From 48a361a41eff571e8c0d6f8c759c56d41cec5c5a Mon Sep 17 00:00:00 2001 
From: vojtapolasek Date: Tue, 2 Aug 2022 13:21:45 +0200 Subject: [PATCH 3/8] Merge pull request #9147 from jan-cerny/rhbz2081728 Patch-name: scap-security-guide-0.1.64-update_sysctl_template_with_multivalue_compliance-PR_9147.patch Patch-status: Refresh BPF related rules in RHEL 9 OSPP profile --- docs/templates/template_reference.md | 24 +- .../rule.yml | 82 +++++++ .../tests/system_default.pass.sh | 5 + .../tests/test_config.yml | 6 + .../tests/value_0.fail.sh | 11 + .../tests/value_1.pass.sh | 11 + .../tests/value_2.pass.sh | 11 + ...kernel_unprivileged_bpf_disabled_value.var | 18 ++ products/rhel9/profiles/ospp.profile | 4 +- .../oval/sysctl_kernel_ipv6_disable.xml | 4 +- shared/references/cce-redhat-avail.txt | 1 - shared/templates/sysctl/ansible.template | 2 +- shared/templates/sysctl/bash.template | 2 +- shared/templates/sysctl/oval.template | 213 +++++++++++------- shared/templates/sysctl/template.py | 24 +- 15 files changed, 316 insertions(+), 102 deletions(-) create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var 
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index a439e3dca9..e73b95450f 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -815,8 +815,28 @@ The selected value can be changed in the profile (consult the actual variable fo - **datatype** - data type of the sysctl value, eg. `int`. - - **sysctlval** - value of the sysctl value, eg. `'1'`. If this - parameter is not specified, XCCDF Value is used instead. + - **sysctlval** - value of the sysctl value. This can be either not + specified, or an atomic value, eg. `'1'`, or a list of values, + eg. `['1','2']`. + - If this parameter is not specified, an XCCDF Value is used instead + in OVAL check and remediations. The XCCDF Value should have a file + name in the form `"sysctl_" + $escaped_sysctlvar + "_value.var"`, + where the `escaped_sysctlvar` is a value of the **sysctlvar** + parameter in which all characters that don't match the `\w` regular + expression are replaced by an underscore (`_`). + - If this parameter is set to an atomic value, this atomic value + will be used in OVAL check and remediations. + - If this parameter is set to a list of values, the list will be used + in the OVAL check, but won't be used in the remediations. + All remediations will use an XCCDF value instead. + + - **wrong_sysctlval_for_testing** - the value that is always wrong. This + will be used in templated test scenarios when **sysctlval** is a list. + + - **missing_parameter_pass** - if set to `true` the check will pass if the + setting for the given **sysctlvar** is not present in sysctl + configuration files. In other words, the check will pass if the system + default isn't overriden by configuration. Default value: `false`. - **operation** - operation used for comparison of collected object with **sysctlval**. Default value: `equals`. 
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml new file mode 100644 index 0000000000..259d1f901c --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/rule.yml @@ -0,0 +1,82 @@ +documentation_complete: true + +prodtype: rhel9 + +title: 'Disable Access to Network bpf() Syscall From Unprivileged Processes' + +description: |- + To prevent unprivileged processes from using the bpf() syscall + the kernel.unprivileged_bpf_disabled kernel parameter must + be set to 1 or 2. + + Writing 1 to this entry will disable unprivileged calls to bpf(); once + disabled, calling bpf() without CAP_SYS_ADMIN or CAP_BPF will return -EPERM. + Once set to 1, this can't be cleared from the running kernel anymore. + + {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} + + Writing 2 to this entry will also disable unprivileged calls to bpf(), + however, an admin can still change this setting later on, if needed, by + writing 0 or 1 to this entry. + + {{{ describe_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="2") }}} + +rationale: |- + Loading and accessing the packet filters programs and maps using the bpf() + syscall has the potential of revealing sensitive information about the kernel state. + +severity: medium + +identifiers: + cce@rhel9: CCE-87712-6 + +references: + disa: CCI-000366 + nist: AC-6,SC-7(10) + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227 + +ocil: |- + The runtime status of the kernel.unprivileged_bpf_disabled + kernel parameter can be queried by running the following command: +
$ sysctl kernel.unprivileged_bpf_disabled
+ The output of the command should indicate either: + kernel.unprivileged_bpf_disabled = 1 + or: + kernel.unprivileged_bpf_disabled = 2 + The output of the command should not indicate: + kernel.unprivileged_bpf_disabled = 0 + + The preferable way how to assure the runtime compliance is to have + correct persistent configuration, and rebooting the system. + + The persistent kernel parameter configuration is performed by specifying the appropriate + assignment in any file located in the
/etc/sysctl.d
directory. + Verify that there is not any existing incorrect configuration by executing the following command: +
$ grep -r '^\s*{{{ sysctl }}}\s*=' /etc/sysctl.conf /etc/sysctl.d
+ The command should not find any assignments other than: + kernel.unprivileged_bpf_disabled = 1 + or: + kernel.unprivileged_bpf_disabled = 2 + + Duplicate assignments are not allowed. Empty output is allowed, because the system default is 2. + +ocil_clause: "the kernel.unprivileged_bpf_disabled is not set to 1 or 2 or is configured to be 0" + +fixtext: |- + Configure {{{ full_name }}} to prevent privilege escalation through the kernel by disabling access to the bpf syscall. + +srg_requirement: '{{{ full_name }}} must disable access to network bpf syscall from unprivileged processes.' + +platform: machine + +template: + name: sysctl + vars: + sysctlvar: kernel.unprivileged_bpf_disabled + sysctlval: + - '1' + - '2' + wrong_sysctlval_for_testing: "0" + missing_parameter_pass: "true" + datatype: int diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh new file mode 100644 index 0000000000..b9776227bd --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/system_default.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 9 + +# Clean sysctl config directories +rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml new file mode 100644 index 0000000000..5cf6807405 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/test_config.yml 
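Review bot: The `ocil` grep command references `{{{ sysctl }}}`, a name that looks copied from the body of the `describe_sysctl_option_value(sysctl=...)` macro rather than anything this rule defines (the rule's own template variable is `sysctlvar`); if it renders empty, the verification command degrades to `grep -r '^\s*\s*=' /etc/sysctl.conf /etc/sysctl.d`, which matches every assignment in those files. The surrounding ocil lines spell the parameter out literally, so this line should too: `$ grep -r '^\s*kernel.unprivileged_bpf_disabled\s*=' /etc/sysctl.conf /etc/sysctl.d`. Whether the build's jinja environment renders an undefined name as empty or fails the build is not visible here.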
@@ -0,0 +1,6 @@ +deny_templated_scenarios: + # this rule uses missing_parameter_pass: true which means the check should pass + # if the configuration is missing (or commented out) therefore we disable + # line_not_there.fail.sh and comment.fail.sh test scenarios + - line_not_there.fail.sh + - comment.fail.sh diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh new file mode 100644 index 0000000000..9f19e0140b --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_0.fail.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 9 + +# Clean sysctl config directories +rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* + +sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf +echo "kernel.unprivileged_bpf_disabled = 0" >> /etc/sysctl.conf + +# set correct runtime value to check if the filesystem configuration is evaluated properly +sysctl -w kernel.unprivileged_bpf_disabled="0" diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh new file mode 100644 index 0000000000..e976db594c --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_1.pass.sh 
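Review bot: In value_0.fail.sh the comment `# set correct runtime value to check if the filesystem configuration is evaluated properly` is copied from the pass scenarios, but the line below it writes the failing value 0, so the comment contradicts the script; `# set the wrong runtime value too, so the failure is reported for both configuration and runtime` describes what this scenario actually does. The rule description added in this same commit states that once the sysctl is set to 1 it cannot be cleared from the running kernel, so `sysctl -w kernel.unprivileged_bpf_disabled="0"` will be rejected if an earlier scenario left the kernel at 1; that is only harmless if every scenario starts from a fresh snapshot, which cannot be confirmed from the hunk.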
@@ -0,0 +1,11 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 9 + +# Clean sysctl config directories +rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* + +sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf +echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.conf + +# set correct runtime value to check if the filesystem configuration is evaluated properly +sysctl -w kernel.unprivileged_bpf_disabled="1" diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh new file mode 100644 index 0000000000..b1537175eb --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_accept_default/tests/value_2.pass.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 9 + +# Clean sysctl config directories +rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/* + +sed -i "/kernel.unprivileged_bpf_disabled/d" /etc/sysctl.conf +echo "kernel.unprivileged_bpf_disabled = 2" >> /etc/sysctl.conf + +# set correct runtime value to check if the filesystem configuration is evaluated properly +sysctl -w kernel.unprivileged_bpf_disabled="2" diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var new file mode 100644 index 0000000000..b8bf965a25 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled_value.var @@ -0,0 +1,18 @@ +documentation_complete: true + +title: kernel.unprivileged_bpf_disabled + +description: |- + Prevent unprivileged processes from using the bpf() syscall. + +type: number + +operator: equals + +interactive: false + +options: + default: 2 + 0: "0" + 1: "1" + 2: "2" 
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile index feb96501a9..f27f961a7a 100644 --- a/products/rhel9/profiles/ospp.profile +++ b/products/rhel9/profiles/ospp.profile @@ -74,8 +74,8 @@ selections: - sysctl_kernel_yama_ptrace_scope - sysctl_kernel_perf_event_paranoid - sysctl_user_max_user_namespaces - - sysctl_kernel_unprivileged_bpf_disabled - - sysctl_net_core_bpf_jit_harden + - sysctl_kernel_unprivileged_bpf_disabled_accept_default + - sysctl_kernel_unprivileged_bpf_disabled_value=2 - service_kdump_disabled ### Audit diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml index 1195cea518..f971d28a04 100644 --- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml @@ -19,8 +19,8 @@ - - + + diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index fb2f59fd09..a613a152ae 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1443,7 +1443,6 @@ CCE-87708-4 CCE-87709-2 CCE-87710-0 CCE-87711-8 -CCE-87712-6 CCE-87713-4 CCE-87714-2 CCE-87715-9 diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index c13bb6637f..edc4d3fb66 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template @@ -21,7 +21,7 @@ replace: '#{{{ SYSCTLVAR }}}' loop: "{{ find_sysctl_d.files }}" -{{%- if SYSCTLVAL == "" %}} +{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} - (xccdf-var sysctl_{{{ SYSCTLID }}}_value) - name: Ensure sysctl {{{ SYSCTLVAR }}} is set diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template index d67a59c388..cd3424b022 100644 --- a/shared/templates/sysctl/bash.template +++ b/shared/templates/sysctl/bash.template 
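Review bot: The selection `sysctl_net_core_bpf_jit_harden` is dropped from the OSPP profile in this hunk, but neither the subject ("Refresh BPF related rules in RHEL 9 OSPP profile") nor the patch description records why the JIT hardening sysctl is no longer required; a one-line comment next to the replaced selections, e.g. `# bpf_jit_harden removed: <reason> (PR #9147)`, or a sentence in the description would keep the rationale with the change. The replacement pair `sysctl_kernel_unprivileged_bpf_disabled_accept_default` plus `sysctl_kernel_unprivileged_bpf_disabled_value=2` is consistent with the new rule's `sysctlval` list of 1 and 2 and with the variable's default of 2, so the profile still enforces the sysctl at runtime while accepting the kernel default in configuration.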
@@ -20,7 +20,7 @@ for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do fi done -{{%- if SYSCTLVAL == "" %}} +{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} {{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}} # diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template index 74583dbee1..1a7c4979bb 100644 --- a/shared/templates/sysctl/oval.template +++ b/shared/templates/sysctl/oval.template @@ -1,12 +1,20 @@ {{%- if SYSCTLVAL == "" %}} {{%- set COMMENT_VALUE="the appropriate value" %}} +{{%- elif SYSCTLVAL is sequence %}} +{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}} {{%- else %}} {{%- set COMMENT_VALUE=SYSCTLVAL %}} {{%- endif %}} {{% macro state_static_sysctld(prefix) -%}} - - + +{{% if SYSCTLVAL is string %}} + +{{% elif SYSCTLVAL is sequence %}} +{{% for x in SYSCTLVAL %}} + +{{% endfor %}} +{{% endif %}} {{%- endmacro -%}} {{%- macro sysctl_match() -%}} {{%- if SYSCTLVAL == "" -%}} @@ -20,13 +28,13 @@ {{%- if "P" in FLAGS -%}} - + {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}} + definition_ref="{{{ rule_id }}}_static"/> + definition_ref="{{{ rule_id }}}_runtime"/> @@ -34,7 +42,7 @@ {{%- elif "I" in FLAGS -%}} - + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}} {{% if product in ["ubuntu1604", "ubuntu1804"] %}} @@ -46,9 +54,9 @@ {{% endif %}} + definition_ref="{{{ rule_id }}}_static"/> + definition_ref="{{{ rule_id }}}_runtime"/> 
@@ -58,33 +66,41 @@ {{%- if "R" in FLAGS -%}} - + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}} + test_ref="test_{{{ rule_id }}}_runtime"/> - - - + check="all" check_existence="all_exist" state_operator="OR"> + +{{% if SYSCTLVAL is string %}} + +{{% elif SYSCTLVAL is sequence %}} +{{% for x in SYSCTLVAL %}} + +{{% endfor %}} +{{% endif %}} - + {{{ SYSCTLVAR }}} +{{% if SYSCTLVAL is string %}} {{% if SYSCTLVAL == "" %}} - + + var_ref="{{{ rule_id }}}_value"/> - {{%- else %}} - + {{% if OPERATION == "pattern match" %}} {{{ SYSCTLVAL_REGEX }}} 
@@ -94,133 +110,156 @@ {{% endif %}} {{%- endif %}} +{{% elif SYSCTLVAL is sequence %}} +{{% for x in SYSCTLVAL %}} + + {{{ x }}} + +{{% endfor %}} +{{% endif %}} {{%- endif -%}} {{%- if "S" in FLAGS -%}} - + {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}} +{{% if MISSING_PARAMETER_PASS == "true" %}} + +{{% endif %}} + test_ref="test_{{{ rule_id }}}_static"/> + test_ref="test_{{{ rule_id }}}_static_etc_sysctld"/> + test_ref="test_{{{ rule_id }}}_static_run_sysctld"/> {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} + test_ref="test_{{{ rule_id }}}_static_usr_lib_sysctld"/> {{% endif %}} {{% if target_oval_version >= [5, 11] %}} - + {{% endif %}} +{{% if MISSING_PARAMETER_PASS == "true" %}} + + +{{% endif %}} - + + +{{% endif %}} + + {{{ state_static_sysctld("sysctl") }}} - + {{{ state_static_sysctld("etc_sysctld") }}} - + {{{ state_static_sysctld("run_sysctld") }}} {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - + comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR"> {{{ state_static_sysctld("usr_lib_sysctld") }}} {{% endif %}} {{% if target_oval_version >= [5, 11] %}} - - + id="test_{{{ rule_id }}}_defined_in_one_file" version="1"> + + - - local_var_unique_sysctl_{{{ SYSCTLID }}}_counter + + local_var_{{{ rule_id }}}_counter - + 1 - + - + - + - object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}} - state_{{{ SYSCTLID }}}_filepath_is_symlink + object_{{{ rule_id }}}_static_set_sysctls_unfiltered + state_{{{ rule_id }}}_filepath_is_symlink - - + + - + - + - + - + - var_obj_symlink_{{{ SYSCTLID }}} - var_obj_blank_{{{ SYSCTLID }}} + var_obj_symlink_{{{ rule_id }}} + var_obj_blank_{{{ rule_id }}} - - local_var_blank_path_{{{ SYSCTLID }}} + + local_var_blank_path_{{{ rule_id }}} - + - - local_var_symlinks_{{{ SYSCTLID }}} + + local_var_symlinks_{{{ rule_id }}} - + 
- + - + - - - state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}} + + + state_symlink_points_outside_usual_dirs_{{{ rule_id }}} - + ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ {{% endif %}} - - + + - + - object_static_etc_sysctls_{{{ SYSCTLID }}} - object_static_run_usr_sysctls_{{{ SYSCTLID }}} + object_static_etc_sysctls_{{{ rule_id }}} + object_static_run_usr_sysctls_{{{ rule_id }}} - + - object_static_sysctl_{{{ SYSCTLID }}} - object_static_etc_sysctld_{{{ SYSCTLID }}} + object_static_sysctl_{{{ rule_id }}} + object_static_etc_sysctld_{{{ rule_id }}} - + - object_static_run_sysctld_{{{ SYSCTLID }}} + object_static_run_sysctld_{{{ rule_id }}} {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - object_static_usr_lib_sysctld_{{{ SYSCTLID }}} + object_static_usr_lib_sysctld_{{{ rule_id }}} {{% endif %}} - + /etc/sysctl.conf {{{ sysctl_match() }}} - + /etc/sysctl.d ^.*\.conf$ {{{ sysctl_match() }}} - + /run/sysctl.d ^.*\.conf$ {{{ sysctl_match() }}} {{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}} - + /usr/lib/sysctl.d ^.*\.conf$ {{{ sysctl_match() }}} {{% endif %}} +{{% if SYSCTLVAL is string %}} {{% if SYSCTLVAL == "" %}} - - + - {{% else %}} - + {{% if OPERATION == "pattern match" %}} {{{ SYSCTLVAL_REGEX }}} {{% else %}} @@ -304,5 +344,12 @@ {{% endif %}} {{% endif %}} +{{% elif SYSCTLVAL is sequence %}} +{{% for x in SYSCTLVAL %}} + + {{{ x }}} + +{{% endfor %}} +{{% endif %}} {{%- endif -%}} diff --git a/shared/templates/sysctl/template.py b/shared/templates/sysctl/template.py index fa981a9dce..9083a6a418 100644 --- a/shared/templates/sysctl/template.py +++ b/shared/templates/sysctl/template.py 
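Review bot: `{{% if MISSING_PARAMETER_PASS == "true" %}}` compares against the literal string "true", so the new pass-when-absent criterion is only emitted when the rule quotes the value the way the new rule.yml does (`missing_parameter_pass: "true"`); an unquoted `true` is loaded by YAML as a boolean and, depending on how the template layer stringifies it, the criterion could be silently omitted with no error. Normalising the flag once in `preprocess()` in template.py, e.g. `data["missing_parameter_pass"] = str(data.get("missing_parameter_pass", "false")).lower()`, would make both spellings behave the same; the documentation hunk describes the parameter as "set to `true`" without mentioning quoting. The XML element names of this hunk were stripped in this rendering, so the criteria structure itself could not be reviewed here.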
@@ -11,8 +11,19 @@ def preprocess(data, lang): data["flags"] = "SR" + ipv6_flag if "operation" not in data: data["operation"] = "equals" + if isinstance(data["sysctlval"], list) and len(data["sysctlval"]) == 0: + raise ValueError( + "The sysctlval parameter of {0} is an empty list".format( + data["_rule_id"])) # Configure data for test scenarios + if data["datatype"] not in ["string", "int"]: + raise ValueError( + "Test scenarios for data type '{0}' are not implemented yet.\n" + "Please check if rule '{1}' has correct data type and edit " + "{2} to add tests for it.".format( + data["datatype"], data["_rule_id"], __file__)) + if data["sysctlval"] == "": if data["datatype"] == "int": data["sysctl_correct_value"] = "0" @@ -20,20 +31,13 @@ def preprocess(data, lang): elif data["datatype"] == "string": data["sysctl_correct_value"] = "correct_value" data["sysctl_wrong_value"] = "wrong_value" - else: - raise ValueError( - "Test scenarios for data type '{0}' are not implemented yet.\n" - "Please check if rule '{1}' has correct data type and edit " - "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) + elif isinstance(data["sysctlval"], list): + data["sysctl_correct_value"] = data["sysctlval"][0] + data["sysctl_wrong_value"] = data["wrong_sysctlval_for_testing"] else: data["sysctl_correct_value"] = data["sysctlval"] if data["datatype"] == "int": data["sysctl_wrong_value"] = "1" + data["sysctlval"] elif data["datatype"] == "string": data["sysctl_wrong_value"] = "wrong_value" - else: - raise ValueError( - "Test scenarios for data type '{0}' are not implemented yet.\n" - "Please check if rule '{1}' has correct data type and edit " - "{2} to add tests for it.".format(data["datatype"], data["_rule_id"], __file__)) return data -- 2.37.1
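Review bot: In the second hunk the new list branch reads `data["wrong_sysctlval_for_testing"]` with plain indexing, so a rule that gives `sysctlval` as a list but omits `wrong_sysctlval_for_testing` fails with a bare `KeyError` that names neither the rule nor the parameter, unlike the empty-list case the first hunk guards with a descriptive `ValueError`. Guard it the same way, unless template.yml already supplies a default (not visible here): `if "wrong_sysctlval_for_testing" not in data: raise ValueError("wrong_sysctlval_for_testing is required when sysctlval of {0} is a list".format(data["_rule_id"]))`. Hoisting the datatype check ahead of the branches removes the two duplicated `else` clauses cleanly. `preprocess()` starts before the first hunk; its `return data` is the last line shown.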