From b4291642f301c18b33ad9b722f0f26490bb55047 Mon Sep 17 00:00:00 2001
From: Matej Tyc
Date: Thu, 21 Jul 2022 16:42:41 +0200
Subject: [PATCH 1/3] Add platforms for partition existence
---
 shared/applicability/general.yml | 14 +++++++++++++
 .../checks/oval/installed_env_mounts_tmp.xml | 10 +++++++++
 .../oval/installed_env_mounts_var_tmp.xml | 10 +++++++++
 shared/macros/10-ansible.jinja | 5 +++++
 shared/macros/10-bash.jinja | 5 +++++
 shared/macros/10-oval.jinja | 21 +++++++++++++++++++
 6 files changed, 65 insertions(+)
 create mode 100644 shared/checks/oval/installed_env_mounts_tmp.xml
 create mode 100644 shared/checks/oval/installed_env_mounts_var_tmp.xml
diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index 2d23d753148..e2f5d04ce00 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -77,6 +77,20 @@ cpes:
 bash_conditional: {{{ bash_pkg_conditional("pam") }}}
 ansible_conditional: {{{ ansible_pkg_conditional("pam") }}}
 
+ - partition-var-tmp:
+ name: "cpe:/a:partition-var-tmp"
+ title: "There is a /var/tmp partition"
+ check_id: installed_env_mounts_var_tmp
+ bash_conditional: {{{ bash_partition_conditional("/var/tmp") }}}
+ ansible_conditional: {{{ ansible_partition_conditional("/var/tmp") }}}
+
+ - partition-tmp:
+ name: "cpe:/a:partition-tmp"
+ title: "There is a /tmp partition"
+ check_id: installed_env_mounts_tmp
+ bash_conditional: {{{ bash_partition_conditional("/tmp") }}}
+ ansible_conditional: {{{ ansible_partition_conditional("/tmp") }}}
+
 - polkit:
 name: "cpe:/a:polkit"
 title: "Package polkit is installed"
diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml
new file mode 100644
index 00000000000..c1bcd6b2431
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_tmp.xml
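Review bot: The titles `There is a /var/tmp partition` and `There is a /tmp partition` promise more than the conditionals verify: `bash_partition_conditional` runs `findmnt --mountpoint`, which succeeds for any filesystem mounted at that path (a tmpfs or a bind mount as much as a block-device partition), and the Ansible conditional matches `mount` entries the same way. Either the wording or the check should agree, since a profile author reading the CPE title may assume a dedicated partition is being verified. If mount-point semantics are the intent, `title: "/var/tmp is a separate mount point"` describes the platform accurately; the same applies to the partition-tmp entry.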
@@ -0,0 +1,10 @@
+
+
+ {{{ oval_metadata("", title="Partition /tmp exists", affected_platforms=[full_name]) }}}
+
+ {{{ partition_exists_criterion("/tmp") }}}
+
+
+
+ {{{ partition_exists_tos("/tmp") }}}
+
diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml
new file mode 100644
index 00000000000..a72f49c8a8f
--- /dev/null
+++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml
@@ -0,0 +1,10 @@
+
+
+ {{{ oval_metadata("", title="Partition /var/tmp exists", affected_platforms=[full_name]) }}}
+
+ {{{ partition_exists_criterion("/var/tmp") }}}
+
+
+
+ {{{ partition_exists_tos("/var/tmp") }}}
+
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 2d24f730d3f..478f0072bc7 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1439,3 +1439,8 @@ Part of the grub2_bootloader_argument_absent template.
 when:
 - result_pam_file_present.stat.exists
 {{%- endmacro -%}}
+
+
+{{%- macro ansible_partition_conditional(path) -%}}
+"ansible_facts.ansible_mounts | json_query(\"[?mount=='{{{ path }}}'].mount\") | length == 1"
+{{%- endmacro -%}}
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 94c3c6f9570..6a7fb165fd2 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -2085,3 +2085,8 @@ else
 echo "{{{ pam_file }}} was not found" >&2
 fi
 {{%- endmacro -%}}
+
+
+{{%- macro bash_partition_conditional(path) -%}}
+'findmnt --mountpoint "{{{ path }}}" > /dev/null'
+{{%- endmacro -%}}
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
index c8d7bbeffb7..1ec93b6ef7d 100644
--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
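Review bot: `oval_metadata("", title="Partition /tmp exists", ...)` passes an empty description, so the generated inventory definition carries a title but no description for anyone reading the compiled datastream; a one-liner such as `"A separate filesystem is mounted at /tmp"` as the first argument would fix that. Several `+` lines of this hunk are empty in this render, so the surrounding XML elements and the criterion/test wiring cannot be reviewed here. The same empty description appears in the installed_env_mounts_var_tmp.xml hunk.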
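Review bot: `ansible_facts.ansible_mounts` mixes the two fact namespaces — gathered facts live under `ansible_facts.mounts`, while the `ansible_`-prefixed name is the injected top-level variable — so this expression likely evaluates against an undefined key; please verify with a fact-gathering run. `json_query` also requires the jmespath library on the controller, whereas the core filters express the same test without it: `"ansible_facts.mounts | selectattr('mount', 'equalto', '{{{ path }}}') | list | length > 0"`. Using `> 0` rather than `== 1` additionally keeps the platform applicable when the same mount point is listed more than once, as can happen with overlay or bind mounts.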
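Review bot: `bash_partition_conditional` has no description, and its one line hides two things a caller needs to know: the result is a single-quoted shell expression, so `path` is interpolated verbatim and must not contain a single quote, and `findmnt --mountpoint` succeeds for any filesystem currently mounted at that path, not only a block-device partition. A short comment above the macro would capture both: `{{#- Shell conditional that succeeds when path is an active mount point (findmnt --mountpoint); path is embedded inside single quotes, so it must not contain one. -#}}`. The paths come from literals in general.yml today, so stating the quoting assumption is enough; no escaping is needed yet.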
@@ -926,3 +926,24 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- else %}} {{%- set user_list="nobody" %}} {{%- endif %}} + + +{{%- macro partition_exists_criterion(path) %}} +{{%- set escaped_path = path | replace("/", "_") %}} + +{{%- endmacro %}} + +{{%- macro partition_exists_tos(path) %}} +{{%- set escaped_path = path | replace("/", "_") %}} + + + {{#- #}} + + + + {{{ path }}} + +{{%- endmacro %}} From 704da46c44f50c93acbfe172212f1687763013b0 Mon Sep 17 00:00:00 2001 From: Matej Tyc Date: Thu, 21 Jul 2022 16:43:21 +0200 Subject: [PATCH 2/3] Use partition exist platforms on a real rule --- .../partitions/mount_option_var_tmp_nodev/rule.yml | 3 ++- .../mount_option_var_tmp_nodev/tests/notapplicable.pass.sh | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml index 8ee8c8b12e0..741d0973283 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml @@ -38,7 +38,8 @@ references: stigid@ol8: OL08-00-040132 stigid@rhel8: RHEL-08-040132 -platform: machine +platforms: + - machine and partition-var-tmp template: name: mount_option diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh new file mode 100644 index 00000000000..241c0103d82 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/tests/notapplicable.pass.sh 
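Review bot: Replacing `platform: machine` with `machine and partition-var-tmp` turns a host without a separate /var/tmp mount point from a fail into a notapplicable result for this rule, which a profile consumer may read as compliant even though the `nodev` option is not enforced anywhere. That is only safe when the profile also selects a rule requiring the /var/tmp partition to exist (partition_for_var_tmp, if that is the id used here), and the dependency is not recorded anywhere in the hunk. A comment next to the new key would make it explicit, e.g. `# Not applicable without a /var/tmp mount point; profiles should pair this rule with the one requiring a separate /var/tmp partition.` The rest of rule.yml (description, template parameters) lies outside the hunk.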
@@ -0,0 +1,5 @@ +#!/bin/bash + +. $SHARED/partition.sh + +clean_up_partition /var/tmp # Remove the partition from the system, and unmount it From 7b3c9eb40d362ffcfda542cc2b267bce13e25d5a Mon Sep 17 00:00:00 2001 From: Matej Tyc Date: Wed, 10 Aug 2022 11:32:38 +0200 Subject: [PATCH 3/3] Improve code style - Improve description of OVAL macro - Use the escape_id filter to produce IDs --- shared/checks/oval/installed_env_mounts_tmp.xml | 2 +- shared/checks/oval/installed_env_mounts_var_tmp.xml | 2 +- shared/macros/10-oval.jinja | 7 +++---- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/shared/checks/oval/installed_env_mounts_tmp.xml b/shared/checks/oval/installed_env_mounts_tmp.xml index c1bcd6b2431..edd8ad050f5 100644 --- a/shared/checks/oval/installed_env_mounts_tmp.xml +++ b/shared/checks/oval/installed_env_mounts_tmp.xml @@ -6,5 +6,5 @@ - {{{ partition_exists_tos("/tmp") }}} + {{{ partition_exists_test_object("/tmp") }}} diff --git a/shared/checks/oval/installed_env_mounts_var_tmp.xml b/shared/checks/oval/installed_env_mounts_var_tmp.xml index a72f49c8a8f..cf9aafbdb04 100644 --- a/shared/checks/oval/installed_env_mounts_var_tmp.xml +++ b/shared/checks/oval/installed_env_mounts_var_tmp.xml @@ -6,5 +6,5 @@ - {{{ partition_exists_tos("/var/tmp") }}} + {{{ partition_exists_test_object("/var/tmp") }}} diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 1ec93b6ef7d..f302091f7df 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -929,18 +929,17 @@ Generates the :code:`` tag for OVAL check using correct product platfo {{%- macro partition_exists_criterion(path) %}} -{{%- set escaped_path = path | replace("/", "_") %}} +{{%- set escaped_path = path | escape_id %}} {{%- endmacro %}} -{{%- macro partition_exists_tos(path) %}} -{{%- set escaped_path = path | replace("/", "_") %}} +{{%- macro partition_exists_test_object(path) %}} +{{%- set escaped_path = path | escape_id %}} - {{#- #}}
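Review bot: The scenario depends on `clean_up_partition /var/tmp` succeeding, but the script has no `set -e` and does not check the result, so if the unmount fails the partition stays mounted, the rule is evaluated in its applicable state, and the mismatch with the expected notapplicable outcome is hard to attribute. A guard after the call makes that failure visible: `findmnt --mountpoint /var/tmp > /dev/null && { echo "/var/tmp is still mounted" >&2; exit 1; }`. The sourced path should also be quoted, `. "$SHARED/partition.sh"`, to match the harness's other scripts if `$SHARED` ever contains spaces.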