From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001

From: Matej Tyc <matyc@redhat.com>

Date: Thu, 21 Jul 2022 16:42:41 +0200

Subject: [PATCH 1/3] Add platforms for partition existence

---

 shared/applicability/general.yml              | 14 +++++++++++++

 .../checks/oval/installed_env_mounts_tmp.xml  | 10 +++++++++

 .../oval/installed_env_mounts_var_tmp.xml     | 10 +++++++++

 shared/macros/10-ansible.jinja                |  5 +++++

 shared/macros/10-bash.jinja                   |  5 +++++

 shared/macros/10-oval.jinja                   | 21 +++++++++++++++++++

 6 files changed, 65 insertions(+)

 create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml

 create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml

diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml

index 2d23d753148..e2f5d04ce00 100644

--- a/shared/applicability/general.yml

+++ b/shared/applicability/general.yml

@@ -77,6 +77,20 @@ cpes:

       bash_conditional: {{{ bash_pkg_conditional("pam") }}}

       ansible_conditional: {{{ ansible_pkg_conditional("pam") }}}

+  - partition-var-tmp:

+      name: "cpe:/a:partition-var-tmp"

+      title: "There is a /var/tmp partition"

+      check_id: installed_env_mounts_var_tmp

+      bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}}

+      ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}}

+

+  - partition-tmp:

+      name: "cpe:/a:partition-tmp"

+      title: "There is a /tmp partition"

+      check_id: installed_env_mounts_tmp

+      bash_conditional: {{{ bash_partition_conditional("/tmp") }}}

+      ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}}

+

   - polkit:

       name: "cpe:/a:polkit"

       title: "Package polkit is installed"

diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml

new file mode 100644

index 00000000000..c1bcd6b2431

--- /dev/null

+++ b/shared/checks/oval/installed_env_mounts_tmp.xml

@@ -0,0 +1,10 @@

+<def-group>

+  <definition class="inventory" id="installed_env_mounts_tmp" version="1">

+    {{{ oval_metadata("", title="Partition /tmp exists", affected_platforms=[full_name]) }}}

+    <criteria>

+       {{{ partition_exists_criterion("/tmp") }}}

+    </criteria>

+  </definition>

+

+  {{{ partition_exists_tos("/tmp") }}}

+</def-group>

diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml

new file mode 100644

index 00000000000..a72f49c8a8f

--- /dev/null

+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml

@@ -0,0 +1,10 @@

+<def-group>

+  <definition class="inventory" id="installed_env_mounts_var_tmp" version="1">

+    {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}}

+    <criteria>

+       {{{ partition_exists_criterion("/var/tmp") }}}

+    </criteria>

+  </definition>

+

+  {{{ partition_exists_tos("/var/tmp") }}}

+</def-group>

diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja

index 2d24f730d3f..478f0072bc7 100644

--- a/shared/macros/10-ansible.jinja

+++ b/shared/macros/10-ansible.jinja

@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template.

   when:

     - result_pam_file_present.stat.exists

 {{%- endmacro -%}}

+

+

+{{%- macro ansible_partition_conditional(path) -%}}

+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"

+{{%- endmacro -%}}

diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja

index 94c3c6f9570..6a7fb165fd2 100644

--- a/shared/macros/10-bash.jinja

+++ b/shared/macros/10-bash.jinja

@@ -2085,3 +2085,8 @@ else

     echo "{{{ pam_file }}} was not found" >&2

 fi

 {{%- endmacro -%}}

+

+

+{{%- macro bash_partition_conditional(path) -%}}

+'findmnt --mountpoint "{{{ path }}}" > /dev/null'

+{{%- endmacro -%}}

diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja

index c8d7bbeffb7..1ec93b6ef7d 100644

--- a/shared/macros/10-oval.jinja

+++ b/shared/macros/10-oval.jinja

@@ -926,3 +926,24 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo

 {{%- else %}}

   {{%- set user_list="nobody" %}}

 {{%- endif %}}

+

+

+{{%- macro partition_exists_criterion(path) %}}

+{{%- set escaped_path = path | replace("/", "_") %}}

+      <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path  }}}_exists" />

+{{%- endmacro %}}

+

+{{%- macro partition_exists_tos(path) %}}

+{{%- set escaped_path = path | replace("/", "_") %}}

+  

+      comment="Partition {{{ path }}} exists"

+      id="test_partition_{{{ escaped_path }}}_exists"

+  version="1">

+    <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />

+    {{#- <linux:partition_state state_ref="" /> #}}

+  </linux:partition_test>

+

+  <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">

+    <linux:mount_point>{{{ path }}}</linux:mount_point>

+  </linux:partition_object>

+{{%- endmacro %}}

From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001

From: Matej Tyc <matyc@redhat.com>

Date: Thu, 21 Jul 2022 16:43:21 +0200

Subject: [PATCH 2/3] Use partition exist platforms on a real rule

---

 .../partitions/mount_option_var_tmp_nodev/rule.yml           | 3 ++-

 .../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh   | 5 +++++

 2 files changed, 7 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml

index 8ee8c8b12e0..741d0973283 100644

--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml

+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml

@@ -38,7 +38,8 @@ references:

     stigid@ol8: OL08-00-040132

     stigid@rhel8: RHEL-08-040132

-platform: machine

+platforms:

+  - machine and partition-var-tmp

 template:

     name: mount_option

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh

new file mode 100644

index 00000000000..241c0103d82

--- /dev/null

+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+

+. $SHARED/partition.sh

+

+clean_up_partition /var/tmp  # Remove the partition from the system, and unmount it

From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001

From: Matej Tyc <matyc@redhat.com>

Date: Wed, 10 Aug 2022 11:32:38 +0200

Subject: [PATCH 3/3] Improve code style

- Improve description of OVAL macro

- Use the escape_id filter to produce IDs

---

 shared/checks/oval/installed_env_mounts_tmp.xml     | 2 +-

 shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +-

 shared/macros/10-oval.jinja                         | 7 +++----

 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml

index c1bcd6b2431..edd8ad050f5 100644

--- a/shared/checks/oval/installed_env_mounts_tmp.xml

+++ b/shared/checks/oval/installed_env_mounts_tmp.xml

@@ -6,5 +6,5 @@

     </criteria>

   </definition>

-  {{{ partition_exists_tos("/tmp") }}}

+  {{{ partition_exists_test_object("/tmp") }}}

 </def-group>

diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml

index a72f49c8a8f..cf9aafbdb04 100644

--- a/shared/checks/oval/installed_env_mounts_var_tmp.xml

+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml

@@ -6,5 +6,5 @@

     </criteria>

   </definition>

-  {{{ partition_exists_tos("/var/tmp") }}}

+  {{{ partition_exists_test_object("/var/tmp") }}}

 </def-group>

diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja

index 1ec93b6ef7d..f302091f7df 100644

--- a/shared/macros/10-oval.jinja

+++ b/shared/macros/10-oval.jinja

@@ -929,18 +929,17 @@ Generates the :code:`<affected>` tag for OVAL check using correct product platfo

 {{%- macro partition_exists_criterion(path) %}}

-{{%- set escaped_path = path | replace("/", "_") %}}

+{{%- set escaped_path = path | escape_id %}}

       <criterion comment="The path {{{ path }}} is a partition's mount point" test_ref="test_partition_{{{ escaped_path  }}}_exists" />

 {{%- endmacro %}}

-{{%- macro partition_exists_tos(path) %}}

-{{%- set escaped_path = path | replace("/", "_") %}}

+{{%- macro partition_exists_test_object(path) %}}

+{{%- set escaped_path = path | escape_id %}}

       comment="Partition {{{ path }}} exists"

       id="test_partition_{{{ escaped_path }}}_exists"

   version="1">

     <linux:object object_ref="object_partition_{{{ escaped_path }}}_exists" />

-    {{#- <linux:partition_state state_ref="" /> #}}

   </linux:partition_test>

   <linux:partition_object id="object_partition_{{{ escaped_path }}}_exists" version="1">