
From 66b01d9b55ee6b1d791383467827a6444673a51c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 29 Apr 2020 18:36:39 +0200
Subject: [PATCH 1/6] Add fields arg to ansible audit syscall macros
The field arg allows one to specify syscall fields for the audit rule.
These fields can be auid, exit, argument, or any field used by audit.
Reference:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events#field-names
---
 shared/macros-ansible.jinja | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 03e4306051..7674c290fa 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -352,9 +352,11 @@ The macro requires following parameters:
 - arch: an architecture to be used in the Audit rule (b32, b64)
 - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
 - key: a key to use as rule identifier.
+- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100);
+  Add them in the order you expect them to be in the audit rule.
 Note that if there  already exists a rule wit the same key in the /etc/audit/rules.d directory, the rule will be placed in the same file.
 #}}
-{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="") -%}}
+{{% macro ansible_audit_augenrules_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}}
 - name: Declare list of syscals
   set_fact:
     syscalls: {{{ syscalls }}}
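Review bot: The `fields (optional)` doc at +44/+46 tells the caller to list fields in the expected order but not that the existence check in this macro only recognises a rule whose `-F` fields appear after the syscall, back to back, and immediately before `-k`/`-F key=` (that is what `.*{{{ fields_data.regex }}}(-k...` in the find task requires), so an already compliant rule written as `-a always,exit -F arch=b64 -F a0=0x0 -S clock_settime -k time-change` is reported as missing and the remediation presumably appends a second rule. I would add to the comment: `The existence check only matches rules whose fields appear after the syscall, adjacent to each other and directly before the key; rules with another layout are treated as missing.` If any position should be accepted instead, a per-field lookahead `(?=.*-F[\s]+<field>[\s]+)` placed right after `always,exit[\s]+` would do it. The macro body continues past the end of this hunk.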
@@ -362,10 +364,17 @@ Note that if there  already exists a rule wit the same key in the /etc/audit/rul
 - name: Declare number of syscalls
   set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
 
+{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}}
+{{% set fields_data = { 'regex' : "", 'list': "" } %}}
+{{% for field in fields %}}
+    {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}}
+    {{% set not_used = fields_data.update({'list': fields_data.list+ ' -F ' + field }) %}}
+{{% endfor %}}
+
 - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/
   find:
     paths: "/etc/audit/rules.d"
-    contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
+    contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
     patterns: "*.rules"
   register: audit_syscalls_found_{{{ arch }}}_rules_d
   loop: "{{ syscalls }}"
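Review bot: `field` is concatenated into the `contains` regex unescaped at +76, so a value carrying regex metacharacters — `path=/usr/sbin/foo.bin`, `dir=/var/log/*`, `exe=/bin/(sh|bash)` — changes what +92 matches (`.` becomes any character, `*` a quantifier) and can either miss an existing rule or accept a wrong one. Jinja2 core has no `regex_escape` filter and this template is rendered at build time, so unless the build environment registers one the values should be escaped in the loop, e.g. `{{% set safe_field = field | replace('.', '[.]') | replace('*', '[*]') %}}` before appending, or the restriction stated in the macro header. The same raw value is also written into the rule via `fields_data.list`, which is fine because audit expects it literally there.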
@@ -401,7 +410,7 @@ Note that if there  already exists a rule wit the same key in the /etc/audit/rul
       loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}"
       when: item.matched is defined and item.matched == 0
     - name: "Construct rule: add key"
-      set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
+      set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}"
     - name: "Insert the line in {{ all_files[0] }}"
       lineinfile:
         path: "{{ all_files[0] }}"
@@ -417,8 +426,10 @@ The macro requires following parameters:
 - arch: an architecture to be used in the Audit rule (b32, b64)
 - syscalls: list of syscalls supplied as a list ["syscall1", "syscall2"] etc.
 - key: a key to use as rule identifier.
+- fields (optional): list of syscall fields to add (e.g.: auid=unset, exit=-EPERM, a0&0100);
+  Add them in the order you expect them to be in the audit rule.
 #}}
-{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="") -%}}
+{{% macro ansible_audit_auditctl_add_syscall_rule(arch="", syscalls=[], key="", fields=[]) -%}}
 - name: Declare list of syscals
   set_fact:
     syscalls: {{{ syscalls }}}
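Review bot: The `fields` doc added at +126/+128 for the auditctl variant should say that values are spliced verbatim into the detection regex built later in this macro and into the rule text, and that the check only recognises fields placed after the syscall, adjacent to each other and directly before the key. Suggested addition: `Values are used verbatim in the rule and in the regex of the existence check (escape regex metacharacters); only fields placed after the syscall and directly before the key are recognised.` The macro body continues past this hunk.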
@@ -426,10 +437,17 @@ The macro requires following parameters:
 - name: Declare number of syscalls
   set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
 
+{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}}
+{{% set fields_data = { 'regex' : "", 'list': "" } %}}
+{{% for field in fields %}}
+    {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}}
+    {{% set not_used = fields_data.update({'list': fields_data.list + ' -F ' + field }) %}}
+{{% endfor %}}
+
 - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules
   find:
     paths: "/etc/audit"
-    contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
+    contains: '^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch={{{ arch }}}[\s]+)(?:.*(-S[\s]+{{ item }}[\s]+|([\s]+|[,]){{ item }}([\s]+|[,]))).*{{{ fields_data.regex }}}(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$'
     patterns: "audit.rules"
   register: audit_syscalls_found_{{{ arch }}}_audit_rules
   loop: "{{ syscalls }}"
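Review bot: The `fields_data` loop at +150..+160 is a copy of the one added to `ansible_audit_augenrules_add_syscall_rule`, and the two copies already differ in whitespace (`fields_data.list+` versus `fields_data.list +`), which is how the regex and the plain-text fragment will drift apart over time; moving the loop into one helper macro that both syscall macros call would keep them identical. Beyond that, +172 concatenates `field` into the pattern unescaped (a `.` or `*` in a value alters the match) and only accepts fields that sit adjacent to each other and directly before the key, so a compliant rule with another layout is treated as absent. The task's `loop`/`register` are unchanged.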
@@ -445,8 +463,8 @@ The macro requires following parameters:
       set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
       loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}"
       when: item.matched is defined and item.matched == 0
-    - name: "Construct rule: add key"
-      set_fact: tmpline="{{ tmpline + '-k {{{ key }}}' }}"
+    - name: "Construct rule: add fields and key"
+      set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}"
     - name: Insert the line in /etc/audit/audit.rules
       lineinfile:
         path: "/etc/audit/audit.rules"
From 5de069a558c4456d0610764d8fc9da23f0ba294e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 29 Apr 2020 18:43:08 +0200
Subject: [PATCH 2/6] Fix spacing between syscalls and fields
By having the white space at the beginning of the token, it is easy to
concatenate them without worries.
---
 shared/macros-ansible.jinja | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 7674c290fa..2aaf0c366b 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -404,12 +404,12 @@ Note that if there  already exists a rule wit the same key in the /etc/audit/rul
 - name: "Insert the syscall rule in {{ all_files[0] }}"
   block:
     - name: "Construct rule: add rule list, action and arch"
-      set_fact: tmpline="-a always,exit -F arch={{{ arch }}} "
+      set_fact: tmpline="-a always,exit -F arch={{{ arch }}}"
     - name: "Construct rule: add syscalls"
-      set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
+      set_fact: tmpline="{{tmpline + ' -S ' + item.item }}"
       loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}"
       when: item.matched is defined and item.matched == 0
-    - name: "Construct rule: add key"
+    - name: "Construct rule: add fields and key"
       set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}"
     - name: "Insert the line in {{ all_files[0] }}"
       lineinfile:
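Review bot: The rebuilt concatenations at +241, +247 and +257 keep `set_fact: tmpline="{{ ... }}"` in the `key=value` shorthand with single quotes nested inside the double-quoted Jinja expression, which breaks as soon as a `key` or field value contains a quote; Ansible's block form is the conventional way to pass module args and `~` concatenates without relying on both operands being strings: `set_fact:` / `  tmpline: "{{ tmpline ~ ' -S ' ~ item.item }}"`. The `block:` these tasks belong to starts in this hunk but ends after it.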
@@ -458,9 +458,9 @@ The macro requires following parameters:
 - name: Insert the syscall rule in /etc/audit/audit.rules
   block:
     - name: "Construct rule: add rule list, action and arch"
-      set_fact: tmpline="-a always,exit -F arch={{{ arch }}} "
+      set_fact: tmpline="-a always,exit -F arch={{{ arch }}}"
     - name: "Construct rule: add syscalls"
-      set_fact: tmpline="{{tmpline + '-S ' + item.item + ' ' }}"
+      set_fact: tmpline="{{tmpline + ' -S ' + item.item }}"
       loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}"
       when: item.matched is defined and item.matched == 0
     - name: "Construct rule: add fields and key"
From 80a3b0cca2b3af62e1a7cff578a45e844bd12fb4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 30 Apr 2020 09:10:41 +0200
Subject: [PATCH 3/6] Add tests for audit_rules_time_clock_settime
---
 .../tests/correct_syscall.pass.sh                          | 7 +++++++
 .../tests/incorrect_arg_field.fail.sh                      | 7 +++++++
 .../tests/incorrect_syscall.fail.sh                        | 7 +++++++
 3 files changed, 21 insertions(+)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh
new file mode 100644
index 0000000000..b71cc454bc
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/correct_syscall.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_cis
+
+rm -rf /etc/audit/rules.d/*.rules
+echo "-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules
+echo "-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules
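Review bot: The pass scenario only writes the one layout the new Ansible macros' existence check accepts (field after the syscall and directly before `-k`), so it cannot tell whether the check and the remediation agree on rules written differently. A second pass scenario with the field before the syscall, e.g. `echo "-a always,exit -F arch=b64 -F a0=0x0 -S clock_settime -k time-change"`, and one with an extra field such as `-F a0=0x0 -F auid>=1000` would pin that down, presuming the check itself (not shown here) accepts both.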
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh
new file mode 100644
index 0000000000..add0722747
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_arg_field.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_cis
+
+rm -rf /etc/audit/rules.d/*.rules
+echo "-a always,exit -F arch=b32 -S clock_settime -F a0=0x1 -k time-change" >> /etc/audit/rules.d/time.rules
+echo "-a always,exit -F arch=b64 -S clock_settime -F a0=0x1 -k time-change" >> /etc/audit/rules.d/time.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh
new file mode 100644
index 0000000000..9ab5cc3bc4
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/tests/incorrect_syscall.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# profiles = xccdf_org.ssgproject.content_profile_cis
+
+rm -rf /etc/audit/rules.d/*.rules
+echo "-a always,exit -F arch=b32 -S stime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules
+echo "-a always,exit -F arch=b64 -S stime -F a0=0x0 -k time-change" >> /etc/audit/rules.d/time.rules
From a5b36f8400f821e35fc5a7e77b36a9fee0124702 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 30 Apr 2020 09:34:35 +0200
Subject: [PATCH 4/6] Add Ansible for audit syscall clock_settime
Also demonstrates how to use the fields parameter in ansible audit
syscall macro.
---
 .../ansible/shared.yml                        | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
new file mode 100644
index 0000000000..e77850fa25
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/ansible/shared.yml
@@ -0,0 +1,22 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+# What architecture are we on?
+#
+- name: Set architecture for audit tasks
+  set_fact:
+    audit_arch: "b{{ ansible_architecture | regex_replace('.*(\\d\\d$)','\\1') }}"
+
+- name: Perform remediation of Audit rules for clock_settime for x86 platform
+  block:
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
+    {{{ ansible_audit_auditctl_add_syscall_rule(arch="b32", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
+
+- name: Perform remediation of Audit rules for clock_settime for x86_64 platform
+  block:
+    {{{ ansible_audit_augenrules_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
+    {{{ ansible_audit_auditctl_add_syscall_rule(arch="b64", syscalls=["clock_settime"], key="time-change", fields=["a0=0x0"])|indent(4) }}}
+  when: audit_arch == "b64"
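Review bot: Only the b64 block is gated (+469); the b32 block at +451 runs on every host, and `audit_arch` at +447 is built with `regex_replace('.*(\\d\\d$)','\\1')`, which — as Python `re.sub` does — hands back the input unchanged when nothing matches, so on `ppc64le` or `s390x` the fact becomes `bppc64le`/`bs390x`, the b64 block is skipped and only a `-F arch=b32` rule is installed (how auditctl treats that there is not verifiable from this file). If the ungated b32 block is deliberate because x86_64 also needs the compat-arch rule, say so: `# the b32 rule is installed unconditionally: x86_64 hosts need it for 32-bit callers too`. The literal `a0=0x0` also deserves a comment; presumably a0 is clock_settime's clockid argument with 0 meaning CLOCK_REALTIME — confirm against the benchmark text before writing it down.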
From fe179d4d870878d29b603e7ab5a8bc79cb8eb05c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 30 Apr 2020 11:54:03 +0200
Subject: [PATCH 5/6] Fix regex spacing between fields and the key
There needs to be a space between them.
Change syntax to be consistent with rest of regex.
---
 shared/macros-ansible.jinja | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 2aaf0c366b..eeafe5f6d5 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -367,7 +367,7 @@ Note that if there  already exists a rule wit the same key in the /etc/audit/rul
 {{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}}
 {{% set fields_data = { 'regex' : "", 'list': "" } %}}
 {{% for field in fields %}}
-    {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}}
+    {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}}
     {{% set not_used = fields_data.update({'list': fields_data.list+ ' -F ' + field }) %}}
 {{% endfor %}}
 
@@ -440,7 +440,7 @@ The macro requires following parameters:
 {{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}}
 {{% set fields_data = { 'regex' : "", 'list': "" } %}}
 {{% for field in fields %}}
-    {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F\s+' + field + ')'}) %}}
+    {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}}
     {{% set not_used = fields_data.update({'list': fields_data.list + ' -F ' + field }) %}}
 {{% endfor %}}
 
From 5e13b1a6698d4403cf4108664fd2c33be5ee9109 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 30 Apr 2020 14:41:59 +0200
Subject: [PATCH 6/6] Improve macro documentation and clarify var name
---
 shared/macros-ansible.jinja | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index eeafe5f6d5..7b64341fb7 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -364,11 +364,14 @@ Note that if there  already exists a rule wit the same key in the /etc/audit/rul
 - name: Declare number of syscalls
   set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
 
-{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}}
-{{% set fields_data = { 'regex' : "", 'list': "" } %}}
+{{#
+This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope.
+See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments
+#}}
+{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}}
 {{% for field in fields %}}
     {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}}
-    {{% set not_used = fields_data.update({'list': fields_data.list+ ' -F ' + field }) %}}
+    {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}}
 {{% endfor %}}
 
 - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/
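Review bot: The expanded comment at +573..+579 explains the dict-mutation trick and links the Jinja docs, but still does not say what the two entries are for; a reader has to find `{{{ fields_data.regex }}}` in the find task below and `{{{ fields_data.plain_text }}}` in the rule-construction task to learn that one is appended to the existence-check pattern and the other to the generated rule line. I would add after the link: `'regex' is appended to the 'contains' pattern of the find task below; 'plain_text' is appended to the rule line that is inserted.` The macro continues beyond this hunk.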
@@ -410,7 +413,7 @@ Note that if there  already exists a rule wit the same key in the /etc/audit/rul
       loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}"
       when: item.matched is defined and item.matched == 0
     - name: "Construct rule: add fields and key"
-      set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}"
+      set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}"
     - name: "Insert the line in {{ all_files[0] }}"
       lineinfile:
         path: "{{ all_files[0] }}"
@@ -437,11 +440,14 @@ The macro requires following parameters:
 - name: Declare number of syscalls
   set_fact: audit_syscalls_number_of_syscalls="{{ syscalls|length|int }}"
 
-{{# This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope #}}
-{{% set fields_data = { 'regex' : "", 'list': "" } %}}
+{{#
+This dictionary is a Jinja2 trick to allow loops to change variables defined out of its scope.
+See official documentation: https://jinja.palletsprojects.com/en/2.11.x/templates/#assignments
+#}}
+{{% set fields_data = { 'regex' : "", 'plain_text': "" } %}}
 {{% for field in fields %}}
     {{% set not_used = fields_data.update({'regex': fields_data.regex + '(?:-F[\s]+' + field + '[\s]+)'}) %}}
-    {{% set not_used = fields_data.update({'list': fields_data.list + ' -F ' + field }) %}}
+    {{% set not_used = fields_data.update({'plain_text': fields_data.plain_text + ' -F ' + field }) %}}
 {{% endfor %}}
 
 - name: Check existence of syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules
@@ -464,7 +470,7 @@ The macro requires following parameters:
       loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}"
       when: item.matched is defined and item.matched == 0
     - name: "Construct rule: add fields and key"
-      set_fact: tmpline="{{ tmpline + '{{{ fields_data.list }}} -k {{{ key }}}' }}"
+      set_fact: tmpline="{{ tmpline + '{{{ fields_data.plain_text }}} -k {{{ key }}}' }}"
     - name: Insert the line in /etc/audit/audit.rules
       lineinfile:
         path: "/etc/audit/audit.rules"