From b8fd95776ce894006163b2bb5e34682e5844ca1e Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 21 Oct 2021 14:43:51 -0500
Subject: [PATCH 1/5] Always esacpe parameter in ansible_set_config_file

---
 .../ansible/shared.yml                          |  5 +++--
 .../ansible/shared.yml                          |  5 +++--
 .../ansible/shared.yml                          |  5 +++--
 shared/macros-ansible.jinja                     | 17 ++++++++++-------
 4 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
index 637f90003b2..ca5a405f877 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
@@ -5,5 +5,6 @@
 # disruption = low
 
 {{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf", 
-                                "$ActionSendStreamDriverAuthMode", separator=' ', separator_regex='\s', 
-                                value="x509/name", create='yes') }}}
+                                "$ActionSendStreamDriverAuthMode", separator=' ', separator_regex='\s',
+                                value="x509/name", create='yes')
+}}}
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
index 5d11103fc0f..1f001f47e07 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/ansible/shared.yml
@@ -4,6 +4,7 @@
 # complexity = low
 # disruption = low
 
-{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
-             parameter="$ActionSendStreamDriverMode", value="1", create=true, separator=" ", separator_regex=" ")
+{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
+                                  parameter="$ActionSendStreamDriverMode", value="1", create=true, separator=" ",
+                                  separator_regex=" ")
 }}}
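Review bot: `separator_regex=" "` in this call matches exactly one literal space, whereas the actionsendstreamdriverauthmode rule in the same patch passes `separator_regex='\s'`. An existing `$ActionSendStreamDriverMode` line that uses a tab as separator would presumably not be matched by the dedupe, remove and replace tasks built from `line_regex`, so the remediation would add a second line and leave the old value in the file. Suggest `separator_regex='\s'` here and in the `$DefaultNetstreamDriver` call in the next file (re-indented in patch 2/5). The call also moves the remediation target from `/etc/rsyslog.d/encrypt.conf` to `/etc/rsyslog.conf`, which the commit subject does not mention and would be worth a line in the description.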
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
index 035ab152876..4016a08721e 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
@@ -4,6 +4,7 @@
 # complexity = low
 # disruption = low
 
-{{{ ansible_set_config_file(file="/etc/rsyslog.d/encrypt.conf",
-                    parameter="$DefaultNetstreamDriver", value="gtls", create=true, separator=" ", separator_regex=" ")
+{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
+                    parameter="$DefaultNetstreamDriver", value="gtls", create=true, separator=" "
+                    , separator_regex=" ")
 }}}
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 563350743fe..0f8dba56dab 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -25,14 +25,17 @@ value: "Setting={{ varname1 }}"
 
   Note that all string-like parameters are single quoted in the YAML.
 #}}
-{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False) -%}}
+{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False, escape_regex=False) -%}}
 - name: "{{{ msg or rule_title }}}"
   lineinfile:
     path: '{{{ path }}}'
     create: {{{ create }}}
-    {{%- if regex %}}
+    {{%- if regex and not escape_regex %}}
     regexp: '{{{ regex }}}'
     {{%- endif %}}
+    {{%- if regex and escape_regex %}}
+    regexp: '{{ {{{ regex }}} | regex_escape }}'
+    {{%- endif %}}
     {{%- if state == 'present' %}}
     line: '{{{ new_line }}}'
     state: present
@@ -121,7 +124,7 @@ value: "Setting={{ varname1 }}"
   ini configuration files are best served with the ini Ansible module
   instead of lineinfile-based solutions.
 #}}
-{{%- macro ansible_set_config_file(msg, file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='') %}}
+{{%- macro ansible_set_config_file(msg, file, parameter, separator=' ', separator_regex='\s+', value='', prefix_regex='^\s*', create='no', validate='', insert_after='', insert_before='', escape_regex=False) %}}
 {{{ ansible_only_lineinfile(msg, file, prefix_regex + parameter + separator_regex, parameter + separator + value, create=create, block=True, validate=validate, insert_after=insert_after, insert_before=insert_before) }}}
 {{%- endmacro %}}
 
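Review bot: The new `escape_regex=False` argument on `ansible_set_config_file` is never read: the body line visible in this hunk still passes `prefix_regex + parameter + separator_regex` to `ansible_only_lineinfile` unchanged, and no later patch in the series touches this macro. A `parameter` such as `$DefaultNetstreamDriver` therefore still reaches the regex with `$` acting as an end-of-line anchor, so the pattern would likely never match an existing line, contrary to what the commit subject promises. Either drop the argument or build the pattern the way patch 4/5 does for `ansible_set_config_file_dir`, e.g. `prefix_regex + "{{ \"" + parameter + "\" | regex_escape }}" + separator_regex`. The macro's doc comment starts above the hunk.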
@@ -143,12 +146,12 @@ value: "Setting={{ varname1 }}"
 {{%- set new_line = parameter + separator + value -%}}
 - name: '{{{ msg or rule_title }}}'
   block:
-    {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True)|indent }}}
-    {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1')|indent }}}
+    {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True, escape_regex=True)|indent }}}
+    {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1', escape_regex=True)|indent }}}
     {{{ ansible_stat("Check if " + config_dir + " exists", path=config_dir, register=dir_exists)|indent }}}
     {{{ ansible_find("Check if the parameter " + parameter + " is present in " + config_dir, paths=config_dir, contains=line_regex, register=dir_parameter, when=find_when)|indent }}}
-    {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when)|indent }}}
-    {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before)|indent }}}
+    {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when, escape_regex=True)|indent }}}
+    {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before, escape_regex=True)|indent }}}
 {{%- endmacro %}}
 
 {{#

From 5635bf94c9274511e3d63feb8d4082c4ec9144f3 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Tue, 26 Oct 2021 13:01:27 -0500
Subject: [PATCH 2/5] Fix a couple items from reviewers on ansible_lineinfile
 escaping

---
 .../ansible/shared.yml                                        | 4 ++--
 shared/macros-ansible.jinja                                   | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
index 4016a08721e..3cc18d4476e 100644
--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_defaultnetstreamdriver/ansible/shared.yml
@@ -5,6 +5,6 @@
 # disruption = low
 
 {{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf",
-                    parameter="$DefaultNetstreamDriver", value="gtls", create=true, separator=" "
-                    , separator_regex=" ")
+                                parameter="$DefaultNetstreamDriver", value="gtls", create=true,
+                                separator=" ", separator_regex=" ")
 }}}
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 0f8dba56dab..752d220bbfc 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -32,8 +32,7 @@ value: "Setting={{ varname1 }}"
     create: {{{ create }}}
     {{%- if regex and not escape_regex %}}
     regexp: '{{{ regex }}}'
-    {{%- endif %}}
-    {{%- if regex and escape_regex %}}
+    {{%- elif regex and escape_regex %}}
     regexp: '{{ {{{ regex }}} | regex_escape }}'
     {{%- endif %}}
     {{%- if state == 'present' %}}

From f6541126a4d19bfef8752028467659ab9d9f74ed Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Tue, 2 Nov 2021 08:32:18 -0500
Subject: [PATCH 3/5] Fix escaping in ansible_lineinfile macro

---
 shared/macros-ansible.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 752d220bbfc..1e0ba6260bb 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -33,7 +33,7 @@ value: "Setting={{ varname1 }}"
     {{%- if regex and not escape_regex %}}
     regexp: '{{{ regex }}}'
     {{%- elif regex and escape_regex %}}
-    regexp: '{{ {{{ regex }}} | regex_escape }}'
+    regexp: {{{ regex }}} | regex_escape
     {{%- endif %}}
     {{%- if state == 'present' %}}
     line: '{{{ new_line }}}'

From ef6d300a707dc272eaa9442ece135009287bfdf5 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 3 Nov 2021 11:15:11 -0500
Subject: [PATCH 4/5] Move regex_escape to ansible_set_config_file_dir

---
 shared/macros-ansible.jinja | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 1e0ba6260bb..8e7ce1a1206 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -25,15 +25,13 @@ value: "Setting={{ varname1 }}"
 
   Note that all string-like parameters are single quoted in the YAML.
 #}}
-{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False, escape_regex=False) -%}}
+{{%- macro ansible_lineinfile(msg='', path='', regex='', new_line='', create='no', state='present', with_items='', register='', when='', validate='', insert_after='', insert_before='', check_mode=False) -%}}
 - name: "{{{ msg or rule_title }}}"
   lineinfile:
     path: '{{{ path }}}'
     create: {{{ create }}}
-    {{%- if regex and not escape_regex %}}
+    {{%- if regex %}}
     regexp: '{{{ regex }}}'
-    {{%- elif regex and escape_regex %}}
-    regexp: {{{ regex }}} | regex_escape
     {{%- endif %}}
     {{%- if state == 'present' %}}
     line: '{{{ new_line }}}'
@@ -138,19 +136,19 @@ value: "Setting={{ varname1 }}"
 {{%- set var_dir = config_dir | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
 {{%- set dir_exists = var_dir + "_exists" -%}}
 {{%- set dir_parameter = var_dir + "_has_parameter" -%}}
-{{%- set line_regex = prefix_regex + parameter + separator_regex -%}}
+{{%- set line_regex = prefix_regex + "{{\"" + parameter + "\"| regex_escape }}" + separator_regex -%}}
 {{%- set find_when = dir_exists + ".stat.isdir is defined and " + dir_exists + ".stat.isdir" -%}}
 {{%- set lineinfile_items = "{{ " + dir_parameter + ".files }}" -%}}
 {{%- set lineinfile_when = dir_parameter + ".matched" -%}}
 {{%- set new_line = parameter + separator + value -%}}
 - name: '{{{ msg or rule_title }}}'
   block:
-    {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True, escape_regex=True)|indent }}}
-    {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1', escape_regex=True)|indent }}}
+    {{{ ansible_lineinfile("Check for duplicate values", config_file, regex=line_regex, create='no', state='absent', register='dupes', check_mode=True)|indent }}}
+    {{{ ansible_lineinfile("Deduplicate values from " + config_file, config_file, regex=line_regex, create='no', state='absent', when='dupes.found is defined and dupes.found > 1')|indent }}}
     {{{ ansible_stat("Check if " + config_dir + " exists", path=config_dir, register=dir_exists)|indent }}}
     {{{ ansible_find("Check if the parameter " + parameter + " is present in " + config_dir, paths=config_dir, contains=line_regex, register=dir_parameter, when=find_when)|indent }}}
-    {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when, escape_regex=True)|indent }}}
-    {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before, escape_regex=True)|indent }}}
+    {{{ ansible_lineinfile("Remove parameter from files in " + config_dir, path="{{ item.path }}", regex=line_regex, state="absent", with_items=lineinfile_items, when=lineinfile_when)|indent }}}
+    {{{ ansible_lineinfile("Insert correct line to " + set_file, set_file, regex=line_regex, new_line=new_line, create=create, state='present', validate=validate, insert_after=insert_after, insert_before=insert_before)|indent }}}
 {{%- endmacro %}}
 
 {{#
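Review bot: `parameter` is now spliced between escaped double quotes into an expression that Ansible evaluates at run time (the new `line_regex` assignment), so a parameter that itself contains `"` or `\` would break or change that string literal. Any caller that relied on passing a regex fragment as `parameter` also gets a literal match from now on; callers are not visible here, so this may be fine today. The contract is worth stating in the macro's `{{# ... #}}` doc comment, which sits above the hunk: `parameter is matched literally (Ansible applies regex_escape at run time) and must not contain " or \`. The same `line_regex` is also handed to `ansible_find(..., contains=line_regex, ...)`; whether that macro quotes the value so the embedded `{{ ... }}` survives YAML parsing cannot be told from this hunk and should be checked in a rendered playbook.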

From c29550ef26fc283ce5e72038fddf70aa716f4d1c Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 4 Nov 2021 08:53:42 -0500
Subject: [PATCH 5/5] Fix ansible-lint lint issues

---
 shared/macros-ansible.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 8e7ce1a1206..76f05e76b88 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -136,7 +136,7 @@ value: "Setting={{ varname1 }}"
 {{%- set var_dir = config_dir | replace("/", "_") | replace("-", "_") | replace(".", "_") -%}}
 {{%- set dir_exists = var_dir + "_exists" -%}}
 {{%- set dir_parameter = var_dir + "_has_parameter" -%}}
-{{%- set line_regex = prefix_regex + "{{\"" + parameter + "\"| regex_escape }}" + separator_regex -%}}
+{{%- set line_regex = prefix_regex + "{{ \"" + parameter + "\"| regex_escape }}" + separator_regex -%}}
 {{%- set find_when = dir_exists + ".stat.isdir is defined and " + dir_exists + ".stat.isdir" -%}}
 {{%- set lineinfile_items = "{{ " + dir_parameter + ".files }}" -%}}
 {{%- set lineinfile_when = dir_parameter + ".matched" -%}}