Blame SOURCES/scap-security-guide-0.1.48-fix_grub2_enable_fips_mode.patch

From 77a21063367337b874e9396547b3d1439eef2754 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 6 Sep 2019 11:44:49 -0400
Subject: [PATCH] Rename disable_prelink -> bash_disable_prelink
Per conversation in #4746, we should probably prefix bash remediation
helpers with the bash_ prefix. This lets us quickly identify which
language a particular macro is for, especially when macros with similar
functionality behave differently across languages.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
 .../system/software/integrity/disable_prelink/bash/shared.sh    | 2 +-
 .../integrity/fips/grub2_enable_fips_mode/bash/shared.sh        | 2 +-
 shared/macros-bash.jinja                                        | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh b/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh
44eea6
index a79bd71ab0..ed6a388d0a 100644
44eea6
--- a/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh
44eea6
+++ b/linux_os/guide/system/software/integrity/disable_prelink/bash/shared.sh
44eea6
@@ -1,2 +1,2 @@
44eea6
 # platform = multi_platform_all
44eea6
-{{{ disable_prelink() }}}
44eea6
+{{{ bash_disable_prelink() }}}
44eea6
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
44eea6
index 2b99be11a7..18b57e6f87 100644
44eea6
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
44eea6
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/bash/shared.sh
44eea6
@@ -3,7 +3,7 @@
44eea6
 # include remediation functions library
44eea6
 . /usr/share/scap-security-guide/remediation_functions
44eea6
 
44eea6
-{{{ disable_prelink() }}}
44eea6
+{{{ bash_disable_prelink() }}}
44eea6
 
44eea6
 if grep -q -m1 -o aes /proc/cpuinfo; then
44eea6
 	{{{ bash_package_install("dracut-fips-aesni") }}}
44eea6
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
44eea6
index 1af0143805..8a6b9b5099 100644
44eea6
--- a/shared/macros-bash.jinja
44eea6
+++ b/shared/macros-bash.jinja
44eea6
@@ -87,7 +87,7 @@ apt-get remove -y "{{{ package }}}"
44eea6
 {{%- endif -%}}
44eea6
 {{%- endmacro -%}}
44eea6
 
44eea6
-{{%- macro disable_prelink() -%}}
44eea6
+{{%- macro bash_disable_prelink() -%}}
44eea6
 # prelink not installed
44eea6
 if test ! -e /etc/sysconfig/prelink -a ! -e /usr/sbin/prelink; then
44eea6
     return 0
From 747a407d54a4c3549795fbf2a484092d175a39a4 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 6 Nov 2019 15:45:47 +0100
Subject: [PATCH 1/2] Invert logic when testing for prelink package presence.
Since this piece of code is not a bash function anymore, it is not
possible to use the return statement, so inverting the logic of the test
did the trick.
---
 shared/macros-bash.jinja | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
44eea6
index 49ef874f0b..62b1b165a8 100644
44eea6
--- a/shared/macros-bash.jinja
44eea6
+++ b/shared/macros-bash.jinja
44eea6
@@ -89,21 +89,19 @@ apt-get remove -y "{{{ package }}}"
44eea6
 
44eea6
 {{%- macro bash_disable_prelink() -%}}
44eea6
 # prelink not installed
44eea6
-if test ! -e /etc/sysconfig/prelink -a ! -e /usr/sbin/prelink; then
44eea6
-    return 0
44eea6
-fi
44eea6
-
44eea6
-if grep -q ^PRELINKING /etc/sysconfig/prelink
44eea6
-then
44eea6
-    sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
44eea6
-else
44eea6
-    printf '\n' >> /etc/sysconfig/prelink
44eea6
-    printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
44eea6
-fi
44eea6
+if test -e /etc/sysconfig/prelink -o -e /usr/sbin/prelink; then
44eea6
+    if grep -q ^PRELINKING /etc/sysconfig/prelink
44eea6
+    then
44eea6
+        sed -i 's/^PRELINKING[:blank:]*=[:blank:]*[:alpha:]*/PRELINKING=no/' /etc/sysconfig/prelink
44eea6
+    else
44eea6
+        printf '\n' >> /etc/sysconfig/prelink
44eea6
+        printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink
44eea6
+    fi
44eea6
 
44eea6
-# Undo previous prelink changes to binaries if prelink is available.
44eea6
-if test -x /usr/sbin/prelink; then
44eea6
-    /usr/sbin/prelink -ua
44eea6
+    # Undo previous prelink changes to binaries if prelink is available.
44eea6
+    if test -x /usr/sbin/prelink; then
44eea6
+        /usr/sbin/prelink -ua
44eea6
+    fi
44eea6
 fi
44eea6
 {{%- endmacro -%}}
44eea6
 
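Review bot: The `sed -i` line moved under the new outer `if` still writes `[:blank:]` and `[:alpha:]` without the enclosing brackets, so these are not POSIX character classes; depending on the sed implementation the expression is either rejected or read as a set of the literal characters. In the second case `PRELINKING=yes` would be rewritten to `PRELINKING=noyes` and a line spelled `PRELINKING = yes` would not be rewritten at all, so the file may not end up containing the `PRELINKING=no` setting the remediation is meant to enforce. Since the commit re-indents this line anyway, I would change it to `sed -i 's/^PRELINKING[[:blank:]]*=[[:blank:]]*[[:alpha:]]*/PRELINKING=no/' /etc/sysconfig/prelink`. The retained comment `# prelink not installed` also no longer describes the inverted test and could become `# only act when prelink is installed or configured`.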
From 6c7182016b956d53ac5cf306da6d1b4efda953ab Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 6 Nov 2019 17:15:47 +0100
Subject: [PATCH 2/2] Add dracut-fips-aesni package to grub2_enable_fips_mode
 anaconda remediation.
---
 .../fips/grub2_enable_fips_mode/anaconda/shared.anaconda        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda
44eea6
index 4a329df8f4..2dd06202b3 100644
44eea6
--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda
44eea6
+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/anaconda/shared.anaconda
44eea6
@@ -1,3 +1,3 @@
44eea6
 # platform = Red Hat Enterprise Linux 7,Oracle Linux 7
44eea6
 
44eea6
-package --add=dracut-fips
44eea6
+package --add=dracut-fips --add=dracut-fips-aesni
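Review bot: The new `package --add=dracut-fips --add=dracut-fips-aesni` line requests the AES-NI package unconditionally, whereas the bash remediation for the same rule (context lines of the grub2_enable_fips_mode/bash/shared.sh hunk earlier on this page) installs `dracut-fips-aesni` only when `aes` appears in /proc/cpuinfo. The commit message gives no rationale for the difference, so it is worth confirming that installing the package on hardware without AES-NI is harmless for a FIPS-mode boot. I would record the decision next to the line, for example `# NOTE: unlike the bash remediation, dracut-fips-aesni is added without checking the CPU for AES-NI`.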