Blame SOURCES/scap-security-guide-0.1.41-bash_and_tests_for_grub2_audit_argument.patch

From fde8c630799aee5339076355be0812b64f89c733 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 11 Sep 2018 10:27:48 +0200
Subject: [PATCH 1/3] Add bash for rule grub2_audit_argument
---
 .../auditing/grub2_audit_argument/bash/shared.sh    | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 shared/fixes/bash/grub2_audit_argument.sh
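diff --git a/shared/fixes/bash/grub2_audit_argument.sh b/shared/fixes/bash/grub2_audit_argument.sh
new file mode 100644
index 0000000000..913ebd6788
--- /dev/null
+++ b/shared/fixes/bash/grub2_audit_argument.sh
@@ -0,0 +1,13 @@
+# platform = Red Hat Enterprise Linux 7, multi_platform_fedora
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"'  '/etc/default/grub' ; then
+	# modify the GRUB command-line if an audit= arg already exists
+	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/'  '/etc/default/grub'
+else
+	# no audit=arg is present, append it
+	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=1"/'  '/etc/default/grub'
+fi
+
+# Correct the form of kernel command line for each installed kernel in the bootloader
+grubby --update-kernel=ALL --args="audit=1"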
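Review bot: The remediation can finish without `audit=1` ever reaching `/etc/default/grub`, because both `sed` expressions require a double-quoted `GRUB_CMDLINE_LINUX="..."` line and nothing checks that either one matched. If the variable is absent, single-quoted or unquoted, the `else` branch is a silent no-op; `grubby --update-kernel=ALL` still fixes the installed entries, but kernels installed later would presumably be generated from the unchanged defaults and boot without auditing. Consider handling the missing-line case before the `if`, e.g. `grep -q '^GRUB_CMDLINE_LINUX=' /etc/default/grub || echo 'GRUB_CMDLINE_LINUX="audit=1"' >> /etc/default/grub`, and checking the exit status of `grubby`. The `audit=` match is also not anchored to a word boundary, and the greedy `.*` in the first group rewrites only the last occurrence on the line.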
From 3cb4d82b850c6b8a29a449a68ce30254508a6fd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 11 Sep 2018 10:28:15 +0200
Subject: [PATCH 2/3] Add tests for grub2_audit_argument
---
 .../rule_grub2_audit_argument/arg_not_there.fail.sh   |  9 +++++++++
 .../rule_grub2_audit_argument/correct_value.pass.sh   | 11 +++++++++++
 .../rule_grub2_audit_argument/wrong_value.fail.sh     | 11 +++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
 create mode 100644 tests/data/group_system/group_auditing/rule_grub2_audit_argument/correct_value.pass.sh
 create mode 100644 tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
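diff --git a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
new file mode 100644
index 0000000000..04f07457b0
--- /dev/null
+++ b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"'  '/etc/default/grub' ; then
+	# Remove the audit arg from the GRUB command-line if an audit arg already exists
+	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 \2/'  '/etc/default/grub'
+fi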
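Review bot: The `sed` in this scenario removes only one `audit=` token: the leading `.*` in the first group is greedy, so with two occurrences on the `GRUB_CMDLINE_LINUX` line the earlier one survives and the system is not actually in the "argument not there" state the test name promises. A global, line-scoped substitution avoids that, e.g. `sed -i '/^GRUB_CMDLINE_LINUX=/s/audit=[^[:space:]"]*//g' /etc/default/grub`. With that form the surrounding `grep` guard is no longer needed.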
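diff --git a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/correct_value.pass.sh b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/correct_value.pass.sh
new file mode 100644
index 0000000000..320d979a9b
--- /dev/null
+++ b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/correct_value.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"'  '/etc/default/grub' ; then
+	# modify the GRUB command-line if an audit= arg already exists
+	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/'  '/etc/default/grub'
+else
+	# no audit=arg is present, append it
+	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=1"/'  '/etc/default/grub'
+fi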
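Review bot: This scenario, like `arg_not_there.fail.sh` and `wrong_value.fail.sh`, only edits `/etc/default/grub`, whereas the remediation in patch 1/3 also rewrites the installed boot entries with `grubby`. If the rule's check (not visible here) also inspects the generated bootloader configuration, the pass scenario may not produce a compliant state and the fail scenarios may leave `audit=1` in the boot entries. Adding the matching `grubby --update-kernel=ALL --args="audit=1"` here, and `--remove-args="audit"` or `--args="audit=0"` in the other two, would make the prepared state unambiguous. The body is also a verbatim copy of the fix script, so a bug in that `sed` would be reproduced by the test setup rather than caught by it.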
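diff --git a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
new file mode 100644
index 0000000000..4c3ce2c723
--- /dev/null
+++ b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"'  '/etc/default/grub' ; then
+	# modify the GRUB command-line if an audit= arg already exists
+	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=0 \2/'  '/etc/default/grub'
+else
+	# no audit=arg is present, append it
+	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=0"/'  '/etc/default/grub'
+fi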
From b0cf50b476bd626b7cbf60e18726e02a6282f977 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 11 Sep 2018 13:10:16 +0200
Subject: [PATCH 3/3] Improve comments
---
 .../rule_grub2_audit_argument/arg_not_there.fail.sh            | 3 +--
 .../rule_grub2_audit_argument/wrong_value.fail.sh              | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
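diff --git a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
index 04f07457b0..0230da8045 100644
--- a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
+++ b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/arg_not_there.fail.sh
@@ -2,8 +2,7 @@
 
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 
-# Correct the form of default kernel command line in GRUB
+# Removes audit argument from kernel command line
 if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"'  '/etc/default/grub' ; then
-	# Remove the audit arg from the GRUB command-line if an audit arg already exists
 	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 \2/'  '/etc/default/grub'
 fi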
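diff --git a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
index 4c3ce2c723..21dc897d4a 100644
--- a/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
+++ b/tests/data/group_system/group_auditing/rule_grub2_audit_argument/wrong_value.fail.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # profiles = xccdf_org.ssgproject.content_profile_ospp
 
-# Correct the form of default kernel command line in GRUB
+# Break the audit argument in kernel command line
 if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"'  '/etc/default/grub' ; then
 	# modify the GRUB command-line if an audit= arg already exists
 	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=0 \2/'  '/etc/default/grub'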