +++++++++
.../space_left_not_enough.fail.sh | 5 +++++
.../space_left_not_there.fail.sh | 5 +++++
3 files changed, 19 insertions(+)
create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh
create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh
create mode 100644 tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh
diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh
new file mode 100644
index 0000000000..2e24c0ab86
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
+# remediation = bash
+
+if grep -q "^space_left[[:space:]]*= " /etc/audit/auditd.conf; then
+ sed -i "s/^space_left = .*$/space_left = 100/" /etc/audit/auditd.conf
+else
+ echo "space_left = 100" >> /etc/audit/auditd.conf
+fi
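Review bot: The guard accepts `space_left[[:space:]]*= ` but the sed on the next line only rewrites `space_left = `, so a line spelled `space_left\t= 75` or `space_left  = 75` passes the guard, is left untouched, and is not appended either — the scenario ends with the old value. Use the same pattern in both places: `sed -i "s/^space_left[[:space:]]*=.*$/space_left = 100/" /etc/audit/auditd.conf`. The value 100 presumably has to satisfy the profile's `var_auditd_space_left`; a comment saying so (`# must satisfy the STIG profile's var_auditd_space_left`) would help when that variable changes.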
diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh
new file mode 100644
index 0000000000..637d9a0b3f
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
+# remediation = bash
+
+sed -i "s/^space_left = .*$/space_left = 15/" /etc/audit/auditd.conf
diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh
new file mode 100644
index 0000000000..71d459fdec
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_there.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
+# remediation = bash
+
+sed -i "/^space_left = /d" /etc/audit/auditd.conf
From 269ab3e0422b97e6c3593850e4fe93020436047b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 14 Mar 2018 16:30:20 +0100
Subject: [PATCH 4/8] Fix append scenario in remediation for
audit_data_retention_space_left
Remediation for auditd_data_retention_space_left could not add
configuration line when it was missing.
grep command would return 0, sed command would not find the
configuration line to replace and return 0.
Subsequent if would consume $? equal 0 and not append config.
Use of function replace_or_append is not easy here, [[:space:]] is not
handled correctly.
---
shared/fixes/bash/auditd_data_retention_space_left.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh
index f4ae92b044..2ed771b2d2 100644
--- a/shared/fixes/bash/auditd_data_retention_space_left.sh
+++ b/shared/fixes/bash/auditd_data_retention_space_left.sh
@@ -2,7 +2,7 @@
. /usr/share/scap-security-guide/remediation_functions
populate var_auditd_space_left
-grep -q ^space_left /etc/audit/auditd.conf && \
+grep -q "^space_left[[:space:]]*=" /etc/audit/auditd.conf && \
sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
if ! [ $? -eq 0 ]; then
echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
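Review bot: After this fix the append decision is carried entirely by the grep's status, because `sed -i` exits 0 whether or not it substituted anything — exactly the trap the commit message describes — yet the code still reads as though `$?` reflected the sed. An explicit if/else removes the dependence on the and-list's exit status and makes the `/g` flag, which is dead on a `^`-anchored pattern, unnecessary. The `populate` call and the `remediation_functions` source above come from outside the hunk.

```bash
if grep -q "^space_left[[:space:]]*=" /etc/audit/auditd.conf; then
  sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/" /etc/audit/auditd.conf
else
  echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
fi
```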
From 3afa2f4dad4de2c3d98bf9f1bdf554778f6bc33a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 14 Mar 2018 18:49:36 +0100
Subject: [PATCH 5/8] Add test scenarios for audit_rules_privileged_commands
- rules_configure pass - tests audit rules for default installation
- own_key pass - tests audit rules with custom key
- default fail - tests default installation without any configuration
- removes all rules.d fail - tests remediation when rules.d is empty
---
.../default.fail.sh | 5 ++++
.../own_key.rules | 30 ++++++++++++++++++++++
.../privileged.rules | 30 ++++++++++++++++++++++
.../remove_all_rules.d.fail.sh | 7 +++++
.../rules_configured.pass.sh | 5 ++++
.../rules_with_own_key.pass.sh | 5 ++++
6 files changed, 82 insertions(+)
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh
create mode 100644 tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh
new file mode 100644
index 0000000000..96e9f70a89
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/default.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = bash
+
+true
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules
new file mode 100644
index 0000000000..4df6d4ec8b
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/own_key.rules
@@ -0,0 +1,30 @@
+-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
+-a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k own_key
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules
new file mode 100644
index 0000000000..4eb644acbc
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/privileged.rules
@@ -0,0 +1,30 @@
+-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/locate -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh
new file mode 100644
index 0000000000..ab4dc70c93
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/remove_all_rules.d.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = bash
+
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
+true
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh
new file mode 100644
index 0000000000..1aca5a0c00
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_configured.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = bash
+
+cp privileged.rules /etc/audit/rules.d/
diff --git a/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh
new file mode 100644
index 0000000000..4fecb12817
--- /dev/null
+++ b/tests/data/group_system/group_auditing/group_auditd_configure_rules/group_audit_privileged_commands/rule_audit_rules_privileged_commands/rules_with_own_key.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_pci-dss
+# remediation = bash
+
+cp own_key.rules /etc/audit/rules.d/privileged.rules
From b00609abc38092461e9ab034ed74476772c71761 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 14 Mar 2018 18:55:56 +0100
Subject: [PATCH 6/8] Enable function perform_audit_rules to handle empty rules
directory
When /etc/audit/rules.d was empty, the remediation function would not
add any rule to the output rules file.
---
.../perform_audit_rules_privileged_commands_remediation.sh | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
index 5fac50ef07..3f48afabe3 100644
--- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
@@ -78,6 +78,15 @@ do
# presence of existing audit rule for new sbinary
local count_of_inspected_files=0
+ # Define expected rule form for this binary
+ expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged"
+
+ # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
+ if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
+ echo "$expected_rule" >> "$output_audit_file"
+ continue
+ fi
+
# For each audit rules file from the list of files to be inspected
for afile in "${files_to_inspect[@]}"
do
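Review bot: `expected_rule` on the new line is assigned without `local`, while the sibling `count_of_inspected_files` just above it is declared `local`; since this function runs from a sourced remediation library, the variable leaks into the caller's scope. Declare it with `local expected_rule` on the line before the assignment (the string itself can stay as it is). The enclosing function starts outside the hunk.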
@@ -96,9 +105,6 @@ do
# Increase the count of inspected files for this sbinary
count_of_inspected_files=$((count_of_inspected_files + 1))
- # Define expected rule form for this binary
- expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged"
-
# Require execute access type to be set for existing audit rule
exec_access='x'
@@ -155,6 +161,7 @@ do
# Current audit rules file's content doesn't contain expected rule for this
# SUID/SGID binary yet => append it
echo $expected_rule >> $output_audit_file
+ continue
fi
done
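Review bot: The added `continue` is the last statement of the loop body as far as the hunk shows (`fi`, then `done`), so it appears to be a no-op; if the intent is to stop looking at further rules files once the rule has been appended for this binary, the loop being continued is the inner `for afile` one, and advancing the outer `sbinary` loop would need `continue 2`. Either way the `echo` it follows is still unquoted, unlike the new one in the first hunk; `echo "$expected_rule" >> "$output_audit_file"` keeps the two consistent. The enclosing loops start outside the hunk, so the nesting is inferred from the visible `done`.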
From bbdbd508e3c2d60100abe533f50929748f375a2d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 19 Mar 2018 18:20:05 +0100
Subject: [PATCH 7/8] Make regexes for space_left tests consistent
---
shared/fixes/bash/auditd_data_retention_space_left.sh | 4 ++--
.../rule_auditd_data_retention_space_left/space_left.pass.sh | 5 +++--
.../space_left_not_enough.fail.sh | 2 +-
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh
index 2ed771b2d2..3cd4306aa8 100644
--- a/shared/fixes/bash/auditd_data_retention_space_left.sh
+++ b/shared/fixes/bash/auditd_data_retention_space_left.sh
@@ -2,8 +2,8 @@
. /usr/share/scap-security-guide/remediation_functions
populate var_auditd_space_left
-grep -q "^space_left[[:space:]]*=" /etc/audit/auditd.conf && \
- sed -i "s/^space_left[[:space:]]*=.*/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
+grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
+ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
if ! [ $? -eq 0 ]; then
echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
fi
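Review bot: `$var_auditd_space_left` is spliced unescaped into the `sed` replacement on the `+` line; a value containing `/`, `&` or `\` (the variable is filled by `populate`, not by code in this file) would break or rewrite the expression, so a check such as `[[ "$var_auditd_space_left" =~ ^[0-9]+$ ]]` before the substitution would make that case fail loudly instead of silently. The `/g` flag is redundant on a pattern anchored with `^…$`, and the trailing `.*$` adds nothing to the `grep -q` test, though both are harmless. The same substitution is carried into the hunk of the next commit (Chain echo command with OR).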
diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh
index 2e24c0ab86..dde1f2be94 100644
--- a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left.pass.sh
@@ -2,8 +2,9 @@
# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
# remediation = bash
-if grep -q "^space_left[[:space:]]*= " /etc/audit/auditd.conf; then
- sed -i "s/^space_left = .*$/space_left = 100/" /etc/audit/auditd.conf
+SPACE_LEFT_REGEX="^space_left[[:space:]]*=.*$"
+if grep -q "$SPACE_LEFT_REGEX" /etc/audit/auditd.conf; then
+ sed -i "s/$SPACE_LEFT_REGEX/space_left = 100/" /etc/audit/auditd.conf
else
echo "space_left = 100" >> /etc/audit/auditd.conf
fi
diff --git a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh
index 637d9a0b3f..0d1b1a3911 100644
--- a/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh
+++ b/tests/data/group_system/group_auditing/group_auditd_data_retention/rule_auditd_data_retention_space_left/space_left_not_enough.fail.sh
@@ -2,4 +2,4 @@
# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
# remediation = bash
-sed -i "s/^space_left = .*$/space_left = 15/" /etc/audit/auditd.conf
+sed -i "s/^space_left[[:space:]]*=.*$/space_left = 15/" /etc/audit/auditd.conf
From 9f1569a0a572ae4ac2fa002c622cebbc23ff5a45 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 19 Mar 2018 18:22:24 +0100
Subject: [PATCH 8/8] Chain echo command with OR
The remediation will sed or echo the config file.
---
shared/fixes/bash/auditd_data_retention_space_left.sh | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/shared/fixes/bash/auditd_data_retention_space_left.sh b/shared/fixes/bash/auditd_data_retention_space_left.sh
index 3cd4306aa8..67ab813d48 100644
--- a/shared/fixes/bash/auditd_data_retention_space_left.sh
+++ b/shared/fixes/bash/auditd_data_retention_space_left.sh
@@ -3,7 +3,5 @@
populate var_auditd_space_left
grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
- sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf
-if ! [ $? -eq 0 ]; then
- echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
-fi
+ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \
+ echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
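Review bot: `grep && sed || echo` also takes the `echo` branch when `grep` matched but `sed -i` failed (an unwritable `/etc/audit`, a temp-file error), appending a second `space_left` line beneath the untouched one instead of reporting the failure. This is the same behaviour the removed `$?` test had, but the description presents it as a plain either/or; an explicit `if`/`else` makes that intent hold and lets a `sed` failure surface as the script's status. The redundant `/g` on the anchored pattern can go at the same time.
```shell
if grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf; then
  sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/" /etc/audit/auditd.conf
else
  echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf
fi
```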
From 155b606d318d0995d094183e7278707c310172de Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 15 Mar 2018 17:23:00 +0100
Subject: [PATCH 1/7] Add tests for network_ipv6_disable_rpc
- rpc_disabled pass - correct configuration in /etc/netconfig
- default fail - default installation configuration
---
.../rule_network_ipv6_disable_rpc/default.fail.sh | 7 +++++++
.../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 7 +++++++
2 files changed, 14 insertions(+)
create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh
create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh
new file mode 100644
index 0000000000..ff0a92e368
--- /dev/null
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+# default config has rpc enabled
+true
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
new file mode 100644
index 0000000000..0349191dfb
--- /dev/null
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7
+# remediation = bash
+
+sed -i "/^tcp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
+sed -i "/^udp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
From ab07272905bfb111c7c10dae630e04019d1135b2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 15 Mar 2018 17:24:50 +0100
Subject: [PATCH 2/7] Add remediation for network_ipv6_disable_rpc
This fix script was sourced from the RHEL6 product.
---
shared/fixes/bash/network_ipv6_disable_rpc.sh | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 shared/fixes/bash/network_ipv6_disable_rpc.sh
diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh
new file mode 100644
index 0000000000..e4f738780d
--- /dev/null
+++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_rhel
+
+# Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC
+# services for NFSv4 from attempting to start IPv6 network listeners
+declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6")
+
+for rpc_entry in ${IPV6_RPC_ENTRIES[@]}
+do
+ sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
+done
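Review bot: `sed -i` runs unconditionally against `/etc/netconfig`; on a host where that file is absent (the snippet does not check that the package providing it is installed) `sed` exits non-zero and the remediation is reported as failed rather than as not applicable. Wrapping the loop in `if [ -f /etc/netconfig ]; then … fi` keeps the fix a no-op on such hosts. The rewritten loop in the later "Bash improvements" commit has the same gap.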
From f9677408a17154278b65ec9d0b4271b8399aa12a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 15 Mar 2018 19:17:15 +0100
Subject: [PATCH 3/7] Add tests for network_ipv6_privacy_extensions
- default fail - remove IPV6_PRIVACY from any ifcfg file
- ipv6_privacy_enabled pass - add IPV6_PRIVACY to all ifcfg files
---
.../rule_network_ipv6_privacy_extensions/default.fail.sh | 5 +++++
.../ipv6_privacy_enabled.pass.sh | 8 ++++++++
2 files changed, 13 insertions(+)
create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh
create mode 100644 tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh
new file mode 100644
index 0000000000..4f6cbaca7f
--- /dev/null
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/default.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+
+sed -i "/^IPV6_PRIVACY=rfc3041$/d" /etc/sysconfig/network-scripts/ifcfg-*
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
new file mode 100644
index 0000000000..90eb082745
--- /dev/null
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+
+for file in $(ls /etc/sysconfig/network-scripts/ifcfg-*)
+do
+ echo "IPV6_PRIVACY=rfc3041" >> $file
+done
From cfccf1711de2ffa9b94019ee96ff63740967ee18 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 15 Mar 2018 19:18:53 +0100
Subject: [PATCH 4/7] Add remediation for network_ipv6_privacy_extensions
- adding only bash remediation
---
shared/fixes/bash/network_ipv6_privacy_extensions.sh | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 shared/fixes/bash/network_ipv6_privacy_extensions.sh
diff --git a/shared/fixes/bash/network_ipv6_privacy_extensions.sh b/shared/fixes/bash/network_ipv6_privacy_extensions.sh
new file mode 100644
index 0000000000..b719fb471f
--- /dev/null
+++ b/shared/fixes/bash/network_ipv6_privacy_extensions.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_rhel
+
+# enable randomness in ipv6 address generation
+for interface in $(ls /etc/sysconfig/network-scripts/ifcfg-*)
+do
+ echo "IPV6_PRIVACY=rfc3041" >> $interface
+done
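Review bot: The `echo … >>` inside the loop is unconditional, so the remediation is not idempotent: every run appends another `IPV6_PRIVACY=rfc3041` line, and a file that already carries a different `IPV6_PRIVACY=` value ends up holding both. Guard the append, e.g. `grep -q "^IPV6_PRIVACY=rfc3041$" "$interface" || echo "IPV6_PRIVACY=rfc3041" >> "$interface"`, or use the replace-or-append pattern the space_left fix in this series uses. The rewritten loop in the "Bash improvements" commit keeps the same unconditional append.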
From c09b5a38d62c733260c1c29227ec3032ea26e9b1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 20 Mar 2018 16:52:12 +0100
Subject: [PATCH 5/7] Bash improvements for remdiation and tests
---
shared/fixes/bash/network_ipv6_disable_rpc.sh | 3 +--
shared/fixes/bash/network_ipv6_privacy_extensions.sh | 2 +-
.../rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh
index e4f738780d..5246e14109 100644
--- a/shared/fixes/bash/network_ipv6_disable_rpc.sh
+++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh
@@ -2,9 +2,8 @@
# Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC
# services for NFSv4 from attempting to start IPv6 network listeners
-declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6")
-for rpc_entry in ${IPV6_RPC_ENTRIES[@]}
+for rpc_entry in "tcp6" "udp6"
do
sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
done
diff --git a/shared/fixes/bash/network_ipv6_privacy_extensions.sh b/shared/fixes/bash/network_ipv6_privacy_extensions.sh
index b719fb471f..134bb3f1f9 100644
--- a/shared/fixes/bash/network_ipv6_privacy_extensions.sh
+++ b/shared/fixes/bash/network_ipv6_privacy_extensions.sh
@@ -1,7 +1,7 @@
# platform = multi_platform_rhel
# enable randomness in ipv6 address generation
-for interface in $(ls /etc/sysconfig/network-scripts/ifcfg-*)
+for interface in /etc/sysconfig/network-scripts/ifcfg-*
do
echo "IPV6_PRIVACY=rfc3041" >> $interface
done
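Review bot: With the `$(ls …)` gone, an unmatched glob now stays literal (bash's default without `nullglob`), so on a host with no `ifcfg-*` files the loop runs once with `interface=/etc/sysconfig/network-scripts/ifcfg-*` and the `>>` creates a file of that literal name. A `[ -f "$interface" ] || continue` as the first statement of the loop body avoids that, and the redirect target on the unchanged line should be quoted, `>> "$interface"`. The test in the third hunk of this commit has the same shape.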
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
index 90eb082745..0982f003c8 100644
--- a/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_configuring_ipv6/rule_network_ipv6_privacy_extensions/ipv6_privacy_enabled.pass.sh
@@ -2,7 +2,7 @@
#
# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
-for file in $(ls /etc/sysconfig/network-scripts/ifcfg-*)
+for interface in /etc/sysconfig/network-scripts/ifcfg-*
do
- echo "IPV6_PRIVACY=rfc3041" >> $file
+ echo "IPV6_PRIVACY=rfc3041" >> $interface
done
From 77890cd398db61a30f6e20add1067f77f5c0c283 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 20 Mar 2018 16:58:03 +0100
Subject: [PATCH 6/7] Remove escaped underscore
No flavor of regular expression needs to escape underscores.
---
shared/fixes/bash/network_ipv6_disable_rpc.sh | 2 +-
.../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/shared/fixes/bash/network_ipv6_disable_rpc.sh b/shared/fixes/bash/network_ipv6_disable_rpc.sh
index 5246e14109..decd74e0cc 100644
--- a/shared/fixes/bash/network_ipv6_disable_rpc.sh
+++ b/shared/fixes/bash/network_ipv6_disable_rpc.sh
@@ -5,5 +5,5 @@
for rpc_entry in "tcp6" "udp6"
do
- sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
+ sed -i "/^$rpc_entry[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig
done
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
index 0349191dfb..5ba5a77784 100644
--- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
@@ -3,5 +3,5 @@
# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7
# remediation = bash
-sed -i "/^tcp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
-sed -i "/^udp6[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig
+sed -i "/^tcp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig
+sed -i "/^udp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig
From 09eeaa1bff9c6203a5dbab18ccec89cc3458c22f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 20 Mar 2018 17:27:19 +0100
Subject: [PATCH 7/7] Remove redundant profiles in tests for ipv6_disable_rpc
---
.../group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh | 2 +-
.../rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh
index ff0a92e368..f834e3f726 100644
--- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/default.fail.sh
@@ -1,6 +1,6 @@
#!/bin/bash
#
-# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
# remediation = bash
# default config has rpc enabled
diff --git a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
index 5ba5a77784..c4bdf0a7c6 100644
--- a/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
+++ b/tests/data/group_system/group_network/group_network-ipv6/group_disabling_ipv6/rule_network_ipv6_disable_rpc/rpc_disabled.pass.sh
@@ -1,6 +1,6 @@
#!/bin/bash
#
-# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7, xccdf_org.ssgproject.content_profile_ospp-rhel7
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
# remediation = bash
sed -i "/^tcp6[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig
From 5f3ceba27b33c3f8c39ff15d894bb9c58fb1b9fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 16 Mar 2018 17:38:07 +0100
Subject: [PATCH] Change id of rule that checks for IPV6 disabled
The Rule is not following the expected pattern. The sysctl in question is
net.ipv6.conf.all.disable_ipv6, so the expected Rule id is
sysctl_net_ipv6_conf_all_disable_ipv6.
This is causing the template-generated remediation to not be picked up by the
build system.
The pattern used would be for a sysctl named kernel_ipv6_disabled, which
doesn't exist.
---
rhel7/profiles/C2S.xml | 2 +-
rhel7/profiles/ospp-rhel7.xml | 2 +-
rhel7/profiles/rht-ccp.xml | 2 +-
shared/xccdf/system/network/ipv6.xml | 6 +++---
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/rhel7/profiles/C2S.xml b/rhel7/profiles/C2S.xml
index f1798271f9..39dcf9b192 100644
--- a/rhel7/profiles/C2S.xml
+++ b/rhel7/profiles/C2S.xml
@@ -341,7 +341,7 @@ baseline.
<select idref="sysctl_net_ipv6_conf_default_accept_redirects" selected="true" />
<!-- 3.3.3 Ensure IPv6 is disabled (Not Scored) -->
-<select idref="sysctl_kernel_ipv6_disable" selected="true" />
+<select idref="sysctl_net_ipv6_conf_all_disable_ipv6" selected="true" />
<!-- 3.4 TCP Wrappers -->
<!-- 3.4.1 Ensure TCP Wrappers is installed (Scored) -->
diff --git a/rhel7/profiles/ospp-rhel7.xml b/rhel7/profiles/ospp-rhel7.xml
index 3877c57ebd..6b8a4c7f37 100644
--- a/rhel7/profiles/ospp-rhel7.xml
+++ b/rhel7/profiles/ospp-rhel7.xml
@@ -115,7 +115,7 @@ the consensus process.
<select idref="service_firewalld_enabled" selected="true" />
<select idref="set_firewalld_default_zone" selected="true" />
<select idref="firewalld_sshd_port_enabled" selected="true"/>
-<select idref="sysctl_kernel_ipv6_disable" selected="true" />
+<select idref="sysctl_net_ipv6_conf_all_disable_ipv6" selected="true" />
<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true" />
<select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true" />
<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true" />
diff --git a/rhel7/profiles/rht-ccp.xml b/rhel7/profiles/rht-ccp.xml
index 4489c4eb96..724b5245ee 100644
--- a/rhel7/profiles/rht-ccp.xml
+++ b/rhel7/profiles/rht-ccp.xml
@@ -95,7 +95,7 @@
<!-- <select idref="sysctl_kernel_randomize_va_space" selected="true"/>
<select idref="enable_execshield" selected="true"/>
-<select idref="sysctl_kernel_ipv6_disable" selected="true"/>
+<select idref="sysctl_net_ipv6_conf_all_disable_ipv6" selected="true"/>
<select idref="service_ip6tables_enabled" selected="true"/>
This requirement does not apply against Red Hat Enterprise Linux 7:
diff --git a/shared/xccdf/system/network/ipv6.xml b/shared/xccdf/system/network/ipv6.xml
index ee3e299c8d..184ee2702c 100644
--- a/shared/xccdf/system/network/ipv6.xml
+++ b/shared/xccdf/system/network/ipv6.xml
@@ -16,7 +16,7 @@ effectively prevent execution of the IPv6 networking stack is to
instruct the system not to activate the IPv6 kernel module.
</description>
-<Rule id="sysctl_kernel_ipv6_disable" severity="medium" prodtype="rhel7">
+<Rule id="sysctl_net_ipv6_conf_all_disable_ipv6" prodtype="rhel7,fedora" severity="medium">
<title>Disable IPv6 Networking Support Automatic Loading</title>
<description>To disable support for (<tt>ipv6</tt>) add the following line to
<tt>/etc/sysctl.d/ipv6.conf</tt> (or another file in
@@ -46,7 +46,7 @@ the vulnerability to exploitation.
</rationale>
<platform idref="cpe:/a:machine" />
<ident prodtype="rhel7" cce="80175-3" />
-<oval id="sysctl_kernel_ipv6_disable" />
+<oval id="sysctl_net_ipv6_conf_all_disable_ipv6" />
<ref nist="CM-7" disa="1551" cui="3.1.20" cis="3.3.3" />
</Rule>
From 9aa43188d90478ecc3a76a2595515e77d85324a1 Mon Sep 17 00:00:00 2001
From: Marek Haicman <mhaicman@redhat.com>
Date: Mon, 19 Mar 2018 19:50:41 +0100
Subject: [PATCH] Created template for partition checks.
Also part of the change is an update of the documentation: the mount_option
examples are removed and replaced with package_installed ones, since in the
hopefully near future mounts and mount_options will be merged together and we
would need to update the documentation anyway.
---
debian8/checks/oval/partition_for_home.xml | 25 ---
debian8/checks/oval/partition_for_srv.xml | 24 ---
debian8/checks/oval/partition_for_tmp.xml | 23 ---
debian8/checks/oval/partition_for_var.xml | 25 ---
debian8/checks/oval/partition_for_var_log.xml | 22 ---
.../checks/oval/partition_for_var_log_audit.xml | 26 ---
debian8/templates/csv/mount_options.csv | 5 +-
debian8/templates/csv/mounts.csv | 8 +
docs/manual/developer_guide.adoc | 188 +++++++++------------
rhel6/templates/csv/mount_options.csv | 4 +
rhel7/templates/csv/mount_options.csv | 4 +
rhel7/templates/csv/mounts.csv | 8 +
shared/checks/oval/partition_for_home.xml | 25 ---
shared/checks/oval/partition_for_tmp.xml | 23 ---
shared/checks/oval/partition_for_var.xml | 25 ---
shared/checks/oval/partition_for_var_log.xml | 22 ---
shared/checks/oval/partition_for_var_log_audit.xml | 26 ---
shared/checks/oval/partition_for_var_tmp.xml | 23 ---
shared/templates/create_mount_options.py | 5 +-
shared/templates/create_mounts.py | 40 +++++
shared/templates/template_ANACONDA_mount | 7 +
shared/templates/template_OVAL_mount | 25 +++
shared/utils/generate-from-templates.py | 2 +
sle12/templates/csv/mount_options.csv | 4 +
ubuntu14/checks/oval/partition_for_home.xml | 25 ---
ubuntu14/checks/oval/partition_for_srv.xml | 24 ---
ubuntu14/checks/oval/partition_for_tmp.xml | 23 ---
ubuntu14/checks/oval/partition_for_var.xml | 25 ---
ubuntu14/checks/oval/partition_for_var_log.xml | 22 ---
.../checks/oval/partition_for_var_log_audit.xml | 26 ---
ubuntu14/templates/csv/mount_options.csv | 17 ++
ubuntu14/templates/csv/mounts.csv | 8 +
ubuntu16/checks/oval/partition_for_home.xml | 25 ---
ubuntu16/checks/oval/partition_for_srv.xml | 24 ---
ubuntu16/checks/oval/partition_for_tmp.xml | 23 ---
ubuntu16/checks/oval/partition_for_var.xml | 25 ---
ubuntu16/checks/oval/partition_for_var_log.xml | 22 ---
.../checks/oval/partition_for_var_log_audit.xml | 26 ---
ubuntu16/templates/csv/mount_options.csv | 17 ++
ubuntu16/templates/csv/mounts.csv | 8 +
40 files changed, 242 insertions(+), 687 deletions(-)
delete mode 100644 debian8/checks/oval/partition_for_home.xml
delete mode 100644 debian8/checks/oval/partition_for_srv.xml
delete mode 100644 debian8/checks/oval/partition_for_tmp.xml
delete mode 100644 debian8/checks/oval/partition_for_var.xml
delete mode 100644 debian8/checks/oval/partition_for_var_log.xml
delete mode 100644 debian8/checks/oval/partition_for_var_log_audit.xml
create mode 100644 debian8/templates/csv/mounts.csv
create mode 100644 rhel7/templates/csv/mounts.csv
delete mode 100644 shared/checks/oval/partition_for_home.xml
delete mode 100644 shared/checks/oval/partition_for_tmp.xml
delete mode 100644 shared/checks/oval/partition_for_var.xml
delete mode 100644 shared/checks/oval/partition_for_var_log.xml
delete mode 100644 shared/checks/oval/partition_for_var_log_audit.xml
delete mode 100644 shared/checks/oval/partition_for_var_tmp.xml
create mode 100644 shared/templates/create_mounts.py
create mode 100644 shared/templates/template_ANACONDA_mount
create mode 100644 shared/templates/template_OVAL_mount
delete mode 100644 ubuntu14/checks/oval/partition_for_home.xml
delete mode 100644 ubuntu14/checks/oval/partition_for_srv.xml
delete mode 100644 ubuntu14/checks/oval/partition_for_tmp.xml
delete mode 100644 ubuntu14/checks/oval/partition_for_var.xml
delete mode 100644 ubuntu14/checks/oval/partition_for_var_log.xml
delete mode 100644 ubuntu14/checks/oval/partition_for_var_log_audit.xml
create mode 100644 ubuntu14/templates/csv/mount_options.csv
create mode 100644 ubuntu14/templates/csv/mounts.csv
delete mode 100644 ubuntu16/checks/oval/partition_for_home.xml
delete mode 100644 ubuntu16/checks/oval/partition_for_srv.xml
delete mode 100644 ubuntu16/checks/oval/partition_for_tmp.xml
delete mode 100644 ubuntu16/checks/oval/partition_for_var.xml
delete mode 100644 ubuntu16/checks/oval/partition_for_var_log.xml
delete mode 100644 ubuntu16/checks/oval/partition_for_var_log_audit.xml
create mode 100644 ubuntu16/templates/csv/mount_options.csv
create mode 100644 ubuntu16/templates/csv/mounts.csv
diff --git a/debian8/checks/oval/partition_for_home.xml b/debian8/checks/oval/partition_for_home.xml
deleted file mode 100644
index 604e807e5e..0000000000
--- a/debian8/checks/oval/partition_for_home.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_home" version="1">
- <metadata>
- <title>Ensure /home Located On Separate Partition</title>
- <affected family="unix">
- <platform>Debian 8</platform>
- </affected>
- <description>If user home directories will be stored locally, create a
- separate partition for /home. If /home will be mounted from another
- system such as an NFS server, then creating a separate partition is not
- necessary at this time, and the mountpoint can instead be configured
- later.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_home_partition" comment="/home on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_home_partition" version="1" comment="/home on own partition">
- <linux:object object_ref="object_mount_home_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_home_own_partition" version="1">
- <linux:mount_point>/home</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/debian8/checks/oval/partition_for_srv.xml b/debian8/checks/oval/partition_for_srv.xml
deleted file mode 100644
index ffb8290575..0000000000
--- a/debian8/checks/oval/partition_for_srv.xml
+++ /dev/null
@@ -1,24 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_srv" version="1">
- <metadata>
- <title>Ensure /srv Located On Separate Partition</title>
- <affected family="unix">
- <platform>Debian 8</platform>
- </affected>
- <description>If a file server (FTP, TFTP...) is hosted locally, create a separate partition
- for /srv at installation time (or migrate it later using LVM). If
- /srv will be mounted from another system such as an NFS server, then
- creating a separate partition is not necessary at installation time, and the
- mountpoint can instead be configured later.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_srv_partition" comment="/srv on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist" id="test_srv_partition" version="1" comment="/srv on own partition">
- <linux:object object_ref="object_mount_srv_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_srv_own_partition" version="1">
- <linux:mount_point>/srv</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/debian8/checks/oval/partition_for_tmp.xml b/debian8/checks/oval/partition_for_tmp.xml
deleted file mode 100644
index 04d9dff83b..0000000000
--- a/debian8/checks/oval/partition_for_tmp.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_tmp" version="1">
- <metadata>
- <title>Ensure /tmp Located On Separate Partition</title>
- <affected family="unix">
- <platform>Debian 8</platform>
- </affected>
- <description>The /tmp directory is a world-writable directory used for
- temporary file storage. Verify that it has its own partition or logical
- volume.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_tmp_partition" comment="/tmp on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_tmp_partition" version="1" comment="/tmp on own partition">
- <linux:object object_ref="object_own_tmp_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_own_tmp_partition" version="1">
- <linux:mount_point>/tmp</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/debian8/checks/oval/partition_for_var.xml b/debian8/checks/oval/partition_for_var.xml
deleted file mode 100644
index 58bb6f1d18..0000000000
--- a/debian8/checks/oval/partition_for_var.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var" version="1">
- <metadata>
- <title>Ensure /var Located On Separate Partition</title>
- <affected family="unix">
- <platform>Debian 8</platform>
- </affected>
- <description>Ensuring that /var is mounted on its own partition enables
- the setting of more restrictive mount options, which is used as temporary
- storage by many program, particularly system services such as daemons. It
- is not uncommon for the /var directory to contain world-writable
- directories, installed by other software packages.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_partition" comment="/var on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_partition" version="1" comment="/var on own partition">
- <linux:object object_ref="object_mount_var_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_own_partition" version="1">
- <linux:mount_point>/var</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/debian8/checks/oval/partition_for_var_log.xml b/debian8/checks/oval/partition_for_var_log.xml
deleted file mode 100644
index df5d586e99..0000000000
--- a/debian8/checks/oval/partition_for_var_log.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var_log" version="1">
- <metadata>
- <title>Ensure /var/log Located On Separate Partition</title>
- <affected family="unix">
- <platform>Debian 8</platform>
- </affected>
- <description>System logs are stored in the /var/log directory. Ensure
- that it has its own partition or logical volume.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_log_partition" comment="/var/log on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_log_partition" version="1" comment="/var/log on own partition">
- <linux:object object_ref="object_mount_var_log_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_log_own_partition" version="1">
- <linux:mount_point>/var/log</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/debian8/checks/oval/partition_for_var_log_audit.xml b/debian8/checks/oval/partition_for_var_log_audit.xml
deleted file mode 100644
index 7d7785ad2a..0000000000
--- a/debian8/checks/oval/partition_for_var_log_audit.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var_log_audit" version="1">
- <metadata>
- <title>Ensure /var/log/audit Located On Separate Partition</title>
- <affected family="unix">
- <platform>Debian 8</platform>
- </affected>
- <description>Audit logs are stored in the /var/log/audit directory.
- Ensure that it has its own partition or logical volume. Make absolutely
- certain that it is large enough to store all audit logs that will be
- created by the auditing daemon.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_log_audit_partition" comment="/var/log/audit on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_log_audit_partition" version="1"
- comment="check for /var/log/audit partition">
- <linux:object object_ref="object_mount_var_log_audit_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_log_audit_own_partition"
- version="1">
- <linux:mount_point>/var/log/audit</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/debian8/templates/csv/mount_options.csv b/debian8/templates/csv/mount_options.csv
index 41864bc172..543d0aa96a 100644
--- a/debian8/templates/csv/mount_options.csv
+++ b/debian8/templates/csv/mount_options.csv
@@ -1,4 +1,7 @@
-# mountpoint options that should be set
+# format:
+# <mount_point>,<mount_option> - mounted with specified option. for more than
+# one option, use multiple lines with the same
+# <mount_point>
/home,nosuid
/home,nodev
/var/log,nosuid
diff --git a/debian8/templates/csv/mounts.csv b/debian8/templates/csv/mounts.csv
new file mode 100644
index 0000000000..0fbb4af649
--- /dev/null
+++ b/debian8/templates/csv/mounts.csv
@@ -0,0 +1,8 @@
+# format:
+# <mount_point> - this means <mount_point> on separate partition
+/home
+/srv
+/tmp
+/var
+/var/log
+/var/log/audit
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
index ed29baff26..51fe330029 100644
--- a/docs/manual/developer_guide.adoc
+++ b/docs/manual/developer_guide.adoc
@@ -750,92 +750,70 @@ In order to use this mechanism, you have to:
1) Create the template files, one for each type of file. Each one should be named `template_<TYPE>_<NAME>`. Where `<TYPE>` should be OVAL, ANSIBLE, BASH, ANACONDA or PUPPET and `<NAME>` is the what we will call hereafter the template name.
Use variables where appropriate. Variables must be surrounded by the symbol % and be uppercase, like `%NAME%` or `%PATH_TO_FILE%`.
-This is an example of an OVAL template file called _template_OVAL_mount_options_
+This is an example of an OVAL template file called _template_OVAL_package_installed_
[source,xml]
----
<def-group>
- <definition class="compliance" id="mount_option%POINTID%_%MOUNTOPTION%" version="1">
+ <definition class="compliance" id="package_%PKGNAME%_installed"
+ version="1">
<metadata>
- <title>Add %MOUNTOPTION% Option to %MOUNTPOINT%</title>
+ <title>Package %PKGNAME% Installed</title>
<affected family="unix">
- <platform>multi_platform_all</platform>
+ <platform>Red Hat Enterprise Linux 7</platform>
</affected>
- <description>%MOUNTPOINT% should be mounted with mount option %MOUNTOPTION%.</description>
+ <description>The RPM package %PKGNAME% should be installed.</description>
</metadata>
<criteria>
- <criterion comment="%MOUNTOPTION% on %MOUNTPOINT%" test_ref="test%POINTID%_partition_%MOUNTOPTION%" />
+ <criterion comment="package %PKGNAME% is installed"
+ test_ref="test_package_%PKGNAME%_installed" />
</criteria>
</definition>
-
- <linux:partition_test check="all" check_existence="all_exist"
- id="test%POINTID%_partition_%MOUNTOPTION%" version="1" comment="%MOUNTOPTION% on %MOUNTPOINT%">
- <linux:object object_ref="object%POINTID%_partition_%MOUNTOPTION%" />
- <linux:state state_ref="state%POINTID%_partition_%MOUNTOPTION%" />
- </linux:partition_test>
- <linux:partition_object id="object%POINTID%_partition_%MOUNTOPTION%" version="1">
- <linux:mount_point>%MOUNTPOINT%</linux:mount_point>
- </linux:partition_object>
- <linux:partition_state id="state%POINTID%_partition_%MOUNTOPTION%" version="1">
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">%MOUNTOPTION%</linux:mount_options>
- </linux:partition_state>
+ <linux:rpminfo_test check="all" check_existence="all_exist"
+ id="test_package_%PKGNAME%_installed" version="1"
+ comment="package %PKGNAME% is installed">
+ <linux:object object_ref="obj_package_%PKGNAME%_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_package_%PKGNAME%_installed" version="1">
+ <linux:name>%PKGNAME%</linux:name>
+ </linux:rpminfo_object>
</def-group>
----
-And here is the Ansible template file called template_ANSIBLE_mount_options:
+And here is the Ansible template file called _template_ANSIBLE_package_installed_:
[source,yml]
----
# platform = multi_platform_all
# reboot = false
-# strategy = configure
+# strategy = enable
# complexity = low
-# disruption = high
-- name: "get back device associated to mountpoint"
- shell: mount | grep ' %MOUNTPOINT% ' |cut -d ' ' -f 1
- register: device_name
- check_mode: no
- tags:
- @ANSIBLE_TAGS@
-
-- name: "get back device previous mount option"
- shell: mount | grep ' %MOUNTPOINT% ' | sed -re 's:.*\((.*)\):\1:'
- register: device_cur_mountoption
- check_mode: no
- tags:
- @ANSIBLE_TAGS@
-
-- name: "get back device fstype"
- shell: mount | grep ' %MOUNTPOINT% ' | cut -d ' ' -f 5
- register: device_fstype
- check_mode: no
- tags:
- @ANSIBLE_TAGS@
-
-- name: "Ensure permission %MOUNTOPTION% are set on %MOUNTPOINT%"
- mount:
- path: "%MOUNTPOINT%"
- src: "{{device_name.stdout}}"
- opts: "{{device_cur_mountoption.stdout}},%MOUNTOPTION%"
- state: "mounted"
- fstype: "{{device_fstype.stdout}}"
+# disruption = low
+- name: Ensure %PKGNAME% is installed
+ package:
+ name="{{item}}"
+ state=present
+ with_items:
+ - %PKGNAME%
tags:
@ANSIBLE_TAGS@
----
2) Create a csv (comma-separated-values) file in the _/template/csv_ directory with the same name of the template followed by the extension _.csv_. It should contain all the instances you want to generate from the template, one per line. Use the line to supply values to the variables.
-This is the file mount_options.csv
+This is the file packages_installed.csv
[source,csv]
----
-/dev/shm,nodev
-/dev/shm,noexec
-/dev/shm,nosuid
-/home,nosuid
-/tmp,nodev
-/tmp,noexec
-/tmp,nosuid
+aide
+audit
+chrony
+cronie
+dconf
+firewalld
+esc
+irqbalance
+#kernel-PAE
----
3) Create a python file containing the generator class. The name of the file should start with _create__ and then be followed by the template name and the extension _.py_. The generator class name should also be the template name, in Camel case, followed by _Generator_.
@@ -844,60 +822,60 @@ You have to define the function _generate(self, target, argv)_, where the second
Inside the _generate_ function, you must call the other function _file_from_template_ passing as parameter one of the template files you've created, the variables you've defined and their values, and the name of the output file, that should be named in the same manner as if it was created manually.
-This is the file with the generator class for the mount_options template, it's called create_mount_options.py:
+This is the file with the generator class for the installed package template, it's called create_package_installed.py:
[source,python]
----
#
-# create_mount_options.py
-# generate template-based checks for partition mount rights
-
-import re
+# create_package_installed.py
+# automatically generate checks for installed packages
+#
from template_common import FilesGenerator, UnknownTargetError
-class MountOptionsGenerator(FilesGenerator):
- def generate(self, target, path_info):
- mount_point, mount_option = path_info
- point_id = re.sub('[-\./]', '_', mount_point)
- if mount_point:
- if target == "ansible":
- self.file_from_template(
- "./template_ANSIBLE_mount_options",
- {
- "%MOUNTPOINT%": mount_point,
- "%MOUNTOPTION%": re.sub(' ', ',', mount_option),
- },
- "./ansible/mount_option{0}.yml", point_id + '_' + mount_option
- )
-
- elif target == "anaconda":
- self.file_from_template(
- "./template_ANACONDA_mount_options",
- {
- "%MOUNTPOINT%": mount_point,
- "%MOUNTOPTION%": re.sub(' ', ',', mount_option),
- },
- "./anaconda/mount_option{0}.anaconda", point_id + '_' + mount_option
- )
-
- elif target == "oval":
- self.file_from_template(
- "./template_OVAL_mount_options",
- {
- "%MOUNTPOINT%": mount_point,
- "%MOUNTOPTION%": mount_option,
- "%POINTID%": point_id,
- },
- "./oval/mount_option{0}.xml", point_id + "_" + mount_option
- )
- else:
- raise UnknownTargetError(target)
-
- def csv_format(self):
- return("CSV should contains lines of the format: "
- "mount_point,mount_option,[mount_option]+")
+class PackageInstalledGenerator(FilesGenerator):
+ def generate(self, target, package_info):
+ pkgname = package_info[0]
+ if not pkgname:
+ raise RuntimeError(
+ "ERROR: input violation: the package name must be defined")
+
+ if target == "oval":
+ self.file_from_template(
+ "./template_OVAL_package_installed",
+ {"%PKGNAME%": pkgname},
+ "./oval/package_{0}_installed.xml", pkgname
+ )
+
+ elif target == "bash":
+ self.file_from_template(
+ "./template_BASH_package_installed",
+ {"%PKGNAME%": pkgname},
+ "./bash/package_{0}_installed.sh", pkgname
+ )
+
+ elif target == "ansible":
+ self.file_from_template(
+ "./template_ANSIBLE_package_installed",
+ {"%PKGNAME%": pkgname},
+ "./ansible/package_{0}_installed.yml", pkgname
+ )
+
+ elif target == "anaconda":
+ self.file_from_template(
+ "./template_ANACONDA_package_installed",
+ {"%PKGNAME%": pkgname},
+ "./anaconda/package_{0}_installed.anaconda", pkgname
+ )
+
+ elif target == "puppet":
+ self.file_from_template(
+ "./template_PUPPET_package_installed",
+ {"%PKGNAME%": pkgname},
+ "./puppet/package_{0}_installed.pp", pkgname
+ )
+
----
4) Finally, you have to ensure the SSG knows your template. To do that, you have to edit the file _shared/utils/generate-from-template.py_ and include the generator class you've just created and declare which csv file to use along with it.
@@ -910,14 +888,14 @@ This is an example of a patch to add a new template into the templating system:
from create_sysctl import SysctlGenerator
from create_services_disabled import ServiceDisabledGenerator
from create_services_enabled import ServiceEnabledGenerator
-+from create_mount_options import MountOptionsGenerator
++from create_package_installed import PackageInstalledGenerator
@@ -43,6 +44,7 @@ def __init__(self):
"sysctl_values.csv": SysctlGenerator(),
"services_disabled.csv": ServiceDisabledGenerator(),
"services_disabled.csv": ServiceDisabledGenerator(),
"services_enabled.csv": ServiceEnabledGenerator(),
-+ "mount_options.csv": MountOptionsGenerator(),
++ "packages_installed.csv": PackageInstalledGenerator(),
}
self.supported_ovals = ["oval_5.10"]
----
diff --git a/rhel6/templates/csv/mount_options.csv b/rhel6/templates/csv/mount_options.csv
index 18dbb080d1..826097f00e 100644
--- a/rhel6/templates/csv/mount_options.csv
+++ b/rhel6/templates/csv/mount_options.csv
@@ -1,3 +1,7 @@
+# format:
+# <mount_point>,<mount_option> - mounted with specified option. for more than
+# one option, use multiple lines with the same
+# <mount_point>
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/rhel7/templates/csv/mount_options.csv b/rhel7/templates/csv/mount_options.csv
index e6c492b048..cc66455b7d 100644
--- a/rhel7/templates/csv/mount_options.csv
+++ b/rhel7/templates/csv/mount_options.csv
@@ -1,3 +1,7 @@
+# format:
+# <mount_point>,<mount_option> - mounted with specified option. for more than
+# one option, use multiple lines with the same
+# <mount_point>
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/rhel7/templates/csv/mounts.csv b/rhel7/templates/csv/mounts.csv
new file mode 100644
index 0000000000..e2d172d038
--- /dev/null
+++ b/rhel7/templates/csv/mounts.csv
@@ -0,0 +1,8 @@
+# format:
+# <mount_point> - this means <mount_point> on separate partition
+/home
+/tmp
+/var
+/var/log
+/var/log/audit
+/var/tmp
diff --git a/shared/checks/oval/partition_for_home.xml b/shared/checks/oval/partition_for_home.xml
deleted file mode 100644
index b7ec338780..0000000000
--- a/shared/checks/oval/partition_for_home.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_home" version="1">
- <metadata>
- <title>Ensure /home Located On Separate Partition</title>
- <affected family="unix">
- <platform>multi_platform_rhel</platform>
- </affected>
- <description>If user home directories will be stored locally, create a
- separate partition for /home. If /home will be mounted from another
- system such as an NFS server, then creating a separate partition is not
- necessary at this time, and the mountpoint can instead be configured
- later.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_home_partition" comment="/home on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_home_partition" version="1" comment="/home on own partition">
- <linux:object object_ref="object_mount_home_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_home_own_partition" version="1">
- <linux:mount_point>/home</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/shared/checks/oval/partition_for_tmp.xml b/shared/checks/oval/partition_for_tmp.xml
deleted file mode 100644
index 97456cda14..0000000000
--- a/shared/checks/oval/partition_for_tmp.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_tmp" version="1">
- <metadata>
- <title>Ensure /tmp Located On Separate Partition</title>
- <affected family="unix">
- <platform>multi_platform_rhel</platform>
- </affected>
- <description>The /tmp directory is a world-writable directory used for
- temporary file storage. Verify that it has its own partition or logical
- volume.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_tmp_partition" comment="/tmp on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_tmp_partition" version="1" comment="/tmp on own partition">
- <linux:object object_ref="object_own_tmp_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_own_tmp_partition" version="1">
- <linux:mount_point>/tmp</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/shared/checks/oval/partition_for_var.xml b/shared/checks/oval/partition_for_var.xml
deleted file mode 100644
index 54464b37da..0000000000
--- a/shared/checks/oval/partition_for_var.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var" version="1">
- <metadata>
- <title>Ensure /var Located On Separate Partition</title>
- <affected family="unix">
- <platform>multi_platform_rhel</platform>
- </affected>
- <description>Ensuring that /var is mounted on its own partition enables
- the setting of more restrictive mount options, which is used as temporary
- storage by many program, particularly system services such as daemons. It
- is not uncommon for the /var directory to contain world-writable
- directories, installed by other software packages.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_partition" comment="/var on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_partition" version="1" comment="/var on own partition">
- <linux:object object_ref="object_mount_var_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_own_partition" version="1">
- <linux:mount_point>/var</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/shared/checks/oval/partition_for_var_log.xml b/shared/checks/oval/partition_for_var_log.xml
deleted file mode 100644
index 39d1854266..0000000000
--- a/shared/checks/oval/partition_for_var_log.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var_log" version="1">
- <metadata>
- <title>Ensure /var/log Located On Separate Partition</title>
- <affected family="unix">
- <platform>multi_platform_rhel</platform>
- </affected>
- <description>System logs are stored in the /var/log directory. Ensure
- that it has its own partition or logical volume.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_log_partition" comment="/var/log on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_log_partition" version="1" comment="/var/log on own partition">
- <linux:object object_ref="object_mount_var_log_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_log_own_partition" version="1">
- <linux:mount_point>/var/log</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/shared/checks/oval/partition_for_var_log_audit.xml b/shared/checks/oval/partition_for_var_log_audit.xml
deleted file mode 100644
index 77688a6619..0000000000
--- a/shared/checks/oval/partition_for_var_log_audit.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var_log_audit" version="1">
- <metadata>
- <title>Ensure /var/log/audit Located On Separate Partition</title>
- <affected family="unix">
- <platform>multi_platform_rhel</platform>
- </affected>
- <description>Audit logs are stored in the /var/log/audit directory.
- Ensure that it has its own partition or logical volume. Make absolutely
- certain that it is large enough to store all audit logs that will be
- created by the auditing daemon.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_log_audit_partition" comment="/var/log/audit on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_log_audit_partition" version="1"
- comment="check for /var/log/audit partition">
- <linux:object object_ref="object_mount_var_log_audit_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_log_audit_own_partition"
- version="1">
- <linux:mount_point>/var/log/audit</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/shared/checks/oval/partition_for_var_tmp.xml b/shared/checks/oval/partition_for_var_tmp.xml
deleted file mode 100644
index c28914c42d..0000000000
--- a/shared/checks/oval/partition_for_var_tmp.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var_tmp" version="1">
- <metadata>
- <title>Ensure /var/tmp Located On Separate Partition</title>
- <affected family="unix">
- <platform>multi_platform_rhel</platform>
- </affected>
- <description>The /var/tmp directory is a world-writable directory used for
- temporary file storage. Verify that it has its own partition or logical
- volume.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_tmp_partition" comment="/var/tmp on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_tmp_partition" version="1" comment="/var/tmp on own partition">
- <linux:object object_ref="object_own_var_tmp_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_own_var_tmp_partition" version="1">
- <linux:mount_point>/var/tmp</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/shared/templates/create_mount_options.py b/shared/templates/create_mount_options.py
index bd491de89a..71d9cda119 100644
--- a/shared/templates/create_mount_options.py
+++ b/shared/templates/create_mount_options.py
@@ -1,6 +1,7 @@
#
-# create_mount_options.py
-# generate template-based checks for partition mount rights
+# create_mounts.py
+# generate template-based checks for partitions and partition
+# mount rights
import re
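Review bot: The replacement header comment names `create_mounts.py` in a file that is still `create_mount_options.py`, so the two added lines read like a copy of the new file's header rather than an intentional change, and the module now describes itself as the "partitions" generator it is not. Keep the file's own name on the first comment line, `# create_mount_options.py`, and keep its original purpose line `# generate template-based checks for partition mount rights` (or narrow it to "mount options" now that separate-partition checks live in create_mounts.py).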
diff --git a/shared/templates/create_mounts.py b/shared/templates/create_mounts.py
new file mode 100644
index 0000000000..1553aafbd1
--- /dev/null
+++ b/shared/templates/create_mounts.py
@@ -0,0 +1,40 @@
+#
+# create_mounts.py
+# generate template-based checks for partitions and partition
+# mount rights
+
+
+import re
+
+from template_common import FilesGenerator, UnknownTargetError
+
+
+class MountsGenerator(FilesGenerator):
+ def generate(self, target, path_info):
+ mount_point, = path_info
+ point_id = re.sub('[-\./]', '_', mount_point)
+ if mount_point:
+ if target == "anaconda":
+ self.file_from_template(
+ "./template_ANACONDA_mount",
+ {
+ "%MOUNTPOINT%": mount_point,
+ },
+ "./anaconda/partition_for{0}.anaconda", point_id
+ )
+
+ elif target == "oval":
+ self.file_from_template(
+ "./template_OVAL_mount",
+ {
+ "%MOUNTPOINT%": mount_point,
+ "%POINTID%": point_id,
+ },
+ "./oval/partition_for{0}.xml", point_id
+ )
+ else:
+ raise UnknownTargetError(target)
+
+ def csv_format(self):
+ return("CSV should contains lines of the format: "
+ "mount_point")
diff --git a/shared/templates/template_ANACONDA_mount b/shared/templates/template_ANACONDA_mount
new file mode 100644
index 0000000000..d215fd9442
--- /dev/null
+++ b/shared/templates/template_ANACONDA_mount
@@ -0,0 +1,7 @@
+# platform = Red Hat Enterprise Linux 7, multi_platform_fedora
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = high
+
+part %MOUNTPOINT%
diff --git a/shared/templates/template_OVAL_mount b/shared/templates/template_OVAL_mount
new file mode 100644
index 0000000000..637f0358e7
--- /dev/null
+++ b/shared/templates/template_OVAL_mount
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="partition_for%POINTID%" version="1">
+ <metadata>
+ <title>Ensure %MOUNTPOINT% Located On Separate Partition</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>If stored locally, create a separate partition for
+ %MOUNTPOINT%. If %MOUNTPOINT% will be mounted from another
+ system such as an NFS server, then creating a separate partition is not
+ necessary at this time, and the mountpoint can instead be configured
+ later.</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="test%POINTID%_partition" comment="%MOUNTPOINT% on own partition" />
+ </criteria>
+ </definition>
+ <linux:partition_test check="all" check_existence="all_exist"
+ id="test%POINTID%_partition" version="1" comment="%MOUNTPOINT% on own partition">
+ <linux:object object_ref="object_mount%POINTID%_own_partition" />
+ </linux:partition_test>
+ <linux:partition_object id="object_mount%POINTID%_own_partition" version="1">
+ <linux:mount_point>%MOUNTPOINT%</linux:mount_point>
+ </linux:partition_object>
+</def-group>
diff --git a/shared/utils/generate-from-templates.py b/shared/utils/generate-from-templates.py
index a93bc2db5d..30fc68092b 100755
--- a/shared/utils/generate-from-templates.py
+++ b/shared/utils/generate-from-templates.py
@@ -10,6 +10,7 @@
from create_accounts_password import AccountsPasswordGenerator
from create_kernel_modules_disabled import KernelModulesDisabledGenerator
+from create_mounts import MountsGenerator
from create_mount_options import MountOptionsGenerator
from create_package_installed import PackageInstalledGenerator
from create_package_removed import PackageRemovedGenerator
@@ -45,6 +46,7 @@ def __init__(self):
"kernel_modules_disabled.csv": KernelModulesDisabledGenerator(),
"file_dir_permissions.csv": PermissionGenerator(),
"accounts_password.csv": AccountsPasswordGenerator(),
+ "mounts.csv": MountsGenerator(),
"mount_options.csv": MountOptionsGenerator(),
"selinux_booleans.csv": SEBoolGenerator(),
"audit_rules_dac_modification.csv": AuditRulesDacModificationGenerator(),
diff --git a/sle12/templates/csv/mount_options.csv b/sle12/templates/csv/mount_options.csv
index e6c492b048..cc66455b7d 100644
--- a/sle12/templates/csv/mount_options.csv
+++ b/sle12/templates/csv/mount_options.csv
@@ -1,3 +1,7 @@
+# format:
+# <mount_point>,<mount_option> - mounted with specified option. for more than
+# one option, use multiple lines with the same
+# <mount_point>
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/ubuntu14/checks/oval/partition_for_home.xml b/ubuntu14/checks/oval/partition_for_home.xml
deleted file mode 100644
index 73afba67d0..0000000000
--- a/ubuntu14/checks/oval/partition_for_home.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_home" version="1">
- <metadata>
- <title>Ensure /home Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1404</platform>
- </affected>
- <description>If user home directories will be stored locally, create a
- separate partition for /home. If /home will be mounted from another
- system such as an NFS server, then creating a separate partition is not
- necessary at this time, and the mountpoint can instead be configured
- later.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_home_partition" comment="/home on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_home_partition" version="1" comment="/home on own partition">
- <linux:object object_ref="object_mount_home_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_home_own_partition" version="1">
- <linux:mount_point>/home</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu14/checks/oval/partition_for_srv.xml b/ubuntu14/checks/oval/partition_for_srv.xml
deleted file mode 100644
index f5f5c3f05d..0000000000
--- a/ubuntu14/checks/oval/partition_for_srv.xml
+++ /dev/null
@@ -1,24 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_srv" version="1">
- <metadata>
- <title>Ensure /srv Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1404</platform>
- </affected>
- <description>If a file server (FTP, TFTP...) is hosted locally, create a separate partition
- for /srv at installation time (or migrate it later using LVM). If
- /srv will be mounted from another system such as an NFS server, then
- creating a separate partition is not necessary at installation time, and the
- mountpoint can instead be configured later.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_srv_partition" comment="/srv on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist" id="test_srv_partition" version="1" comment="/srv on own partition">
- <linux:object object_ref="object_mount_srv_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_srv_own_partition" version="1">
- <linux:mount_point>/srv</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu14/checks/oval/partition_for_tmp.xml b/ubuntu14/checks/oval/partition_for_tmp.xml
deleted file mode 100644
index 72065225ce..0000000000
--- a/ubuntu14/checks/oval/partition_for_tmp.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_tmp" version="1">
- <metadata>
- <title>Ensure /tmp Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1404</platform>
- </affected>
- <description>The /tmp directory is a world-writable directory used for
- temporary file storage. Verify that it has its own partition or logical
- volume.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_tmp_partition" comment="/tmp on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_tmp_partition" version="1" comment="/tmp on own partition">
- <linux:object object_ref="object_own_tmp_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_own_tmp_partition" version="1">
- <linux:mount_point>/tmp</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu14/checks/oval/partition_for_var.xml b/ubuntu14/checks/oval/partition_for_var.xml
deleted file mode 100644
index 3c260d7aac..0000000000
--- a/ubuntu14/checks/oval/partition_for_var.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var" version="1">
- <metadata>
- <title>Ensure /var Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1404</platform>
- </affected>
- <description>Ensuring that /var is mounted on its own partition enables
- the setting of more restrictive mount options, which is used as temporary
- storage by many program, particularly system services such as daemons. It
- is not uncommon for the /var directory to contain world-writable
- directories, installed by other software packages.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_partition" comment="/var on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_partition" version="1" comment="/var on own partition">
- <linux:object object_ref="object_mount_var_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_own_partition" version="1">
- <linux:mount_point>/var</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu14/checks/oval/partition_for_var_log.xml b/ubuntu14/checks/oval/partition_for_var_log.xml
deleted file mode 100644
index 5bac27c58d..0000000000
--- a/ubuntu14/checks/oval/partition_for_var_log.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var_log" version="1">
- <metadata>
- <title>Ensure /var/log Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1404</platform>
- </affected>
- <description>System logs are stored in the /var/log directory. Ensure
- that it has its own partition or logical volume.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_log_partition" comment="/var/log on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_log_partition" version="1" comment="/var/log on own partition">
- <linux:object object_ref="object_mount_var_log_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_log_own_partition" version="1">
- <linux:mount_point>/var/log</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu14/checks/oval/partition_for_var_log_audit.xml b/ubuntu14/checks/oval/partition_for_var_log_audit.xml
deleted file mode 100644
index c12988e369..0000000000
--- a/ubuntu14/checks/oval/partition_for_var_log_audit.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var_log_audit" version="1">
- <metadata>
- <title>Ensure /var/log/audit Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1404</platform>
- </affected>
- <description>Audit logs are stored in the /var/log/audit directory.
- Ensure that it has its own partition or logical volume. Make absolutely
- certain that it is large enough to store all audit logs that will be
- created by the auditing daemon.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_log_audit_partition" comment="/var/log/audit on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_log_audit_partition" version="1"
- comment="check for /var/log/audit partition">
- <linux:object object_ref="object_mount_var_log_audit_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_log_audit_own_partition"
- version="1">
- <linux:mount_point>/var/log/audit</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu14/templates/csv/mount_options.csv b/ubuntu14/templates/csv/mount_options.csv
new file mode 100644
index 0000000000..543d0aa96a
--- /dev/null
+++ b/ubuntu14/templates/csv/mount_options.csv
@@ -0,0 +1,17 @@
+# format:
+# <mount_point>,<mount_option> - mounted with specified option. for more than
+# one option, use multiple lines with the same
+# <mount_point>
+/home,nosuid
+/home,nodev
+/var/log,nosuid
+/var/log,nodev
+/var/log,noexec
+/var/lib,nodev
+/var/lib,nosuid
+/var,nosuid
+/var,nodev
+/var,noexec
+/tmp,nodev
+/tmp,nosuid
+/usr,nodev
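Review bot: ubuntu14/templates/csv/mount_options.csv lists `/var/lib` and `/usr`, but the companion mounts.csv (`/home`, `/srv`, `/tmp`, `/var`, `/var/log`, `/var/log/audit`) does not require either of them to be a separate partition, so the generated mount-option checks for those two paths will presumably fail on any host where `/var/lib` and `/usr` live on the root filesystem. Either add them to mounts.csv or drop them from mount_options.csv so the two files describe one consistent layout; the same applies to ubuntu16/templates/csv/mount_options.csv.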
diff --git a/ubuntu14/templates/csv/mounts.csv b/ubuntu14/templates/csv/mounts.csv
new file mode 100644
index 0000000000..0fbb4af649
--- /dev/null
+++ b/ubuntu14/templates/csv/mounts.csv
@@ -0,0 +1,8 @@
+# format:
+# <mount_point> - this means <mount_point> on separate partition
+/home
+/srv
+/tmp
+/var
+/var/log
+/var/log/audit
diff --git a/ubuntu16/checks/oval/partition_for_home.xml b/ubuntu16/checks/oval/partition_for_home.xml
deleted file mode 100644
index 9c3a46256c..0000000000
--- a/ubuntu16/checks/oval/partition_for_home.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_home" version="1">
- <metadata>
- <title>Ensure /home Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1604</platform>
- </affected>
- <description>If user home directories will be stored locally, create a
- separate partition for /home. If /home will be mounted from another
- system such as an NFS server, then creating a separate partition is not
- necessary at this time, and the mountpoint can instead be configured
- later.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_home_partition" comment="/home on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_home_partition" version="1" comment="/home on own partition">
- <linux:object object_ref="object_mount_home_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_home_own_partition" version="1">
- <linux:mount_point>/home</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu16/checks/oval/partition_for_srv.xml b/ubuntu16/checks/oval/partition_for_srv.xml
deleted file mode 100644
index 84fe8a0da7..0000000000
--- a/ubuntu16/checks/oval/partition_for_srv.xml
+++ /dev/null
@@ -1,24 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_srv" version="1">
- <metadata>
- <title>Ensure /srv Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1604</platform>
- </affected>
- <description>If a file server (FTP, TFTP...) is hosted locally, create a separate partition
- for /srv at installation time (or migrate it later using LVM). If
- /srv will be mounted from another system such as an NFS server, then
- creating a separate partition is not necessary at installation time, and the
- mountpoint can instead be configured later.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_srv_partition" comment="/srv on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist" id="test_srv_partition" version="1" comment="/srv on own partition">
- <linux:object object_ref="object_mount_srv_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_srv_own_partition" version="1">
- <linux:mount_point>/srv</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu16/checks/oval/partition_for_tmp.xml b/ubuntu16/checks/oval/partition_for_tmp.xml
deleted file mode 100644
index cf27072e34..0000000000
--- a/ubuntu16/checks/oval/partition_for_tmp.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_tmp" version="1">
- <metadata>
- <title>Ensure /tmp Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1604</platform>
- </affected>
- <description>The /tmp directory is a world-writable directory used for
- temporary file storage. Verify that it has its own partition or logical
- volume.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_tmp_partition" comment="/tmp on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_tmp_partition" version="1" comment="/tmp on own partition">
- <linux:object object_ref="object_own_tmp_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_own_tmp_partition" version="1">
- <linux:mount_point>/tmp</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu16/checks/oval/partition_for_var.xml b/ubuntu16/checks/oval/partition_for_var.xml
deleted file mode 100644
index d6c96b4fbf..0000000000
--- a/ubuntu16/checks/oval/partition_for_var.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var" version="1">
- <metadata>
- <title>Ensure /var Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1604</platform>
- </affected>
- <description>Ensuring that /var is mounted on its own partition enables
- the setting of more restrictive mount options, which is used as temporary
- storage by many program, particularly system services such as daemons. It
- is not uncommon for the /var directory to contain world-writable
- directories, installed by other software packages.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_partition" comment="/var on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_partition" version="1" comment="/var on own partition">
- <linux:object object_ref="object_mount_var_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_own_partition" version="1">
- <linux:mount_point>/var</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu16/checks/oval/partition_for_var_log.xml b/ubuntu16/checks/oval/partition_for_var_log.xml
deleted file mode 100644
index e1bb9f06a9..0000000000
--- a/ubuntu16/checks/oval/partition_for_var_log.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var_log" version="1">
- <metadata>
- <title>Ensure /var/log Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1604</platform>
- </affected>
- <description>System logs are stored in the /var/log directory. Ensure
- that it has its own partition or logical volume.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_log_partition" comment="/var/log on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_log_partition" version="1" comment="/var/log on own partition">
- <linux:object object_ref="object_mount_var_log_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_log_own_partition" version="1">
- <linux:mount_point>/var/log</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu16/checks/oval/partition_for_var_log_audit.xml b/ubuntu16/checks/oval/partition_for_var_log_audit.xml
deleted file mode 100644
index da9ec9f416..0000000000
--- a/ubuntu16/checks/oval/partition_for_var_log_audit.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<def-group>
- <definition class="compliance" id="partition_for_var_log_audit" version="1">
- <metadata>
- <title>Ensure /var/log/audit Located On Separate Partition</title>
- <affected family="unix">
- <platform>Ubuntu 1604</platform>
- </affected>
- <description>Audit logs are stored in the /var/log/audit directory.
- Ensure that it has its own partition or logical volume. Make absolutely
- certain that it is large enough to store all audit logs that will be
- created by the auditing daemon.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_var_log_audit_partition" comment="/var/log/audit on own partition" />
- </criteria>
- </definition>
- <linux:partition_test check="all" check_existence="all_exist"
- id="test_var_log_audit_partition" version="1"
- comment="check for /var/log/audit partition">
- <linux:object object_ref="object_mount_var_log_audit_own_partition" />
- </linux:partition_test>
- <linux:partition_object id="object_mount_var_log_audit_own_partition"
- version="1">
- <linux:mount_point>/var/log/audit</linux:mount_point>
- </linux:partition_object>
-</def-group>
diff --git a/ubuntu16/templates/csv/mount_options.csv b/ubuntu16/templates/csv/mount_options.csv
new file mode 100644
index 0000000000..543d0aa96a
--- /dev/null
+++ b/ubuntu16/templates/csv/mount_options.csv
@@ -0,0 +1,17 @@
+# format:
+# <mount_point>,<mount_option> - mounted with specified option. for more than
+# one option, use multiple lines with the same
+# <mount_point>
+/home,nosuid
+/home,nodev
+/var/log,nosuid
+/var/log,nodev
+/var/log,noexec
+/var/lib,nodev
+/var/lib,nosuid
+/var,nosuid
+/var,nodev
+/var,noexec
+/tmp,nodev
+/tmp,nosuid
+/usr,nodev
diff --git a/ubuntu16/templates/csv/mounts.csv b/ubuntu16/templates/csv/mounts.csv
new file mode 100644
index 0000000000..0fbb4af649
--- /dev/null
+++ b/ubuntu16/templates/csv/mounts.csv
@@ -0,0 +1,8 @@
+# format:
+# <mount_point> - this means <mount_point> on separate partition
+/home
+/srv
+/tmp
+/var
+/var/log
+/var/log/audit
From f242dcc69c5da58dfbd80bafe8d023260e5b02a8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 22 Mar 2018 15:47:20 +0100
Subject: [PATCH 1/2] Add test scenarios for ldap_client_start_tls
- ldap_auth_and_start_tls pass - LDAP and TLS configured for auths
- not_using_ldap fail - not configured to use LDAP for authentication
- tls_not_starting fail - not configured to use TLS for authentications
---
.../ldap_auth_and_start_tls.pass.sh | 15 +++++++++++++++
.../rule_ldap_client_start_tls/not_using_ldap.fail.sh | 16 ++++++++++++++++
.../rule_ldap_client_start_tls/tls_not_starting.fail.sh | 7 +++++++
3 files changed, 38 insertions(+)
create mode 100644 tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/ldap_auth_and_start_tls.pass.sh
create mode 100644 tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/not_using_ldap.fail.sh
create mode 100644 tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/tls_not_starting.fail.sh
diff --git a/tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/ldap_auth_and_start_tls.pass.sh b/tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/ldap_auth_and_start_tls.pass.sh
new file mode 100644
index 0000000000..2d45f395f6
--- /dev/null
+++ b/tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/ldap_auth_and_start_tls.pass.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+
+AUTHCONFIG_REGEX="^[[:space:]]*USELDAPAUTH=yes[[:space:]]*$"
+grep -q "$AUTHCONFIG_REGEX" /etc/sysconfig/authconfig && \
+ sed -i "s/$AUTHCONFIG_REGEX/USELDAPAUTH=yes/" /etc/sysconfig/authconfig || \
+ echo "USELDAPAUTH=yes" >> /etc/sysconfig/authconfig
+
+yum install -y nss-pam-ldapd
+
+START_TLS_REGEX="^[[:space:]]*ssl[[:space:]]*start_tls[[:space:]]*$"
+grep -q "$START_TLS_REGEX" /etc/nslcd.conf && \
+ sed -i "s/$START_TLS_REGEX/ssl start_tls/" /etc/nslcd.conf || \
+ echo "ssl start_tls" >> /etc/nslcd.conf
diff --git a/tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/not_using_ldap.fail.sh b/tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/not_using_ldap.fail.sh
new file mode 100644
index 0000000000..a98e21c639
--- /dev/null
+++ b/tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/not_using_ldap.fail.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+
+yum install -y nss-pam-ldapd
+
+AUTHCONFIG_REGEX="^[[:space:]]*USELDAPAUTH=yes[[:space:]]*$"
+grep -q "$AUTHCONFIG_REGEX" /etc/sysconfig/authconfig && \
+ sed -i "s/$AUTHCONFIG_REGEX//" /etc/sysconfig/authconfig
+
+yum install -y nss-pam-ldapd
+
+START_TLS_REGEX="^[[:space:]]*ssl[[:space:]]*start_tls[[:space:]]*$"
+grep -q "$START_TLS_REGEX" /etc/nslcd.conf && \
+ sed -i "s/$START_TLS_REGEX/ssl start_tls/" /etc/nslcd.conf || \
+ echo "ssl start_tls" >> /etc/nslcd.conf
diff --git a/tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/tls_not_starting.fail.sh b/tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/tls_not_starting.fail.sh
new file mode 100644
index 0000000000..5e6d4be281
--- /dev/null
+++ b/tests/data/group_services/group_ldap/group_openldap_client/rule_ldap_client_start_tls/tls_not_starting.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7
+
+yum install -y nss-pam-ldapd
+
+sed -i "/$START_TLS_REGEX/d" /etc/nslcd.conf || true
From c48e1f0086b39540255d1086ac9e66711d76be4d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 22 Mar 2018 15:51:21 +0100
Subject: [PATCH 2/2] Add remediation for ldap_client_start_tls
Configure USELDAPAUTH and start_tls
---
shared/fixes/bash/ldap_client_start_tls.sh | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 shared/fixes/bash/ldap_client_start_tls.sh
diff --git a/shared/fixes/bash/ldap_client_start_tls.sh b/shared/fixes/bash/ldap_client_start_tls.sh
new file mode 100644
index 0000000000..5ec0ad187e
--- /dev/null
+++ b/shared/fixes/bash/ldap_client_start_tls.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_rhel
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Use LDAP for authentication
+replace_or_append '/etc/sysconfig/authconfig' 'USELDAPAUTH' 'yes' '@CCENUM@' '%s=%s'
+
+# Configure client to use TLS for all authentications
+replace_or_append '/etc/nslcd.conf' 'ssl' 'start_tls' '@CCENUM@' '%s %s'
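Review bot: The remediation header carries only `# platform`; the other fix metadata used elsewhere in this series (`# reboot = false`, `# strategy = configure`, `# complexity = low`, `# disruption = …`, as in template_ANACONDA_mount) is missing here and in shared/fixes/bash/sssd_enable_pam_services.sh. Disruption deserves thought: this fix turns on `USELDAPAUTH=yes` unconditionally, and on a host with no LDAP client configuration that flag, once `authconfig --update` is applied, presumably routes authentication through an unreachable directory, so a high disruption level or a guard that only writes the flag when LDAP is already configured seems warranted. `/etc/nslcd.conf` exists only when nss-pam-ldapd is installed; if the package is absent the second `replace_or_append` presumably creates a stray config file, which is worth a comment.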
From 6d4e7fbd0e51e54c58481f815f5b8e6f73f7926f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 23 Mar 2018 14:26:20 +0100
Subject: [PATCH 1/3] Add tests for sssd_enable_pam_services
- sssd_pam_services pass - expected config line is present
- services_pam_missing fail - expected config line is missing
- services_pam_wrong_section - expected config line is put in wrong
section of config file
---
.../services_pam_missing.fail.sh | 13 +++++++++++++
.../services_pam_wrong_section.fail.sh | 7 +++++++
.../sssd_pam_services.pass.sh | 13 +++++++++++++
.../rule_sssd_enable_pam_services/wrong_sssd.conf | 16 ++++++++++++++++
4 files changed, 49 insertions(+)
create mode 100644 tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_missing.fail.sh
create mode 100644 tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_wrong_section.fail.sh
create mode 100644 tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/sssd_pam_services.pass.sh
create mode 100644 tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/wrong_sssd.conf
diff --git a/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_missing.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_missing.fail.sh
new file mode 100644
index 0000000000..d65ff1d1cb
--- /dev/null
+++ b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_missing.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
+# remediation = none
+
+SSSD_PAM_SERVICES_REGEX="^[\s]*\[sssd]([^\n]*\n+)+?[\s]*services.*pam.*$"
+SSSD_PAM_SERVICES="[sssd]
+services pam"
+SSSD_CONF="/etc/sssd/sssd.conf"
+
+grep -q "$SSSD_PAM_SERVICES_REGEX" $SSSD_CONF && \
+ sed -i "/$SSSD_PAM_SERVICES_REGEX/d" $SSSD_CONF || \
+ true
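Review bot: `SSSD_PAM_SERVICES_REGEX` is the multi-line OVAL pattern (`([^\n]*\n+)+?` spanning from `[sssd]` to the `services` line), but `grep` and `sed` match one line at a time and read `\s`, `(`, `+?` and `\n` differently from the OVAL engine, so the `grep -q` can never succeed and the `sed` deletion never runs; the scenario fails the rule only because the image has no `services … pam` line to begin with. `SSSD_PAM_SERVICES` is also assigned but unused here. A line-oriented delete, `sed -i '/^[[:space:]]*services.*pam/d' "$SSSD_CONF"`, does what the script intends. The same regex is reused in sssd_pam_services.pass.sh and in shared/fixes/bash/sssd_enable_pam_services.sh.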
diff --git a/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_wrong_section.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_wrong_section.fail.sh
new file mode 100644
index 0000000000..1c0c8543e0
--- /dev/null
+++ b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_wrong_section.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
+# remediation = none
+
+SSSD_CONF="/etc/sssd/sssd.conf"
+cp wrong_sssd.conf $SSSD_CONF
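Review bot: `cp wrong_sssd.conf $SSSD_CONF` uses a path relative to the current directory, so it only works if the test runner ships the sibling file and runs the script from the scenario directory; otherwise `cp` fails and the scenario fails for the wrong reason. Resolving the path from the script's own location, `cp "$(dirname "$0")/wrong_sssd.conf" "$SSSD_CONF"`, removes the dependency on the cwd, and a following `chmod 0600 "$SSSD_CONF"` keeps the permissions sssd expects on its config. `$SSSD_CONF` should be quoted either way.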
diff --git a/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/sssd_pam_services.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/sssd_pam_services.pass.sh
new file mode 100644
index 0000000000..84a5bb21ef
--- /dev/null
+++ b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/sssd_pam_services.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
+# remediation = none
+
+SSSD_PAM_SERVICES_REGEX="^[\s]*\[sssd]([^\n]*\n+)+?[\s]*services.*pam.*$"
+SSSD_PAM_SERVICES="[sssd]
+services = pam"
+SSSD_CONF="/etc/sssd/sssd.conf"
+
+grep -q "$SSSD_PAM_SERVICES_REGEX" $SSSD_CONF && \
+ sed -i "s/$SSSD_PAM_SERVICES_REGEX/$SSD_PAM_SERVICES/" $SSSD_CONF || \
+ echo "$SSSD_PAM_SERVICES" >> $SSSD_CONF
diff --git a/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/wrong_sssd.conf b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/wrong_sssd.conf
new file mode 100644
index 0000000000..0fcad10e84
--- /dev/null
+++ b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/wrong_sssd.conf
@@ -0,0 +1,16 @@
+[sssd]
+services = nss
+domains = shadowutils
+
+[nss]
+
+[pam]
+services = pam
+
+[domain/shadowutils]
+id_provider = files
+
+auth_provider = proxy
+proxy_pam_target = sssd-shadowutils
+
+proxy_fast_alias = True
From 8a353c79825a6224da7f59ff4a4802ffc6ab83a6 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 23 Mar 2018 14:28:50 +0100
Subject: [PATCH 2/3] Make regex in OVAL for sssd_enabled_pam_services stricter
Do not accept a section declaration between "[sssd]" and "^service.*pam$"
as pass.
---
shared/checks/oval/sssd_enable_pam_services.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/checks/oval/sssd_enable_pam_services.xml b/shared/checks/oval/sssd_enable_pam_services.xml
index 5deb8d78b8..522f892469 100644
--- a/shared/checks/oval/sssd_enable_pam_services.xml
+++ b/shared/checks/oval/sssd_enable_pam_services.xml
@@ -20,7 +20,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_sssd_enable_pam_services" version="1">
<ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*\[sssd]([^\n]*\n+)+?[\s]*services.*pam.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*\[sssd]([^\n\[\]]*\n+)+?[\s]*services.*pam.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
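Review bot: The tightened pattern still ends in `services.*pam.*$`, which accepts any line that begins with `services` and contains `pam` anywhere after it, so a value such as `services = nss, pam_foo` would presumably pass. Matching the token explicitly, e.g. `services\s*=\s*(.*,\s*)?pam(\s*,.*|\s*)$`, ties the pass condition to `pam` being one of the listed services. The `[^\n\[\]]` exclusion also stops the match at any line containing a bracket, not only at section headers; that is fine for sssd.conf as written but deserves a short comment next to the pattern.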
From 76378f32ad10c50e053cecfe0acc2f529626ec86 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 26 Mar 2018 14:21:32 +0200
Subject: [PATCH 3/3] Add remediation for sssd_enable_pam_services
---
shared/fixes/bash/sssd_enable_pam_services.sh | 19 +++++++++++++++++++
.../services_pam_missing.fail.sh | 1 -
.../services_pam_wrong_section.fail.sh | 1 -
.../sssd_pam_services.pass.sh | 1 -
4 files changed, 19 insertions(+), 3 deletions(-)
create mode 100644 shared/fixes/bash/sssd_enable_pam_services.sh
diff --git a/shared/fixes/bash/sssd_enable_pam_services.sh b/shared/fixes/bash/sssd_enable_pam_services.sh
new file mode 100644
index 0000000000..f3c9cc8606
--- /dev/null
+++ b/shared/fixes/bash/sssd_enable_pam_services.sh
@@ -0,0 +1,19 @@
+# platform = multi_platform_rhel
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+SSSD_SERVICES_PAM_REGEX="^[[:space:]]*\[sssd]([^\n]*\n+)+?[[:space:]]*services.*pam.*$"
+SSSD_SERVICES_REGEX="^[[:space:]]*\[sssd]([^\n]*\n+)+?[[:space:]]*services.*$"
+SSSD_PAM_SERVICES="[sssd]
+services = pam"
+SSSD_CONF="/etc/sssd/sssd.conf"
+
+# If there is services line with pam, good
+# If there is services line without pam, append pam
+# If not echo services line with pam
+grep -q "$SSSD_SERVICES_PAM_REGEX" $SSSD_CONF || \
+ grep -q "$SSSD_SERVICES_REGEX" $SSSD_CONF && \
+ sed -i "s/$SSSD_SERVICES_REGEX/&, pam/" $SSSD_CONF || \
+ echo "$SSSD_PAM_SERVICES" >> $SSSD_CONF
+
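Review bot: Neither grep at L2599–L2600 can ever match: grep and sed read /etc/sssd/sssd.conf one line at a time and the patterns in L2590–L2591 demand a literal `(`, `\n` and `+?` in BRE syntax, so the script always falls through to the `echo` and appends a second `[sssd]` block even when `services = pam` is already there. The chain is also left-associative, so `A || B && C || D` runs the sed whenever the first grep succeeds rather than only when the second does. Isolating the [sssd] section with a sed range and an explicit if/elif/else keeps the three intended outcomes; the rewrite below does that. It still appends a fresh `[sssd]` header when the section exists but has no `services` line, which is worth a comment if that is acceptable.
```shell
SSSD_CONF="/etc/sssd/sssd.conf"
SSSD_PAM_SERVICES="[sssd]
services = pam"

# Print only the [sssd] section. grep/sed work line by line, so a "\n"
# based multi-line pattern never matches; a sed range does the job.
sssd_section() {
    sed -n '/^[[:space:]]*\[sssd\][[:space:]]*$/,/^[[:space:]]*\[/p' "$SSSD_CONF"
}

if sssd_section | grep -qE '^[[:space:]]*services[[:space:]]*=.*[[:space:],=]pam([[:space:],]|$)'; then
    : # pam responder already enabled in [sssd]
elif sssd_section | grep -qE '^[[:space:]]*services[[:space:]]*='; then
    # services line exists in [sssd] without pam: append pam there only
    sed -i '/^[[:space:]]*\[sssd\][[:space:]]*$/,/^[[:space:]]*\[/ s/^\([[:space:]]*services[[:space:]]*=.*\)$/\1, pam/' "$SSSD_CONF"
else
    printf '%s\n' "$SSSD_PAM_SERVICES" >> "$SSSD_CONF"
fi
```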
diff --git a/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_missing.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_missing.fail.sh
index d65ff1d1cb..036e8bf07a 100644
--- a/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_missing.fail.sh
+++ b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_missing.fail.sh
@@ -1,7 +1,6 @@
#!/bin/bash
#
# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
-# remediation = none
SSSD_PAM_SERVICES_REGEX="^[\s]*\[sssd]([^\n]*\n+)+?[\s]*services.*pam.*$"
SSSD_PAM_SERVICES="[sssd]
diff --git a/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_wrong_section.fail.sh b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_wrong_section.fail.sh
index 1c0c8543e0..a1d587a9e7 100644
--- a/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_wrong_section.fail.sh
+++ b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/services_pam_wrong_section.fail.sh
@@ -1,7 +1,6 @@
#!/bin/bash
#
# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
-# remediation = none
SSSD_CONF="/etc/sssd/sssd.conf"
cp wrong_sssd.conf $SSSD_CONF
diff --git a/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/sssd_pam_services.pass.sh b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/sssd_pam_services.pass.sh
index 84a5bb21ef..bb0cc62b28 100644
--- a/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/sssd_pam_services.pass.sh
+++ b/tests/data/group_services/group_sssd/rule_sssd_enable_pam_services/sssd_pam_services.pass.sh
@@ -1,7 +1,6 @@
#!/bin/bash
#
# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
-# remediation = none
SSSD_PAM_SERVICES_REGEX="^[\s]*\[sssd]([^\n]*\n+)+?[\s]*services.*pam.*$"
SSSD_PAM_SERVICES="[sssd]
From 234fdb657feafef4ab75c41a3f6da4f66734cf3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 26 Mar 2018 17:13:13 +0200
Subject: [PATCH 01/17] Added support for checks and remediation for
mount_options.
* Introduced templates for bash remediations of mount_options.
* Enabled templates for profiles that contain respective rules in XCCDF.
* Introduced shared bash remediation based on existing remediations.
---
fedora/templates/csv/mount_options.csv | 12 ++++++++++++
fedora/templates/template_BASH_mount_options | 8 ++++++++
rhel6/templates/csv/mount_options.csv | 1 +
rhel6/templates/template_BASH_mount_options | 8 ++++++++
rhel7/fixes/bash/mount_option_tmp_nodev.sh | 12 ------------
rhel7/fixes/bash/mount_option_tmp_noexec.sh | 12 ------------
rhel7/fixes/bash/mount_option_tmp_nosuid.sh | 12 ------------
rhel7/templates/csv/mount_options.csv | 1 +
rhel7/templates/template_BASH_mount_options | 8 ++++++++
.../ensure_mount_option_in_fstab.sh | 20 ++++++++++++++++++++
shared/templates/create_mount_options.py | 10 ++++++++++
shared/templates/template_BASH_mount_option | 8 ++++++++
wrlinux/templates/csv/mount_options.csv | 12 ++++++++++++
wrlinux/templates/template_BASH_mount_options | 9 +++++++++
14 files changed, 97 insertions(+), 36 deletions(-)
create mode 100644 fedora/templates/csv/mount_options.csv
create mode 100644 fedora/templates/template_BASH_mount_options
create mode 100644 rhel6/templates/template_BASH_mount_options
delete mode 100644 rhel7/fixes/bash/mount_option_tmp_nodev.sh
delete mode 100644 rhel7/fixes/bash/mount_option_tmp_noexec.sh
delete mode 100644 rhel7/fixes/bash/mount_option_tmp_nosuid.sh
create mode 100644 rhel7/templates/template_BASH_mount_options
create mode 100644 shared/bash_remediation_functions/ensure_mount_option_in_fstab.sh
create mode 100644 shared/templates/template_BASH_mount_option
create mode 100644 wrlinux/templates/csv/mount_options.csv
create mode 100644 wrlinux/templates/template_BASH_mount_options
diff --git a/fedora/templates/csv/mount_options.csv b/fedora/templates/csv/mount_options.csv
new file mode 100644
index 0000000000..1d55557127
--- /dev/null
+++ b/fedora/templates/csv/mount_options.csv
@@ -0,0 +1,12 @@
+# format:
+# <mount_point>,<mount_option> - mounted with specified option. for more than
+# one option, use multiple lines with the same
+# <mount_point>
+/dev/shm,nodev
+/dev/shm,noexec
+/dev/shm,nosuid
+/tmp,nodev
+/tmp,noexec
+/tmp,nosuid
+/var/tmp,bind
+
diff --git a/fedora/templates/template_BASH_mount_options b/fedora/templates/template_BASH_mount_options
new file mode 100644
index 0000000000..bd42704a4f
--- /dev/null
+++ b/fedora/templates/template_BASH_mount_options
@@ -0,0 +1,8 @@
+# platform = multi_platform_fedora
+# reboot = false
+
+. /usr/share/scap-security-guide/remediation_functions
+
+ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
+
+mount -o remount %MOUNTPOINT%
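Review bot: `mount -o remount %MOUNTPOINT%` at L2703 runs unconditionally, so when /etc/fstab has no entry for the mount point (ensure_mount_option_in_fstab then changes nothing) the remediation ends with a mount error and nothing is enforced on the running system. Passing the option explicitly, `mount -o remount,%MOUNTOPTION% %MOUNTPOINT%`, applies it immediately whether or not the fstab edit matched, since per mount(8) a remount merges fstab options with those on the command line; a `grep -q "[[:space:]]%MOUNTPOINT%[[:space:]]" /etc/fstab &&` guard would silence the no-entry case. The same eight lines are duplicated for rhel6, rhel7, wrlinux and shared in this patch, so whatever is chosen should land in all of them.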
diff --git a/rhel6/templates/csv/mount_options.csv b/rhel6/templates/csv/mount_options.csv
index 826097f00e..4e1aad5a53 100644
--- a/rhel6/templates/csv/mount_options.csv
+++ b/rhel6/templates/csv/mount_options.csv
@@ -8,3 +8,4 @@
/tmp,nodev
/tmp,noexec
/tmp,nosuid
+/var/tmp,bind
diff --git a/rhel6/templates/template_BASH_mount_options b/rhel6/templates/template_BASH_mount_options
new file mode 100644
index 0000000000..ce74bf5497
--- /dev/null
+++ b/rhel6/templates/template_BASH_mount_options
@@ -0,0 +1,8 @@
+# platform = Red Hat Enterprise Linux 6
+# reboot = false
+
+. /usr/share/scap-security-guide/remediation_functions
+
+ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
+
+mount -o remount %MOUNTPOINT%
diff --git a/rhel7/fixes/bash/mount_option_tmp_nodev.sh b/rhel7/fixes/bash/mount_option_tmp_nodev.sh
deleted file mode 100644
index fe7359faae..0000000000
--- a/rhel7/fixes/bash/mount_option_tmp_nodev.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-# platform = Red Hat Enterprise Linux 7
-NEW_OPT=nodev
-
-if [ $(grep " \/tmp " /etc/fstab | grep -c "$NEW_OPT" ) -eq 0 ]; then
- MNT_OPTS=$(grep " \/tmp " /etc/fstab | awk '{print $4}')
- sed -i "s/\( \/tmp.*${MNT_OPTS}\)/\1,${NEW_OPT}/" /etc/fstab
-
- if [ $MNT_OPTS = "defaults" ]
- then
- sed -i "s/defaults,//" /etc/fstab
- fi
-fi
diff --git a/rhel7/fixes/bash/mount_option_tmp_noexec.sh b/rhel7/fixes/bash/mount_option_tmp_noexec.sh
deleted file mode 100644
index 0e97575eeb..0000000000
--- a/rhel7/fixes/bash/mount_option_tmp_noexec.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-# platform = Red Hat Enterprise Linux 7
-NEW_OPT=noexec
-
-if [ $(grep " \/tmp " /etc/fstab | grep -c "$NEW_OPT" ) -eq 0 ]; then
- MNT_OPTS=$(grep " \/tmp " /etc/fstab | awk '{print $4}')
- sed -i "s/\( \/tmp.*${MNT_OPTS}\)/\1,${NEW_OPT}/" /etc/fstab
-
- if [ $MNT_OPTS = "defaults" ]
- then
- sed -i "s/defaults,//" /etc/fstab
- fi
-fi
diff --git a/rhel7/fixes/bash/mount_option_tmp_nosuid.sh b/rhel7/fixes/bash/mount_option_tmp_nosuid.sh
deleted file mode 100644
index 3c3211a758..0000000000
--- a/rhel7/fixes/bash/mount_option_tmp_nosuid.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-# platform = Red Hat Enterprise Linux 7
-NEW_OPT="nosuid"
-
-if [ $(grep " \/tmp " /etc/fstab | grep -c "$NEW_OPT" ) -eq 0 ]; then
- MNT_OPTS=$(grep " \/tmp " /etc/fstab | awk '{print $4}')
- sed -i "s/\( \/tmp.*${MNT_OPTS}\)/\1,${NEW_OPT}/" /etc/fstab
-
- if [ $MNT_OPTS = "defaults" ]
- then
- sed -i "s/defaults,//" /etc/fstab
- fi
-fi
diff --git a/rhel7/templates/csv/mount_options.csv b/rhel7/templates/csv/mount_options.csv
index cc66455b7d..3d3eaf2a8f 100644
--- a/rhel7/templates/csv/mount_options.csv
+++ b/rhel7/templates/csv/mount_options.csv
@@ -13,3 +13,4 @@
/var/tmp,nodev
/var/tmp,noexec
/var/tmp,nosuid
+/var/tmp,bind
diff --git a/rhel7/templates/template_BASH_mount_options b/rhel7/templates/template_BASH_mount_options
new file mode 100644
index 0000000000..0bcd8d88a2
--- /dev/null
+++ b/rhel7/templates/template_BASH_mount_options
@@ -0,0 +1,8 @@
+# platform = Red Hat Enterprise Linux 7
+# reboot = false
+
+. /usr/share/scap-security-guide/remediation_functions
+
+ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
+
+mount -o remount %MOUNTPOINT%
diff --git a/shared/bash_remediation_functions/ensure_mount_option_in_fstab.sh b/shared/bash_remediation_functions/ensure_mount_option_in_fstab.sh
new file mode 100644
index 0000000000..bda3bca43b
--- /dev/null
+++ b/shared/bash_remediation_functions/ensure_mount_option_in_fstab.sh
@@ -0,0 +1,20 @@
+# $1: mount point
+# $2: new mount point option
+function ensure_mount_option_in_fstab {
+ local _mount_point="$1" _new_opt="$2" _mount_point_match_regexp="" _previous_mount_opts=""
+ _mount_point_match_regexp="[[:space:]]$_mount_point[[:space:]]"
+
+ if [ $(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt" ) -eq 0 ]; then
+ _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
+ sed -i "s/\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)/\1,${_new_opt}/" /etc/fstab
+ fi
+}
+
+
+function remove_defaults_from_fstab_if_overriden {
+ _mount_point_match_regexp="[[:space:]]$1[[:space:]]"
+ if [ $(grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,") -gt 0 ]
+ then
+ sed -i "s/\(${_mount_point_match_regexp}.*\)defaults,/\1/" /etc/fstab
+ fi
+}
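Review bot: The sed at L2818 uses `/` as the s-command delimiter while `_mount_point_match_regexp` carries the unescaped mount point (`/tmp`, `/dev/shm`), so the expression becomes `s/\([[:space:]]/tmp[[:space:]].*…` and sed aborts with "unknown option to `s'"; the removable-partition scripts this replaces used `|` for that reason and the /tmp ones escaped the slash. `remove_defaults_from_fstab_if_overriden` can never fire either: `grep -q` prints nothing, so `[ -gt 0 ]` is a `[` syntax error, and `_mount_point_match_regexp` leaks as a global. `grep -c "$_new_opt"` also matches the option text anywhere on the line (device path, comment) rather than in the options field. The rewrite below checks field 4 only and switches both seds to `|`.
```shell
# $1: mount point
# $2: new mount point option
function ensure_mount_option_in_fstab {
    local _mount_point="$1" _new_opt="$2" _mount_point_match_regexp="" _previous_mount_opts=""
    _mount_point_match_regexp="[[:space:]]$_mount_point[[:space:]]"

    # Look for the option in the 4th (options) field only, not anywhere on the line.
    if ! grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}' | tr ',' '\n' | grep -qxF -- "$_new_opt"; then
        _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        # '|' as delimiter: the mount point contains '/'.
        sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
    fi
}


function remove_defaults_from_fstab_if_overriden {
    local _mount_point_match_regexp="[[:space:]]$1[[:space:]]"
    if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"; then
        sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
    fi
}
```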
diff --git a/shared/templates/create_mount_options.py b/shared/templates/create_mount_options.py
index 71d9cda119..36c8083989 100644
--- a/shared/templates/create_mount_options.py
+++ b/shared/templates/create_mount_options.py
@@ -33,6 +33,16 @@ def generate(self, target, path_info):
"./anaconda/mount_option{0}.anaconda", point_id + '_' + mount_option
)
+ elif target == "bash":
+ self.file_from_template(
+ "./template_BASH_mount_options",
+ {
+ "%MOUNTPOINT%": mount_point,
+ "%MOUNTOPTION%": re.sub(' ', ',', mount_option),
+ },
+ "./bash/mount_option{0}.sh", point_id + '_' + mount_option
+ )
+
elif target == "oval":
self.file_from_template(
"./template_OVAL_mount_options",
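Review bot: With the bash target added here every CSV row yields a generated fix, including the `/var/tmp,bind` rows this patch adds to the product CSVs, so `mount_option_var_tmp_bind.sh` will be produced from the generic template: `ensure_mount_option_in_fstab /var/tmp bind` appends `,bind` to an existing /var/tmp line (or does nothing) and `mount -o remount /var/tmp` never creates a bind mount of /tmp. The hand-written shared remediation deleted later in this series (L3100–L3109) instead wrote `/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0`, so that behaviour is lost. Either keep the bind case out of this branch, e.g. `if target == "bash" and mount_option == "bind": return` with a comment saying why, or teach the template to emit a bind entry. This hunk is inside `generate`, whose body starts before and ends after it.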
diff --git a/shared/templates/template_BASH_mount_option b/shared/templates/template_BASH_mount_option
new file mode 100644
index 0000000000..0bcd8d88a2
--- /dev/null
+++ b/shared/templates/template_BASH_mount_option
@@ -0,0 +1,8 @@
+# platform = Red Hat Enterprise Linux 7
+# reboot = false
+
+. /usr/share/scap-security-guide/remediation_functions
+
+ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
+
+mount -o remount %MOUNTPOINT%
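Review bot: `# platform = Red Hat Enterprise Linux 7` at L2856 tags a file under shared/templates, where product-neutral content uses a `multi_platform_*` value (the Fedora and wrlinux copies in this patch do). If this template is ever used to fill in for a product without its own copy, the generated fix would be dropped for everything but RHEL 7. Suggest `# platform = multi_platform_all`, or dropping the file if the per-product templates are meant to be authoritative; as far as this patch shows nothing reads it, since the generator at L2839 refers to `template_BASH_mount_options` (plural).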
diff --git a/wrlinux/templates/csv/mount_options.csv b/wrlinux/templates/csv/mount_options.csv
new file mode 100644
index 0000000000..1d55557127
--- /dev/null
+++ b/wrlinux/templates/csv/mount_options.csv
@@ -0,0 +1,12 @@
+# format:
+# <mount_point>,<mount_option> - mounted with specified option. for more than
+# one option, use multiple lines with the same
+# <mount_point>
+/dev/shm,nodev
+/dev/shm,noexec
+/dev/shm,nosuid
+/tmp,nodev
+/tmp,noexec
+/tmp,nosuid
+/var/tmp,bind
+
diff --git a/wrlinux/templates/template_BASH_mount_options b/wrlinux/templates/template_BASH_mount_options
new file mode 100644
index 0000000000..f373c36a21
--- /dev/null
+++ b/wrlinux/templates/template_BASH_mount_options
@@ -0,0 +1,9 @@
+# platform = multi_platform_wrlinux
+# reboot = false
+
+. /usr/share/scap-security-guide/remediation_functions
+
+ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
+
+mount -o remount %MOUNTPOINT%
+
From 630c64d41cbdcf37900ab611df5b7313bbc5803d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 26 Mar 2018 18:44:24 +0200
Subject: [PATCH 02/17] Further clean-up of the mount options remediations.
* Removed remediations that were obsoleted by templates.
* Made some of the remaining special cases use the shared functionality.
---
rhel6/fixes/bash/mount_option_dev_shm_nodev.sh | 40 ---------------------
rhel6/fixes/bash/mount_option_dev_shm_noexec.sh | 41 ----------------------
rhel6/fixes/bash/mount_option_dev_shm_nosuid.sh | 40 ---------------------
.../mount_option_nodev_removable_partitions.sh | 7 ++--
.../mount_option_noexec_removable_partitions.sh | 7 ++--
.../mount_option_nosuid_removable_partitions.sh | 7 ++--
shared/fixes/bash/mount_option_var_tmp_bind.sh | 10 ------
7 files changed, 6 insertions(+), 146 deletions(-)
delete mode 100644 rhel6/fixes/bash/mount_option_dev_shm_nodev.sh
delete mode 100644 rhel6/fixes/bash/mount_option_dev_shm_noexec.sh
delete mode 100644 rhel6/fixes/bash/mount_option_dev_shm_nosuid.sh
delete mode 100644 shared/fixes/bash/mount_option_var_tmp_bind.sh
diff --git a/rhel6/fixes/bash/mount_option_dev_shm_nodev.sh b/rhel6/fixes/bash/mount_option_dev_shm_nodev.sh
deleted file mode 100644
index dd212b6d9d..0000000000
--- a/rhel6/fixes/bash/mount_option_dev_shm_nodev.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-# platform = Red Hat Enterprise Linux 6
-
-# Load /etc/fstab's /dev/shm row into DEV_SHM_FSTAB variable separating start &
-# end of the filesystem mount options (4-th field) with the '#' character
-DEV_SHM_FSTAB=$(sed -n "s/\(.*[[:space:]]\+\/dev\/shm[[:space:]]\+tmpfs[[:space:]]\+\)\([^[:space:]]\+\)/\1#\2#/p" /etc/fstab)
-
-#Rest of script can trash /etc/fstab if $DEV_SHM_FSTAB is empty, check before continuing.
-echo $DEV_SHM_FSTAB | grep -q -P '/dev/shm'
-if [ $? -eq 0 ]; then
- # Save the:
- # * 1-th, 2-nd, 3-rd fields into DEV_SHM_HEAD variable
- # * 4-th field into DEV_SHM_OPTS variable, and
- # * 5-th, and 6-th fields into DEV_SHM_TAIL variable
- # splitting DEV_SHM_FSTAB variable value based on the '#' separator
- IFS='#' read DEV_SHM_HEAD DEV_SHM_OPTS DEV_SHM_TAIL <<< "$DEV_SHM_FSTAB"
-
- # Replace occurrence of 'defaults' key with the actual list of mount options
- # for Red Hat Enterprise Linux 6
- DEV_SHM_OPTS=${DEV_SHM_OPTS//defaults/rw,suid,dev,exec,auto,nouser,async,relatime}
-
- # 'dev' option (not prefixed with 'no') present in the list?
- echo $DEV_SHM_OPTS | grep -q -P '(?<!no)dev'
- if [ $? -eq 0 ]
- then
- # 'dev' option found, replace with 'nodev'
- DEV_SHM_OPTS=${DEV_SHM_OPTS//dev/nodev}
- fi
-
- # at least one 'nodev' present in the options list?
- echo $DEV_SHM_OPTS | grep -q -v 'nodev'
- if [ $? -eq 0 ]
- then
- # 'nodev' not found yet, append it
- DEV_SHM_OPTS="$DEV_SHM_OPTS,nodev"
- fi
-
- # DEV_SHM_OPTS now contains final list of mount options. Replace original form of /dev/shm row
- # in /etc/fstab with the corrected version
- sed -i "s#${DEV_SHM_HEAD}\(.*\)${DEV_SHM_TAIL}#${DEV_SHM_HEAD}${DEV_SHM_OPTS}${DEV_SHM_TAIL}#" /etc/fstab
-fi
diff --git a/rhel6/fixes/bash/mount_option_dev_shm_noexec.sh b/rhel6/fixes/bash/mount_option_dev_shm_noexec.sh
deleted file mode 100644
index eb2929219f..0000000000
--- a/rhel6/fixes/bash/mount_option_dev_shm_noexec.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-# platform = Red Hat Enterprise Linux 6
-
-# Load /etc/fstab's /dev/shm row into DEV_SHM_FSTAB variable separating start &
-# end of the filesystem mount options (4-th field) with the '#' character
-DEV_SHM_FSTAB=$(sed -n "s/\(.*[[:space:]]\+\/dev\/shm[[:space:]]\+tmpfs[[:space:]]\+\)\([^[:space:]]\+\)/\1#\2#/p" /etc/fstab)
-
-#Rest of script can trash /etc/fstab if $DEV_SHM_FSTAB is empty, check before continuing.
-echo $DEV_SHM_FSTAB | grep -q -P '/dev/shm'
-if [ $? -eq 0 ]; then
- # Save the:
- # * 1-th, 2-nd, 3-rd fields into DEV_SHM_HEAD variable
- # * 4-th field into DEV_SHM_OPTS variable, and
- # * 5-th, and 6-th fields into DEV_SHM_TAIL variable
- # splitting DEV_SHM_FSTAB variable value based on the '#' separator
- IFS='#' read DEV_SHM_HEAD DEV_SHM_OPTS DEV_SHM_TAIL <<< "$DEV_SHM_FSTAB"
-
- # Replace occurrence of 'defaults' key with the actual list of mount options
- # for Red Hat Enterprise Linux 6
- DEV_SHM_OPTS=${DEV_SHM_OPTS//defaults/rw,suid,dev,exec,auto,nouser,async,relatime}
-
- # 'exec' option (not prefixed with 'no') present in the list?
- echo $DEV_SHM_OPTS | grep -q -P '(?<!no)exec'
- if [ $? -eq 0 ]
- then
- # 'exec' option found, replace with 'noexec'
- DEV_SHM_OPTS=${DEV_SHM_OPTS//exec/noexec}
- fi
-
- # at least one 'noexec' present in the options list?
- echo $DEV_SHM_OPTS | grep -q -v 'noexec'
- if [ $? -eq 0 ]
- then
- # 'noexec' not found yet, append it
- DEV_SHM_OPTS="$DEV_SHM_OPTS,noexec"
- fi
-
- # DEV_SHM_OPTS now contains final list of mount options. Replace original form of /dev/shm row
- # in /etc/fstab with the corrected version
- sed -i "s#${DEV_SHM_HEAD}\(.*\)${DEV_SHM_TAIL}#${DEV_SHM_HEAD}${DEV_SHM_OPTS}${DEV_SHM_TAIL}#" /etc/fstab
-
-fi
diff --git a/rhel6/fixes/bash/mount_option_dev_shm_nosuid.sh b/rhel6/fixes/bash/mount_option_dev_shm_nosuid.sh
deleted file mode 100644
index ff4dc185bf..0000000000
--- a/rhel6/fixes/bash/mount_option_dev_shm_nosuid.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-# platform = Red Hat Enterprise Linux 6
-
-# Load /etc/fstab's /dev/shm row into DEV_SHM_FSTAB variable separating start &
-# end of the filesystem mount options (4-th field) with the '#' character
-DEV_SHM_FSTAB=$(sed -n "s/\(.*[[:space:]]\+\/dev\/shm[[:space:]]\+tmpfs[[:space:]]\+\)\([^[:space:]]\+\)/\1#\2#/p" /etc/fstab)
-
-#Rest of script can trash /etc/fstab if $DEV_SHM_FSTAB is empty, check before continuing.
-echo $DEV_SHM_FSTAB | grep -q -P '/dev/shm'
-if [ $? -eq 0 ]; then
- # Save the:
- # * 1-th, 2-nd, 3-rd fields into DEV_SHM_HEAD variable
- # * 4-th field into DEV_SHM_OPTS variable, and
- # * 5-th, and 6-th fields into DEV_SHM_TAIL variable
- # splitting DEV_SHM_FSTAB variable value based on the '#' separator
- IFS='#' read DEV_SHM_HEAD DEV_SHM_OPTS DEV_SHM_TAIL <<< "$DEV_SHM_FSTAB"
-
- # Replace occurrence of 'defaults' key with the actual list of mount options
- # for Red Hat Enterprise Linux 6
- DEV_SHM_OPTS=${DEV_SHM_OPTS//defaults/rw,suid,dev,exec,auto,nouser,async,relatime}
-
- # 'suid' option (not prefixed with 'no') present in the list?
- echo $DEV_SHM_OPTS | grep -q -P '(?<!no)suid'
- if [ $? -eq 0 ]
- then
- # 'suid' option found, replace with 'nosuid'
- DEV_SHM_OPTS=${DEV_SHM_OPTS//suid/nosuid}
- fi
-
- # at least one 'nosuid' present in the options list?
- echo $DEV_SHM_OPTS | grep -q -v 'nosuid'
- if [ $? -eq 0 ]
- then
- # 'nosuid' not found yet, append it
- DEV_SHM_OPTS="$DEV_SHM_OPTS,nosuid"
- fi
-
- # DEV_SHM_OPTS now contains final list of mount options. Replace original form of /dev/shm row
- # in /etc/fstab with the corrected version
- sed -i "s#${DEV_SHM_HEAD}\(.*\)${DEV_SHM_TAIL}#${DEV_SHM_HEAD}${DEV_SHM_OPTS}${DEV_SHM_TAIL}#" /etc/fstab
-fi
diff --git a/shared/fixes/bash/mount_option_nodev_removable_partitions.sh b/shared/fixes/bash/mount_option_nodev_removable_partitions.sh
index dc7eebe5dd..8ec23aad41 100644
--- a/shared/fixes/bash/mount_option_nodev_removable_partitions.sh
+++ b/shared/fixes/bash/mount_option_nodev_removable_partitions.sh
@@ -5,9 +5,6 @@
populate var_removable_partition
-NEW_OPT="nodev"
+ensure_mount_option_in_fstab "$var_removable_partition" nodev
-if [ $(grep "$var_removable_partition" /etc/fstab | grep -c "$NEW_OPT" ) -eq 0 ]; then
- MNT_OPTS=$(grep "$var_removable_partition" /etc/fstab | awk '{print $4}')
- sed -i "s|\($var_removable_partition.*${MNT_OPTS}\)|\1,${NEW_OPT}|" /etc/fstab
-fi
+mount -o remount "$var_removable_partition"
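Review bot: This swaps a free-form `grep "$var_removable_partition"` for the helper's `[[:space:]]$1[[:space:]]` anchoring, so an XCCDF value that is a device path in the first field (no leading whitespace) or a partial match of the fstab entry no longer matches and the helper's sed silently does nothing. The rule or variable description should state that the value must be the exact mount-point string as it appears in /etc/fstab. A removable partition may well not be mounted when the remediation runs, so the new `mount -o remount` line then ends the script with an error; `findmnt -n "$var_removable_partition" >/dev/null && mount -o remount "$var_removable_partition"` keeps it quiet in that case.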
diff --git a/shared/fixes/bash/mount_option_noexec_removable_partitions.sh b/shared/fixes/bash/mount_option_noexec_removable_partitions.sh
index f927e4e8e9..40984b152b 100644
--- a/shared/fixes/bash/mount_option_noexec_removable_partitions.sh
+++ b/shared/fixes/bash/mount_option_noexec_removable_partitions.sh
@@ -5,9 +5,6 @@
populate var_removable_partition
-NEW_OPT="noexec"
+ensure_mount_option_in_fstab "$var_removable_partition" noexec
-if [ $(grep "$var_removable_partition" /etc/fstab | grep -c "$NEW_OPT" ) -eq 0 ]; then
- MNT_OPTS=$(grep "$var_removable_partition" /etc/fstab | awk '{print $4}')
- sed -i "s|\($var_removable_partition.*${MNT_OPTS}\)|\1,${NEW_OPT}|" /etc/fstab
-fi
+mount -o remount "$var_removable_partition"
diff --git a/shared/fixes/bash/mount_option_nosuid_removable_partitions.sh b/shared/fixes/bash/mount_option_nosuid_removable_partitions.sh
index b2f8ad1b97..d76a8caedf 100644
--- a/shared/fixes/bash/mount_option_nosuid_removable_partitions.sh
+++ b/shared/fixes/bash/mount_option_nosuid_removable_partitions.sh
@@ -5,9 +5,6 @@
populate var_removable_partition
-NEW_OPT="nosuid"
+ensure_mount_option_in_fstab "$var_removable_partition" nosuid
-if [ $(grep "$var_removable_partition" /etc/fstab | grep -c "$NEW_OPT" ) -eq 0 ]; then
- MNT_OPTS=$(grep "$var_removable_partition" /etc/fstab | awk '{print $4}')
- sed -i "s|\($var_removable_partition.*${MNT_OPTS}\)|\1,${NEW_OPT}|" /etc/fstab
-fi
+mount -o remount "$var_removable_partition"
diff --git a/shared/fixes/bash/mount_option_var_tmp_bind.sh b/shared/fixes/bash/mount_option_var_tmp_bind.sh
deleted file mode 100644
index a9d86aaf06..0000000000
--- a/shared/fixes/bash/mount_option_var_tmp_bind.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-# platform = multi_platform_rhel
-# Delete particular /etc/fstab's row if /var/tmp is already configured to
-# represent a mount point (for some device or filesystem other than /tmp)
-if grep -q -P '.*\/var\/tmp.*' /etc/fstab
-then
- sed -i '/.*\/var\/tmp.*/d' /etc/fstab
-fi
-
-# Bind-mount /var/tmp to /tmp via /etc/fstab (preserving the /etc/fstab form)
-printf "%-24s%-24s%-8s%-32s%-3s\n" "/tmp" "/var/tmp" "none" "rw,nodev,noexec,nosuid,bind" "0 0" >> /etc/fstab
From 3e504aa5479e32f524645bf9c335623811975b37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 27 Mar 2018 16:16:24 +0200
Subject: [PATCH 03/17] Converted more mount option checks to templates.
* Refactored template plugin to easily support templates with variables.
---
.../mount_option_noexec_removable_partitions.sh | 10 --
.../mount_option_nosuid_removable_partitions.sh | 10 --
shared/templates/create_mount_options.py | 113 +++++++++++++--------
shared/templates/csv/mount_options.csv | 10 ++
...ount_options => template_ANACONDA_mount_option} | 0
...mount_options => template_ANSIBLE_mount_option} | 0
shared/templates/template_ANSIBLE_mount_option_var | 38 +++++++
.../template_BASH_mount_option_var} | 7 +-
8 files changed, 123 insertions(+), 65 deletions(-)
delete mode 100644 shared/fixes/bash/mount_option_noexec_removable_partitions.sh
delete mode 100644 shared/fixes/bash/mount_option_nosuid_removable_partitions.sh
create mode 100644 shared/templates/csv/mount_options.csv
rename shared/templates/{template_ANACONDA_mount_options => template_ANACONDA_mount_option} (100%)
rename shared/templates/{template_ANSIBLE_mount_options => template_ANSIBLE_mount_option} (100%)
create mode 100644 shared/templates/template_ANSIBLE_mount_option_var
rename shared/{fixes/bash/mount_option_nodev_removable_partitions.sh => templates/template_BASH_mount_option_var} (51%)
diff --git a/shared/fixes/bash/mount_option_noexec_removable_partitions.sh b/shared/fixes/bash/mount_option_noexec_removable_partitions.sh
deleted file mode 100644
index 40984b152b..0000000000
--- a/shared/fixes/bash/mount_option_noexec_removable_partitions.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-# platform = multi_platform_rhel, multi_platform_fedora
-
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
-populate var_removable_partition
-
-ensure_mount_option_in_fstab "$var_removable_partition" noexec
-
-mount -o remount "$var_removable_partition"
diff --git a/shared/fixes/bash/mount_option_nosuid_removable_partitions.sh b/shared/fixes/bash/mount_option_nosuid_removable_partitions.sh
deleted file mode 100644
index d76a8caedf..0000000000
--- a/shared/fixes/bash/mount_option_nosuid_removable_partitions.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-# platform = multi_platform_rhel, multi_platform_fedora
-
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
-populate var_removable_partition
-
-ensure_mount_option_in_fstab "$var_removable_partition" nosuid
-
-mount -o remount "$var_removable_partition"
diff --git a/shared/templates/create_mount_options.py b/shared/templates/create_mount_options.py
index 36c8083989..7434516390 100644
--- a/shared/templates/create_mount_options.py
+++ b/shared/templates/create_mount_options.py
@@ -8,54 +8,83 @@
from template_common import FilesGenerator, UnknownTargetError
+class MountOptionTarget(object):
+ def __init__(self, generator, output_format_string):
+ self.output_format_string = output_format_string
+ self.generator = generator
+
+ def process(self, mount_point, mount_option, point_id, template_file):
+ raise NotImplementedError("You are supposed to use a derived class.")
+
+
+class RemediationTarget(MountOptionTarget):
+ def process(self, mount_point, mount_option, point_id, template_file, stem=""):
+ if len(stem) == 0:
+ stem = point_id + '_' + mount_option
+ self.generator.file_from_template(
+ template_file,
+ {
+ "%MOUNTPOINT%": mount_point,
+ "%MOUNTOPTION%": re.sub(' ', ',', mount_option),
+ },
+ self.output_format_string,
+ stem
+ )
+
+
+class OvalTarget(MountOptionTarget):
+ def __init__(self, generator):
+ super(OvalTarget, self).__init__(
+ generator, "./oval/mount_option{0}.xml")
+
+ def process(self, mount_point, mount_option, point_id, template_file, stem=""):
+ if len(stem) == 0:
+ stem = point_id + '_' + mount_option
+ self.generator.file_from_template(
+ template_file,
+ {
+ "%MOUNTPOINT%": mount_point,
+ "%MOUNTOPTION%": mount_option,
+ "%POINTID%": point_id,
+ },
+ self.output_format_string,
+ stem
+ )
+
+
class MountOptionsGenerator(FilesGenerator):
+ def __init__(self):
+ self.targets = {}
+ self.targets["bash"] = RemediationTarget(
+ self, "./bash/mount_option{0}.sh")
+ self.targets["ansible"] = RemediationTarget(
+ self, "./ansible/mount_option{0}.yml")
+ self.targets["anaconda"] = RemediationTarget(
+ self, "./anaconda/mount_option{0}.anaconda")
+ self.targets["oval"] = OvalTarget(self)
+ super(MountOptionsGenerator, self).__init__()
+
def generate(self, target, path_info):
mount_point, mount_option = path_info
- point_id = re.sub('[-\./]', '_', mount_point)
if mount_point:
- if target == "ansible":
- self.file_from_template(
- "./template_ANSIBLE_mount_options",
- {
- "%MOUNTPOINT%": mount_point,
- "%MOUNTOPTION%": re.sub(' ', ',', mount_option),
- },
- "./ansible/mount_option{0}.yml", point_id + '_' + mount_option
- )
-
- elif target == "anaconda":
- self.file_from_template(
- "./template_ANACONDA_mount_options",
- {
- "%MOUNTPOINT%": mount_point,
- "%MOUNTOPTION%": re.sub(' ', ',', mount_option),
- },
- "./anaconda/mount_option{0}.anaconda", point_id + '_' + mount_option
- )
-
- elif target == "bash":
- self.file_from_template(
- "./template_BASH_mount_options",
- {
- "%MOUNTPOINT%": mount_point,
- "%MOUNTOPTION%": re.sub(' ', ',', mount_option),
- },
- "./bash/mount_option{0}.sh", point_id + '_' + mount_option
- )
-
- elif target == "oval":
- self.file_from_template(
- "./template_OVAL_mount_options",
- {
- "%MOUNTPOINT%": mount_point,
- "%MOUNTOPTION%": mount_option,
- "%POINTID%": point_id,
- },
- "./oval/mount_option{0}.xml", point_id + "_" + mount_option
- )
- else:
+
+ processing_entity = self.targets.get(target)
+ if processing_entity is None:
raise UnknownTargetError(target)
+ point_id = re.sub('[-\./]', '_', mount_point)
+
+ uppercase_target_name = target.upper()
+ template_file = "./template_{0}_mount_option".format(uppercase_target_name)
+ stem = ""
+ if mount_point.startswith("var_"):
+ # var_removable_partition -> removable_partitions
+ point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
+ template_file = "{0}_var".format(template_file)
+ stem = "_{0}_{1}".format(mount_option, point_id)
+
+ processing_entity.process(mount_point, mount_option, point_id, template_file, stem)
+
def csv_format(self):
return("CSV should contains lines of the format: "
"mount_point,mount_option,[mount_option]+")
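Review bot: `MountOptionTarget.process` at L3175 declares `(mount_point, mount_option, point_id, template_file)` while both overrides take an extra `stem=""` and `generate` passes it positionally at L3286, so the base contract no longer describes what callers require; add `stem=""` to the base signature. `RemediationTarget.process` and `OvalTarget.process` are the same function apart from the substitution dict — a single base `process` calling an overridable `substitutions(mount_point, mount_option, point_id)` would remove the duplication. Minor: the `var_` → plural rewrite at L3282 only works for names that pluralise with a trailing `s`; a comment stating that, or an explicit id column in the CSV, would be clearer. `generate` continues past this hunk.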
diff --git a/shared/templates/csv/mount_options.csv b/shared/templates/csv/mount_options.csv
new file mode 100644
index 0000000000..aa014f7187
--- /dev/null
+++ b/shared/templates/csv/mount_options.csv
@@ -0,0 +1,10 @@
+# format:
+# <mount_point>,<mount_option> - mounted with specified option. for more than
+# one option, use multiple lines with the same
+# <mount_point>, use variable name (i.e. name
+# beginning with var_, without the leading
+# '$' to reference a variable)
+
+var_removable_partition,nodev
+var_removable_partition,nosuid
+var_removable_partition,noexec
diff --git a/shared/templates/template_ANACONDA_mount_options b/shared/templates/template_ANACONDA_mount_option
similarity index 100%
rename from shared/templates/template_ANACONDA_mount_options
rename to shared/templates/template_ANACONDA_mount_option
diff --git a/shared/templates/template_ANSIBLE_mount_options b/shared/templates/template_ANSIBLE_mount_option
similarity index 100%
rename from shared/templates/template_ANSIBLE_mount_options
rename to shared/templates/template_ANSIBLE_mount_option
diff --git a/shared/templates/template_ANSIBLE_mount_option_var b/shared/templates/template_ANSIBLE_mount_option_var
new file mode 100644
index 0000000000..10c57a6e72
--- /dev/null
+++ b/shared/templates/template_ANSIBLE_mount_option_var
@@ -0,0 +1,38 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = high
+- (xccdf-var %MOUNTPOINT%)
+
+- name: get back device associated to mountpoint
+ shell: mount | grep ' {{ %MOUNTPOINT% }} ' |cut -d ' ' -f 1
+ register: device_name
+ check_mode: no
+ tags:
+ @ANSIBLE_TAGS@
+
+- name: get back device previous mount option
+ shell: mount | grep ' {{ %MOUNTPOINT% }} ' | sed -re 's:.*\((.*)\):\1:'
+ register: device_cur_mountoption
+ check_mode: no
+ tags:
+ @ANSIBLE_TAGS@
+
+- name: get back device fstype
+ shell: mount | grep ' {{ %MOUNTPOINT% }} ' | cut -d ' ' -f 5
+ register: device_fstype
+ check_mode: no
+ tags:
+ @ANSIBLE_TAGS@
+
+- name: Ensure permission %MOUNTOPTION% are set on %MOUNTPOINT%
+ mount:
+ path: "{{ %MOUNTPOINT% }}"
+ src: "{{device_name.stdout}}"
+ opts: "{{ device_cur_mountoption.stdout }},%MOUNTOPTION%"
+ state: "mounted"
+ fstype: "{{device_fstype.stdout}}"
+ tags:
+ @ANSIBLE_TAGS@
+
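Review bot: The three `shell: mount | grep ' {{ %MOUNTPOINT% }} ' | …` tasks scrape `mount` output, so when the removable partition is not mounted at play time `device_name.stdout`, `device_fstype.stdout` and the options register empty and the `mount:` task at L3350 is handed `src: ""` with `state: mounted`, which presumably fails or writes an unusable fstab line. `findmnt -no SOURCE,FSTYPE,OPTIONS "{{ %MOUNTPOINT% }}"` returns the same data in one call and works whether the variable holds a device or a target, and the `mount:` task should carry `when: device_name.stdout != ""`. Note also that the options captured from `mount` are the effective kernel options (e.g. `rw,relatime,seclabel`), not what was in fstab, and they get written back into fstab verbatim.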
diff --git a/shared/fixes/bash/mount_option_nodev_removable_partitions.sh b/shared/templates/template_BASH_mount_option_var
similarity index 51%
rename from shared/fixes/bash/mount_option_nodev_removable_partitions.sh
rename to shared/templates/template_BASH_mount_option_var
index 8ec23aad41..17e4d73a8d 100644
--- a/shared/fixes/bash/mount_option_nodev_removable_partitions.sh
+++ b/shared/templates/template_BASH_mount_option_var
@@ -1,10 +1,11 @@
# platform = multi_platform_rhel, multi_platform_fedora
+# reboot = false
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_removable_partition
+populate %MOUNTPOINT%
-ensure_mount_option_in_fstab "$var_removable_partition" nodev
+ensure_mount_option_in_fstab "$%MOUNTPOINT%" %MOUNTOPTION%
-mount -o remount "$var_removable_partition"
+mount -o remount "$%MOUNTPOINT%"
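Review bot: `mount -o remount "$%MOUNTPOINT%"` at L3376 is unconditional, and this template is only used for `var_` entries such as `var_removable_partition`, i.e. filesystems that may well not be mounted when the fix runs; the remediation then finishes with a mount error. `findmnt -n "$%MOUNTPOINT%" >/dev/null && mount -o remount "$%MOUNTPOINT%"` limits the remount to the mounted case, and passing `remount,%MOUNTOPTION%` would apply the option even where the fstab edit did not match. The `# platform` line kept from the renamed file lists rhel and fedora only, while the shared CSV this patch adds drives all products; confirm that is intended.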
From a0830be7d4e7a0fc6869efb11ec678a93b55907a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 27 Mar 2018 19:05:54 +0200
Subject: [PATCH 04/17] Templated an OVAL of removable partitions.
---
.../mount_option_noexec_remote_filesystems.xml | 40 ---------
.../mount_option_nosuid_remote_filesystems.xml | 40 ---------
shared/templates/create_mount_options.py | 26 ++++--
...AL_mount_options => template_OVAL_mount_option} | 0
...emplate_OVAL_mount_option_removable_partitions} | 99 ++++++++++------------
5 files changed, 67 insertions(+), 138 deletions(-)
delete mode 100644 shared/checks/oval/mount_option_noexec_remote_filesystems.xml
delete mode 100644 shared/checks/oval/mount_option_nosuid_remote_filesystems.xml
rename shared/templates/{template_OVAL_mount_options => template_OVAL_mount_option} (100%)
rename shared/{checks/oval/mount_option_nodev_removable_partitions.xml => templates/template_OVAL_mount_option_removable_partitions} (55%)
diff --git a/shared/checks/oval/mount_option_noexec_remote_filesystems.xml b/shared/checks/oval/mount_option_noexec_remote_filesystems.xml
deleted file mode 100644
index 885b2d0a04..0000000000
--- a/shared/checks/oval/mount_option_noexec_remote_filesystems.xml
+++ /dev/null
@@ -1,40 +0,0 @@
-<def-group>
- <definition class="compliance" id="mount_option_noexec_remote_filesystems" version="1">
- <metadata>
- <title>Mount Remote Filesystems with noexec</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 7</platform>
- </affected>
- <description>The noexec option should be enabled for all NFS mounts in /etc/fstab.</description>
- </metadata>
- <criteria operator="XOR">
- <!-- these tests are designed to be mutually exclusive; either no nfs mounts exist in /etc/fstab -->
- <!-- or all of the nfs mounts defined in /etc/fstab have the noexec mount option specified -->
- <criterion comment="remote nfs filesystems" test_ref="test_no_nfs_defined_etc_fstab_noexec" />
- <criterion comment="remote nfs filesystems" test_ref="test_nfs_noexec_etc_fstab" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="all nfs has noexec" id="test_nfs_noexec_etc_fstab" version="1">
- <ind:object object_ref="object_nfs_noexec_etc_fstab" />
- <ind:state state_ref="state_remote_filesystem_noexec" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_nfs_noexec_etc_fstab" version="1">
- <ind:filepath>/etc/fstab</ind:filepath>
- <ind:pattern operation="pattern match">^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$</ind:pattern>
- <!-- the "not equal" operation essentially means all instances of the regexp -->
- <ind:instance datatype="int" operation="not equal">0</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_remote_filesystem_noexec" version="1">
- <ind:subexpression operation="pattern match">^.*noexec.*$</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="no nfs" id="test_no_nfs_defined_etc_fstab_noexec" version="1">
- <!-- this test returns 'true' if /etc/fstab does not contain nfs/nfs4 mounts -->
- <ind:object object_ref="object_no_nfs_defined_etc_fstab_noexec" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_no_nfs_defined_etc_fstab_noexec" version="1">
- <ind:filepath>/etc/fstab</ind:filepath>
- <ind:pattern operation="pattern match">^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$</ind:pattern>
- <!-- the "not equal" operation below essentially means all instances of the regexp -->
- <ind:instance datatype="int" operation="not equal">0</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/shared/checks/oval/mount_option_nosuid_remote_filesystems.xml b/shared/checks/oval/mount_option_nosuid_remote_filesystems.xml
deleted file mode 100644
index 502a8ab3ae..0000000000
--- a/shared/checks/oval/mount_option_nosuid_remote_filesystems.xml
+++ /dev/null
@@ -1,40 +0,0 @@
-<def-group>
- <definition class="compliance" id="mount_option_nosuid_remote_filesystems" version="1">
- <metadata>
- <title>Mount Remote Filesystems with nosuid</title>
- <affected family="unix">
- <platform>multi_platform_rhel</platform>
- </affected>
- <description>The nosuid option should be enabled for all NFS mounts in /etc/fstab.</description>
- </metadata>
- <criteria operator="XOR">
- <!-- these tests are designed to be mutually exclusive; either no nfs mounts exist in /etc/fstab -->
- <!-- or all of the nfs mounts defined in /etc/fstab have the nosuid mount option specified -->
- <criterion comment="remote nfs filesystems" test_ref="test_no_nfs_defined_etc_fstab_nosuid" />
- <criterion comment="remote nfs filesystems" test_ref="test_nfs_nosuid_etc_fstab" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="all nfs has nosuid" id="test_nfs_nosuid_etc_fstab" version="1">
- <ind:object object_ref="object_nfs_nosuid_etc_fstab" />
- <ind:state state_ref="state_remote_filesystem_nosuid" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_nfs_nosuid_etc_fstab" version="1">
- <ind:filepath>/etc/fstab</ind:filepath>
- <ind:pattern operation="pattern match">^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$</ind:pattern>
- <!-- the "not equal" operation essentially means all instances of the regexp -->
- <ind:instance datatype="int" operation="not equal">0</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_remote_filesystem_nosuid" version="1">
- <ind:subexpression operation="pattern match">^.*nosuid.*$</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="no nfs" id="test_no_nfs_defined_etc_fstab_nosuid" version="1">
- <!-- this test returns 'true' if /etc/fstab does not contain nfs/nfs4 mounts -->
- <ind:object object_ref="object_no_nfs_defined_etc_fstab_nosuid" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_no_nfs_defined_etc_fstab_nosuid" version="1">
- <ind:filepath>/etc/fstab</ind:filepath>
- <ind:pattern operation="pattern match">^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$</ind:pattern>
- <!-- the "not equal" operation below essentially means all instances of the regexp -->
- <ind:instance datatype="int" operation="not equal">0</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/shared/templates/create_mount_options.py b/shared/templates/create_mount_options.py
index 7434516390..f8a035a60a 100644
--- a/shared/templates/create_mount_options.py
+++ b/shared/templates/create_mount_options.py
@@ -16,6 +16,9 @@ def __init__(self, generator, output_format_string):
def process(self, mount_point, mount_option, point_id, template_file):
raise NotImplementedError("You are supposed to use a derived class.")
+ def process_with_variable(self, mount_point, mount_option, point_id, template_file):
+ raise NotImplementedError("You are supposed to use a derived class.")
+
class RemediationTarget(MountOptionTarget):
def process(self, mount_point, mount_option, point_id, template_file, stem=""):
@@ -31,12 +34,25 @@ def process(self, mount_point, mount_option, point_id, template_file, stem=""):
stem
)
+ def process_with_variable(self, mount_point, mount_option, point_id, template_file):
+ # e.g. var_removable_partition -> removable_partitions
+ point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
+ template_file = "{0}_var".format(template_file)
+ stem = "_{0}_{1}".format(mount_option, point_id)
+ return self.process(mount_point, mount_option, point_id, template_file, stem)
+
class OvalTarget(MountOptionTarget):
def __init__(self, generator):
super(OvalTarget, self).__init__(
generator, "./oval/mount_option{0}.xml")
+ def process_with_variable(self, mount_point, mount_option, point_id, template_file):
+ point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
+ template_file = "{0}_{1}".format(template_file, point_id)
+ stem = "_{0}_{1}".format(mount_option, point_id)
+ return self.process(mount_point, mount_option, point_id, template_file, stem)
+
def process(self, mount_point, mount_option, point_id, template_file, stem=""):
if len(stem) == 0:
stem = point_id + '_' + mount_option
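Review bot: The two `process_with_variable` overrides duplicate the `re.sub(r"^var_(.*)", r"\1s", mount_point)` derivation and the `stem` computation, and both silently overwrite their `point_id` argument, so a caller passing a `point_id` gets no effect without any hint; the only thing that actually differs between them is how `template_file` is named. I would move the shared part into the base class (replacing the `NotImplementedError` stub added in the first hunk) and leave the subclasses a one-line hook, documenting that `point_id` is always derived from `mount_point`. The class headers lie outside this hunk; sketch below.
```python
class MountOptionTarget(object):
    # … unchanged: __init__, process …
    def process_with_variable(self, mount_point, mount_option, point_id, template_file):
        # e.g. var_removable_partition -> removable_partitions; the point_id
        # argument is ignored, it is always derived from mount_point.
        point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
        stem = "_{0}_{1}".format(mount_option, point_id)
        template_file = self.variable_template_file(template_file, point_id)
        return self.process(mount_point, mount_option, point_id, template_file, stem)

    def variable_template_file(self, template_file, point_id):
        raise NotImplementedError("You are supposed to use a derived class.")

class RemediationTarget(MountOptionTarget):
    # … unchanged: process …
    def variable_template_file(self, template_file, point_id):
        return "{0}_var".format(template_file)

class OvalTarget(MountOptionTarget):
    # … unchanged: __init__, process …
    def variable_template_file(self, template_file, point_id):
        return "{0}_{1}".format(template_file, point_id)
```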
@@ -78,12 +94,10 @@ def generate(self, target, path_info):
template_file = "./template_{0}_mount_option".format(uppercase_target_name)
stem = ""
if mount_point.startswith("var_"):
- # var_removable_partition -> removable_partitions
- point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
- template_file = "{0}_var".format(template_file)
- stem = "_{0}_{1}".format(mount_option, point_id)
-
- processing_entity.process(mount_point, mount_option, point_id, template_file, stem)
+ processing_entity.process_with_variable(
+ mount_point, mount_option, point_id, template_file)
+ else:
+ processing_entity.process(mount_point, mount_option, point_id, template_file, stem)
def csv_format(self):
return("CSV should contains lines of the format: "
diff --git a/shared/templates/template_OVAL_mount_options b/shared/templates/template_OVAL_mount_option
similarity index 100%
rename from shared/templates/template_OVAL_mount_options
rename to shared/templates/template_OVAL_mount_option
diff --git a/shared/checks/oval/mount_option_nodev_removable_partitions.xml b/shared/templates/template_OVAL_mount_option_removable_partitions
similarity index 55%
rename from shared/checks/oval/mount_option_nodev_removable_partitions.xml
rename to shared/templates/template_OVAL_mount_option_removable_partitions
index 02af3d63fa..a6f4b247b9 100644
--- a/shared/checks/oval/mount_option_nodev_removable_partitions.xml
+++ b/shared/templates/template_OVAL_mount_option_removable_partitions
@@ -1,15 +1,10 @@
<def-group>
- <definition class="compliance" id="mount_option_nodev_removable_partitions" version="4">
+ <definition class="compliance" id="mount_option_%MOUNTOPTION%_removable_partitions" version="4">
<metadata>
- <title>Add nodev Option to Removable Media Partitions</title>
+ <title>Add %MOUNTOPTION% Option to Removable Media Partitions</title>
<affected family="unix">
<platform>multi_platform_rhel</platform>
</affected>
- <description>The nodev mount option prevents files from being interpreted
- as character or block devices. Legitimate character and block devices
- should exist in the /dev directory on the root partition or within chroot
- jails built for system services. All other locations should not allow
- character and block devices.</description>
</metadata>
<criteria operator="OR">
<!-- First check if specified removable partition truly exists on the system. If not, don't check /etc/fstab & runtime configuration
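Review bot: The definition's `<description>` element is removed outright together with the nodev-specific wording, so every definition generated from this template has a `<title>` but no description. As far as I recall OVAL's MetadataType requires `description`, in which case generated files would fail schema validation; even if the build tolerates it, the rendered check loses its explanation. Keep the element with templated text instead, e.g. `<description>The %MOUNTOPTION% mount option should be set on removable media partitions.</description>`.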
@@ -17,35 +12,35 @@
<extend_definition comment="Check if removable partition really exists on the system"
definition_ref="removable_partition_doesnt_exist" />
<!-- Removable device exists. Check if it's CD/DVD drive. If so, verify that at least one from all of the possible its alternative
- names in /etc/fstab & runtime configuration are configured with 'nodev' option -->
+ names in /etc/fstab & runtime configuration are configured with '%MOUNTOPTION%' option -->
<criteria operator="AND">
<extend_definition comment="Check if removable partition value represents CD/DVD drive"
definition_ref="var_removable_partition_is_cd_dvd_drive" />
<criteria operator="OR">
<criteria operator="AND">
- <criterion test_ref="test_nodev_etc_fstab_cd_dvd_drive"
- comment="Check if at least one from CD/DVD drive alternative names is using 'nodev' mount option in /etc/fstab" />
- <criterion test_ref="test_nodev_runtime_cd_dvd_drive"
- comment="Check if at least one from CD/DVD drive alternative names is using 'nodev' mount option in runtime configuration" />
+ <criterion test_ref="test_%MOUNTOPTION%_etc_fstab_cd_dvd_drive"
+ comment="Check if at least one from CD/DVD drive alternative names is using '%MOUNTOPTION%' mount option in /etc/fstab" />
+ <criterion test_ref="test_%MOUNTOPTION%_runtime_cd_dvd_drive"
+ comment="Check if at least one from CD/DVD drive alternative names is using '%MOUNTOPTION%' mount option in runtime configuration" />
</criteria>
<extend_definition definition_ref="no_cd_dvd_drive_in_etc_fstab"
comment="Check if CD/DVD drive is not configured to automount in /etc/fstab" />
</criteria>
</criteria>
- <!-- Removable device exists & isn't CD/DVD drive. Check the particular devices is configured with 'nodev' mount option in both
+ <!-- Removable device exists & isn't CD/DVD drive. Check the particular devices is configured with '%MOUNTOPTION%' mount option in both
/etc/fstab & runtime configuration -->
<criteria operator="AND">
- <criterion test_ref="test_nodev_etc_fstab_not_cd_dvd_drive"
- comment="Check if removable partition is using 'nodev' mount option in /etc/fstab" />
- <criterion test_ref="test_nodev_runtime_not_cd_dvd_drive"
- comment="Check if removable partition is using 'nodev' mount option in runtime configuration" />
+ <criterion test_ref="test_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive"
+ comment="Check if removable partition is using '%MOUNTOPTION%' mount option in /etc/fstab" />
+ <criterion test_ref="test_%MOUNTOPTION%_runtime_not_cd_dvd_drive"
+ comment="Check if removable partition is using '%MOUNTOPTION%' mount option in runtime configuration" />
</criteria>
</criteria>
</definition>
<!-- If specified removable partition represents CD / DVD drive, create a variable
holding also alternative names for CD / DVD block special device as used by udev -->
- <constant_variable id="variable_cd_dvd_drive_alternative_names_nodev" datatype="string" comment="CD/DVD drive alternative names whitelist" version="1">
+ <constant_variable id="variable_cd_dvd_drive_alternative_names_%MOUNTOPTION%" datatype="string" comment="CD/DVD drive alternative names whitelist" version="1">
<value>/dev/cdrom</value>
<value>/dev/dvd</value>
<value>/dev/scd0</value>
@@ -54,10 +49,10 @@
<!-- For each of the CD / DVD drive alternative names create regular expression pattern
to be used in textfilecontent54_object below -->
- <local_variable id="variable_cd_dvd_drive_regex_pattern_nodev" datatype="string" comment="Regular expression pattern for CD / DVD drive alternative names" version="1">
+ <local_variable id="variable_cd_dvd_drive_regex_pattern_%MOUNTOPTION%" datatype="string" comment="Regular expression pattern for CD / DVD drive alternative names" version="1">
<concat>
<literal_component>^[\s]*</literal_component>
- <variable_component var_ref="variable_cd_dvd_drive_alternative_names_nodev" />
+ <variable_component var_ref="variable_cd_dvd_drive_alternative_names_%MOUNTOPTION%" />
<!-- Capture the mount options field (4-th column of /etc/fstab) -->
<literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</literal_component>
</concat>
@@ -65,50 +60,50 @@
<!-- If specified removable partition represents CD / DVD drive, use all alternative
names to check /etc/fstab & runtime settings -->
- <ind:textfilecontent54_test id="test_nodev_etc_fstab_cd_dvd_drive" check_existence="any_exist" check="all" comment="'nodev' mount option used for at least one CD / DVD drive alternative names in /etc/fstab" version="1">
- <ind:object object_ref="object_nodev_etc_fstab_cd_dvd_drive" />
- <ind:state state_ref="state_nodev_etc_fstab_cd_dvd_drive" />
+ <ind:textfilecontent54_test id="test_%MOUNTOPTION%_etc_fstab_cd_dvd_drive" check_existence="any_exist" check="all" comment="'%MOUNTOPTION%' mount option used for at least one CD / DVD drive alternative names in /etc/fstab" version="1">
+ <ind:object object_ref="object_%MOUNTOPTION%_etc_fstab_cd_dvd_drive" />
+ <ind:state state_ref="state_%MOUNTOPTION%_etc_fstab_cd_dvd_drive" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_nodev_etc_fstab_cd_dvd_drive" version="1">
+ <ind:textfilecontent54_object id="object_%MOUNTOPTION%_etc_fstab_cd_dvd_drive" version="1">
<ind:filepath>/etc/fstab</ind:filepath>
- <ind:pattern operation="pattern match" datatype="string" var_ref="variable_cd_dvd_drive_regex_pattern_nodev" var_check="at least one" />
+ <ind:pattern operation="pattern match" datatype="string" var_ref="variable_cd_dvd_drive_regex_pattern_%MOUNTOPTION%" var_check="at least one" />
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_nodev_etc_fstab_cd_dvd_drive" version="1">
- <ind:subexpression operation="pattern match" datatype="string">^.*,?nodev,?.*$</ind:subexpression>
+ <ind:textfilecontent54_state id="state_%MOUNTOPTION%_etc_fstab_cd_dvd_drive" version="1">
+ <ind:subexpression operation="pattern match" datatype="string">^.*,?%MOUNTOPTION%,?.*$</ind:subexpression>
</ind:textfilecontent54_state>
- <linux:partition_test id="test_nodev_runtime_cd_dvd_drive" check="all" comment="'nodev' mount option used for at least one CD / DVD drive alternative names in runtime configuration" version="1">
- <linux:object object_ref="object_nodev_runtime_cd_dvd_drive" />
+ <linux:partition_test id="test_%MOUNTOPTION%_runtime_cd_dvd_drive" check="all" comment="'%MOUNTOPTION%' mount option used for at least one CD / DVD drive alternative names in runtime configuration" version="1">
+ <linux:object object_ref="object_%MOUNTOPTION%_runtime_cd_dvd_drive" />
</linux:partition_test>
- <linux:partition_object id="object_nodev_runtime_cd_dvd_drive" version="1">
+ <linux:partition_object id="object_%MOUNTOPTION%_runtime_cd_dvd_drive" version="1">
<!-- CD / DVD drive can be mounted under any mount_point. We don't know ahead its exact name.
=> Capture all & filter out only the relevant ones via the corresponding state -->
<linux:mount_point operation="pattern match">^.*$</linux:mount_point>
<!-- Therefore from all the captured mount points select only those having
device set to some CD / DVD drive alternative name and simultaneously
- having 'nodev' mount option used -->
- <filter action="include">state_nodev_runtime_cd_dvd_drive</filter>
+ having '%MOUNTOPTION%' mount option used -->
+ <filter action="include">state_%MOUNTOPTION%_runtime_cd_dvd_drive</filter>
</linux:partition_object>
- <linux:partition_state id="state_nodev_runtime_cd_dvd_drive" version="1">
- <linux:device datatype="string" operation="equals" var_ref="variable_cd_dvd_drive_alternative_names_nodev" var_check="at least one" />
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
+ <linux:partition_state id="state_%MOUNTOPTION%_runtime_cd_dvd_drive" version="1">
+ <linux:device datatype="string" operation="equals" var_ref="variable_cd_dvd_drive_alternative_names_%MOUNTOPTION%" var_check="at least one" />
+ <linux:mount_options datatype="string" entity_check="at least one" operation="equals">%MOUNTOPTION%</linux:mount_options>
</linux:partition_state>
<!-- Specified removable partition exists & doesn't represent a CD/DVD drive.
- Check if configured with 'nodev' mount option in both /etc/fstab & runtime configuration -->
- <ind:textfilecontent54_test id="test_nodev_etc_fstab_not_cd_dvd_drive" check="at least one" check_existence="all_exist" comment="Check if removable partition is configured with 'nodev' mount option in /etc/fstab" version="1">
- <ind:object object_ref="object_nodev_etc_fstab_not_cd_dvd_drive" />
- <ind:state state_ref="state_nodev_etc_fstab_not_cd_dvd_drive" />
+ Check if configured with '%MOUNTOPTION%' mount option in both /etc/fstab & runtime configuration -->
+ <ind:textfilecontent54_test id="test_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive" check="at least one" check_existence="all_exist" comment="Check if removable partition is configured with '%MOUNTOPTION%' mount option in /etc/fstab" version="1">
+ <ind:object object_ref="object_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive" />
+ <ind:state state_ref="state_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive" />
</ind:textfilecontent54_test>
<!-- Create regular expression pattern for the device to be used in the
textfilecontent54_object below -->
- <local_variable id="variable_not_cd_dvd_drive_regex_pattern_nodev" datatype="string" comment="Regular expression pattern for removable block special device other than CD / DVD drive" version="1">
+ <local_variable id="variable_not_cd_dvd_drive_regex_pattern_%MOUNTOPTION%" datatype="string" comment="Regular expression pattern for removable block special device other than CD / DVD drive" version="1">
<concat>
<literal_component>^[\s]*</literal_component>
<variable_component var_ref="var_removable_partition" />
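Review bot: The templated subexpression `^.*,?%MOUNTOPTION%,?.*$` matches the option as a bare substring, because both `,?` are optional; that was already true for the hard-coded `nodev`, but once the template accepts any option, checking for `exec` or `dev` would be satisfied by a line carrying `noexec` or `nodev`. The same pattern recurs in `state_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive` in the next hunk, where it additionally lacks the trailing `$`, so the two states are not even consistent with each other. Anchoring on the field separators fixes both: `(^|,)%MOUNTOPTION%(,|$)`, applied to both states.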
@@ -117,33 +112,33 @@
</concat>
</local_variable>
- <ind:textfilecontent54_object id="object_nodev_etc_fstab_not_cd_dvd_drive" version="1">
+ <ind:textfilecontent54_object id="object_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive" version="1">
<ind:filepath>/etc/fstab</ind:filepath>
- <ind:pattern operation="pattern match" datatype="string" var_ref="variable_not_cd_dvd_drive_regex_pattern_nodev" var_check="at least one" />
+ <ind:pattern operation="pattern match" datatype="string" var_ref="variable_not_cd_dvd_drive_regex_pattern_%MOUNTOPTION%" var_check="at least one" />
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_nodev_etc_fstab_not_cd_dvd_drive" version="1">
- <ind:subexpression operation="pattern match" datatype="string">^.*,?nodev,?.*</ind:subexpression>
+ <ind:textfilecontent54_state id="state_%MOUNTOPTION%_etc_fstab_not_cd_dvd_drive" version="1">
+ <ind:subexpression operation="pattern match" datatype="string">^.*,?%MOUNTOPTION%,?.*</ind:subexpression>
</ind:textfilecontent54_state>
- <linux:partition_test id="test_nodev_runtime_not_cd_dvd_drive" check="all" check_existence="all_exist" comment="'nodev' mount option used for removable partition in runtime configuration" version="1">
- <linux:object object_ref="object_nodev_runtime_not_cd_dvd_drive" />
+ <linux:partition_test id="test_%MOUNTOPTION%_runtime_not_cd_dvd_drive" check="all" check_existence="all_exist" comment="'%MOUNTOPTION%' mount option used for removable partition in runtime configuration" version="1">
+ <linux:object object_ref="object_%MOUNTOPTION%_runtime_not_cd_dvd_drive" />
</linux:partition_test>
- <linux:partition_object id="object_nodev_runtime_not_cd_dvd_drive" version="1">
+ <linux:partition_object id="object_%MOUNTOPTION%_runtime_not_cd_dvd_drive" version="1">
<!-- Removable partition can be mounted under any mount point. We don't know it's
- exact name ahead => capture all & filter out only those relevant later via state -->
+ exact name ahead => Capture all & filter out only those relevant later via state -->
<linux:mount_point operation="pattern match">^.*$</linux:mount_point>
<!-- From all the captured mount points select only those having device equal
to 'var_removable_partition' variable value and simultaneously having
- 'nodev' mount option set -->
- <filter action="include">state_nodev_runtime_not_cd_dvd_drive</filter>
+ '%MOUNTOPTION%' mount option set -->
+ <filter action="include">state_%MOUNTOPTION%_runtime_not_cd_dvd_drive</filter>
</linux:partition_object>
- <linux:partition_state id="state_nodev_runtime_not_cd_dvd_drive" version="1">
+ <linux:partition_state id="state_%MOUNTOPTION%_runtime_not_cd_dvd_drive" version="1">
<linux:device datatype="string" operation="equals" var_ref="var_removable_partition" var_check="at least one" />
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
+ <linux:mount_options datatype="string" entity_check="at least one" operation="equals">%MOUNTOPTION%</linux:mount_options>
</linux:partition_state>
<external_variable comment="removable partition" datatype="string" id="var_removable_partition" version="1" />
From 8e684b558f0f46f4e8acc4271e4dc9e1ffcec590 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 27 Mar 2018 19:21:28 +0200
Subject: [PATCH] Made the service disable command more complete.
---
shared/bash_remediation_functions/service_command.sh | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/shared/bash_remediation_functions/service_command.sh b/shared/bash_remediation_functions/service_command.sh
index 4b0cc4de0a..feb8a9648f 100644
--- a/shared/bash_remediation_functions/service_command.sh
+++ b/shared/bash_remediation_functions/service_command.sh
@@ -47,20 +47,24 @@ else
fi
# If chkconfig_util is not empty, use chkconfig/service commands.
-if ! [ "x$chkconfig_util" = x ] ; then
+if [ "x$chkconfig_util" != x ] ; then
$service_util $service $service_operation
$chkconfig_util --level 0123456 $service $chkconfig_state
else
$service_util $service_operation $service
$service_util $service_state $service
+ # The service may not be running because it has been started and failed,
+ # so let's reset the state so OVAL checks pass.
+ # Service should be 'inactive', not 'failed' after reboot though.
+ $service_util reset-failed $service
fi
# Test if local variable xinetd is empty using non-bashism.
# If empty, then xinetd is not being used.
-if ! [ "x$xinetd" = x ] ; then
+if [ "x$xinetd" != x ] ; then
grep -qi disable /etc/xinetd.d/$xinetd && \
- if ! [ "$service_operation" != 'disable' ] ; then
+ if [ "$service_operation" = 'disable' ] ; then
sed -i "s/disable.*/disable = no/gI" /etc/xinetd.d/$xinetd
else
sed -i "s/disable.*/disable = yes/gI" /etc/xinetd.d/$xinetd
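Review bot: The simplified `if [ "$service_operation" = 'disable' ]` compares what the systemd branch above passes as the start/stop verb (`$service_util $service_operation $service`), while the enable/disable verb is `$service_state` (`$service_util $service_state $service`); if that reading is right the comparison can never match and the xinetd file always receives `disable = yes`. The branch bodies also look swapped, since a disable request should write `disable = yes`, not `disable = no`. The commit only drops the double negation, so this behaviour is preserved rather than introduced, but it is worth confirming the intent; I would expect `if [ "$service_state" = 'disable' ] ; then` with `disable = yes` in the then-branch and `disable = no` in the else-branch. Separately, the added `$service_util reset-failed $service` runs on enable as well as disable, which is harmless per its comment, but `$service` stays unquoted like the rest of the file. The enclosing function and the xinetd `if` block continue outside the hunk.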
From 0e83474ea75d762c77f78630448ad5a72b58d211 Mon Sep 17 00:00:00 2001
From: James Cassell <james.cassell@ll.mit.edu>
Date: Tue, 10 Apr 2018 14:17:01 -0400
Subject: [PATCH] trailing slash is not required for "-w" audit rules
---
shared/templates/csv/audit_rules_login_events.csv | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/csv/audit_rules_login_events.csv b/shared/templates/csv/audit_rules_login_events.csv
index 5c9793afbe..cdec8d6b8e 100644
--- a/shared/templates/csv/audit_rules_login_events.csv
+++ b/shared/templates/csv/audit_rules_login_events.csv
@@ -1,3 +1,3 @@
-/var/run/faillock/
+/var/run/faillock
/var/log/lastlog
/var/log/tallylog
From 53e8a161cb656d1daf8c3fb9eaa088347f844b5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 29 Mar 2018 13:33:15 +0200
Subject: [PATCH 05/17] Minor mount_options fixes.
* Deduplicated template files.
* Fixed OVAL syntax.
* Added comments to respective .csv files.
---
debian8/templates/csv/mount_options.csv | 5 +++--
fedora/templates/csv/mount_options.csv | 5 +++--
fedora/templates/template_BASH_mount_options | 8 --------
rhel6/templates/csv/mount_options.csv | 5 +++--
rhel6/templates/template_BASH_mount_options | 8 --------
rhel7/templates/csv/mount_options.csv | 5 +++--
rhel7/templates/template_BASH_mount_options | 8 --------
.../ensure_mount_option_in_fstab.sh | 21 +++++++++++++++++----
.../mount_option_nodev_nonroot_local_partitions.xml | 2 +-
.../oval/mount_option_nodev_remote_filesystems.xml | 2 +-
.../mount_option_noexec_removable_partitions.xml | 2 +-
.../mount_option_nosuid_removable_partitions.xml | 2 +-
.../checks/oval/mount_option_smb_client_signing.xml | 2 +-
shared/checks/oval/mount_option_var_tmp_bind.xml | 3 +--
shared/templates/csv/mount_options.csv | 7 +++----
shared/templates/template_BASH_mount_option | 3 ++-
shared/templates/template_BASH_mount_option_var | 2 +-
.../template_OVAL_mount_option_removable_partitions | 3 ++-
sle12/templates/csv/mount_options.csv | 5 +++--
ubuntu14/templates/csv/mount_options.csv | 5 +++--
ubuntu16/templates/csv/mount_options.csv | 5 +++--
wrlinux/templates/csv/mount_options.csv | 5 +++--
wrlinux/templates/template_BASH_mount_options | 9 ---------
23 files changed, 55 insertions(+), 67 deletions(-)
delete mode 100644 fedora/templates/template_BASH_mount_options
delete mode 100644 rhel6/templates/template_BASH_mount_options
delete mode 100644 rhel7/templates/template_BASH_mount_options
delete mode 100644 wrlinux/templates/template_BASH_mount_options
diff --git a/debian8/templates/csv/mount_options.csv b/debian8/templates/csv/mount_options.csv
index 543d0aa96a..893ce26a5f 100644
--- a/debian8/templates/csv/mount_options.csv
+++ b/debian8/templates/csv/mount_options.csv
@@ -1,7 +1,8 @@
# format:
# <mount_point>,<mount_option> - mounted with specified option. for more than
-# one option, use multiple lines with the same
-# <mount_point>
+# one option, use multiple lines with the same <mount_point>, use the
+# variable name (i.e. name beginning with var_, without the leading
+# '$' to reference a variable, e.g. var_removable_partition,nodev)
/home,nosuid
/home,nodev
/var/log,nosuid
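Review bot: The new comment text is hard to parse: the sentence runs "use multiple lines with the same <mount_point>, use the variable name (i.e. name beginning with var_, without the leading '$' to reference a variable, e.g. ...)" with the two instructions fused and the parenthesis misplaced. The same text is repeated in the fedora, rhel6 and rhel7 mount_options.csv hunks of this commit (and, per the diffstat, the sle12/ubuntu/wrlinux/shared copies), so it should be fixed once and propagated. I would end the first instruction at `<mount_point>.` and add `# <mount_point> may also be an XCCDF variable name (beginning with var_, no leading '$'),` followed by `# e.g. var_removable_partition,nodev`.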
diff --git a/fedora/templates/csv/mount_options.csv b/fedora/templates/csv/mount_options.csv
index 1d55557127..7c6e389a7d 100644
--- a/fedora/templates/csv/mount_options.csv
+++ b/fedora/templates/csv/mount_options.csv
@@ -1,7 +1,8 @@
# format:
# <mount_point>,<mount_option> - mounted with specified option. for more than
-# one option, use multiple lines with the same
-# <mount_point>
+# one option, use multiple lines with the same <mount_point>, use the
+# variable name (i.e. name beginning with var_, without the leading
+# '$' to reference a variable, e.g. var_removable_partition,nodev)
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/fedora/templates/template_BASH_mount_options b/fedora/templates/template_BASH_mount_options
deleted file mode 100644
index bd42704a4f..0000000000
--- a/fedora/templates/template_BASH_mount_options
+++ /dev/null
@@ -1,8 +0,0 @@
-# platform = multi_platform_fedora
-# reboot = false
-
-. /usr/share/scap-security-guide/remediation_functions
-
-ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
-
-mount -o remount %MOUNTPOINT%
diff --git a/rhel6/templates/csv/mount_options.csv b/rhel6/templates/csv/mount_options.csv
index 4e1aad5a53..a12e40377a 100644
--- a/rhel6/templates/csv/mount_options.csv
+++ b/rhel6/templates/csv/mount_options.csv
@@ -1,7 +1,8 @@
# format:
# <mount_point>,<mount_option> - mounted with specified option. for more than
-# one option, use multiple lines with the same
-# <mount_point>
+# one option, use multiple lines with the same <mount_point>, use the
+# variable name (i.e. name beginning with var_, without the leading
+# '$' to reference a variable, e.g. var_removable_partition,nodev)
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/rhel6/templates/template_BASH_mount_options b/rhel6/templates/template_BASH_mount_options
deleted file mode 100644
index ce74bf5497..0000000000
--- a/rhel6/templates/template_BASH_mount_options
+++ /dev/null
@@ -1,8 +0,0 @@
-# platform = Red Hat Enterprise Linux 6
-# reboot = false
-
-. /usr/share/scap-security-guide/remediation_functions
-
-ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
-
-mount -o remount %MOUNTPOINT%
diff --git a/rhel7/templates/csv/mount_options.csv b/rhel7/templates/csv/mount_options.csv
index 3d3eaf2a8f..2e2c09227c 100644
--- a/rhel7/templates/csv/mount_options.csv
+++ b/rhel7/templates/csv/mount_options.csv
@@ -1,7 +1,8 @@
# format:
# <mount_point>,<mount_option> - mounted with specified option. for more than
-# one option, use multiple lines with the same
-# <mount_point>
+# one option, use multiple lines with the same <mount_point>, use the
+# variable name (i.e. name beginning with var_, without the leading
+# '$' to reference a variable, e.g. var_removable_partition,nodev)
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/rhel7/templates/template_BASH_mount_options b/rhel7/templates/template_BASH_mount_options
deleted file mode 100644
index 0bcd8d88a2..0000000000
--- a/rhel7/templates/template_BASH_mount_options
+++ /dev/null
@@ -1,8 +0,0 @@
-# platform = Red Hat Enterprise Linux 7
-# reboot = false
-
-. /usr/share/scap-security-guide/remediation_functions
-
-ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
-
-mount -o remount %MOUNTPOINT%
diff --git a/shared/bash_remediation_functions/ensure_mount_option_in_fstab.sh b/shared/bash_remediation_functions/ensure_mount_option_in_fstab.sh
index bda3bca43b..2035677ac4 100644
--- a/shared/bash_remediation_functions/ensure_mount_option_in_fstab.sh
+++ b/shared/bash_remediation_functions/ensure_mount_option_in_fstab.sh
@@ -2,19 +2,32 @@
# $2: new mount point option
function ensure_mount_option_in_fstab {
local _mount_point="$1" _new_opt="$2" _mount_point_match_regexp="" _previous_mount_opts=""
- _mount_point_match_regexp="[[:space:]]$_mount_point[[:space:]]"
+ _mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"
if [ $(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt" ) -eq 0 ]; then
_previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
- sed -i "s/\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)/\1,${_new_opt}/" /etc/fstab
+ sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
fi
}
+# $1: mount point
+function get_mount_point_regexp {
+ printf "[[:space:]]%s[[:space:]]" "$1"
+}
+
+# $1: mount point
+function assert_mount_point_in_fstab {
+ local _mount_point_match_regexp
+ _mount_point_match_regexp="$(get_mount_point_regexp "$1")"
+ grep "$_mount_point_match_regexp" -q /etc/fstab \
+ || { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
+}
function remove_defaults_from_fstab_if_overriden {
- _mount_point_match_regexp="[[:space:]]$1[[:space:]]"
+ local _mount_point_match_regexp
+ _mount_point_match_regexp="$(get_mount_point_regexp "$1")"
if [ $(grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,") -gt 0 ]
then
- sed -i "s/\(${_mount_point_match_regexp}.*\)defaults,/\1/" /etc/fstab
+ sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
fi
}
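Review bot: `get_mount_point_regexp` pastes the mount point into a basic regex unescaped, so a `.` or `*` in `$1` is interpreted by both `grep` and `sed`, and now that `|` is the sed delimiter a `|` in the mount point would break the substitution; escape the value before wrapping it, e.g. `printf '[[:space:]]%s[[:space:]]' "$(printf '%s' "$1" | sed 's/[][\.*^$|]/\\&/g')"`. The same applies to `${_previous_mount_opts}`, which is read back from /etc/fstab and spliced into the sed pattern unescaped. Separately, `[ $(grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,") -gt 0 ]` in remove_defaults_from_fstab_if_overriden compares an empty substitution (`grep -q` prints nothing), so the test errors out and the `sed` on the next line never runs; `if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"; then` is the intended check. That bug predates this commit, but the hunk rewrites the line directly below it.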
diff --git a/shared/checks/oval/mount_option_nodev_nonroot_local_partitions.xml b/shared/checks/oval/mount_option_nodev_nonroot_local_partitions.xml
index 6b335e1b66..ba2728b0db 100644
--- a/shared/checks/oval/mount_option_nodev_nonroot_local_partitions.xml
+++ b/shared/checks/oval/mount_option_nodev_nonroot_local_partitions.xml
@@ -4,7 +4,7 @@
<metadata>
<title>Add nodev Option to Non-Root Local Partitions</title>
<affected family="unix">
- <platform>multi_platform_rhel</platform>
+ <platform>multi_platform_all</platform>
</affected>
<description>The nodev mount option prevents files from being interpreted
as character or block devices. Legitimate character and block devices
diff --git a/shared/checks/oval/mount_option_nodev_remote_filesystems.xml b/shared/checks/oval/mount_option_nodev_remote_filesystems.xml
index 8921a9146c..8e4d06519b 100644
--- a/shared/checks/oval/mount_option_nodev_remote_filesystems.xml
+++ b/shared/checks/oval/mount_option_nodev_remote_filesystems.xml
@@ -3,7 +3,7 @@
<metadata>
<title>Mount Remote Filesystems with nodev</title>
<affected family="unix">
- <platform>multi_platform_rhel</platform>
+ <platform>multi_platform_all</platform>
</affected>
<description>The nodev option should be enabled for all NFS mounts in /etc/fstab.</description>
</metadata>
diff --git a/shared/checks/oval/mount_option_noexec_removable_partitions.xml b/shared/checks/oval/mount_option_noexec_removable_partitions.xml
index 78e3c7d9da..ffeca3bd19 100644
--- a/shared/checks/oval/mount_option_noexec_removable_partitions.xml
+++ b/shared/checks/oval/mount_option_noexec_removable_partitions.xml
@@ -3,7 +3,7 @@
<metadata>
<title>Add noexec Option to Removable Media Partitions</title>
<affected family="unix">
- <platform>multi_platform_rhel</platform>
+ <platform>multi_platform_all</platform>
</affected>
<description>The noexec mount option prevents the direct execution of
binaries on the mounted filesystem. Users should not be allowed to
diff --git a/shared/checks/oval/mount_option_nosuid_removable_partitions.xml b/shared/checks/oval/mount_option_nosuid_removable_partitions.xml
index 61a03d4c2c..fb66b16a03 100644
--- a/shared/checks/oval/mount_option_nosuid_removable_partitions.xml
+++ b/shared/checks/oval/mount_option_nosuid_removable_partitions.xml
@@ -3,7 +3,7 @@
<metadata>
<title>Add nosuid Option to Removable Media Partitions</title>
<affected family="unix">
- <platform>multi_platform_rhel</platform>
+ <platform>multi_platform_all</platform>
</affected>
<description>The nosuid mount option prevents set-user-identifier (suid)
and set-group-identifier (sgid) permissions from taking effect. These
diff --git a/shared/checks/oval/mount_option_smb_client_signing.xml b/shared/checks/oval/mount_option_smb_client_signing.xml
index ed9a86ba16..dd4450b67f 100644
--- a/shared/checks/oval/mount_option_smb_client_signing.xml
+++ b/shared/checks/oval/mount_option_smb_client_signing.xml
@@ -5,7 +5,7 @@
<title>Require Client SMB Packet Signing, if using
mount.cifs</title>
<affected family="unix">
- <platform>multi_platform_rhel</platform>
+ <platform>multi_platform_all</platform>
</affected>
<description>Require packet signing of clients who mount
Samba shares using the mount.cifs program (e.g., those who
diff --git a/shared/checks/oval/mount_option_var_tmp_bind.xml b/shared/checks/oval/mount_option_var_tmp_bind.xml
index 6ad2fc4917..0ecd7d6e71 100644
--- a/shared/checks/oval/mount_option_var_tmp_bind.xml
+++ b/shared/checks/oval/mount_option_var_tmp_bind.xml
@@ -3,8 +3,7 @@
<metadata>
<title>Bind Mount /var/tmp To /tmp</title>
<affected family="unix">
- <platform>multi_platform_rhel</platform>
- <platform>multi_platform_fedora</platform>
+ <platform>multi_platform_all</platform>
</affected>
<description>The /var/tmp directory should be bind mounted to /tmp in
order to consolidate temporary storage into one location protected by the
diff --git a/shared/templates/csv/mount_options.csv b/shared/templates/csv/mount_options.csv
index aa014f7187..0afafa1627 100644
--- a/shared/templates/csv/mount_options.csv
+++ b/shared/templates/csv/mount_options.csv
@@ -1,9 +1,8 @@
# format:
# <mount_point>,<mount_option> - mounted with specified option. for more than
-# one option, use multiple lines with the same
-# <mount_point>, use variable name (i.e. name
-# beginning with var_, without the leading
-# '$' to reference a variable)
+# one option, use multiple lines with the same <mount_point>, use the
+# variable name (i.e. name beginning with var_, without the leading
+# '$' to reference a variable, e.g. var_removable_partition,nodev)
var_removable_partition,nodev
var_removable_partition,nosuid
diff --git a/shared/templates/template_BASH_mount_option b/shared/templates/template_BASH_mount_option
index 0bcd8d88a2..e7b6210afa 100644
--- a/shared/templates/template_BASH_mount_option
+++ b/shared/templates/template_BASH_mount_option
@@ -1,8 +1,9 @@
-# platform = Red Hat Enterprise Linux 7
+# platform = multi_platform_all
# reboot = false
. /usr/share/scap-security-guide/remediation_functions
+assert_mount_point_in_fstab %MOUNTPOINT% || exit 1
ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
mount -o remount %MOUNTPOINT%
diff --git a/shared/templates/template_BASH_mount_option_var b/shared/templates/template_BASH_mount_option_var
index 17e4d73a8d..cccf3eb3a7 100644
--- a/shared/templates/template_BASH_mount_option_var
+++ b/shared/templates/template_BASH_mount_option_var
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel, multi_platform_fedora
+# platform = multi_platform_all
# reboot = false
# Include source function library.
diff --git a/shared/templates/template_OVAL_mount_option_removable_partitions b/shared/templates/template_OVAL_mount_option_removable_partitions
index a6f4b247b9..1d30f3d939 100644
--- a/shared/templates/template_OVAL_mount_option_removable_partitions
+++ b/shared/templates/template_OVAL_mount_option_removable_partitions
@@ -3,8 +3,9 @@
<metadata>
<title>Add %MOUNTOPTION% Option to Removable Media Partitions</title>
<affected family="unix">
- <platform>multi_platform_rhel</platform>
+ <platform>multi_platform_all</platform>
</affected>
+ <description>The %MOUNTOPTION% option should be enabled for all removable devices mounts in /etc/fstab.</description>
</metadata>
<criteria operator="OR">
<!-- First check if specified removable partition truly exists on the system. If not, don't check /etc/fstab & runtime configuration
diff --git a/sle12/templates/csv/mount_options.csv b/sle12/templates/csv/mount_options.csv
index cc66455b7d..ea30f97e07 100644
--- a/sle12/templates/csv/mount_options.csv
+++ b/sle12/templates/csv/mount_options.csv
@@ -1,7 +1,8 @@
# format:
# <mount_point>,<mount_option> - mounted with specified option. for more than
-# one option, use multiple lines with the same
-# <mount_point>
+# one option, use multiple lines with the same <mount_point>, use the
+# variable name (i.e. name beginning with var_, without the leading
+# '$' to reference a variable, e.g. var_removable_partition,nodev)
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/ubuntu14/templates/csv/mount_options.csv b/ubuntu14/templates/csv/mount_options.csv
index 543d0aa96a..893ce26a5f 100644
--- a/ubuntu14/templates/csv/mount_options.csv
+++ b/ubuntu14/templates/csv/mount_options.csv
@@ -1,7 +1,8 @@
# format:
# <mount_point>,<mount_option> - mounted with specified option. for more than
-# one option, use multiple lines with the same
-# <mount_point>
+# one option, use multiple lines with the same <mount_point>, use the
+# variable name (i.e. name beginning with var_, without the leading
+# '$' to reference a variable, e.g. var_removable_partition,nodev)
/home,nosuid
/home,nodev
/var/log,nosuid
diff --git a/ubuntu16/templates/csv/mount_options.csv b/ubuntu16/templates/csv/mount_options.csv
index 543d0aa96a..893ce26a5f 100644
--- a/ubuntu16/templates/csv/mount_options.csv
+++ b/ubuntu16/templates/csv/mount_options.csv
@@ -1,7 +1,8 @@
# format:
# <mount_point>,<mount_option> - mounted with specified option. for more than
-# one option, use multiple lines with the same
-# <mount_point>
+# one option, use multiple lines with the same <mount_point>, use the
+# variable name (i.e. name beginning with var_, without the leading
+# '$' to reference a variable, e.g. var_removable_partition,nodev)
/home,nosuid
/home,nodev
/var/log,nosuid
diff --git a/wrlinux/templates/csv/mount_options.csv b/wrlinux/templates/csv/mount_options.csv
index 1d55557127..7c6e389a7d 100644
--- a/wrlinux/templates/csv/mount_options.csv
+++ b/wrlinux/templates/csv/mount_options.csv
@@ -1,7 +1,8 @@
# format:
# <mount_point>,<mount_option> - mounted with specified option. for more than
-# one option, use multiple lines with the same
-# <mount_point>
+# one option, use multiple lines with the same <mount_point>, use the
+# variable name (i.e. name beginning with var_, without the leading
+# '$' to reference a variable, e.g. var_removable_partition,nodev)
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/wrlinux/templates/template_BASH_mount_options b/wrlinux/templates/template_BASH_mount_options
deleted file mode 100644
index f373c36a21..0000000000
--- a/wrlinux/templates/template_BASH_mount_options
+++ /dev/null
@@ -1,9 +0,0 @@
-# platform = multi_platform_wrlinux
-# reboot = false
-
-. /usr/share/scap-security-guide/remediation_functions
-
-ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
-
-mount -o remount %MOUNTPOINT%
-
From 0335b08dbf9f5833e5d69617019840078bdcc588 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Fri, 6 Apr 2018 11:17:13 +0200
Subject: [PATCH 06/17] Expanded platforms of dependent OVALs.
---
shared/checks/oval/no_cd_dvd_drive_in_etc_fstab.xml | 2 ++
shared/checks/oval/package_samba-common_installed.xml | 2 ++
shared/checks/oval/removable_partition_doesnt_exist.xml | 2 ++
shared/checks/oval/var_removable_partition_is_cd_dvd_drive.xml | 2 ++
shared/templates/template_OVAL_mount_option_removable_partitions | 4 +++-
5 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/shared/checks/oval/no_cd_dvd_drive_in_etc_fstab.xml b/shared/checks/oval/no_cd_dvd_drive_in_etc_fstab.xml
index 4eb0366f20..60282f6010 100644
--- a/shared/checks/oval/no_cd_dvd_drive_in_etc_fstab.xml
+++ b/shared/checks/oval/no_cd_dvd_drive_in_etc_fstab.xml
@@ -4,6 +4,8 @@
<title>No CD/DVD drive is configured to automount in /etc/fstab</title>
<affected family="unix">
<platform>multi_platform_rhel</platform>
+ <platform>multi_platform_fedora</platform>
+ <platform>multi_platform_wrlinux</platform>
</affected>
<description>Check the /etc/fstab and check if a CD/DVD drive
is not configured for automount.</description>
diff --git a/shared/checks/oval/package_samba-common_installed.xml b/shared/checks/oval/package_samba-common_installed.xml
index 1f5a57a900..c8354e917e 100644
--- a/shared/checks/oval/package_samba-common_installed.xml
+++ b/shared/checks/oval/package_samba-common_installed.xml
@@ -5,6 +5,8 @@
<title>Package samba-common Installed</title>
<affected family="unix">
<platform>multi_platform_rhel</platform>
+ <platform>multi_platform_fedora</platform>
+ <platform>multi_platform_wrlinux</platform>
</affected>
<description>The RPM package samba-common should be installed.</description>
</metadata>
diff --git a/shared/checks/oval/removable_partition_doesnt_exist.xml b/shared/checks/oval/removable_partition_doesnt_exist.xml
index a8a47b4c63..dc3fb91029 100644
--- a/shared/checks/oval/removable_partition_doesnt_exist.xml
+++ b/shared/checks/oval/removable_partition_doesnt_exist.xml
@@ -4,6 +4,8 @@
<title>Device Files for Removable Media Partitions Does Not Exist on the System</title>
<affected family="unix">
<platform>multi_platform_rhel</platform>
+ <platform>multi_platform_fedora</platform>
+ <platform>multi_platform_wrlinux</platform>
</affected>
<description>Verify if device file representing removable partitions
exist on the system</description>
diff --git a/shared/checks/oval/var_removable_partition_is_cd_dvd_drive.xml b/shared/checks/oval/var_removable_partition_is_cd_dvd_drive.xml
index bc6aacd484..17ea54cea4 100644
--- a/shared/checks/oval/var_removable_partition_is_cd_dvd_drive.xml
+++ b/shared/checks/oval/var_removable_partition_is_cd_dvd_drive.xml
@@ -4,6 +4,8 @@
<title>Value of 'var_removable_partition' variable is set to '/dev/cdrom'</title>
<affected family="unix">
<platform>multi_platform_rhel</platform>
+ <platform>multi_platform_fedora</platform>
+ <platform>multi_platform_wrlinux</platform>
</affected>
<description>Verify if value of 'var_removable_partition' variable is set
to '/dev/cdrom'</description>
diff --git a/shared/templates/template_OVAL_mount_option_removable_partitions b/shared/templates/template_OVAL_mount_option_removable_partitions
index 1d30f3d939..e3ee65c88f 100644
--- a/shared/templates/template_OVAL_mount_option_removable_partitions
+++ b/shared/templates/template_OVAL_mount_option_removable_partitions
@@ -3,7 +3,9 @@
<metadata>
<title>Add %MOUNTOPTION% Option to Removable Media Partitions</title>
<affected family="unix">
- <platform>multi_platform_all</platform>
+ <platform>multi_platform_rhel</platform>
+ <platform>multi_platform_fedora</platform>
+ <platform>multi_platform_wrlinux</platform>
</affected>
<description>The %MOUNTOPTION% option should be enabled for all removable devices mounts in /etc/fstab.</description>
</metadata>
From e43d7623eb4ada8a2b27db3b7af95a5468535737 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 9 Apr 2018 15:32:12 +0200
Subject: [PATCH 07/17] Made mount options remediations more robust.
Added an optional condition that remediation of mount point in /etc/fstab may not
need an already existing fstab record.
---
...fstab.sh => include_mount_options_functions.sh} | 5 +++
shared/templates/create_mount_options.py | 40 +++++++++++++++-------
shared/templates/csv/mount_options.csv | 6 ++--
shared/templates/template_BASH_mount_option | 7 +++-
shared/templates/template_BASH_mount_option_var | 6 ++++
shared/templates/template_common.py | 1 +
6 files changed, 48 insertions(+), 17 deletions(-)
rename shared/bash_remediation_functions/{ensure_mount_option_in_fstab.sh => include_mount_options_functions.sh} (94%)
diff --git a/shared/bash_remediation_functions/ensure_mount_option_in_fstab.sh b/shared/bash_remediation_functions/include_mount_options_functions.sh
similarity index 94%
rename from shared/bash_remediation_functions/ensure_mount_option_in_fstab.sh
rename to shared/bash_remediation_functions/include_mount_options_functions.sh
index 2035677ac4..521f34c4b0 100644
--- a/shared/bash_remediation_functions/ensure_mount_option_in_fstab.sh
+++ b/shared/bash_remediation_functions/include_mount_options_functions.sh
@@ -1,3 +1,7 @@
+function include_mount_options_functions {
+ :
+}
+
# $1: mount point
# $2: new mount point option
function ensure_mount_option_in_fstab {
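Review bot: `include_mount_options_functions` is an empty function with no comment, so a reader will take it for an unfinished stub. Judging by the rename and the `include_mount_options_functions` call added to the templates in this same commit, it appears to exist only so that calling it marks this file as a dependency to be pulled into the generated remediation; if that is right, say so above it: `# No-op: remediations call this so the build includes this file and the helpers below.`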
@@ -23,6 +27,7 @@ function assert_mount_point_in_fstab {
|| { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}
+# $1: mount point
function remove_defaults_from_fstab_if_overriden {
local _mount_point_match_regexp
_mount_point_match_regexp="$(get_mount_point_regexp "$1")"
diff --git a/shared/templates/create_mount_options.py b/shared/templates/create_mount_options.py
index f8a035a60a..b691eb34e2 100644
--- a/shared/templates/create_mount_options.py
+++ b/shared/templates/create_mount_options.py
@@ -13,33 +13,39 @@ def __init__(self, generator, output_format_string):
self.output_format_string = output_format_string
self.generator = generator
- def process(self, mount_point, mount_option, point_id, template_file):
+ def process(self, mount_point, mount_option, point_id, assert_mount_exists, template_file):
raise NotImplementedError("You are supposed to use a derived class.")
- def process_with_variable(self, mount_point, mount_option, point_id, template_file):
+ def process_with_variable(
+ self, mount_point, mount_option, point_id, assert_mount_exists, template_file):
raise NotImplementedError("You are supposed to use a derived class.")
class RemediationTarget(MountOptionTarget):
- def process(self, mount_point, mount_option, point_id, template_file, stem=""):
+ def process(self, mount_point, mount_option, point_id, assert_mount_exists,
+ template_file, stem=""):
if len(stem) == 0:
stem = point_id + '_' + mount_option
+ mount_has_to_exist = "yes" if assert_mount_exists else "no"
self.generator.file_from_template(
template_file,
{
- "%MOUNTPOINT%": mount_point,
+ "%MOUNT_HAS_TO_EXIST%": mount_has_to_exist,
+ "%MOUNTPOINT%": mount_point,
"%MOUNTOPTION%": re.sub(' ', ',', mount_option),
},
self.output_format_string,
stem
)
- def process_with_variable(self, mount_point, mount_option, point_id, template_file):
+ def process_with_variable(self, mount_point, mount_option, point_id, assert_mount_exists,
+ template_file):
# e.g. var_removable_partition -> removable_partitions
point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
template_file = "{0}_var".format(template_file)
stem = "_{0}_{1}".format(mount_option, point_id)
- return self.process(mount_point, mount_option, point_id, template_file, stem)
+ return self.process(mount_point, mount_option, point_id,
+ assert_mount_exists, template_file, stem)
class OvalTarget(MountOptionTarget):
@@ -47,13 +53,15 @@ def __init__(self, generator):
super(OvalTarget, self).__init__(
generator, "./oval/mount_option{0}.xml")
- def process_with_variable(self, mount_point, mount_option, point_id, template_file):
+ def process_with_variable(
+ self, mount_point, mount_option, point_id, assert_mount_exists, template_file):
point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
template_file = "{0}_{1}".format(template_file, point_id)
stem = "_{0}_{1}".format(mount_option, point_id)
return self.process(mount_point, mount_option, point_id, template_file, stem)
- def process(self, mount_point, mount_option, point_id, template_file, stem=""):
+ def process(self, mount_point, mount_option, point_id, assert_mount_exists,
+ template_file, stem=""):
if len(stem) == 0:
stem = point_id + '_' + mount_option
self.generator.file_from_template(
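Review bot: `OvalTarget.process_with_variable` still calls `self.process(mount_point, mount_option, point_id, template_file, stem)`, but `OvalTarget.process` now takes `assert_mount_exists` before `template_file`, so the template path is bound to `assert_mount_exists`, `stem` becomes the template file and `stem` defaults to `""`; the variable-based OVAL generation will look for the wrong template. The call should be `return self.process(mount_point, mount_option, point_id, assert_mount_exists, template_file, stem)`, matching what RemediationTarget.process_with_variable does in the previous hunk.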
@@ -81,7 +89,12 @@ def __init__(self):
super(MountOptionsGenerator, self).__init__()
def generate(self, target, path_info):
- mount_point, mount_option = path_info
+ mount_point, mount_option = path_info[:2]
+ mount_has_to_exist = True
+ if len(path_info) > 2:
+ assert len(path_info) == 3
+ assert path_info[-1] == "create_fstab_entry_if_needed"
+ mount_has_to_exist = False
if mount_point:
processing_entity = self.targets.get(target)
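Review bot: The two `assert` statements in `generate` validate CSV input, so they vanish under `python -O` and a malformed line then silently falls through with `mount_has_to_exist = False`. Raise an explicit error instead, e.g. `if len(path_info) != 3 or path_info[-1] != "create_fstab_entry_if_needed": raise ValueError("bad mount_options line: %r" % (path_info,))`, which also names the offending row for the content author.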
@@ -92,13 +105,14 @@ def generate(self, target, path_info):
uppercase_target_name = target.upper()
template_file = "./template_{0}_mount_option".format(uppercase_target_name)
- stem = ""
+
if mount_point.startswith("var_"):
processing_entity.process_with_variable(
- mount_point, mount_option, point_id, template_file)
+ mount_point, mount_option, point_id, mount_has_to_exist, template_file)
else:
- processing_entity.process(mount_point, mount_option, point_id, template_file, stem)
+ processing_entity.process(
+ mount_point, mount_option, point_id, mount_has_to_exist, template_file)
def csv_format(self):
return("CSV should contains lines of the format: "
- "mount_point,mount_option,[mount_option]+")
+ "<mount_point>,<mount_option>[,create_fstab_entry_if_needed])")
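Review bot: The new `csv_format` message has a stray `)` after the closing `]`, so it prints `...[,create_fstab_entry_if_needed])`; the literal should end `"<mount_point>,<mount_option>[,create_fstab_entry_if_needed]")`. In the hunk above, the `stem = ""` line was replaced by an empty `+` line rather than removed, which leaves a double blank inside the method body.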
diff --git a/shared/templates/csv/mount_options.csv b/shared/templates/csv/mount_options.csv
index 0afafa1627..3e9a50ccb2 100644
--- a/shared/templates/csv/mount_options.csv
+++ b/shared/templates/csv/mount_options.csv
@@ -4,6 +4,6 @@
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
-var_removable_partition,nodev
-var_removable_partition,nosuid
-var_removable_partition,noexec
+var_removable_partition,nodev,create_fstab_entry_if_needed
+var_removable_partition,nosuid,create_fstab_entry_if_needed
+var_removable_partition,noexec,create_fstab_entry_if_needed
diff --git a/shared/templates/template_BASH_mount_option b/shared/templates/template_BASH_mount_option
index e7b6210afa..e8f898c82d 100644
--- a/shared/templates/template_BASH_mount_option
+++ b/shared/templates/template_BASH_mount_option
@@ -3,7 +3,12 @@
. /usr/share/scap-security-guide/remediation_functions
-assert_mount_point_in_fstab %MOUNTPOINT% || exit 1
+include_mount_options_functions
+
+# test "$mount_has_to_exist" = 'yes'
+test "%MOUNT_HAS_TO_EXIST%" = 'yes' && assert_mount_point_in_fstab %MOUNTPOINT% \
+ || { echo "Not remediating, because there is no record of %MOUNTPOINT% in /etc/fstab" >&2; exit 1; }
+
ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
mount -o remount %MOUNTPOINT%
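Review bot: The new `test "%MOUNT_HAS_TO_EXIST%" = 'yes' && assert_mount_point_in_fstab ... || { ...; exit 1; }` inverts the intended logic: when the placeholder is `no`, `test` fails, the `&&` branch is skipped and the `||` branch runs, so every remediation generated with `create_fstab_entry_if_needed` exits 1 before doing anything. Write it as an `if`, where the `||` cannot fire on the first operand: `if test "%MOUNT_HAS_TO_EXIST%" = 'yes' && ! assert_mount_point_in_fstab "%MOUNTPOINT%"; then exit 1; fi` — `assert_mount_point_in_fstab` already prints its own message to stderr, so the second echo is redundant. The same construct is in template_BASH_mount_option_var's hunk and is carried unchanged into the [PATCH 08/17] hunks of both templates. The stale `# test "$mount_has_to_exist" = 'yes'` comment above it should go as well. As far as this series shows, nothing creates the fstab entry when the value is `no` (`ensure_mount_option_in_fstab` only edits an existing line), so the CSV flag name promises more than the template delivers.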
diff --git a/shared/templates/template_BASH_mount_option_var b/shared/templates/template_BASH_mount_option_var
index cccf3eb3a7..e6ca176fa5 100644
--- a/shared/templates/template_BASH_mount_option_var
+++ b/shared/templates/template_BASH_mount_option_var
@@ -6,6 +6,12 @@
populate %MOUNTPOINT%
+include_mount_options_functions
+
+# test "$mount_has_to_exist" = 'yes'
+test "%MOUNT_HAS_TO_EXIST%" = 'yes' && assert_mount_point_in_fstab %MOUNTPOINT% \
+ || { echo "Not remediating, because there is no record of %MOUNTPOINT% in /etc/fstab" >&2; exit 1; }
+
ensure_mount_option_in_fstab "$%MOUNTPOINT%" %MOUNTOPTION%
mount -o remount "$%MOUNTPOINT%"
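Review bot: In this variable-based template `assert_mount_point_in_fstab %MOUNTPOINT%` is handed the variable name itself (e.g. `var_removable_partition`), whereas the `ensure_mount_option_in_fstab "$%MOUNTPOINT%"` line below correctly dereferences it; the assertion will therefore grep /etc/fstab for the literal variable name and fail whenever the check is enabled. It should read `assert_mount_point_in_fstab "$%MOUNTPOINT%"`, with the quotes since the populated value is user-controlled.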
diff --git a/shared/templates/template_common.py b/shared/templates/template_common.py
index 2ba7de7968..5ee6562742 100644
--- a/shared/templates/template_common.py
+++ b/shared/templates/template_common.py
@@ -29,6 +29,7 @@ def __init__(self, template, paths):
% (template, ", ".join(paths))
)
+
TARGET_REGEX = re.compile(r"#\s*only-for:([\s\w,]*)")
From 7ab3a8686f491543377be879552f4209a092b979 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 11 Apr 2018 10:27:29 +0200
Subject: [PATCH 08/17] Improved remediations, added tests for /var/tmp noexec.
---
.../include_mount_options_functions.sh | 11 +++++++
shared/templates/template_BASH_mount_option | 4 +--
shared/templates/template_BASH_mount_option_var | 4 +--
.../rule_mount_option_var_tmp_bind/partition.sh | 8 -----
.../rule_mount_option_var_tmp_bind/runtime.pass.sh | 5 ----
.../separate.fail.sh | 6 ----
.../rule_mount_option_var_tmp_noexec/partition.sh | 34 ++++++++++++++++++++++
.../runtime.pass.sh | 10 +++++++
.../separate.fail.sh | 10 +++++++
9 files changed, 69 insertions(+), 23 deletions(-)
delete mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/partition.sh
delete mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/runtime.pass.sh
delete mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/separate.fail.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/partition.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/runtime.pass.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/separate.fail.sh
diff --git a/shared/bash_remediation_functions/include_mount_options_functions.sh b/shared/bash_remediation_functions/include_mount_options_functions.sh
index 521f34c4b0..133b06e44c 100644
--- a/shared/bash_remediation_functions/include_mount_options_functions.sh
+++ b/shared/bash_remediation_functions/include_mount_options_functions.sh
@@ -36,3 +36,14 @@ function remove_defaults_from_fstab_if_overriden {
sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
fi
}
+
+# $1: mount point
+function ensure_partition_is_mounted {
+ local _mount_point="$1"
+ mkdir -p "$_mount_point" || return 1
+ if mountpoint -q "$_mount_point"; then
+ mount -o remount --target "$_mount_point"
+ else
+ mount --target "$_mount_point"
+ fi
+}
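Review bot: `ensure_partition_is_mounted` carries only a `# $1: mount point` line, but its behaviour is not obvious: it relies on /etc/fstab for the device and options (`mount --target` has no source argument), creates the directory if missing, and returns the status of the `mount` call. A header along the lines of `# Mounts $1 from its /etc/fstab entry, remounting if it is already mounted so new options take effect; must run after the fstab edit. Returns mount's status.` would tell callers both the ordering constraint and that the result has to be checked. `mount --target` and `mountpoint` come from util-linux; if older targets in the platform list lack the long option, that is worth a note too — I cannot confirm from here.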
diff --git a/shared/templates/template_BASH_mount_option b/shared/templates/template_BASH_mount_option
index e8f898c82d..801b4e9bf9 100644
--- a/shared/templates/template_BASH_mount_option
+++ b/shared/templates/template_BASH_mount_option
@@ -9,6 +9,6 @@ include_mount_options_functions
test "%MOUNT_HAS_TO_EXIST%" = 'yes' && assert_mount_point_in_fstab %MOUNTPOINT% \
|| { echo "Not remediating, because there is no record of %MOUNTPOINT% in /etc/fstab" >&2; exit 1; }
-ensure_mount_option_in_fstab %MOUNTPOINT% %MOUNTOPTION%
+ensure_mount_option_in_fstab "%MOUNTPOINT%" "%MOUNTOPTION%"
-mount -o remount %MOUNTPOINT%
+ensure_partition_is_mounted "%MOUNTPOINT%"
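Review bot: `ensure_partition_is_mounted "%MOUNTPOINT%"` is the last command and its status is silently dropped: a failed `mkdir`, a missing fstab entry or a `mount` error still leaves the remediation reporting success, even though the option has not taken effect at runtime. If the script is meant to signal failure, make it `ensure_partition_is_mounted "%MOUNTPOINT%" || exit 1`, or at least mention in a comment why a failed mount is acceptable here.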
diff --git a/shared/templates/template_BASH_mount_option_var b/shared/templates/template_BASH_mount_option_var
index e6ca176fa5..3174abb798 100644
--- a/shared/templates/template_BASH_mount_option_var
+++ b/shared/templates/template_BASH_mount_option_var
@@ -12,6 +12,6 @@ include_mount_options_functions
test "%MOUNT_HAS_TO_EXIST%" = 'yes' && assert_mount_point_in_fstab %MOUNTPOINT% \
|| { echo "Not remediating, because there is no record of %MOUNTPOINT% in /etc/fstab" >&2; exit 1; }
-ensure_mount_option_in_fstab "$%MOUNTPOINT%" %MOUNTOPTION%
+ensure_mount_option_in_fstab "$%MOUNTPOINT%" "%MOUNTOPTION%"
-mount -o remount "$%MOUNTPOINT%"
+ensure_partition_is_mounted "%MOUNTPOINT%"
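Review bot: `ensure_partition_is_mounted "%MOUNTPOINT%"` in this variable-based template passes the variable name, not its value — the line above it uses `"$%MOUNTPOINT%"` — so the helper will `mkdir -p` a directory literally named after the variable under the current working directory and then fail to mount it. It should be `ensure_partition_is_mounted "$%MOUNTPOINT%"`.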
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/partition.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/partition.sh
deleted file mode 100644
index 419eb3fdfc..0000000000
--- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/partition.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-PARTITION="/root/new_partition"
-
-dd if=/dev/zero of=$PARTITION bs=1M count=50
-mkfs.ext2 -F $PARTITION
-mount $PARTITION /tmp
-echo "$PARTITION /tmp none rw,nodev,noexec,nosuid,bind 0 0" >> /etc/fstab
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/runtime.pass.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/runtime.pass.sh
deleted file mode 100644
index 462ee866b5..0000000000
--- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/runtime.pass.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_C2S
-
-. partition.sh
-mount -B /tmp /var/tmp
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/separate.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/separate.fail.sh
deleted file mode 100644
index 66592ab4d9..0000000000
--- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_bind/separate.fail.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_C2S
-
-. partition.sh
-mount $PARTITION /var/tmp
-echo "$PARTITION /var/tmp none rw,nodev,noexec,nosuid,bind 0 0" >> /etc/fstab
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/partition.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/partition.sh
new file mode 100644
index 0000000000..2887ac6a8a
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/partition.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+PARTITION="/root/new_partition"
+
+create_partition() {
+ dd if=/dev/zero of=$PARTITION bs=1M count=50
+ mkfs.ext2 -F $PARTITION
+}
+
+# $1: The mount point
+# $2: The additional mount options
+make_fstab_given_partition_line() {
+ local _mount_point="$1" _additional_mount_options="$2"
+ test -z "$_additional_mount_options" || _additional_mount_options=",$_additional_mount_options"
+ printf "%s %s ext2 rw%s 0 0\n" "$PARTITION" "$_mount_point" "$_additional_mount_options" > /etc/fstab
+}
+
+# $1: The mount point
+make_fstab_correct_partition_line() {
+ make_fstab_given_partition_line "$1" "nodev,noexec,nosuid"
+}
+
+# $1: The mount point
+mount_partition() {
+ mkdir -p "$1"
+ # mount "$PARTITION" "$1"
+ mount --target "$1"
+}
+
+mount_bind_partition() {
+ mkdir -p "$1"
+ # mount -B "$PARTITION" "$1"
+ mount --target -B "$1"
+}
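Review bot: `mount --target -B "$1"` in `mount_bind_partition` is mis-ordered: `--target` consumes the next word, so mount is asked to mount a target named `-B` and `"$1"` becomes a stray argument. Put the flag first, `mount -B --target "$1"`, or, if the fstab line the test writes carries the `bind` option, call `mount --target "$1"` exactly as `mount_partition` does. `make_fstab_given_partition_line` writes with `>` and so replaces the whole of /etc/fstab; if that is deliberate for throwaway test VMs, say so in its header, and `$PARTITION` in `create_partition` should be quoted like everywhere else in the file.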
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/runtime.pass.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/runtime.pass.sh
new file mode 100644
index 0000000000..abe44d34b7
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/runtime.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. partition.sh
+
+create_partition
+
+make_fstab_correct_partition_line /var/tmp
+
+mount_partition /var/tmp
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/separate.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/separate.fail.sh
new file mode 100644
index 0000000000..31a404b836
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/separate.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. partition.sh
+
+create_partition
+
+make_fstab_correct_partition_line /var/tmp
+
+# fstab is correct, but we are not mounted.
From d06430741e6316499ee1495a99de0e9a673761cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 12 Apr 2018 16:46:20 +0200
Subject: [PATCH 09/17] Cleanup templates, improved mount options tests.
---
.../mount_option_noexec_removable_partitions.xml | 152 ---------------------
.../mount_option_nosuid_removable_partitions.xml | 152 ---------------------
.../dvd_bad_opts.fail.sh | 8 ++
.../dvd_good_opts.pass.sh | 8 ++
.../removable_partitions.sh | 32 +++++
.../rule_mount_option_var_tmp_noexec/fstab.fail.sh | 12 ++
6 files changed, 60 insertions(+), 304 deletions(-)
delete mode 100644 shared/checks/oval/mount_option_noexec_removable_partitions.xml
delete mode 100644 shared/checks/oval/mount_option_nosuid_removable_partitions.xml
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/dvd_bad_opts.fail.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/dvd_good_opts.pass.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/removable_partitions.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh
diff --git a/shared/checks/oval/mount_option_noexec_removable_partitions.xml b/shared/checks/oval/mount_option_noexec_removable_partitions.xml
deleted file mode 100644
index ffeca3bd19..0000000000
--- a/shared/checks/oval/mount_option_noexec_removable_partitions.xml
+++ /dev/null
@@ -1,152 +0,0 @@
-<def-group>
- <definition class="compliance" id="mount_option_noexec_removable_partitions" version="4">
- <metadata>
- <title>Add noexec Option to Removable Media Partitions</title>
- <affected family="unix">
- <platform>multi_platform_all</platform>
- </affected>
- <description>The noexec mount option prevents the direct execution of
- binaries on the mounted filesystem. Users should not be allowed to
- execute binaries that exist on partitions mounted from removable media
- (such as a USB key). The noexec option prevents code from being executed
- directly from the media itself, and may therefore provide a line of
- defense against certain types of worms or malicious code.</description>
- </metadata>
- <criteria operator="OR">
- <!-- First check if specified removable partition truly exists on the system. If not, don't check /etc/fstab & runtime configuration
- since there's no device to check against -->
- <extend_definition comment="Check if removable partition really exists on the system"
- definition_ref="removable_partition_doesnt_exist" />
- <!-- Removable device exists. Check if it's CD/DVD drive. If so, verify that at least one from all of the possible its alternative
- names in /etc/fstab & runtime configuration are configured with 'noexec' option -->
- <criteria operator="AND">
- <extend_definition comment="Check if removable partition value represents CD/DVD drive"
- definition_ref="var_removable_partition_is_cd_dvd_drive" />
- <criteria operator="OR">
- <criteria operator="AND">
- <criterion test_ref="test_noexec_etc_fstab_cd_dvd_drive"
- comment="Check if at least one from CD/DVD drive alternative names is using 'noexec' mount option in /etc/fstab" />
- <criterion test_ref="test_noexec_runtime_cd_dvd_drive"
- comment="Check if at least one from CD/DVD drive alternative names is using 'noexec' mount option in runtime configuration" />
- </criteria>
- <extend_definition definition_ref="no_cd_dvd_drive_in_etc_fstab"
- comment="Check if CD/DVD drive is not configured to automount in /etc/fstab" />
- </criteria>
- </criteria>
- <!-- Removable device exists & isn't CD/DVD drive. Check the particular devices is configured with 'noexec' mount option in both
- /etc/fstab & runtime configuration -->
- <criteria operator="AND">
- <criterion test_ref="test_noexec_etc_fstab_not_cd_dvd_drive"
- comment="Check if removable partition is using 'noexec' mount option in /etc/fstab" />
- <criterion test_ref="test_noexec_runtime_not_cd_dvd_drive"
- comment="Check if removable partition is using 'noexec' mount option in runtime configuration" />
- </criteria>
- </criteria>
- </definition>
-
- <!-- If specified removable partition represents CD / DVD drive, create a variable
- holding also alternative names for CD / DVD block special device as used by udev -->
- <constant_variable id="variable_cd_dvd_drive_alternative_names_noexec" datatype="string" comment="CD/DVD drive alternative names whitelist" version="1">
- <value>/dev/cdrom</value>
- <value>/dev/dvd</value>
- <value>/dev/scd0</value>
- <value>/dev/sr0</value>
- </constant_variable>
-
- <!-- For each of the CD / DVD drive alternative names create regular expression pattern
- to be used in textfilecontent54_object below -->
- <local_variable id="variable_cd_dvd_drive_regex_pattern_noexec" datatype="string" comment="Regular expression pattern for CD / DVD drive alternative names" version="1">
- <concat>
- <literal_component>^[\s]*</literal_component>
- <variable_component var_ref="variable_cd_dvd_drive_alternative_names_noexec" />
- <!-- Capture the mount options field (4-th column of /etc/fstab) -->
- <literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</literal_component>
- </concat>
- </local_variable>
-
- <!-- If specified removable partition represents CD / DVD drive, use all alternative
- names to check /etc/fstab & runtime settings -->
- <ind:textfilecontent54_test id="test_noexec_etc_fstab_cd_dvd_drive" check_existence="any_exist" check="all" comment="'noexec' mount option used for at least one CD / DVD drive alternative names in /etc/fstab" version="1">
- <ind:object object_ref="object_noexec_etc_fstab_cd_dvd_drive" />
- <ind:state state_ref="state_noexec_etc_fstab_cd_dvd_drive" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_noexec_etc_fstab_cd_dvd_drive" version="1">
- <ind:filepath>/etc/fstab</ind:filepath>
- <ind:pattern operation="pattern match" datatype="string" var_ref="variable_cd_dvd_drive_regex_pattern_noexec" var_check="at least one" />
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_noexec_etc_fstab_cd_dvd_drive" version="1">
- <ind:subexpression operation="pattern match" datatype="string">^.*,?noexec,?.*$</ind:subexpression>
- </ind:textfilecontent54_state>
-
- <linux:partition_test id="test_noexec_runtime_cd_dvd_drive" check="all" comment="'noexec' mount option used for at least one CD / DVD drive alternative names in runtime configuration" version="1">
- <linux:object object_ref="object_noexec_runtime_cd_dvd_drive" />
- </linux:partition_test>
-
- <linux:partition_object id="object_noexec_runtime_cd_dvd_drive" version="1">
- <!-- CD / DVD drive can be mounted under any mount_point. We don't know ahead its exact name.
- => Capture all & filter out only the relevant ones via the corresponding state -->
- <linux:mount_point operation="pattern match">^.*$</linux:mount_point>
- <!-- Therefore from all the captured mount points select only those having
- device set to some CD / DVD drive alternative name and simultaneously
- having 'noexec' mount option used -->
- <filter action="include">state_noexec_runtime_cd_dvd_drive</filter>
- </linux:partition_object>
-
- <linux:partition_state id="state_noexec_runtime_cd_dvd_drive" version="1">
- <linux:device datatype="string" operation="equals" var_ref="variable_cd_dvd_drive_alternative_names_noexec" var_check="at least one" />
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">noexec</linux:mount_options>
- </linux:partition_state>
-
- <!-- Specified removable partition exists & doesn't represent a CD/DVD drive.
- Check if configured with 'noexec' mount option in both /etc/fstab & runtime configuration -->
- <ind:textfilecontent54_test id="test_noexec_etc_fstab_not_cd_dvd_drive" check="at least one" check_existence="all_exist" comment="Check if removable partition is configured with 'noexec' mount option in /etc/fstab" version="1">
- <ind:object object_ref="object_noexec_etc_fstab_not_cd_dvd_drive" />
- <ind:state state_ref="state_noexec_etc_fstab_not_cd_dvd_drive" />
- </ind:textfilecontent54_test>
-
- <!-- Create regular expression pattern for the device to be used in the
- textfilecontent54_object below -->
- <local_variable id="variable_not_cd_dvd_drive_regex_pattern_noexec" datatype="string" comment="Regular expression pattern for removable block special device other than CD / DVD drive" version="1">
- <concat>
- <literal_component>^[\s]*</literal_component>
- <variable_component var_ref="var_removable_partition" />
- <!-- Capture the mount options field (4-th column of /etc/fstab) -->
- <literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</literal_component>
- </concat>
- </local_variable>
-
- <ind:textfilecontent54_object id="object_noexec_etc_fstab_not_cd_dvd_drive" version="1">
- <ind:filepath>/etc/fstab</ind:filepath>
- <ind:pattern operation="pattern match" datatype="string" var_ref="variable_not_cd_dvd_drive_regex_pattern_noexec" var_check="at least one" />
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_noexec_etc_fstab_not_cd_dvd_drive" version="1">
- <ind:subexpression operation="pattern match" datatype="string">^.*,?noexec,?.*</ind:subexpression>
- </ind:textfilecontent54_state>
-
- <linux:partition_test id="test_noexec_runtime_not_cd_dvd_drive" check="all" check_existence="all_exist" comment="'noexec' mount option used for removable partition in runtime configuration" version="1">
- <linux:object object_ref="object_noexec_runtime_not_cd_dvd_drive" />
- </linux:partition_test>
-
- <linux:partition_object id="object_noexec_runtime_not_cd_dvd_drive" version="1">
- <!-- Removable partition can be mounted under any mount point. We don't know it's
- exact name ahead => Capture all & filter out only those relevant later via state -->
- <linux:mount_point operation="pattern match">^.*$</linux:mount_point>
- <!-- From all the captured mount points select only those having device equal
- to 'var_removable_partition' variable value and simultaneously having
- 'noexec' mount option set -->
- <filter action="include">state_noexec_runtime_not_cd_dvd_drive</filter>
- </linux:partition_object>
-
- <linux:partition_state id="state_noexec_runtime_not_cd_dvd_drive" version="1">
- <linux:device datatype="string" operation="equals" var_ref="var_removable_partition" var_check="at least one" />
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">noexec</linux:mount_options>
- </linux:partition_state>
-
- <external_variable comment="removable partition" datatype="string" id="var_removable_partition" version="1" />
-
-</def-group>
diff --git a/shared/checks/oval/mount_option_nosuid_removable_partitions.xml b/shared/checks/oval/mount_option_nosuid_removable_partitions.xml
deleted file mode 100644
index fb66b16a03..0000000000
--- a/shared/checks/oval/mount_option_nosuid_removable_partitions.xml
+++ /dev/null
@@ -1,152 +0,0 @@
-<def-group>
- <definition class="compliance" id="mount_option_nosuid_removable_partitions" version="4">
- <metadata>
- <title>Add nosuid Option to Removable Media Partitions</title>
- <affected family="unix">
- <platform>multi_platform_all</platform>
- </affected>
- <description>The nosuid mount option prevents set-user-identifier (suid)
- and set-group-identifier (sgid) permissions from taking effect. These
- permissions allow users to execute binaries with the same permissions as
- the owner and group of the file respectively. Users should not be allowed
- to introduce suid and guid files into the system via partitions mounted
- from removeable media.</description>
- </metadata>
- <criteria operator="OR">
- <!-- First check if specified removable partition truly exists on the system. If not, don't check /etc/fstab & runtime configuration
- since there's no device to check against -->
- <extend_definition comment="Check if removable partition really exists on the system"
- definition_ref="removable_partition_doesnt_exist" />
- <!-- Removable device exists. Check if it's CD/DVD drive. If so, verify that at least one from all of the possible its alternative
- names in /etc/fstab & runtime configuration are configured with 'nosuid' option -->
- <criteria operator="AND">
- <extend_definition comment="Check if removable partition value represents CD/DVD drive"
- definition_ref="var_removable_partition_is_cd_dvd_drive" />
- <criteria operator="OR">
- <criteria operator="AND">
- <criterion test_ref="test_nosuid_etc_fstab_cd_dvd_drive"
- comment="Check if at least one from CD/DVD drive alternative names is using 'nosuid' mount option in /etc/fstab" />
- <criterion test_ref="test_nosuid_runtime_cd_dvd_drive"
- comment="Check if at least one from CD/DVD drive alternative names is using 'nosuid' mount option in runtime configuration" />
- </criteria>
- <extend_definition definition_ref="no_cd_dvd_drive_in_etc_fstab"
- comment="Check if CD/DVD drive is not configured to automount in /etc/fstab" />
- </criteria>
- </criteria>
- <!-- Removable device exists & isn't CD/DVD drive. Check the particular devices is configured with 'nosuid' mount option in both
- /etc/fstab & runtime configuration -->
- <criteria operator="AND">
- <criterion test_ref="test_nosuid_etc_fstab_not_cd_dvd_drive"
- comment="Check if removable partition is using 'nosuid' mount option in /etc/fstab" />
- <criterion test_ref="test_nosuid_runtime_not_cd_dvd_drive"
- comment="Check if removable partition is using 'nosuid' mount option in runtime configuration" />
- </criteria>
- </criteria>
- </definition>
-
- <!-- If specified removable partition represents CD / DVD drive, create a variable
- holding also alternative names for CD / DVD block special device as used by udev -->
- <constant_variable id="variable_cd_dvd_drive_alternative_names_nosuid" datatype="string" comment="CD/DVD drive alternative names whitelist" version="1">
- <value>/dev/cdrom</value>
- <value>/dev/dvd</value>
- <value>/dev/scd0</value>
- <value>/dev/sr0</value>
- </constant_variable>
-
- <!-- For each of the CD / DVD drive alternative names create regular expression pattern
- to be used in textfilecontent54_object below -->
- <local_variable id="variable_cd_dvd_drive_regex_pattern_nosuid" datatype="string" comment="Regular expression pattern for CD / DVD drive alternative names" version="1">
- <concat>
- <literal_component>^[\s]*</literal_component>
- <variable_component var_ref="variable_cd_dvd_drive_alternative_names_nosuid" />
- <!-- Capture the mount options field (4-th column of /etc/fstab) -->
- <literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</literal_component>
- </concat>
- </local_variable>
-
- <!-- If specified removable partition represents CD / DVD drive, use all alternative
- names to check /etc/fstab & runtime settings -->
- <ind:textfilecontent54_test id="test_nosuid_etc_fstab_cd_dvd_drive" check_existence="any_exist" check="all" comment="'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab" version="1">
- <ind:object object_ref="object_nosuid_etc_fstab_cd_dvd_drive" />
- <ind:state state_ref="state_nosuid_etc_fstab_cd_dvd_drive" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_nosuid_etc_fstab_cd_dvd_drive" version="1">
- <ind:filepath>/etc/fstab</ind:filepath>
- <ind:pattern operation="pattern match" datatype="string" var_ref="variable_cd_dvd_drive_regex_pattern_nosuid" var_check="at least one" />
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_nosuid_etc_fstab_cd_dvd_drive" version="1">
- <ind:subexpression operation="pattern match" datatype="string">^.*,?nosuid,?.*$</ind:subexpression>
- </ind:textfilecontent54_state>
-
- <linux:partition_test id="test_nosuid_runtime_cd_dvd_drive" check="all" comment="'nosuid' mount option used for at least one CD / DVD drive alternative names in runtime configuration" version="1">
- <linux:object object_ref="object_nosuid_runtime_cd_dvd_drive" />
- </linux:partition_test>
-
- <linux:partition_object id="object_nosuid_runtime_cd_dvd_drive" version="1">
- <!-- CD / DVD drive can be mounted under any mount_point. We don't know ahead its exact name.
- => Capture all & filter out only the relevant ones via the corresponding state -->
- <linux:mount_point operation="pattern match">^.*$</linux:mount_point>
- <!-- Therefore from all the captured mount points select only those having
- device set to some CD / DVD drive alternative name and simultaneously
- having 'nosuid' mount option used -->
- <filter action="include">state_nosuid_runtime_cd_dvd_drive</filter>
- </linux:partition_object>
-
- <linux:partition_state id="state_nosuid_runtime_cd_dvd_drive" version="1">
- <linux:device datatype="string" operation="equals" var_ref="variable_cd_dvd_drive_alternative_names_nosuid" var_check="at least one" />
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
- </linux:partition_state>
-
- <!-- Specified removable partition exists & doesn't represent a CD/DVD drive.
- Check if configured with 'nosuid' mount option in both /etc/fstab & runtime configuration -->
- <ind:textfilecontent54_test id="test_nosuid_etc_fstab_not_cd_dvd_drive" check="at least one" check_existence="all_exist" comment="Check if removable partition is configured with 'nosuid' mount option in /etc/fstab" version="1">
- <ind:object object_ref="object_nosuid_etc_fstab_not_cd_dvd_drive" />
- <ind:state state_ref="state_nosuid_etc_fstab_not_cd_dvd_drive" />
- </ind:textfilecontent54_test>
-
- <!-- Create regular expression pattern for the device to be used in the
- textfilecontent54_object below -->
- <local_variable id="variable_not_cd_dvd_drive_regex_pattern_nosuid" datatype="string" comment="Regular expression pattern for removable block special device other than CD / DVD drive" version="1">
- <concat>
- <literal_component>^[\s]*</literal_component>
- <variable_component var_ref="var_removable_partition" />
- <!-- Capture the mount options field (4-th column of /etc/fstab) -->
- <literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</literal_component>
- </concat>
- </local_variable>
-
- <ind:textfilecontent54_object id="object_nosuid_etc_fstab_not_cd_dvd_drive" version="1">
- <ind:filepath>/etc/fstab</ind:filepath>
- <ind:pattern operation="pattern match" datatype="string" var_ref="variable_not_cd_dvd_drive_regex_pattern_nosuid" var_check="at least one" />
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_nosuid_etc_fstab_not_cd_dvd_drive" version="1">
- <ind:subexpression operation="pattern match" datatype="string">^.*,?nosuid,?.*</ind:subexpression>
- </ind:textfilecontent54_state>
-
- <linux:partition_test id="test_nosuid_runtime_not_cd_dvd_drive" check="all" check_existence="all_exist" comment="'nosuid' mount option used for removable partition in runtime configuration" version="1">
- <linux:object object_ref="object_nosuid_runtime_not_cd_dvd_drive" />
- </linux:partition_test>
-
- <linux:partition_object id="object_nosuid_runtime_not_cd_dvd_drive" version="1">
- <!-- Removable partition can be mounted under any mount point. We don't know it's
- exact name ahead => capture all & filter out only those relevant later via state -->
- <linux:mount_point operation="pattern match">^.*$</linux:mount_point>
- <!-- From all the captured mount points select only those having device equal
- to 'var_removable_partition' variable value and simultaneously having
- 'nosuid' mount option set -->
- <filter action="include">state_nosuid_runtime_not_cd_dvd_drive</filter>
- </linux:partition_object>
-
- <linux:partition_state id="state_nosuid_runtime_not_cd_dvd_drive" version="1">
- <linux:device datatype="string" operation="equals" var_ref="var_removable_partition" var_check="at least one" />
- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
- </linux:partition_state>
-
- <external_variable comment="removable partition" datatype="string" id="var_removable_partition" version="1" />
-
-</def-group>
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/dvd_bad_opts.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/dvd_bad_opts.fail.sh
new file mode 100644
index 0000000000..05e79847ef
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/dvd_bad_opts.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. removable_partitions.sh
+
+touch /dev/dvd
+dvdrom_fstab_line > /etc/fstab
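Review bot: `touch /dev/dvd` creates an empty regular file when no udev-provided `/dev/dvd` exists, so the scenario's "removable device" is not a block device; if the check that replaces the deleted OVAL verifies existence with anything stricter than a plain path test, the precondition will not hold and the scenario fails for the wrong reason — worth confirming against the new check. The redirect `> /etc/fstab` also discards every pre-existing entry, root filesystem included, which is only acceptable on a disposable snapshot; `>> /etc/fstab` keeps the scenario self-contained without that side effect. Note that `dvdrom_fstab_line` emits no trailing newline (see the `printf` formats in removable_partitions.sh in this same patch), so any further line appended later would be fused onto this one.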
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/dvd_good_opts.pass.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/dvd_good_opts.pass.sh
new file mode 100644
index 0000000000..fa4316ce7a
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/dvd_good_opts.pass.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+#
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. removable_partitions.sh
+
+touch /dev/dvd
+dvdrom_fstab_line noexec > /etc/fstab
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/removable_partitions.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/removable_partitions.sh
new file mode 100644
index 0000000000..8428b5f483
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_noexec_removable_partitions/removable_partitions.sh
@@ -0,0 +1,32 @@
+
+# $1: Mount device
+# $2: Mount point
+# $3: Mount options besides ro
+function cd_like_fstab_line {
+ local _mount_device="$1" _mount_point="$2" _additional_mount_options="$3"
+ test -z "$_additional_mount_options" || _additional_mount_options=",$_additional_mount_options"
+ printf "%s %s iso9660 ro%s 0 0" "$_mount_device" "$_mount_point" "$_additional_mount_options"
+}
+
+# $1: Mount options besides ro
+function cdrom_fstab_line {
+ cd_like_fstab_line "/dev/cdrom" "/var/cdrom" "$1"
+}
+
+# $1: Mount options besides ro
+function dvdrom_fstab_line {
+ cd_like_fstab_line "/dev/dvd" "/var/dvdrom" "$1"
+}
+
+# $1: Mount options besides ro
+# $2: Index of the device (optional, 0 is default)
+function sata_removable_fstab_line {
+ cd_like_fstab_line "/dev/sr${2:-0}" "/var/cdrom" "$1"
+}
+
+# $1: Mount options besides rw
+# $2: Index of the device (optional, 0 is default)
+function floppy_fstab_line {
+ test -z "$_additional_mount_options" || _additional_mount_options=",$_additional_mount_options"
+ printf "%s %s vfat rw%s 0 0" "/dev/fd${2:-0}" "/var/floppy" "$_additional_mount_options"
+}
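Review bot: `floppy_fstab_line` never assigns `_additional_mount_options` from `$1`, so the documented first argument is ignored and whatever value an earlier call left in that non-local variable leaks into the line; add `local _additional_mount_options="$1"` as the function's first statement, mirroring `cd_like_fstab_line`. All four `printf` formats also lack a trailing `\n`, so a caller writing two lines to fstab gets them fused on one line — end the formats with `0 0\n`. `sata_removable_fstab_line` reuses `/var/cdrom` as its mount point, which collides with `cdrom_fstab_line` if both are written to the same fstab; a distinct mount point would avoid that.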
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh
new file mode 100644
index 0000000000..c03ec005f7
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. partition.sh
+
+create_partition
+
+make_fstab_given_partition_line /var/tmp nodev
+
+cat /etc/fstab
+
+mount_partition /var/tmp
From 149d0c0aae3b132738d5bd396456d3ddc0595ca4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 16 Apr 2018 14:49:19 +0200
Subject: [PATCH 10/17] Added more test cases.
---
.../rule_mount_option_home_nosuid/fstab.fail.sh | 12 ++++++++
.../rule_mount_option_home_nosuid/partition.sh | 32 ++++++++++++++++++++++
.../rule_mount_option_home_nosuid/runtime.pass.sh | 12 ++++++++
.../rule_mount_option_home_nosuid/separate.fail.sh | 12 ++++++++
.../rule_mount_option_tmp_noexec/fstab.fail.sh | 12 ++++++++
.../rule_mount_option_tmp_noexec/partition.sh | 32 ++++++++++++++++++++++
.../rule_mount_option_tmp_noexec/runtime.pass.sh | 10 +++++++
.../rule_mount_option_tmp_noexec/separate.fail.sh | 10 +++++++
.../rule_mount_option_var_tmp_noexec/fstab.fail.sh | 2 --
.../rule_mount_option_var_tmp_noexec/partition.sh | 2 --
10 files changed, 132 insertions(+), 4 deletions(-)
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/partition.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/runtime.pass.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/separate.fail.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/partition.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/runtime.pass.sh
create mode 100644 tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/separate.fail.sh
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh
new file mode 100644
index 0000000000..e89a34d461
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/fstab.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
+
+. partition.sh
+
+umount /home || true # no problem if not mounted
+
+create_partition
+
+make_fstab_given_partition_line /home nodev
+
+mount_partition /home
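Review bot: `umount /home || true` hides every failure of the umount, including a busy `/home` (EBUSY), not only the not-mounted case the comment describes; when it fails, `mount_partition /home` then stacks the new loop partition on top of the still-mounted one and which mount the scan ends up evaluating is not obvious. Guard only the intended case instead, e.g. `! mountpoint -q /home || umount /home || exit 1`, so a genuine failure to unmount aborts the scenario (there is no `set -e` in these scripts, hence the explicit `exit 1`). The same line appears in runtime.pass.sh and separate.fail.sh of this rule.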
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/partition.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/partition.sh
new file mode 100644
index 0000000000..333a574f5e
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/partition.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+PARTITION="/root/new_partition"
+
+create_partition() {
+ dd if=/dev/zero of=$PARTITION bs=1M count=50
+ mkfs.ext2 -F $PARTITION
+}
+
+# $1: The mount point
+# $2: The additional mount options
+make_fstab_given_partition_line() {
+ local _mount_point="$1" _additional_mount_options="$2"
+ test -z "$_additional_mount_options" || _additional_mount_options=",$_additional_mount_options"
+ printf "%s %s ext2 rw%s 0 0\n" "$PARTITION" "$_mount_point" "$_additional_mount_options" > /etc/fstab
+}
+
+# $1: The mount point
+make_fstab_correct_partition_line() {
+ make_fstab_given_partition_line "$1" "nodev,noexec,nosuid"
+}
+
+# $1: The mount point
+mount_partition() {
+ mkdir -p "$1"
+ mount --target "$1"
+}
+
+mount_bind_partition() {
+ mkdir -p "$1"
+ mount --target -B "$1"
+}
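Review bot: In `mount_bind_partition`, `--target` takes a value, so `-B` is consumed as the target name and `"$1"` becomes a stray positional argument; the helper cannot work as written. If the intent is to bind-mount an fstab entry, the flag must come first (`mount -B --target "$1"`), otherwise drop the helper, since no visible scenario calls it; it also lacks the `# $1: The mount point` header the sibling helpers carry. `make_fstab_given_partition_line` truncates `/etc/fstab` (`>`), which is what lets `mount --target` resolve the new entry but also removes the root and swap entries — that deserves a comment such as `# Replaces the whole fstab; only safe on a throwaway test VM` so nobody reuses the helper elsewhere.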
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/runtime.pass.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/runtime.pass.sh
new file mode 100644
index 0000000000..e937f49f7f
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/runtime.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
+
+. partition.sh
+
+umount /home || true # no problem if not mounted
+
+create_partition
+
+make_fstab_correct_partition_line /home
+
+mount_partition /home
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/separate.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/separate.fail.sh
new file mode 100644
index 0000000000..a4e069bd1d
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_home_nosuid/separate.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
+
+. partition.sh
+
+umount /home || true # no problem if not mounted
+
+create_partition
+
+make_fstab_correct_partition_line /home
+
+# fstab is correct, but we are not mounted.
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
new file mode 100644
index 0000000000..916c3cf3ea
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. partition.sh
+
+create_partition
+
+make_fstab_given_partition_line /tmp nodev
+
+cat /etc/fstab
+
+mount_partition /var/tmp
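Review bot: The fstab line is written for `/tmp` but the script then calls `mount_partition /var/tmp`, so `mount --target /var/tmp` finds no matching fstab entry and fails, leaving `/tmp` unmounted; the scenario then fails the rule because the separate partition is absent, not because it is mounted without `noexec` as the file name implies. Change the last line to `mount_partition /tmp` (copy-paste residue from the var_tmp variant). The `cat /etc/fstab` line is debug output that only adds noise to the test log and could go.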
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/partition.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/partition.sh
new file mode 100644
index 0000000000..333a574f5e
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/partition.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+PARTITION="/root/new_partition"
+
+create_partition() {
+ dd if=/dev/zero of=$PARTITION bs=1M count=50
+ mkfs.ext2 -F $PARTITION
+}
+
+# $1: The mount point
+# $2: The additional mount options
+make_fstab_given_partition_line() {
+ local _mount_point="$1" _additional_mount_options="$2"
+ test -z "$_additional_mount_options" || _additional_mount_options=",$_additional_mount_options"
+ printf "%s %s ext2 rw%s 0 0\n" "$PARTITION" "$_mount_point" "$_additional_mount_options" > /etc/fstab
+}
+
+# $1: The mount point
+make_fstab_correct_partition_line() {
+ make_fstab_given_partition_line "$1" "nodev,noexec,nosuid"
+}
+
+# $1: The mount point
+mount_partition() {
+ mkdir -p "$1"
+ mount --target "$1"
+}
+
+mount_bind_partition() {
+ mkdir -p "$1"
+ mount --target -B "$1"
+}
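Review bot: This file is a byte-identical copy of rule_mount_option_home_nosuid/partition.sh and rule_mount_option_var_tmp_noexec/partition.sh (all three headers show blob 333a574f5e), so the broken `mount --target -B "$1"` line and any future fix must be applied three times. A single shared helper sourced from each scenario directory would keep them in sync; if the harness requires the helper to live beside the scenario files, generating or symlinking the copies avoids silent divergence.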
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/runtime.pass.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/runtime.pass.sh
new file mode 100644
index 0000000000..243caac2be
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/runtime.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. partition.sh
+
+create_partition
+
+make_fstab_correct_partition_line /tmp
+
+mount_partition /tmp
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/separate.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/separate.fail.sh
new file mode 100644
index 0000000000..d04184af45
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/separate.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_C2S
+
+. partition.sh
+
+create_partition
+
+make_fstab_correct_partition_line /tmp
+
+# fstab is correct, but we are not mounted.
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh
index c03ec005f7..1b9c6a7d14 100644
--- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/fstab.fail.sh
@@ -7,6 +7,4 @@ create_partition
make_fstab_given_partition_line /var/tmp nodev
-cat /etc/fstab
-
mount_partition /var/tmp
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/partition.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/partition.sh
index 2887ac6a8a..333a574f5e 100644
--- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/partition.sh
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_var_tmp_noexec/partition.sh
@@ -23,12 +23,10 @@ make_fstab_correct_partition_line() {
# $1: The mount point
mount_partition() {
mkdir -p "$1"
- # mount "$PARTITION" "$1"
mount --target "$1"
}
mount_bind_partition() {
mkdir -p "$1"
- # mount -B "$PARTITION" "$1"
mount --target -B "$1"
}
From 9e4a09638c443f1f86d1f3ed9a5344d84f19a809 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 16 Apr 2018 15:38:02 +0200
Subject: [PATCH 11/17] Updated mount_options csv comments.
---
debian8/templates/csv/mount_options.csv | 5 ++++-
fedora/templates/csv/mount_options.csv | 5 ++++-
rhel6/templates/csv/mount_options.csv | 5 ++++-
rhel7/templates/csv/mount_options.csv | 5 ++++-
shared/templates/csv/mount_options.csv | 5 ++++-
sle12/templates/csv/mount_options.csv | 5 ++++-
ubuntu14/templates/csv/mount_options.csv | 5 ++++-
ubuntu16/templates/csv/mount_options.csv | 5 ++++-
wrlinux/templates/csv/mount_options.csv | 5 ++++-
9 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/debian8/templates/csv/mount_options.csv b/debian8/templates/csv/mount_options.csv
index 893ce26a5f..c85df506af 100644
--- a/debian8/templates/csv/mount_options.csv
+++ b/debian8/templates/csv/mount_options.csv
@@ -1,8 +1,11 @@
# format:
-# <mount_point>,<mount_option> - mounted with specified option. for more than
+# <mount_point>,<mount_option>[,create_fstab_entry_if_needed]
+# - mount point mounted with specified option. for more than
# one option, use multiple lines with the same <mount_point>, use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
+# If the remediation can create (i.e. not just modify) an /etc/fstab line,
+# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/home,nosuid
/home,nodev
/var/log,nosuid
diff --git a/fedora/templates/csv/mount_options.csv b/fedora/templates/csv/mount_options.csv
index 7c6e389a7d..6bbdea38f9 100644
--- a/fedora/templates/csv/mount_options.csv
+++ b/fedora/templates/csv/mount_options.csv
@@ -1,8 +1,11 @@
# format:
-# <mount_point>,<mount_option> - mounted with specified option. for more than
+# <mount_point>,<mount_option>[,create_fstab_entry_if_needed]
+# - mount point mounted with specified option. for more than
# one option, use multiple lines with the same <mount_point>, use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
+# If the remediation can create (i.e. not just modify) an /etc/fstab line,
+# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/rhel6/templates/csv/mount_options.csv b/rhel6/templates/csv/mount_options.csv
index a12e40377a..ebf6bba9df 100644
--- a/rhel6/templates/csv/mount_options.csv
+++ b/rhel6/templates/csv/mount_options.csv
@@ -1,8 +1,11 @@
# format:
-# <mount_point>,<mount_option> - mounted with specified option. for more than
+# <mount_point>,<mount_option>[,create_fstab_entry_if_needed]
+# - mount point mounted with specified option. for more than
# one option, use multiple lines with the same <mount_point>, use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
+# If the remediation can create (i.e. not just modify) an /etc/fstab line,
+# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/rhel7/templates/csv/mount_options.csv b/rhel7/templates/csv/mount_options.csv
index 2e2c09227c..759e51b0fe 100644
--- a/rhel7/templates/csv/mount_options.csv
+++ b/rhel7/templates/csv/mount_options.csv
@@ -1,8 +1,11 @@
# format:
-# <mount_point>,<mount_option> - mounted with specified option. for more than
+# <mount_point>,<mount_option>[,create_fstab_entry_if_needed]
+# - mount point mounted with specified option. for more than
# one option, use multiple lines with the same <mount_point>, use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
+# If the remediation can create (i.e. not just modify) an /etc/fstab line,
+# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/shared/templates/csv/mount_options.csv b/shared/templates/csv/mount_options.csv
index 3e9a50ccb2..f692f1b7bc 100644
--- a/shared/templates/csv/mount_options.csv
+++ b/shared/templates/csv/mount_options.csv
@@ -1,8 +1,11 @@
# format:
-# <mount_point>,<mount_option> - mounted with specified option. for more than
+# <mount_point>,<mount_option>[,create_fstab_entry_if_needed]
+# - mount point mounted with specified option. for more than
# one option, use multiple lines with the same <mount_point>, use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
+# If the remediation can create (i.e. not just modify) an /etc/fstab line,
+# add the 'create_fstab_entry_if_needed' literal string as the third argument.
var_removable_partition,nodev,create_fstab_entry_if_needed
var_removable_partition,nosuid,create_fstab_entry_if_needed
diff --git a/sle12/templates/csv/mount_options.csv b/sle12/templates/csv/mount_options.csv
index ea30f97e07..b2df6c9f08 100644
--- a/sle12/templates/csv/mount_options.csv
+++ b/sle12/templates/csv/mount_options.csv
@@ -1,8 +1,11 @@
# format:
-# <mount_point>,<mount_option> - mounted with specified option. for more than
+# <mount_point>,<mount_option>[,create_fstab_entry_if_needed]
+# - mount point mounted with specified option. for more than
# one option, use multiple lines with the same <mount_point>, use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
+# If the remediation can create (i.e. not just modify) an /etc/fstab line,
+# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
diff --git a/ubuntu14/templates/csv/mount_options.csv b/ubuntu14/templates/csv/mount_options.csv
index 893ce26a5f..c85df506af 100644
--- a/ubuntu14/templates/csv/mount_options.csv
+++ b/ubuntu14/templates/csv/mount_options.csv
@@ -1,8 +1,11 @@
# format:
-# <mount_point>,<mount_option> - mounted with specified option. for more than
+# <mount_point>,<mount_option>[,create_fstab_entry_if_needed]
+# - mount point mounted with specified option. for more than
# one option, use multiple lines with the same <mount_point>, use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
+# If the remediation can create (i.e. not just modify) an /etc/fstab line,
+# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/home,nosuid
/home,nodev
/var/log,nosuid
diff --git a/ubuntu16/templates/csv/mount_options.csv b/ubuntu16/templates/csv/mount_options.csv
index 893ce26a5f..c85df506af 100644
--- a/ubuntu16/templates/csv/mount_options.csv
+++ b/ubuntu16/templates/csv/mount_options.csv
@@ -1,8 +1,11 @@
# format:
-# <mount_point>,<mount_option> - mounted with specified option. for more than
+# <mount_point>,<mount_option>[,create_fstab_entry_if_needed]
+# - mount point mounted with specified option. for more than
# one option, use multiple lines with the same <mount_point>, use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
+# If the remediation can create (i.e. not just modify) an /etc/fstab line,
+# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/home,nosuid
/home,nodev
/var/log,nosuid
diff --git a/wrlinux/templates/csv/mount_options.csv b/wrlinux/templates/csv/mount_options.csv
index 7c6e389a7d..6bbdea38f9 100644
--- a/wrlinux/templates/csv/mount_options.csv
+++ b/wrlinux/templates/csv/mount_options.csv
@@ -1,8 +1,11 @@
# format:
-# <mount_point>,<mount_option> - mounted with specified option. for more than
+# <mount_point>,<mount_option>[,create_fstab_entry_if_needed]
+# - mount point mounted with specified option. for more than
# one option, use multiple lines with the same <mount_point>, use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
+# If the remediation can create (i.e. not just modify) an /etc/fstab line,
+# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
From f24cdd8886c01a8b391aaa616d72b43275a6a349 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 16 Apr 2018 15:38:23 +0200
Subject: [PATCH 12/17] Fixed variable deference in bash remediation template.
---
shared/templates/template_BASH_mount_option_var | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/shared/templates/template_BASH_mount_option_var b/shared/templates/template_BASH_mount_option_var
index 3174abb798..147fc6ab92 100644
--- a/shared/templates/template_BASH_mount_option_var
+++ b/shared/templates/template_BASH_mount_option_var
@@ -9,9 +9,9 @@ populate %MOUNTPOINT%
include_mount_options_functions
# test "$mount_has_to_exist" = 'yes'
-test "%MOUNT_HAS_TO_EXIST%" = 'yes' && assert_mount_point_in_fstab %MOUNTPOINT% \
- || { echo "Not remediating, because there is no record of %MOUNTPOINT% in /etc/fstab" >&2; exit 1; }
+test "%MOUNT_HAS_TO_EXIST%" = 'yes' && assert_mount_point_in_fstab "$%MOUNTPOINT%" \
+ || { echo "Not remediating, because there is no record of $%MOUNTPOINT% in /etc/fstab" >&2; exit 1; }
ensure_mount_option_in_fstab "$%MOUNTPOINT%" "%MOUNTOPTION%"
-ensure_partition_is_mounted "%MOUNTPOINT%"
+ensure_partition_is_mounted "$%MOUNTPOINT%"
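Review bot: The `test "%MOUNT_HAS_TO_EXIST%" = 'yes' && assert_mount_point_in_fstab … || { …; exit 1; }` chain on the two rewritten lines also takes the `||` branch when the flag is not `yes`, because `a && b || c` runs `c` whenever `a` fails; the generator renders `no` for every `create_fstab_entry_if_needed` entry, so those remediations would print "Not remediating" and exit 1 every time — unless `assert_mount_point_in_fstab` exits on its own instead of returning, which is not visible here. Inverting the first test keeps the short-circuit form and the intent: `test "%MOUNT_HAS_TO_EXIST%" != 'yes' || assert_mount_point_in_fstab "$%MOUNTPOINT%" \` followed by `  || { echo "Not remediating, because there is no record of $%MOUNTPOINT% in /etc/fstab" >&2; exit 1; }`. The stale `# test "$mount_has_to_exist" = 'yes'` comment above it no longer matches the code and can go. The script's earlier lines (`populate %MOUNTPOINT%`) are outside the hunk.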
From cfeee7e4bfe312f28c9870a5e179b077716dc911 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 17 Apr 2018 18:02:53 +0200
Subject: [PATCH 13/17] Refactored mount_options template creation.
---
shared/templates/create_mount_options.py | 152 +++++++++++++++++-----------
shared/templates/csv/mount_options.csv | 3 +
shared/templates/template_OVAL_mount_option | 14 +--
3 files changed, 102 insertions(+), 67 deletions(-)
diff --git a/shared/templates/create_mount_options.py b/shared/templates/create_mount_options.py
index b691eb34e2..ca65f9a709 100644
--- a/shared/templates/create_mount_options.py
+++ b/shared/templates/create_mount_options.py
@@ -8,71 +8,112 @@
from template_common import FilesGenerator, UnknownTargetError
+OUTPUTS_FORMAT_STRINGS = dict(
+ bash="./bash/mount_option_{0}.sh",
+ ansible="./ansible/mount_option_{0}.yml",
+ anaconda="./anaconda/mount_option_{0}.anaconda",
+ oval="./oval/mount_option_{0}.xml",
+)
+
+
+class Skipped(Exception):
+ pass
+
+
class MountOptionTarget(object):
- def __init__(self, generator, output_format_string):
- self.output_format_string = output_format_string
+ TEMPLATE_FILE_BASE = None
+ OUTPUT_FORMAT_STRING = None
+
+ def __init__(self, generator, target):
+ self.OUTPUT_FORMAT_STRING = OUTPUTS_FORMAT_STRINGS[target]
self.generator = generator
+ self.TEMPLATE_FILE_BASE = self.TEMPLATE_FILE_BASE.format(target=target.upper())
+ self.template_file = self.TEMPLATE_FILE_BASE
+
+ self._mount_point = ""
+ self._mount_option = ""
+ self._point_id = ""
+ self._output_id_template = "{point_id}_{mount_option}"
+ self._assert_mount_exists = True
+ self._output_fname = None
+
+ def process(self, mount_point, mount_option, assert_mount_exists):
+ point_id = re.sub('[-\./]', '_', mount_point).lstrip("_")
+
+ try:
+ self._set_correct_values(mount_point, mount_option, point_id)
+ except Skipped:
+ return
+
+ self._output_fname = self.OUTPUT_FORMAT_STRING.format(
+ self._output_id_template.format(
+ point_id=self._point_id, mount_option=self._mount_option)
+ )
+ self._assert_mount_exists = assert_mount_exists
+ self._process()
- def process(self, mount_point, mount_option, point_id, assert_mount_exists, template_file):
+ def _process(self):
raise NotImplementedError("You are supposed to use a derived class.")
- def process_with_variable(
- self, mount_point, mount_option, point_id, assert_mount_exists, template_file):
- raise NotImplementedError("You are supposed to use a derived class.")
+ def _set_correct_values(self, mount_point, mount_option, point_id):
+ self._mount_point = mount_point
+ self._point_id = point_id
+ self._mount_option = mount_option
class RemediationTarget(MountOptionTarget):
- def process(self, mount_point, mount_option, point_id, assert_mount_exists,
- template_file, stem=""):
- if len(stem) == 0:
- stem = point_id + '_' + mount_option
- mount_has_to_exist = "yes" if assert_mount_exists else "no"
+ TEMPLATE_FILE_BASE = "./template_{target}_mount_option"
+
+ def _process(self):
+ mount_has_to_exist = "yes" if self._assert_mount_exists else "no"
self.generator.file_from_template(
- template_file,
+ self.template_file,
{
"%MOUNT_HAS_TO_EXIST%": mount_has_to_exist,
- "%MOUNTPOINT%": mount_point,
- "%MOUNTOPTION%": re.sub(' ', ',', mount_option),
+ "%MOUNTPOINT%": self._mount_point,
+ "%MOUNTOPTION%": re.sub(' ', ',', self._mount_option),
},
- self.output_format_string,
- stem
+ self._output_fname,
+ ""
)
- def process_with_variable(self, mount_point, mount_option, point_id, assert_mount_exists,
- template_file):
- # e.g. var_removable_partition -> removable_partitions
- point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
- template_file = "{0}_var".format(template_file)
- stem = "_{0}_{1}".format(mount_option, point_id)
- return self.process(mount_point, mount_option, point_id,
- assert_mount_exists, template_file, stem)
+ def _set_correct_values(self, mount_point, mount_option, point_id):
+ super(RemediationTarget, self)._set_correct_values(mount_point, mount_option, point_id)
+ if mount_point.startswith("var_"):
+ self._point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
+ self.template_file = "{0}_var".format(self.TEMPLATE_FILE_BASE)
+ self._output_id_template = "{mount_option}_{point_id}"
+ elif not mount_point.startswith("/"): # no path, but not a variable either
+ raise Skipped("No template available yet")
class OvalTarget(MountOptionTarget):
+ TEMPLATE_FILE_BASE = "./template_OVAL_mount_option"
+
def __init__(self, generator):
super(OvalTarget, self).__init__(
- generator, "./oval/mount_option{0}.xml")
-
- def process_with_variable(
- self, mount_point, mount_option, point_id, assert_mount_exists, template_file):
- point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
- template_file = "{0}_{1}".format(template_file, point_id)
- stem = "_{0}_{1}".format(mount_option, point_id)
- return self.process(mount_point, mount_option, point_id, template_file, stem)
-
- def process(self, mount_point, mount_option, point_id, assert_mount_exists,
- template_file, stem=""):
- if len(stem) == 0:
- stem = point_id + '_' + mount_option
+ generator, "oval")
+
+ def _set_correct_values(self, mount_point, mount_option, point_id):
+ super(OvalTarget, self)._set_correct_values(mount_point, mount_option, point_id)
+ if mount_point.startswith("var_"):
+ self._point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
+ self.template_file = "{0}_{1}".format(self.TEMPLATE_FILE_BASE, self._point_id)
+ self._output_id_template = "{mount_option}_{point_id}"
+ elif not mount_point.startswith("/"): # no path, but not a variable either
+ point_id = re.sub(r"^(.*)", r"\1s", mount_point)
+ self.template_file = "{0}_{1}".format(self.TEMPLATE_FILE_BASE, self._point_id)
+
+ def _process(self):
self.generator.file_from_template(
- template_file,
+ self.template_file,
{
- "%MOUNTPOINT%": mount_point,
- "%MOUNTOPTION%": mount_option,
- "%POINTID%": point_id,
+ "%MOUNTPOINT%": self._mount_point,
+ "%MOUNTOPTION%": self._mount_option,
+ "%POINTID%": self._point_id,
},
- self.output_format_string,
- stem
+ self._output_fname,
+ ""
)
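Review bot: In `OvalTarget._set_correct_values`, the `elif` branch assigns the local `point_id` but the following line builds `template_file` from `self._point_id`, so that assignment is a dead store and the `\1s` suffix is never applied; `self._point_id` keeps the sanitized input (e.g. `remote_filesystems`), which appears to be what the template name in a later patch of this series expects. The same branch leaves `_output_id_template` at `{point_id}_{mount_option}`, so the generated file would be `mount_option_remote_filesystems_nodev.xml` while the definition inside that template is `mount_option_%MOUNTOPTION%_remote_filesystems`; if the file name is meant to match the definition id, the branch should set `self._output_id_template = "{mount_option}_{point_id}"` and drop the dead `point_id = …` line, mirroring the `var_` branch. Separately, `re.sub('[-\./]', '_', mount_point)` in `process` is a non-raw string containing `\.`, an invalid escape that newer Pythons warn about; `r'[-./]'` is equivalent (the dot needs no escaping inside a character class).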
@@ -80,11 +121,11 @@ class MountOptionsGenerator(FilesGenerator):
def __init__(self):
self.targets = {}
self.targets["bash"] = RemediationTarget(
- self, "./bash/mount_option{0}.sh")
+ self, "bash")
self.targets["ansible"] = RemediationTarget(
- self, "./ansible/mount_option{0}.yml")
+ self, "ansible")
self.targets["anaconda"] = RemediationTarget(
- self, "./anaconda/mount_option{0}.anaconda")
+ self, "anaconda")
self.targets["oval"] = OvalTarget(self)
super(MountOptionsGenerator, self).__init__()
@@ -95,23 +136,14 @@ def generate(self, target, path_info):
assert len(path_info) == 3
assert path_info[-1] == "create_fstab_entry_if_needed"
mount_has_to_exist = False
- if mount_point:
-
- processing_entity = self.targets.get(target)
- if processing_entity is None:
- raise UnknownTargetError(target)
- point_id = re.sub('[-\./]', '_', mount_point)
+ assert mount_point
- uppercase_target_name = target.upper()
- template_file = "./template_{0}_mount_option".format(uppercase_target_name)
+ processing_entity = self.targets.get(target)
+ if processing_entity is None:
+ raise UnknownTargetError(target)
- if mount_point.startswith("var_"):
- processing_entity.process_with_variable(
- mount_point, mount_option, point_id, mount_has_to_exist, template_file)
- else:
- processing_entity.process(
- mount_point, mount_option, point_id, mount_has_to_exist, template_file)
+ processing_entity.process(mount_point, mount_option, mount_has_to_exist)
def csv_format(self):
return("CSV should contains lines of the format: "
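Review bot: `assert mount_point` turns validation of CSV input into an assertion that is stripped under `python -O`, as are the two `assert`s on `path_info` just above it; a malformed line would then reach `process` with an empty mount point and produce an output name of `mount_option__<option>`. An explicit error naming the offending entry is the conventional check: `if not mount_point: raise ValueError("mount_options.csv: empty mount point in {0!r}".format(path_info))`. `generate` starts before this hunk, so the unpacking of `path_info` into `mount_point`/`mount_option` is not visible here.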
diff --git a/shared/templates/csv/mount_options.csv b/shared/templates/csv/mount_options.csv
index f692f1b7bc..7e3263decf 100644
--- a/shared/templates/csv/mount_options.csv
+++ b/shared/templates/csv/mount_options.csv
@@ -10,3 +10,6 @@
var_removable_partition,nodev,create_fstab_entry_if_needed
var_removable_partition,nosuid,create_fstab_entry_if_needed
var_removable_partition,noexec,create_fstab_entry_if_needed
+remote_filesystems,nodev,create_fstab_entry_if_needed
+remote_filesystems,nosuid,create_fstab_entry_if_needed
+remote_filesystems,noexec,create_fstab_entry_if_needed
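Review bot: The three `remote_filesystems` entries are consumed by `OvalTarget`, which in this same commit resolves a non-path, non-`var_` mount point to `./template_OVAL_mount_option_remote_filesystems` (template base plus the sanitized point id); that template is only introduced by patch 16/17 of this series, so a generator run at this intermediate commit would presumably fail to open it. Landing the template before or together with the CSV entries keeps each commit buildable, which matters for bisecting.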
diff --git a/shared/templates/template_OVAL_mount_option b/shared/templates/template_OVAL_mount_option
index 946876fb7f..6ff2d870f7 100644
--- a/shared/templates/template_OVAL_mount_option
+++ b/shared/templates/template_OVAL_mount_option
@@ -1,5 +1,5 @@
<def-group>
- <definition class="compliance" id="mount_option%POINTID%_%MOUNTOPTION%" version="1">
+ <definition class="compliance" id="mount_option_%POINTID%_%MOUNTOPTION%" version="1">
<metadata>
<title>Add %MOUNTOPTION% Option to %MOUNTPOINT%</title>
<affected family="unix">
@@ -8,19 +8,19 @@
<description>%MOUNTPOINT% should be mounted with mount option %MOUNTOPTION%.</description>
</metadata>
<criteria>
- <criterion comment="%MOUNTOPTION% on %MOUNTPOINT%" test_ref="test%POINTID%_partition_%MOUNTOPTION%" />
+ <criterion comment="%MOUNTOPTION% on %MOUNTPOINT%" test_ref="test_%POINTID%_partition_%MOUNTOPTION%" />
</criteria>
</definition>
<linux:partition_test check="all" check_existence="all_exist"
- id="test%POINTID%_partition_%MOUNTOPTION%" version="1" comment="%MOUNTOPTION% on %MOUNTPOINT%">
- <linux:object object_ref="object%POINTID%_partition_%MOUNTOPTION%" />
- <linux:state state_ref="state%POINTID%_partition_%MOUNTOPTION%" />
+ id="test_%POINTID%_partition_%MOUNTOPTION%" version="1" comment="%MOUNTOPTION% on %MOUNTPOINT%">
+ <linux:object object_ref="object_%POINTID%_partition_%MOUNTOPTION%" />
+ <linux:state state_ref="state_%POINTID%_partition_%MOUNTOPTION%" />
</linux:partition_test>
- <linux:partition_object id="object%POINTID%_partition_%MOUNTOPTION%" version="1">
+ <linux:partition_object id="object_%POINTID%_partition_%MOUNTOPTION%" version="1">
<linux:mount_point>%MOUNTPOINT%</linux:mount_point>
</linux:partition_object>
- <linux:partition_state id="state%POINTID%_partition_%MOUNTOPTION%" version="1">
+ <linux:partition_state id="state_%POINTID%_partition_%MOUNTOPTION%" version="1">
<linux:mount_options datatype="string" entity_check="at least one" operation="equals">%MOUNTOPTION%</linux:mount_options>
</linux:partition_state>
</def-group>
From d66dc32ce0cfc1a9e6aa32ae12a53c13f4041795 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 18 Apr 2018 14:16:02 +0200
Subject: [PATCH 14/17] Fixed a test typo.
---
.../group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
index 916c3cf3ea..d72018ed8f 100644
--- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
@@ -9,4 +9,4 @@ make_fstab_given_partition_line /tmp nodev
cat /etc/fstab
-mount_partition /var/tmp
+mount_partition /tmp
From f1df2741051d6402b4ad67ab67f2e155ecd8f45c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 19 Apr 2018 10:58:04 +0200
Subject: [PATCH 15/17] Improved naming.
---
shared/templates/create_mount_options.py | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/shared/templates/create_mount_options.py b/shared/templates/create_mount_options.py
index ca65f9a709..dc24e6461d 100644
--- a/shared/templates/create_mount_options.py
+++ b/shared/templates/create_mount_options.py
@@ -3,7 +3,10 @@
# generate template-based checks for partitions and partition
# mount rights
+from __future__ import print_function
+
import re
+import sys
from template_common import FilesGenerator, UnknownTargetError
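Review bot: `import sys` and `from __future__ import print_function` are added only for the `print(..., file=sys.stderr)` in the next hunk, and that call is commented out, so both imports are unused; the `except Skipped as exc:` in the same hunk likewise binds a name that is never read. Either drop the two imports together with the commented-out `print`, or emit the note for real — collecting skipped entries and printing one summary line at the end of the run would avoid the per-entry spam the comment describes.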
@@ -41,8 +44,10 @@ def process(self, mount_point, mount_option, assert_mount_exists):
point_id = re.sub('[-\./]', '_', mount_point).lstrip("_")
try:
- self._set_correct_values(mount_point, mount_option, point_id)
- except Skipped:
+ self._translate_input_values(mount_point, mount_option, point_id)
+ except Skipped as exc:
+ # This would spam the user too many times during build.
+ # print("Note: {0} - {1}".format(mount_point, str(exc)), file=sys.stderr)
return
self._output_fname = self.OUTPUT_FORMAT_STRING.format(
@@ -55,7 +60,7 @@ def process(self, mount_point, mount_option, assert_mount_exists):
def _process(self):
raise NotImplementedError("You are supposed to use a derived class.")
- def _set_correct_values(self, mount_point, mount_option, point_id):
+ def _translate_input_values(self, mount_point, mount_option, point_id):
self._mount_point = mount_point
self._point_id = point_id
self._mount_option = mount_option
@@ -77,14 +82,17 @@ def _process(self):
""
)
- def _set_correct_values(self, mount_point, mount_option, point_id):
- super(RemediationTarget, self)._set_correct_values(mount_point, mount_option, point_id)
+ def _translate_input_values(self, mount_point, mount_option, point_id):
+ super(RemediationTarget, self)._translate_input_values(mount_point, mount_option, point_id)
if mount_point.startswith("var_"):
self._point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
self.template_file = "{0}_var".format(self.TEMPLATE_FILE_BASE)
self._output_id_template = "{mount_option}_{point_id}"
elif not mount_point.startswith("/"): # no path, but not a variable either
- raise Skipped("No template available yet")
+ raise Skipped(
+ "Remediations are available only for for literal mount points, "
+ "or by mount points defined by variables, thus beginning with 'var_'."
+ )
class OvalTarget(MountOptionTarget):
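Review bot: The new `Skipped` message reads "only for for literal mount points, or by mount points defined by variables"; the doubled "for" and the "by" are typos. Suggested text: `"Remediations are available only for literal mount points "` / `"or for mount points defined by variables, i.e. names beginning with 'var_'."`. The message is currently never displayed (the `print` in `process` is commented out), which is presumably why it escaped notice.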
@@ -94,8 +102,8 @@ def __init__(self, generator):
super(OvalTarget, self).__init__(
generator, "oval")
- def _set_correct_values(self, mount_point, mount_option, point_id):
- super(OvalTarget, self)._set_correct_values(mount_point, mount_option, point_id)
+ def _translate_input_values(self, mount_point, mount_option, point_id):
+ super(OvalTarget, self)._translate_input_values(mount_point, mount_option, point_id)
if mount_point.startswith("var_"):
self._point_id = re.sub(r"^var_(.*)", r"\1s", mount_point)
self.template_file = "{0}_{1}".format(self.TEMPLATE_FILE_BASE, self._point_id)
From cd797532ce23af4b43334b6249655c5049fa653f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 19 Apr 2018 10:58:21 +0200
Subject: [PATCH 16/17] Added shared template for remote filesystems.
And removed a shared check.
---
.../template_OVAL_mount_option_remote_filesystems} | 30 +++++++++++-----------
1 file changed, 15 insertions(+), 15 deletions(-)
rename shared/{checks/oval/mount_option_nodev_remote_filesystems.xml => templates/template_OVAL_mount_option_remote_filesystems} (59%)
diff --git a/shared/checks/oval/mount_option_nodev_remote_filesystems.xml b/shared/templates/template_OVAL_mount_option_remote_filesystems
similarity index 59%
rename from shared/checks/oval/mount_option_nodev_remote_filesystems.xml
rename to shared/templates/template_OVAL_mount_option_remote_filesystems
index 8e4d06519b..090e12135c 100644
--- a/shared/checks/oval/mount_option_nodev_remote_filesystems.xml
+++ b/shared/templates/template_OVAL_mount_option_remote_filesystems
@@ -1,37 +1,37 @@
<def-group>
- <definition class="compliance" id="mount_option_nodev_remote_filesystems" version="1">
+ <definition class="compliance" id="mount_option_%MOUNTOPTION%_remote_filesystems" version="1">
<metadata>
- <title>Mount Remote Filesystems with nodev</title>
+ <title>Mount Remote Filesystems with %MOUNTOPTION%</title>
<affected family="unix">
<platform>multi_platform_all</platform>
</affected>
- <description>The nodev option should be enabled for all NFS mounts in /etc/fstab.</description>
+ <description>The %MOUNTOPTION% option should be enabled for all NFS mounts in /etc/fstab.</description>
</metadata>
<criteria operator="XOR">
<!-- these tests are designed to be mutually exclusive; either no nfs mounts exist in /etc/fstab -->
- <!-- or all of the nfs mounts defined in /etc/fstab have the nodev mount option specified -->
- <criterion comment="remote nfs filesystems" test_ref="test_no_nfs_defined_etc_fstab_nodev" />
- <criterion comment="remote nfs filesystems" test_ref="test_nfs_nodev_etc_fstab" />
+ <!-- or all of the nfs mounts defined in /etc/fstab have the %MOUNTOPTION% mount option specified -->
+ <criterion comment="remote nfs filesystems" test_ref="test_no_nfs_defined_etc_fstab_%MOUNTOPTION%" />
+ <criterion comment="remote nfs filesystems" test_ref="test_nfs_%MOUNTOPTION%_etc_fstab" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="all nfs has nodev" id="test_nfs_nodev_etc_fstab" version="1">
- <ind:object object_ref="object_nfs_nodev_etc_fstab" />
- <ind:state state_ref="state_remote_filesystem_nodev" />
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="all nfs has %MOUNTOPTION%" id="test_nfs_%MOUNTOPTION%_etc_fstab" version="1">
+ <ind:object object_ref="object_nfs_%MOUNTOPTION%_etc_fstab" />
+ <ind:state state_ref="state_remote_filesystem_%MOUNTOPTION%" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_nfs_nodev_etc_fstab" version="1">
+ <ind:textfilecontent54_object id="object_nfs_%MOUNTOPTION%_etc_fstab" version="1">
<ind:filepath>/etc/fstab</ind:filepath>
<ind:pattern operation="pattern match">^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$</ind:pattern>
<!-- the "not equal" operation essentially means all instances of the regexp -->
<ind:instance datatype="int" operation="not equal">0</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_state id="state_remote_filesystem_nodev" version="1">
- <ind:subexpression operation="pattern match">^.*nodev.*$</ind:subexpression>
+ <ind:textfilecontent54_state id="state_remote_filesystem_%MOUNTOPTION%" version="1">
+ <ind:subexpression operation="pattern match">^.*%MOUNTOPTION%.*$</ind:subexpression>
</ind:textfilecontent54_state>
- <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="no nfs" id="test_no_nfs_defined_etc_fstab_nodev" version="1">
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="no nfs" id="test_no_nfs_defined_etc_fstab_%MOUNTOPTION%" version="1">
<!-- this test returns 'true' if /etc/fstab does not contain nfs/nfs4 mounts -->
- <ind:object object_ref="object_no_nfs_defined_etc_fstab_nodev" />
+ <ind:object object_ref="object_no_nfs_defined_etc_fstab_%MOUNTOPTION%" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_no_nfs_defined_etc_fstab_nodev" version="1">
+ <ind:textfilecontent54_object id="object_no_nfs_defined_etc_fstab_%MOUNTOPTION%" version="1">
<ind:filepath>/etc/fstab</ind:filepath>
<ind:pattern operation="pattern match">^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$</ind:pattern>
<!-- the "not equal" operation below essentially means all instances of the regexp -->
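Review bot: `%MOUNTOPTION%` is substituted verbatim into the state's regular expression `^.*%MOUNTOPTION%.*$`, which is an unanchored substring match over the captured remainder of the fstab line; now that the template is generic, an option such as `dev` or `exec` would be reported as present whenever `nodev`/`noexec` is, and a value with regex metacharacters would change the pattern's meaning. Matching the option as a whole comma-separated token, for example (constructed) `^(\S*,)?%MOUNTOPTION%(,\S*)?(\s.*)?$`, keeps the check precise for the values the CSV currently supplies and fails safe for look-alike option names. The `[\.\w-:]` class in the two object patterns is pre-existing, but `\w-:` is parsed as a range and is probably meant to be `[\w.:-]`.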
From 974ffce0628723e29a32e8d154a307815f032013 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 19 Apr 2018 16:53:57 +0200
Subject: [PATCH 17/17] Fixed test cases.
---
.../group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh | 2 --
.../group_partitions/rule_mount_option_tmp_noexec/separate.fail.sh | 3 +++
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
index d72018ed8f..b1124ab75e 100644
--- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/fstab.fail.sh
@@ -7,6 +7,4 @@ create_partition
make_fstab_given_partition_line /tmp nodev
-cat /etc/fstab
-
mount_partition /tmp
diff --git a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/separate.fail.sh b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/separate.fail.sh
index d04184af45..98bdf514e0 100644
--- a/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/separate.fail.sh
+++ b/tests/data/group_system/group_permissions/group_partitions/rule_mount_option_tmp_noexec/separate.fail.sh
@@ -1,6 +1,9 @@
#!/bin/bash
# profiles = xccdf_org.ssgproject.content_profile_C2S
+# Remediating would mount /tmp, which would break the test environment.
+# remediation = none
+
. partition.sh
create_partition