|
|
05062e |
From e826795667e319a336ccbfe0919c044766801cb8 Mon Sep 17 00:00:00 2001
|
|
|
05062e |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
05062e |
Date: Fri, 17 Jan 2020 10:49:36 +0100
|
|
|
05062e |
Subject: [PATCH 1/7] Added lineinfile shell assignment support to our macros.
|
|
|
05062e |
|
|
|
05062e |
---
|
|
|
05062e |
shared/macros-ansible.jinja | 20 +++++++++++++++++++
|
|
|
05062e |
shared/macros-bash.jinja | 26 +++++++++++++++++++++++++
|
|
|
05062e |
shared/macros-oval.jinja | 39 ++++++++++++++++++++++++++++++++-----
|
|
|
05062e |
3 files changed, 80 insertions(+), 5 deletions(-)
|
|
|
05062e |
|
|
|
05062e |
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
|
|
05062e |
index 3e4a441225..c42a5156ce 100644
|
|
|
05062e |
--- a/shared/macros-ansible.jinja
|
|
|
05062e |
+++ b/shared/macros-ansible.jinja
|
|
|
05062e |
@@ -141,6 +141,26 @@
|
|
|
05062e |
{{{ ansible_set_config_file(msg, "/etc/ssh/sshd_config", parameter, value=value, create="yes", prefix_regex='(?i)^\s*', validate="/usr/sbin/sshd -t -f %s", insert_before="^[#\s]*Match") }}}
|
|
|
05062e |
{{%- endmacro %}}
|
|
|
05062e |
|
|
|
05062e |
+{{#
|
|
|
05062e |
+ High level macro to set a value in a shell-related file that contains var assignments. This
|
|
|
05062e |
+ takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
|
|
|
05062e |
+ in the configuration file, and the value to set it to. We specify a case
|
|
|
05062e |
+ sensitive comparison in the prefix since this is used to deduplicate since
|
|
|
05062e |
+ We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
|
|
|
05062e |
+#}}
|
|
|
05062e |
+{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
|
|
|
05062e |
+{{% if no_quotes -%}}
|
|
|
05062e |
+{{%- else -%}}
|
|
|
05062e |
+{{%- set quotes = "\"'" -%}}
|
|
|
05062e |
+ {{% if "$" in value %}}
|
|
|
05062e |
+ {{% set value = '"%s"' % value %}}
|
|
|
05062e |
+ {{% else %}}
|
|
|
05062e |
+ {{% set value = "'%s'" % value %}}
|
|
|
05062e |
+ {{% endif %}}
|
|
|
05062e |
+{{%- endif -%}}
|
|
|
05062e |
+{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
|
|
|
05062e |
+{{%- endmacro %}}
|
|
|
05062e |
+
|
|
|
05062e |
{{#
|
|
|
05062e |
High level macro to set a command in tmux configuration file /etc/tmux.conf.
|
|
|
05062e |
Parameters:
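Review bot: `ansible_shell_set` interpolates `value` straight into the quoted assignment (`'"%s"' % value` when it contains `$`, `"'%s'" % value` otherwise) without escaping an embedded `"`, `\` or `'`, so a value containing one of those yields a line that is not the intended assignment, and the `bash -n` validation only rejects it when the result happens to be a syntax error. Escaping those characters here, or rejecting such values up front in the `shell_lineinfile` template function (which currently rejects only wholly quoted values), would close the gap; the rewrite of this macro in PATCH 5/7 keeps the same `'"%s"' % value` interpolation. Separately, `validate="/usr/bin/bash -n %s"` hard-codes a path that may be absent on systems without a merged `/usr`, where bash lives only in `/bin`, which matters because the template is marked `multi_platform_all`; `/bin/bash -n %s` is the more portable spelling. The empty `{{% if no_quotes -%}}` branch followed by `{{%- else -%}}` reads more directly as `{{% if not no_quotes -%}}` with a single body.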
|
|
|
05062e |
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
|
|
05062e |
index 43200bdd8a..6c0bb2facc 100644
|
|
|
05062e |
--- a/shared/macros-bash.jinja
|
|
|
05062e |
+++ b/shared/macros-bash.jinja
|
|
|
05062e |
@@ -1,5 +1,31 @@
|
|
|
05062e |
{{# ##### High level macros ##### #}}
|
|
|
05062e |
|
|
|
05062e |
+{{%- macro bash_shell_file_set(path, parameter, value, no_quotes=false) -%}}
|
|
|
05062e |
+{{% if no_quotes -%}}
|
|
|
05062e |
+ {{% if "$" in value %}}
|
|
|
05062e |
+ {{% set value = '%s' % value.replace("$", "\\$") %}}
|
|
|
05062e |
+ {{% endif %}}
|
|
|
05062e |
+{{%- else -%}}
|
|
|
05062e |
+ {{% if "$" in value %}}
|
|
|
05062e |
+ {{% set value = '\\"%s\\"' % value.replace("$", "\\$") %}}
|
|
|
05062e |
+ {{% else %}}
|
|
|
05062e |
+ {{% set value = "'%s'" % value %}}
|
|
|
05062e |
+ {{% endif %}}
|
|
|
05062e |
+{{%- endif -%}}
|
|
|
05062e |
+{{{ set_config_file(
|
|
|
05062e |
+ path=path,
|
|
|
05062e |
+ parameter=parameter,
|
|
|
05062e |
+ value=value,
|
|
|
05062e |
+ create=true,
|
|
|
05062e |
+ insert_after="",
|
|
|
05062e |
+ insert_before="^Match",
|
|
|
05062e |
+ insensitive=false,
|
|
|
05062e |
+ separator="=",
|
|
|
05062e |
+ separator_regex="=",
|
|
|
05062e |
+ prefix_regex="^\s*")
|
|
|
05062e |
+ }}}
|
|
|
05062e |
+{{%- endmacro -%}}
|
|
|
05062e |
+
|
|
|
05062e |
{{%- macro bash_sshd_config_set(parameter, value) -%}}
|
|
|
05062e |
{{{ set_config_file(
|
|
|
05062e |
path="/etc/ssh/sshd_config",
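Review bot: In `bash_shell_file_set` the single-quote branch `"'%s'" % value` does not escape a `'` inside `value`, and the double-quote branch `'\\"%s\\"' % value.replace("$", "\\$")` escapes only `$`, not `"`, `\` or backquote, so such values produce a broken or differently-interpreted assignment once the file is sourced. Either escape them (for the single-quote case the usual `'\''` splice) or reject them up front, as the template function already does for wholly quoted values. Whether the `\\$` and `\\"` escapes are consumed by the way `set_config_file` writes the line cannot be seen from this hunk — the bats cases in PATCH 2/7 expect `something="$value"` in the file, so presumably the line passes through a double-quoted shell context; a one-line comment above the `{{% if no_quotes -%}}` stating that assumption would save the next reader the same investigation.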
|
|
|
05062e |
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
|
|
|
05062e |
index 2049a24d6e..696cf36db0 100644
|
|
|
05062e |
--- a/shared/macros-oval.jinja
|
|
|
05062e |
+++ b/shared/macros-oval.jinja
|
|
|
05062e |
@@ -17,8 +17,9 @@
|
|
|
05062e |
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
|
|
05062e |
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
|
|
|
05062e |
- section (String): If set, the parameter will be checked only within the given section defined by [section].
|
|
|
05062e |
+ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
|
|
|
05062e |
#}}
|
|
|
05062e |
-{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='') -%}}
|
|
|
05062e |
+{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
|
|
|
05062e |
<def-group>
|
|
|
05062e |
<definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
|
05062e |
<metadata>
|
|
|
05062e |
@@ -60,7 +61,7 @@
|
|
|
05062e |
</definition>
|
|
|
05062e |
{{{ oval_line_in_file_test(path, parameter) }}}
|
|
|
05062e |
{{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, false, multi_value) }}}
|
|
|
05062e |
- {{{ oval_line_in_file_state(value, multi_value) }}}
|
|
|
05062e |
+ {{{ oval_line_in_file_state(value, multi_value, quotes) }}}
|
|
|
05062e |
{{%- if missing_parameter_pass %}}
|
|
|
05062e |
{{{ oval_line_in_file_test(path, parameter, missing_parameter_pass) }}}
|
|
|
05062e |
{{{ oval_line_in_file_object(path, section, prefix_regex, parameter, separator_regex, missing_parameter_pass, multi_value) }}}
|
|
|
05062e |
@@ -173,12 +174,21 @@
|
|
|
05062e |
This macro can take two parameters:
|
|
|
05062e |
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
|
|
|
05062e |
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
|
|
05062e |
+ - quotes (String): If non-empty, one level of matching quotes is considered when checking the value. Specify one or more quote types as a string.
|
|
|
05062e |
+ For example, for shell quoting, specify quotes="'\""), which will make sure that value, 'value' and "value" are matched, but 'value" or '"value"' won't be.
|
|
|
05062e |
#}}
|
|
|
05062e |
-{{%- macro oval_line_in_file_state(value='', multi_value='') -%}}
|
|
|
05062e |
+{{%- macro oval_line_in_file_state(value='', multi_value='', quotes='') -%}}
|
|
|
05062e |
+{{%- set regex = value -%}}
|
|
|
05062e |
+{{%- if quotes != "" %}}
|
|
|
05062e |
+{{%- if "\\1" in value > 0 %}}
|
|
|
05062e |
+{{{ raise("The regex for matching '%s' already references capturing groups, which doesn't go well with quoting that adds a capturing group to the beginning." % value) }}}
|
|
|
05062e |
+{{%- endif %}}
|
|
|
05062e |
+{{%- set regex = "((?:%s)?)%s\\1" % ("|".join(quotes), regex) -%}}
|
|
|
05062e |
+{{%- endif %}}
|
|
|
05062e |
{{%- if multi_value %}}
|
|
|
05062e |
-{{%- set regex = "^.*\\b"+value+"\\b.*$" -%}}
|
|
|
05062e |
+{{%- set regex = "^.*\\b"+regex+"\\b.*$" -%}}
|
|
|
05062e |
{{%- else %}}
|
|
|
05062e |
-{{%- set regex = "^"+value+"$" -%}}
|
|
|
05062e |
+{{%- set regex = "^"+regex+"$" -%}}
|
|
|
05062e |
{{%- endif %}}
|
|
|
05062e |
<ind:textfilecontent54_state id="state_{{{ rule_id }}}" version="1">
|
|
|
05062e |
<ind:subexpression datatype="string" operation="pattern match">{{{ regex }}}</ind:subexpression>
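Review bot: The guard `{{%- if "\\1" in value > 0 %}}` is a chained comparison, so when `value` does contain a backreference it goes on to evaluate `value > 0` and fails with a type error instead of reaching the intended `raise(...)`; when it does not, the comparison short-circuits and the `> 0` is dead code. It should read `{{%- if "\\1" in value %}}`. Also, with `multi_value` the `\b` anchors end up outside the optional quote group (`^.*\b((?:"|')?)VALUE\1\b.*$`), and since `=` and a quote character are both non-word characters there is no word boundary between them, so a quoted value cannot match in multi-value mode; building the multi-value form as `"^.*((?:%s)?)\\b%s\\b\\1.*$"` (boundaries inside the quotes) would fix that. None of the tests added in PATCH 2/7 covers `multi_value=true` together with quoting.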
|
|
|
05062e |
@@ -232,6 +242,25 @@
|
|
|
05062e |
{{{ oval_check_config_file("/etc/ssh/sshd_config", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]+', value=value, missing_parameter_pass=missing_parameter_pass, application="sshd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
|
|
|
05062e |
{{%- endmacro %}}
|
|
|
05062e |
|
|
|
05062e |
+{{#
|
|
|
05062e |
+ High level macro to check if a particular shell variable is set.
|
|
|
05062e |
+ This macro can take five parameters:
|
|
|
05062e |
+ - path (String): Path to the file.
|
|
|
05062e |
+ - parameter (String): The shell variable name.
|
|
|
05062e |
+ - value (String): The variable value WITHOUT QUOTES.
|
|
|
05062e |
+ - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
|
|
|
05062e |
+ - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
|
|
|
05062e |
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
|
|
|
05062e |
+#}}
|
|
|
05062e |
+{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
|
|
|
05062e |
+{{% if no_quotes -%}}
|
|
|
05062e |
+{{%- set quotes = "" -%}}
|
|
|
05062e |
+{{%- else -%}}
|
|
|
05062e |
+{{%- set quotes = "\"'" -%}}
|
|
|
05062e |
+{{%- endif -%}}
|
|
|
05062e |
+{{{ oval_check_config_file(path, prefix_regex="^[ \\t]*", parameter=parameter, separator_regex='=', value=value, missing_parameter_pass=missing_parameter_pass, application=application, multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, quotes=quotes) }}}
|
|
|
05062e |
+{{%- endmacro %}}
|
|
|
05062e |
+
|
|
|
05062e |
{{#
|
|
|
05062e |
High level macro to check if a particular combination of parameter and value in the Audit daemon configuration file is set.
|
|
|
05062e |
This function can take five parameters:
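Review bot: The comment for `oval_check_shell_file` says `This macro can take five parameters:` while the signature accepts eight, and neither `no_quotes` nor `application` is described even though `no_quotes` changes what the check matches; the wording fix to this same comment in PATCH 5/7 (hunk `@@ -250,7 +250,7 @@` of shared/macros-oval.jinja) leaves both gaps. Suggested additions: `- no_quotes (boolean): If set, only an unquoted assignment matches; otherwise the value may also be wrapped in one level of matching single or double quotes.` and `- application (String): Forwarded unchanged to oval_check_config_file.`, with the count corrected to eight.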
|
|
|
05062e |
|
|
|
05062e |
From a7281779e424a0b481e1b08ca01d2ebd1af2e834 Mon Sep 17 00:00:00 2001
|
|
|
05062e |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
05062e |
Date: Fri, 17 Jan 2020 10:50:16 +0100
|
|
|
05062e |
Subject: [PATCH 2/7] Added tests for shell lineinfile.
|
|
|
05062e |
|
|
|
05062e |
---
|
|
|
05062e |
tests/test_macros_oval.py | 142 ++++++++++++++++++
|
|
|
05062e |
.../unit/bash/test_set_config_file.bats.jinja | 56 +++++++
|
|
|
05062e |
2 files changed, 198 insertions(+)
|
|
|
05062e |
|
|
|
05062e |
diff --git a/tests/test_macros_oval.py b/tests/test_macros_oval.py
|
|
|
05062e |
index 65a88ba7b4..8acae8548b 100755
|
|
|
05062e |
--- a/tests/test_macros_oval.py
|
|
|
05062e |
+++ b/tests/test_macros_oval.py
|
|
|
05062e |
@@ -896,6 +896,148 @@ def main():
|
|
|
05062e |
"[vehicle]\nspeed =\n100",
|
|
|
05062e |
"false"
|
|
|
05062e |
)
|
|
|
05062e |
+ tester.test(
|
|
|
05062e |
+ "SHELL commented out",
|
|
|
05062e |
+ r"""{{{ oval_check_shell_file(
|
|
|
05062e |
+ path='CONFIG_FILE',
|
|
|
05062e |
+ parameter='SHELL',
|
|
|
05062e |
+ value='/bin/bash',
|
|
|
05062e |
+ missing_parameter_pass=false,
|
|
|
05062e |
+ application='',
|
|
|
05062e |
+ multi_value=false,
|
|
|
05062e |
+ missing_config_file_fail=false,
|
|
|
05062e |
+ ) }}}""",
|
|
|
05062e |
+ "# SHELL=/bin/bash\n",
|
|
|
05062e |
+ "false"
|
|
|
05062e |
+ )
|
|
|
05062e |
+ tester.test(
|
|
|
05062e |
+ "SHELL correct",
|
|
|
05062e |
+ r"""{{{ oval_check_shell_file(
|
|
|
05062e |
+ path='CONFIG_FILE',
|
|
|
05062e |
+ parameter='SHELL',
|
|
|
05062e |
+ value='/bin/bash',
|
|
|
05062e |
+ missing_parameter_pass=false,
|
|
|
05062e |
+ application='',
|
|
|
05062e |
+ multi_value=false,
|
|
|
05062e |
+ missing_config_file_fail=false,
|
|
|
05062e |
+ ) }}}""",
|
|
|
05062e |
+ " SHELL=/bin/bash\n",
|
|
|
05062e |
+ "true"
|
|
|
05062e |
+ )
|
|
|
05062e |
+ tester.test(
|
|
|
05062e |
+ "SHELL single-quoted",
|
|
|
05062e |
+ r"""{{{ oval_check_shell_file(
|
|
|
05062e |
+ path='CONFIG_FILE',
|
|
|
05062e |
+ parameter='SHELL',
|
|
|
05062e |
+ value='/bin"/bash',
|
|
|
05062e |
+ missing_parameter_pass=false,
|
|
|
05062e |
+ application='',
|
|
|
05062e |
+ multi_value=false,
|
|
|
05062e |
+ missing_config_file_fail=false,
|
|
|
05062e |
+ ) }}}""",
|
|
|
05062e |
+ " SHELL='/bin\"/bash'\n",
|
|
|
05062e |
+ "true"
|
|
|
05062e |
+ )
|
|
|
05062e |
+ tester.test(
|
|
|
05062e |
+ "SHELL double-quoted",
|
|
|
05062e |
+ r"""{{{ oval_check_shell_file(
|
|
|
05062e |
+ path='CONFIG_FILE',
|
|
|
05062e |
+ parameter='SHELL',
|
|
|
05062e |
+ value=' /bin/bash',
|
|
|
05062e |
+ missing_parameter_pass=false,
|
|
|
05062e |
+ application='',
|
|
|
05062e |
+ multi_value=false,
|
|
|
05062e |
+ missing_config_file_fail=false,
|
|
|
05062e |
+ ) }}}""",
|
|
|
05062e |
+ """ SHELL=" /bin/bash"\n""",
|
|
|
05062e |
+ "true"
|
|
|
05062e |
+ )
|
|
|
05062e |
+ tester.test(
|
|
|
05062e |
+ "SHELL unwanted double-quoted",
|
|
|
05062e |
+ r"""{{{ oval_check_shell_file(
|
|
|
05062e |
+ path='CONFIG_FILE',
|
|
|
05062e |
+ parameter='SHELL',
|
|
|
05062e |
+ value=' /bin/bash',
|
|
|
05062e |
+ no_quotes=true,
|
|
|
05062e |
+ missing_parameter_pass=false,
|
|
|
05062e |
+ application='',
|
|
|
05062e |
+ multi_value=false,
|
|
|
05062e |
+ missing_config_file_fail=false,
|
|
|
05062e |
+ ) }}}""",
|
|
|
05062e |
+ """ SHELL=" /bin/bash"\n""",
|
|
|
05062e |
+ "false"
|
|
|
05062e |
+ )
|
|
|
05062e |
+ tester.test(
|
|
|
05062e |
+ "SHELL unwanted single-quoted",
|
|
|
05062e |
+ r"""{{{ oval_check_shell_file(
|
|
|
05062e |
+ path='CONFIG_FILE',
|
|
|
05062e |
+ parameter='SHELL',
|
|
|
05062e |
+ value='/bin"/bash',
|
|
|
05062e |
+ no_quotes=true,
|
|
|
05062e |
+ missing_parameter_pass=false,
|
|
|
05062e |
+ application='',
|
|
|
05062e |
+ multi_value=false,
|
|
|
05062e |
+ missing_config_file_fail=false,
|
|
|
05062e |
+ ) }}}""",
|
|
|
05062e |
+ " SHELL='/bin\"/bash'\n",
|
|
|
05062e |
+ "false"
|
|
|
05062e |
+ )
|
|
|
05062e |
+ tester.test(
|
|
|
05062e |
+ "SHELL double-quoted spaced",
|
|
|
05062e |
+ r"""{{{ oval_check_shell_file(
|
|
|
05062e |
+ path='CONFIG_FILE',
|
|
|
05062e |
+ parameter='SHELL',
|
|
|
05062e |
+ value='/bin/bash',
|
|
|
05062e |
+ missing_parameter_pass=false,
|
|
|
05062e |
+ application='',
|
|
|
05062e |
+ multi_value=false,
|
|
|
05062e |
+ missing_config_file_fail=false,
|
|
|
05062e |
+ ) }}}""",
|
|
|
05062e |
+ """ SHELL= "/bin/bash"\n""",
|
|
|
05062e |
+ "false"
|
|
|
05062e |
+ )
|
|
|
05062e |
+ tester.test(
|
|
|
05062e |
+ "SHELL bad_var_case",
|
|
|
05062e |
+ r"""{{{ oval_check_shell_file(
|
|
|
05062e |
+ path='CONFIG_FILE',
|
|
|
05062e |
+ parameter='SHELL',
|
|
|
05062e |
+ value='/bin/bash',
|
|
|
05062e |
+ missing_parameter_pass=false,
|
|
|
05062e |
+ application='',
|
|
|
05062e |
+ multi_value=false,
|
|
|
05062e |
+ missing_config_file_fail=false,
|
|
|
05062e |
+ ) }}}""",
|
|
|
05062e |
+ """ Shell="/bin/bash"\n""",
|
|
|
05062e |
+ "false"
|
|
|
05062e |
+ )
|
|
|
05062e |
+ tester.test(
|
|
|
05062e |
+ "SHELL bad_value_case",
|
|
|
05062e |
+ r"""{{{ oval_check_shell_file(
|
|
|
05062e |
+ path='CONFIG_FILE',
|
|
|
05062e |
+ parameter='SHELL',
|
|
|
05062e |
+ value='/bin/bash',
|
|
|
05062e |
+ missing_parameter_pass=false,
|
|
|
05062e |
+ application='',
|
|
|
05062e |
+ multi_value=false,
|
|
|
05062e |
+ missing_config_file_fail=false,
|
|
|
05062e |
+ ) }}}""",
|
|
|
05062e |
+ """ SHELL="/bin/Bash"\n""",
|
|
|
05062e |
+ "false"
|
|
|
05062e |
+ )
|
|
|
05062e |
+ tester.test(
|
|
|
05062e |
+ "SHELL badly quoted",
|
|
|
05062e |
+ r"""{{{ oval_check_shell_file(
|
|
|
05062e |
+ path='CONFIG_FILE',
|
|
|
05062e |
+ parameter='SHELL',
|
|
|
05062e |
+ value='/bin/bash',
|
|
|
05062e |
+ missing_parameter_pass=false,
|
|
|
05062e |
+ application='',
|
|
|
05062e |
+ multi_value=false,
|
|
|
05062e |
+ missing_config_file_fail=false,
|
|
|
05062e |
+ ) }}}""",
|
|
|
05062e |
+ """ SHELL="/bin/bash'\n""",
|
|
|
05062e |
+ "false"
|
|
|
05062e |
+ )
|
|
|
05062e |
|
|
|
05062e |
tester.finish()
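Review bot: Every new case uses `multi_value=false`, so the interaction between the quote group and the `\b` wrapping in `oval_line_in_file_state` is untested, and no case passes `missing_parameter_pass=true` through `oval_check_shell_file`. A `multi_value=true` case against a quoted line such as ` SHELL="/bin/bash"\n` and one with the parameter absent and `missing_parameter_pass=true` would pin both paths. The names `SHELL single-quoted` and `SHELL unwanted single-quoted` describe the file content rather than the `no_quotes` setting that distinguishes them; a suffix like `(no_quotes)` on the `unwanted` pair makes a failure report self-explanatory. The enclosing `main()` starts before and ends after this hunk.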
|
|
|
05062e |
|
|
|
05062e |
diff --git a/tests/unit/bash/test_set_config_file.bats.jinja b/tests/unit/bash/test_set_config_file.bats.jinja
|
|
|
05062e |
index 3dc2c721d4..4126d0440e 100644
|
|
|
05062e |
--- a/tests/unit/bash/test_set_config_file.bats.jinja
|
|
|
05062e |
+++ b/tests/unit/bash/test_set_config_file.bats.jinja
|
|
|
05062e |
@@ -126,3 +126,59 @@ function call_set_config_file {
|
|
|
05062e |
|
|
|
05062e |
rm "$tmp_file"
|
|
|
05062e |
}
|
|
|
05062e |
+
|
|
|
05062e |
+@test "Basic Bash remediation" {
|
|
|
05062e |
+ tmp_file="$(mktemp)"
|
|
|
05062e |
+ printf "%s\n" "something=foo" > "$tmp_file"
|
|
|
05062e |
+ expected_output="something='va lue'\n"
|
|
|
05062e |
+
|
|
|
05062e |
+ {{{ bash_shell_file_set("$tmp_file", "something", "va lue") | indent(4) }}}
|
|
|
05062e |
+
|
|
|
05062e |
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
|
|
|
05062e |
+ echo "$output"
|
|
|
05062e |
+ [ "$status" -eq 0 ]
|
|
|
05062e |
+
|
|
|
05062e |
+ rm "$tmp_file"
|
|
|
05062e |
+}
|
|
|
05062e |
+
|
|
|
05062e |
+@test "Variable remediation - preserve dollar and use double quotes" {
|
|
|
05062e |
+ tmp_file="$(mktemp)"
|
|
|
05062e |
+ printf "%s\n" "something=bar" > "$tmp_file"
|
|
|
05062e |
+ expected_output='something="$value"'"\n"
|
|
|
05062e |
+
|
|
|
05062e |
+ {{{ bash_shell_file_set("$tmp_file", "something", '$value') | indent(4) }}}
|
|
|
05062e |
+
|
|
|
05062e |
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
|
|
|
05062e |
+ echo "$output"
|
|
|
05062e |
+ [ "$status" -eq 0 ]
|
|
|
05062e |
+
|
|
|
05062e |
+ rm "$tmp_file"
|
|
|
05062e |
+}
|
|
|
05062e |
+
|
|
|
05062e |
+@test "Basic Bash remediation - don't quote" {
|
|
|
05062e |
+ tmp_file="$(mktemp)"
|
|
|
05062e |
+ printf "%s\n" "something=foo" > "$tmp_file"
|
|
|
05062e |
+ expected_output="something=va lue\n"
|
|
|
05062e |
+
|
|
|
05062e |
+ {{{ bash_shell_file_set("$tmp_file", "something", "va lue", no_quotes=true) | indent(4) }}}
|
|
|
05062e |
+
|
|
|
05062e |
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
|
|
|
05062e |
+ echo "$output"
|
|
|
05062e |
+ [ "$status" -eq 0 ]
|
|
|
05062e |
+
|
|
|
05062e |
+ rm "$tmp_file"
|
|
|
05062e |
+}
|
|
|
05062e |
+
|
|
|
05062e |
+@test "Variable remediation - don't quote" {
|
|
|
05062e |
+ tmp_file="$(mktemp)"
|
|
|
05062e |
+ printf "%s\n" "something=bar" > "$tmp_file"
|
|
|
05062e |
+ expected_output='something=$value'"\n"
|
|
|
05062e |
+
|
|
|
05062e |
+ {{{ bash_shell_file_set("$tmp_file", "something", '$value', no_quotes=true) | indent(4) }}}
|
|
|
05062e |
+
|
|
|
05062e |
+ run diff -U2 "$tmp_file" <(printf "$expected_output")
|
|
|
05062e |
+ echo "$output"
|
|
|
05062e |
+ [ "$status" -eq 0 ]
|
|
|
05062e |
+
|
|
|
05062e |
+ rm "$tmp_file"
|
|
|
05062e |
+}
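Review bot: All four cases seed the file with an existing `something=...` line, so only the replace path of `bash_shell_file_set` is exercised; the insert path (parameter absent, governed by `create=true` and `insert_before`) never runs. A case starting from an empty file, and one whose file holds only `# something=old`, would cover it. `printf "$expected_output"` uses the expected text as the format string, which is fine for these values but will misbehave for any future value containing `%`; `printf "%b" "$expected_output"` keeps the `\n` handling without that hazard.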
|
|
|
05062e |
|
|
|
05062e |
From 347e7ab345a35fc3045a886d883d8efe7d9820b2 Mon Sep 17 00:00:00 2001
|
|
|
05062e |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
05062e |
Date: Fri, 17 Jan 2020 10:51:02 +0100
|
|
|
05062e |
Subject: [PATCH 3/7] Added the shell lineinfile template.
|
|
|
05062e |
|
|
|
05062e |
---
|
|
|
05062e |
docs/manual/developer_guide.adoc | 21 +++++++++++++++++
|
|
|
05062e |
.../template_ANSIBLE_shell_lineinfile | 21 +++++++++++++++++
|
|
|
05062e |
.../templates/template_BASH_shell_lineinfile | 6 +++++
|
|
|
05062e |
.../templates/template_OVAL_shell_lineinfile | 10 ++++++++
|
|
|
05062e |
ssg/templates.py | 23 +++++++++++++++++++
|
|
|
05062e |
5 files changed, 81 insertions(+)
|
|
|
05062e |
create mode 100644 shared/templates/template_ANSIBLE_shell_lineinfile
|
|
|
05062e |
create mode 100644 shared/templates/template_BASH_shell_lineinfile
|
|
|
05062e |
create mode 100644 shared/templates/template_OVAL_shell_lineinfile
|
|
|
05062e |
|
|
|
05062e |
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
|
|
|
05062e |
index aa0a7491c3..b5d22213b7 100644
|
|
|
05062e |
--- a/docs/manual/developer_guide.adoc
|
|
|
05062e |
+++ b/docs/manual/developer_guide.adoc
|
|
|
05062e |
@@ -1591,6 +1591,27 @@ service_enabled::
|
|
|
05062e |
** *daemonname* - name of the daemon. This argument is optional. If *daemonname* is not specified it means the name of the daemon is the same as the name of service.
|
|
|
05062e |
* Languages: Ansible, Bash, OVAL, Puppet
|
|
|
05062e |
|
|
|
05062e |
+shell_lineinfile::
|
|
|
05062e |
+* Checks shell variable assignments in files.
|
|
|
05062e |
+Remediations will paste assignments with single shell quotes unless there is the dollar sign in the value string, in which case double quotes are administered.
|
|
|
05062e |
+The OVAL checks for a match with either of no quotes, single quoted string, or double quoted string.
|
|
|
05062e |
+* Parameters:
|
|
|
05062e |
+** *path* - What file to check.
|
|
|
05062e |
+** *parameter* - name of the shell variable, eg. `SHELL`.
|
|
|
05062e |
+** *value* - value of the SSH configuration option specified by *parameter*, eg. `"/bin/bash"`. Don't pass extra shell quoting - that will be handled on the lower level.
|
|
|
05062e |
+** *no_quotes* - If set to `"true"`, the assigned value has to be without quotes during the check and remediation doesn't quote assignments either.
|
|
|
05062e |
+** *missing_parameter_pass* - If set to `"true"` the OVAL check will pass if the parameter is not present in the target file.
|
|
|
05062e |
+* Languages: Ansible, Bash, OVAL
|
|
|
05062e |
+* Example:
|
|
|
05062e |
+A template invocation specifying that parameter `HISTSIZE` should be set to value `500` in `/etc/profile` will produce a check that passes if any of the following lines are present in `/etc/profile`:
|
|
|
05062e |
+** `HISTSIZE=500`
|
|
|
05062e |
+** `HISTSIZE="500"`
|
|
|
05062e |
+** `HISTSIZE='500'`
|
|
|
05062e |
++
|
|
|
05062e |
+The remediation would insert one of the quoted forms if the line was not present.
|
|
|
05062e |
++
|
|
|
05062e |
+If the `no_quotes` would be set in the template, only the first form would be checked for, and the unquoted assignment would be inserted to the file by the remediation if not present.
|
|
|
05062e |
+
|
|
|
05062e |
sshd_lineinfile::
|
|
|
05062e |
* Checks SSH server configuration items in `/etc/ssh/sshd_config`.
|
|
|
05062e |
* Parameters:
|
|
|
05062e |
diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
|
|
|
05062e |
new file mode 100644
|
|
|
05062e |
index 0000000000..7d0a3ebcbd
|
|
|
05062e |
--- /dev/null
|
|
|
05062e |
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
|
|
|
05062e |
@@ -0,0 +1,21 @@
|
|
|
05062e |
+# platform = multi_platform_all
|
|
|
05062e |
+# reboot = false
|
|
|
05062e |
+# strategy = restrict
|
|
|
05062e |
+# complexity = low
|
|
|
05062e |
+# disruption = low
|
|
|
05062e |
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
|
|
|
05062e |
+{{%- if NO_QUOTES -%}}
|
|
|
05062e |
+ {{% set msg = "Setting unquoted " ~ msg %}}
|
|
|
05062e |
+{{%- else -%}}
|
|
|
05062e |
+ {{% set msg = "Setting shell-quoted " ~ msg %}}
|
|
|
05062e |
+{{%- endif -%}}
|
|
|
05062e |
+{{{
|
|
|
05062e |
+ ansible_shell_set(
|
|
|
05062e |
+ msg=msg,
|
|
|
05062e |
+ path=PATH,
|
|
|
05062e |
+ parameter=PARAMETER,
|
|
|
05062e |
+ value=VALUE,
|
|
|
05062e |
+ no_quotes=NO_QUOTES
|
|
|
05062e |
+ )
|
|
|
05062e |
+}}}
|
|
|
05062e |
+
|
|
|
05062e |
diff --git a/shared/templates/template_BASH_shell_lineinfile b/shared/templates/template_BASH_shell_lineinfile
|
|
|
05062e |
new file mode 100644
|
|
|
05062e |
index 0000000000..6bf869d62b
|
|
|
05062e |
--- /dev/null
|
|
|
05062e |
+++ b/shared/templates/template_BASH_shell_lineinfile
|
|
|
05062e |
@@ -0,0 +1,6 @@
|
|
|
05062e |
+# platform = multi_platform_all
|
|
|
05062e |
+# reboot = false
|
|
|
05062e |
+# strategy = restrict
|
|
|
05062e |
+# complexity = low
|
|
|
05062e |
+# disruption = low
|
|
|
05062e |
+{{{ bash_shell_file_set(path=PATH, parameter=PARAMETER, value=VALUE, no_quotes=NO_QUOTES) }}}
|
|
|
05062e |
diff --git a/shared/templates/template_OVAL_shell_lineinfile b/shared/templates/template_OVAL_shell_lineinfile
|
|
|
05062e |
new file mode 100644
|
|
|
05062e |
index 0000000000..fd05b6b568
|
|
|
05062e |
--- /dev/null
|
|
|
05062e |
+++ b/shared/templates/template_OVAL_shell_lineinfile
|
|
|
05062e |
@@ -0,0 +1,10 @@
|
|
|
05062e |
+{{{
|
|
|
05062e |
+oval_check_shell_file(
|
|
|
05062e |
+ path=PATH,
|
|
|
05062e |
+ parameter=PARAMETER,
|
|
|
05062e |
+ value=VALUE,
|
|
|
05062e |
+ no_quotes=NO_QUOTES,
|
|
|
05062e |
+ missing_parameter_pass=MISSING_PARAMETER_PASS
|
|
|
05062e |
+)
|
|
|
05062e |
+}}}
|
|
|
05062e |
+
|
|
|
05062e |
diff --git a/ssg/templates.py b/ssg/templates.py
|
|
|
05062e |
index f4f56c94e6..c2c82e6c29 100644
|
|
|
05062e |
--- a/ssg/templates.py
|
|
|
05062e |
+++ b/ssg/templates.py
|
|
|
05062e |
@@ -290,6 +290,29 @@ def sshd_lineinfile(data, lang):
|
|
|
05062e |
return data
|
|
|
05062e |
|
|
|
05062e |
|
|
|
05062e |
+@template(["ansible", "bash", "oval"])
|
|
|
05062e |
+def shell_lineinfile(data, lang):
|
|
|
05062e |
+ value = data["value"]
|
|
|
05062e |
+ if value[0] in ("'", '"') and value[0] == value[1]:
|
|
|
05062e |
+ msg = (
|
|
|
05062e |
+ "Value >>{value}<< of shell variable '{varname}' "
|
|
|
05062e |
+ "has been supplied with quotes, please fix the content - "
|
|
|
05062e |
+ "shell quoting is handled by the check/remediation code."
|
|
|
05062e |
+ .format(value=value, varname=data["parameter"]))
|
|
|
05062e |
+ raise Exception(msg)
|
|
|
05062e |
+ missing_parameter_pass = data.get("missing_parameter_pass", "false")
|
|
|
05062e |
+ if missing_parameter_pass == "true":
|
|
|
05062e |
+ missing_parameter_pass = True
|
|
|
05062e |
+ elif missing_parameter_pass == "false":
|
|
|
05062e |
+ missing_parameter_pass = False
|
|
|
05062e |
+ data["missing_parameter_pass"] = missing_parameter_pass
|
|
|
05062e |
+ no_quotes = False
|
|
|
05062e |
+ if data["no_quotes"] == "true":
|
|
|
05062e |
+ no_quotes = True
|
|
|
05062e |
+ data["no_quotes"] = no_quotes
|
|
|
05062e |
+ return data
|
|
|
05062e |
+
|
|
|
05062e |
+
|
|
|
05062e |
@template(["ansible", "bash", "oval"])
|
|
|
05062e |
def timer_enabled(data, lang):
|
|
|
05062e |
if "packagename" not in data:
|
|
|
05062e |
|
|
|
05062e |
From ac5d1a8ad511e828e652ce1ca58b06c18f8c083b Mon Sep 17 00:00:00 2001
|
|
|
05062e |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
05062e |
Date: Tue, 21 Jan 2020 14:13:01 +0100
|
|
|
05062e |
Subject: [PATCH 4/7] Fixed the templated string evaluation.
|
|
|
05062e |
|
|
|
05062e |
---
|
|
|
05062e |
ssg/templates.py | 2 +-
|
|
|
05062e |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
05062e |
|
|
|
05062e |
diff --git a/ssg/templates.py b/ssg/templates.py
|
|
|
05062e |
index c2c82e6c29..873f543f41 100644
|
|
|
05062e |
--- a/ssg/templates.py
|
|
|
05062e |
+++ b/ssg/templates.py
|
|
|
05062e |
@@ -293,7 +293,7 @@ def sshd_lineinfile(data, lang):
|
|
|
05062e |
@template(["ansible", "bash", "oval"])
|
|
|
05062e |
def shell_lineinfile(data, lang):
|
|
|
05062e |
value = data["value"]
|
|
|
05062e |
- if value[0] in ("'", '"') and value[0] == value[1]:
|
|
|
05062e |
+ if value[0] in ("'", '"') and value[0] == value[-1]:
|
|
|
05062e |
msg = (
|
|
|
05062e |
"Value >>{value}<< of shell variable '{varname}' "
|
|
|
05062e |
"has been supplied with quotes, please fix the content - "
|
|
|
05062e |
|
|
|
05062e |
From 8589574707c63eb3ac4c56674326b70dacfd2ee4 Mon Sep 17 00:00:00 2001
|
|
|
05062e |
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
|
|
05062e |
Date: Tue, 21 Jan 2020 14:46:39 +0100
|
|
|
05062e |
Subject: [PATCH 5/7] Fixed jinja macros
|
|
|
05062e |
|
|
|
05062e |
- Fixed macro descriptions.
|
|
|
05062e |
- Fixed Ansible insert_after.
|
|
|
05062e |
---
|
|
|
05062e |
shared/macros-ansible.jinja | 18 ++++++++----------
|
|
|
05062e |
shared/macros-bash.jinja | 2 +-
|
|
|
05062e |
shared/macros-oval.jinja | 7 +++----
|
|
|
05062e |
3 files changed, 12 insertions(+), 15 deletions(-)
|
|
|
05062e |
|
|
|
05062e |
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
|
|
|
05062e |
index c42a5156ce..81e18e2d5c 100644
|
|
|
05062e |
--- a/shared/macros-ansible.jinja
|
|
|
05062e |
+++ b/shared/macros-ansible.jinja
|
|
|
05062e |
@@ -143,22 +143,20 @@
|
|
|
05062e |
|
|
|
05062e |
{{#
|
|
|
05062e |
High level macro to set a value in a shell-related file that contains var assignments. This
|
|
|
05062e |
- takes these values: msg (the name for the Ansible task), path to the file, a parameter to set
|
|
|
05062e |
- in the configuration file, and the value to set it to. We specify a case
|
|
|
05062e |
- sensitive comparison in the prefix since this is used to deduplicate since
|
|
|
05062e |
+ takes these values:
|
|
|
05062e |
+ - msg (the name for the Ansible task),
|
|
|
05062e |
+ - path to the file,
|
|
|
05062e |
+ - parameter to set in the configuration file, and
|
|
|
05062e |
+ - value to set it to.
|
|
|
05062e |
We also specify the validation program here; see 'bash -c "help set" | grep -e -n'
|
|
|
05062e |
#}}
|
|
|
05062e |
{{%- macro ansible_shell_set(msg, path, parameter, value='', no_quotes=false) %}}
|
|
|
05062e |
{{% if no_quotes -%}}
|
|
|
05062e |
{{%- else -%}}
|
|
|
05062e |
-{{%- set quotes = "\"'" -%}}
|
|
|
05062e |
- {{% if "$" in value %}}
|
|
|
05062e |
- {{% set value = '"%s"' % value %}}
|
|
|
05062e |
- {{% else %}}
|
|
|
05062e |
- {{% set value = "'%s'" % value %}}
|
|
|
05062e |
- {{% endif %}}
|
|
|
05062e |
+{{# Use the double quotes in all cases, as the underlying macro single-quotes the assignment line. #}}
|
|
|
05062e |
+{{% set value = '"%s"' % value %}}
|
|
|
05062e |
{{%- endif -%}}
|
|
|
05062e |
-{{{ ansible_set_config_file(msg, path, parameter, value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^[#\s]*Match") }}}
|
|
|
05062e |
+{{{ ansible_set_config_file(msg, path, parameter, separator="=", separator_regex="=", value=value, create="yes", prefix_regex='^\s*', validate="/usr/bin/bash -n %s", insert_before="^# " ~ parameter) }}}
|
|
|
05062e |
{{%- endmacro %}}
|
|
|
05062e |
|
|
|
05062e |
{{#
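Review bot: `insert_before="^# " ~ parameter` here and `insert_before="^#\s*" ~ parameter` in the bash macro (hunk `@@ -18,7 +18,7 @@` of shared/macros-bash.jinja) disagree on the whitespace allowed after `#`, so the Ansible and Bash remediations can place the new line at different spots in the same file; aligning on `"^#\s*" ~ parameter` keeps them consistent. Neither pattern is anchored after the name, so a prefix such as `HIST` also matches a commented-out `HISTFILESIZE=` line; appending the separator, e.g. `"^#\s*" ~ parameter ~ "\s*="`, narrows it to the intended line. The `'"%s"' % value` interpolation still does not escape `"` or `\` inside `value`, as noted on the hunk that introduced this macro in PATCH 1/7.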
|
|
|
05062e |
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
|
|
|
05062e |
index 6c0bb2facc..dc7fd25588 100644
|
|
|
05062e |
--- a/shared/macros-bash.jinja
|
|
|
05062e |
+++ b/shared/macros-bash.jinja
|
|
|
05062e |
@@ -18,7 +18,7 @@
|
|
|
05062e |
value=value,
|
|
|
05062e |
create=true,
|
|
|
05062e |
insert_after="",
|
|
|
05062e |
- insert_before="^Match",
|
|
|
05062e |
+ insert_before="^#\s*" ~ parameter,
|
|
|
05062e |
insensitive=false,
|
|
|
05062e |
separator="=",
|
|
|
05062e |
separator_regex="=",
|
|
|
05062e |
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
|
|
|
05062e |
index 696cf36db0..cfa9de9d2d 100644
|
|
|
05062e |
--- a/shared/macros-oval.jinja
|
|
|
05062e |
+++ b/shared/macros-oval.jinja
|
|
|
05062e |
@@ -233,7 +233,7 @@
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
We specify a case insensitive comparison in the prefix because
sshd_config has case-insensitive parameters (but case-sensitive values).
@@ -250,7 +250,7 @@
- value (String): The variable value WITHOUT QUOTES.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
#}}
{{%- macro oval_check_shell_file(path, parameter='', value='', application='', no_quotes=false, missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
{{% if no_quotes -%}}
@@ -268,8 +268,7 @@
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
-
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
#}}
{{%- macro oval_auditd_config(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
{{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
From af0e3ba8ef2d5b53dcffed4432ec0415a81ab2bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Wed, 22 Jan 2020 11:37:39 +0100
Subject: [PATCH 6/7] Shell lineinfile macros and templates style fixes.
---
shared/macros-ansible.jinja | 2 +-
shared/macros-oval.jinja | 10 ++++++++--
shared/templates/template_ANSIBLE_shell_lineinfile | 4 ++--
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 81e18e2d5c..f752e7a2be 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -25,7 +25,7 @@
{{%- elif insert_before %}}
insertbefore: '{{{ insert_before }}}'
{{%- endif %}}
- {{% else %}}
+ {{%- else %}}
state: '{{{ state }}}'
{{%- endif %}}
{{%- if validate %}}
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index cfa9de9d2d..5f391efdcb 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -13,13 +13,16 @@
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- separator_regex (String): Regular expression to be used as the separator of parameter and value in a configuration file. If spaces are allowed, this should be included in the regular expression.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
- section (String): If set, the parameter will be checked only within the given section defined by [section].
- quotes (String): If non-empty, one level of matching quotes is considered when checking the value. See comment of oval_line_in_file_state for more info.
#}}
{{%- macro oval_check_config_file(path='', prefix_regex='^[ \\t]*', parameter='', separator_regex='[ \\t]+', value='', missing_parameter_pass=false, application='', multi_value=false, missing_config_file_fail=false, section='', quotes='') -%}}
+{{%- if application == '' -%}}
+ {{%- set application = "The respective application or service" -%}}
+{{%- endif -%}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
<metadata>
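Review bot: The default that the new `{{%- if application == '' -%}}` block substitutes is not reflected in the parameter description on the `+ - application` line of the same hunk, which still only says the value can be anything and does not affect the check; a reader of the doc block cannot tell that an empty string is replaced by "The respective application or service" in the rendered output. Suggest extending that line to `... does not affect the actual OVAL check. If empty, "The respective application or service" is used instead.` The same description is copied into the `@@ -248` and `@@ -342` hunks of this file; whether the macros documented there forward `application` to this one, and so inherit the default, is not visible here, and their text should say so if they do. The macro body continues past the hunk.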
@@ -248,6 +251,9 @@
- path (String): Path to the file.
- parameter (String): The shell variable name.
- value (String): The variable value WITHOUT QUOTES.
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
+ - no_quotes (boolean): If set, the check will require that the RHS of the assignment is the literal value, without quotes.
+ If no_quotes is false, then one level of single or double quotes won't be regarded as part of the value by the check.
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- missing_config_file_fail (boolean): If set, the check will fail if the configuration file doesn't exist in the system.
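Review bot: The added `no_quotes` description gives the rule but not its consequence for callers: with `no_quotes` set, a quoted assignment of the correct value (`VAR="32"`) is reported as non-compliant, which is exactly what the `quoted.fail.sh` scenario in the last patch of this series relies on. Suggest appending to the `+ - no_quotes` line: `A quoted assignment of the correct value therefore does not pass when no_quotes is set.` The `- value (String): The variable value WITHOUT QUOTES.` context line also leaves open whether regex metacharacters in `value` are interpreted, as the sibling macro descriptions state ("This can also be a regular expression"); that cannot be settled from this hunk, but the doc should say one way or the other. The doc block continues outside the hunk.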
@@ -342,7 +348,7 @@
- parameter (String): The parameter to be checked in the configuration file.
- value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
- missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
- - application (String): The application which the configuration file is being checked. Can be any value and does not affect the OVAL check.
+ - application (String): The application which the configuration file is being checked. Can be any value and does not affect the actual OVAL check.
- multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
- missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
#}}
diff --git a/shared/templates/template_ANSIBLE_shell_lineinfile b/shared/templates/template_ANSIBLE_shell_lineinfile
index 7d0a3ebcbd..3e6c5619ea 100644
--- a/shared/templates/template_ANSIBLE_shell_lineinfile
+++ b/shared/templates/template_ANSIBLE_shell_lineinfile
@@ -3,7 +3,7 @@
# strategy = restrict
# complexity = low
# disruption = low
-{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'." -%}}
+{{% set msg = "shell-style assignment of '" ~ PARAMETER ~ "' to '" ~ VALUE ~ "' in '" ~ PATH ~ "'" -%}}
{{%- if NO_QUOTES -%}}
{{% set msg = "Setting unquoted " ~ msg %}}
{{%- else -%}}
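Review bot: The `msg` built on the changed line wraps `PARAMETER`, `VALUE` and `PATH` in single quotes with no escaping, and the macro file this series edits emits such strings as single-quoted YAML scalars (`insertbefore: '{{{ insert_before }}}'` in macros-ansible.jinja); if the task `name` is rendered the same way, a value or path containing an apostrophe would break the generated playbook. Where `msg` ends up is outside this hunk, so this may turn out to be harmless, but the constraint deserves a comment above the line, e.g. `{{# PARAMETER, VALUE and PATH must not contain single quotes: msg is rendered into a quoted YAML scalar #}}`. The template continues past the hunk.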
@@ -15,7 +15,7 @@
path=PATH,
parameter=PARAMETER,
value=VALUE,
- no_quotes=NO_QUOTES
+ no_quotes=NO_QUOTES
)
}}}
From a7779d2fae1086838daa1ded483decd499e8749f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 21 Jan 2020 16:43:23 +0100
Subject: [PATCH 7/7] Add a shell_lineinfile template exemplary rule.
---
.../ssh_server/sshd_use_strong_rng/rule.yml | 47 +++++++++++++++++++
.../tests/bad_config.fail.sh | 3 ++
.../tests/good_config.pass.sh | 3 ++
.../tests/no_config.fail.sh | 3 ++
.../sshd_use_strong_rng/tests/quoted.fail.sh | 3 ++
rhel8/profiles/ospp.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
7 files changed, 60 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
new file mode 100644
index 0000000000..4bfb72702b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml
@@ -0,0 +1,47 @@
+documentation_complete: true
+
+# TODO: The plan is not to need this for RHEL>=8.4
+# TODO: Compliant setting is SSH_USE_STRONG_RNG set to 32 or more
+prodtype: rhel8
+
+title: 'SSH server uses strong entropy to seed'
+
+description: |-
+ To set up SSH server to use entropy from a high-quality source, edit the <tt>/etc/sysconfig/sshd</tt> file.
+ The <tt>SSH_USE_STRONG_RNG</tt> configuration value determines how many bytes of entropy to use, so
+ make sure that the file contains line
+ SSH_USE_STRONG_RNG=32
+
+rationale: |-
+ SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default.
+ Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors
+ in encryption algorithms, and high-quality entropy elliminates the possibility that the output of
+ the random number generator used by SSH would be known to potential attackers.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: 82462-3
+
+references:
+ ospp: FIA_AFL.1
+
+ocil: |-
+ To determine whether the SSH service is configured to use strong entropy seed,
+ run $ sudo grep SSH_USE_STRONG_RNG /etc/sysconfig/sshd
+ If a line indicating that SSH_USE_STRONG_RNG is set to 32 is returned,
+ then the option is set correctly.
+
+ocil_clause: |-
+ The SSH_USE_STRONG_RNG is not set to 32 in /etc/sysconfig/sshd
+
+warnings:
+ - general: "This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available."
+
+template:
+ name: shell_lineinfile
+ vars:
+ path: '/etc/sysconfig/sshd'
+ parameter: 'SSH_USE_STRONG_RNG'
+ value: '32'
+ no_quotes: 'true'
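Review bot: The rule rejects a configuration that is functionally compliant: `no_quotes: 'true'` makes `SSH_USE_STRONG_RNG="32"` fail (the `quoted.fail.sh` scenario in this patch encodes that), although a sourced sysconfig file assigns the same value with or without the quotes, so on a host that quotes the value the scan reports a false finding. The second TODO states the compliant setting is 32 "or more", yet `value: '32'` appears to accept only that exact number and the ocil text only mentions 32, so `SSH_USE_STRONG_RNG=64` would presumably be reported as non-compliant as well; either the check should express the lower bound or the description should state that exactly 32 is required. `ospp: FIA_AFL.1` is the authentication-failure-handling requirement, which does not seem to correspond to an RNG-seeding rule — FCS_RBG_EXT.1 looks like the intended reference, worth confirming against the profile. Typo on the rationale line: `elliminates` → `eliminates`.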
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
new file mode 100644
index 0000000000..f4f8c22f64
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/bad_config.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG=1' > /etc/sysconfig/sshd
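Review bot: Each of the four scenarios (this one, `good_config.pass.sh`, `no_config.fail.sh`, `quoted.fail.sh`) replaces `/etc/sysconfig/sshd` with a single line, so none covers the case the remediation in the earlier patches is specifically built for: a file that already holds other variables and a commented-out `# SSH_USE_STRONG_RNG=...` line, which the `insert_before="^#\s*" ~ parameter` logic targets. A scenario that writes an unrelated assignment plus the commented-out line and expects remediation to leave the other setting intact would exercise that path, and a `SSH_USE_STRONG_RNG=64` scenario would pin down whether values above 32 are meant to pass, which the rule's own TODO leaves open.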
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
new file mode 100644
index 0000000000..70f53ac22b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/good_config.pass.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG=32' > /etc/sysconfig/sshd
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
new file mode 100644
index 0000000000..1e5f0b2998
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/no_config.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+rm -f /etc/sysconfig/sshd
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
new file mode 100644
index 0000000000..a10d24a73b
--- /dev/null
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/tests/quoted.fail.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel
+
+echo 'SSH_USE_STRONG_RNG="32"' > /etc/sysconfig/sshd
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index f97527a914..63aea526b7 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -58,6 +58,7 @@ selections:
- sshd_set_keepalive
- sshd_enable_warning_banner
- sshd_rekey_limit
+ - sshd_use_strong_rng
# Time Server
- chronyd_client_only
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index b665fa1cea..1ff291c7df 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-82462-3
CCE-82463-1
CCE-82464-9
CCE-82465-6