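diff --git a/src/XCCDF_POLICY/xccdf_policy_remediate.c b/src/XCCDF_POLICY/xccdf_policy_remediate.c
index f59737727..19bb59f2e 100644
--- a/src/XCCDF_POLICY/xccdf_policy_remediate.c
+++ b/src/XCCDF_POLICY/xccdf_policy_remediate.c
@@ -139,11 +139,10 @@ static int _write_remediation_to_fd_and_free(int output_fd, const char* template
 free(text);
 return 1;
 }
-
- if (_write_text_to_fd(output_fd, "\n") != 0) {
- free(text);
- return 1;
- }
+ }
+ if (_write_text_to_fd(output_fd, "\n") != 0) {
+ free(text);
+ return 1;
 }
 
 if (next_delim != NULL) {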
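Review bot: The `_write_text_to_fd(output_fd, "\n")` call that moved out of the inner block now runs for every line of the template, including empty ones, and nothing in the code records why; judging by the new `|+` block-scalar fixture this is deliberate (blank lines inside the scalar must survive), so a comment on the moved `if`, `/* Always terminate the line, even an empty one: YAML block scalars rely on blank lines being preserved. */`, would stop a later cleanup from folding it back into the block. The two identical `free(text); return 1;` error paths are the same pattern repeated; a single cleanup label would keep one exit path, though that is a style choice. Indentation is lost on this page, so the nesting read here is inferred from the brace moves; `_write_remediation_to_fd_and_free` starts before the hunk and continues after it.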
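diff --git a/tests/API/XCCDF/unittests/CMakeLists.txt b/tests/API/XCCDF/unittests/CMakeLists.txt
index 2a56d3cdc..05ddea219 100644
--- a/tests/API/XCCDF/unittests/CMakeLists.txt
+++ b/tests/API/XCCDF/unittests/CMakeLists.txt
@@ -18,6 +18,7 @@ if(PYTHONINTERP_FOUND)
 add_oscap_test("all_python.sh")
 endif()
 
+add_oscap_test("test_ansible_yaml_block_scalar.sh")
 add_oscap_test("test_xccdf_shall_pass1.sh")
 add_oscap_test("test_xccdf_shall_pass2.sh")
 add_oscap_test("test_xccdf_shall_pass3.sh")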
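diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml
new file mode 100644
index 000000000..dd0276739
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.playbook.yml
@@ -0,0 +1,37 @@
+---
+
+
+- hosts: all
+ vars:
+ tasks:
+ - name: Make sure contents of /etc/audit/rules.d/10-base-config.rules are as expected
+ copy:
+ dest: /etc/audit/rules.d/10-base-config.rules
+ content: |+
+ ## First rule - delete all
+ -D
+
+ ## Increase the buffers to survive stress events.
+ ## Make this bigger for busy systems
+ -b 8192
+
+ ## This determine how long to wait in burst of events
+ --backlog_wait_time 60000
+
+ ## Set failure mode to syslog
+ -f 1
+
+
+ force: true
+ when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
+ tags:
+ - audit_basic_configuration
+ - medium_severity
+ - restrict_strategy
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - CCE-82462-3
+ - NIST-800-53-AU-2(a)
+
+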
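diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh
new file mode 100755
index 000000000..4ca5b3be5
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+. $builddir/tests/test_common.sh
+
+set -e
+set -o pipefail
+
+profile="xccdf_moc.elpmaxe.www_profile_standard"
+
+name=$(basename $0 .sh)
+stderr=$(mktemp -t ${name}.err.XXXXXX)
+playbook=$(mktemp -t ${name}.yml.XXXXXX)
+playbook_without_header=$(mktemp -t ${name}.yml.XXXXXX)
+
+# Generate an Ansible playbook from a profile in SDS file
+$OSCAP xccdf generate fix --profile $profile --fix-type ansible "$srcdir/$name.xccdf.xml" >$playbook 2>$stderr
+sed '/^#/d' $playbook > $playbook_without_header
+diff -u $playbook_without_header $srcdir/$name.playbook.yml
+[ -f $stderr ]; [ ! -s $stderr ]; rm $stderr
+
+rm $playbook
+rm $playbook_without_header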
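Review bot: The three `mktemp` files created on the `stderr=`, `playbook=` and `playbook_without_header=` lines are only removed on the success path; under `set -e` any failing step (the `$OSCAP` call, the `diff -u`, or the `[ ! -s $stderr ]` check) exits the script and leaves them behind in the temp directory. A single `trap 'rm -f "$stderr" "$playbook" "$playbook_without_header"' EXIT` placed right after the `mktemp` lines covers every exit and makes the three trailing `rm` lines unnecessary. The `$playbook`, `$stderr` and `$srcdir/$name.playbook.yml` expansions are also unquoted, which works with the mktemp names used here but is inconsistent with the quoted `"$srcdir/$name.xccdf.xml"` on the same line.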
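diff --git a/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml
new file mode 100644
index 000000000..81b2adfd4
--- /dev/null
+++ b/tests/API/XCCDF/unittests/test_ansible_yaml_block_scalar.xccdf.xml
@@ -0,0 +1,48 @@
+
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_test">
+ <status>incomplete</status>
+ <title>Security Benchmark</title>
+ <description xml:lang="en-US">A sample benchmark</description>
+ <version>1.0</version>
+ <Profile id="xccdf_moc.elpmaxe.www_profile_standard">
+ <title xml:lang="en-US">Standard System Security Profile</title>
+ <description xml:lang="en-US">This profile contains rules to ensure standard security baseline of your system.</description>
+ <select idref="xccdf_moc.elpmaxe.www_rule_1" selected="true"/>
+ </Profile>
+ <Rule selected="false" id="xccdf_moc.elpmaxe.www_rule_1">
+ <title>Passing rule</title>
+ <fix id="ansible_fix_for_passing_rule" system="urn:xccdf:fix:script:ansible">- name: Make sure contents of /etc/audit/rules.d/10-base-config.rules are as expected
+ copy:
+ dest: /etc/audit/rules.d/10-base-config.rules
+ content: |+
+ ## First rule - delete all
+ -D
+
+ ## Increase the buffers to survive stress events.
+ ## Make this bigger for busy systems
+ -b 8192
+
+ ## This determine how long to wait in burst of events
+ --backlog_wait_time 60000
+
+ ## Set failure mode to syslog
+ -f 1
+
+
+ force: true
+ when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
+ tags:
+ - audit_basic_configuration
+ - medium_severity
+ - restrict_strategy
+ - low_complexity
+ - low_disruption
+ - no_reboot_needed
+ - CCE-82462-3
+ - NIST-800-53-AU-2(a)
+</fix>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+ <check-content-ref href="oval/pass/oval.xml" name="oval:moc.elpmaxe.www:def:1"/>
+ </check>
+ </Rule>
+</Benchmark>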