From c91d25e9398028bd9b0032a776456bf5ff6fdeed Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 31 Mar 2020 12:45:32 +0200
Subject: [PATCH 1/5] modify templates
---
shared/templates/template_OVAL_grub2_bootloader_argument | 2 +-
ssg/templates.py | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument
index 77497d21bc..132e676cc5 100644
--- a/shared/templates/template_OVAL_grub2_bootloader_argument
+++ b/shared/templates/template_OVAL_grub2_bootloader_argument
@@ -1,5 +1,5 @@
<def-group>
- <definition class="compliance" id="grub2_{{{ ARG_NAME }}}_argument" version="2">
+ <definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
<metadata>
<title>Ensure GRUB 2 is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
{{{- oval_affected(products) }}}
diff --git a/ssg/templates.py b/ssg/templates.py
index e5ed4890b4..7e4264d0e2 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -200,6 +200,9 @@ def file_permissions(data, lang):
@template(["ansible", "bash", "oval"])
def grub2_bootloader_argument(data, lang):
+ if lang == "oval":
+ # solve the case where argument contains dot
+ data["arg_name"].replace(".", "\\.")
data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
return data
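Review bot: The added `data["arg_name"].replace(".", "\\.")` discards its result, so `data["arg_name"]` is never escaped and the OVAL branch is a no-op — `str.replace` returns a new string rather than mutating. The line would need to be `data["arg_name"] = data["arg_name"].replace(".", "\\.")`, and note that escaping `arg_name` before it is concatenated into `arg_name_value` on the next line would also put the backslash into every non-regex use of that value; PATCH 4/5 and 5/5 of this series rework this, so the fix belongs there rather than as a follow-up. The `@template` decorator on the line above is the start of the enclosing definition.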
From bd6ebf4ae6e579ef56c6420307e4c39fc5637258 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 31 Mar 2020 12:46:56 +0200
Subject: [PATCH 2/5] rename rule, add tests
---
.../rule.yml | 0
.../arg_not_there_etcdefaultgrub.fail.sh | 7 ++++++
...e_etcdefaultgrub_recovery_disabled.fail.sh | 17 +++++++++++++
.../tests/arg_not_there_rhel7.fail.sh | 8 +++++++
.../tests/arg_not_there_rhel8.fail.sh | 8 +++++++
.../tests/correct_grubby.pass.sh | 13 ++++++++++
.../tests/correct_grubenv.pass.sh | 4 ++++
.../tests/correct_recovery_disabled.pass.sh | 24 +++++++++++++++++++
.../tests/correct_value.pass.sh | 12 ++++++++++
.../tests/wrong_value_etcdefaultgrub.fail.sh | 11 +++++++++
...e_etcdefaultgrub_recovery_disabled.fail.sh | 22 +++++++++++++++++
.../tests/wrong_value_rhel7.fail.sh | 13 ++++++++++
.../tests/wrong_value_rhel8.fail.sh | 12 ++++++++++
13 files changed, 151 insertions(+)
rename linux_os/guide/system/network/network-ipv6/disabling_ipv6/{grub2_disable_ipv6 => grub2_ipv6_disable_argument}/rule.yml (100%)
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
similarity index 100%
rename from linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
rename to linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
new file mode 100644
index 0000000000..33f6be147e
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bas
+# platform = Red Hat Enterprise Linux 7
+
+# Removes ipv6.disable argument from kernel command line in /etc/default/grub
+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+fi
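Review bot: The shebang on the first line of this new file is `#!/bin/bas`, not `#!/bin/bash`; if the test harness ever executes the script directly rather than via `bash file`, it fails with "bad interpreter" before touching `/etc/default/grub`. Every sibling test in this commit uses `#!/bin/bash`, so the fix is the one-line change `#!/bin/bash`.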
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh
new file mode 100644
index 0000000000..6163f9fbaa
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+# Removes ipv6.disable argument from kernel command line in /etc/default/grub
+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+fi
+
+# removing the parameter from the no recovery kernel parameters as well
+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+
+# disabling recovery
+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
+
+#if the line is not present at all, add it
+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
+ echo 'GRUB_CMDLINE_LINUX_DEFAULT=""' >> /etc/default/grub
+fi
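Review bot: `sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/'` only rewrites an existing `GRUB_DISABLE_RECOVERY=` line; when the key is absent from `/etc/default/grub` the file is left unchanged and the "disabling recovery" comment does not hold. The script already handles the absent-line case for `GRUB_CMDLINE_LINUX_DEFAULT` a few lines down, so the same guard would keep the scenario consistent: `if ! grep -q '^GRUB_DISABLE_RECOVERY=' /etc/default/grub; then echo 'GRUB_DISABLE_RECOVERY=true' >> /etc/default/grub; fi`. The same pattern appears in correct_recovery_disabled.pass.sh (L167–L190), where a missing key would make the pass test fail spuriously because the OVAL branch for GRUB_CMDLINE_LINUX_DEFAULT is ANDed with the recovery-disabled definition, and in wrong_value_etcdefaultgrub_recovery_disabled.fail.sh (L232–L253).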
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh
new file mode 100644
index 0000000000..5becb561a6
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+# Removes ipv6.disable argument from kernel command line in /boot/grub2/grub.cfg
+file="/boot/grub2/grub.cfg"
+if grep -q '^.*ipv6\.disable=.*' "$file" ; then
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file"
+fi
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh
new file mode 100644
index 0000000000..5d8daaa6bc
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+# Removes ipv6.disable argument from kernel command line in /boot/grub2/grubenv
+file="/boot/grub2/grubenv"
+if grep -q '^.*ipv6\.disable=.*' "$file" ; then
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file"
+fi
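Review bot: Editing `/boot/grub2/grubenv` with `sed -i` on the line above changes the file's length, but grubenv is a fixed-size GRUB environment block (1024 bytes, padded with `#`), so after this edit `grub2-editenv` reports an invalid environment block even though the OVAL textfilecontent check may still read the `kernelopts=` line. The sibling correct_grubenv.pass.sh (L157–L160) already goes through `grub2-editenv - set`; the same approach would keep the file valid here, e.g. `grub2-editenv - set "$(grub2-editenv - list | grep kernelopts | sed 's/ipv6\.disable=[^[:space:]]*//')"`. The same `sed -i` on grubenv appears in wrong_value_rhel8.fail.sh (L279–L290).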
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh
new file mode 100644
index 0000000000..59b18bd049
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub'
+else
+ # no ipv6.disable=arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub'
+fi
+
+grubby --update-kernel=ALL --args="ipv6.disable=1"
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh
new file mode 100644
index 0000000000..0e84a458ca
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh
new file mode 100644
index 0000000000..e36f81903d
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub'
+else
+ # no ipv6.disable=arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub'
+fi
+
+# removing the parameter from the no recovery kernel parameters as well
+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+
+# disabling recovery
+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
+
+#if the line is not present at all, add it
+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
+ echo 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"' >> /etc/default/grub
+fi
+
+grubby --update-kernel=ALL --args="ipv6.disable=1"
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..eb7c07ce7f
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub'
+else
+ # no ipv6.disable=arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub'
+fi
+
+grubby --update-kernel=ALL --args="ipv6.disable=1"
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh
new file mode 100644
index 0000000000..4e7492b588
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+# Break the ipv6.disable argument in kernel command line in /etc/default/grub
+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=0 \2/' '/etc/default/grub'
+else
+ # no ipv6.disable=arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=0"/' '/etc/default/grub'
+fi
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
new file mode 100644
index 0000000000..85cc596ca8
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+# Break the ipv6.disable argument in kernel command line in /etc/default/grub
+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=0 \2/' '/etc/default/grub'
+else
+ # no ipv6\.disable=arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 ipv6\.disable=0"/' '/etc/default/grub'
+fi
+
+# removing the parameter from the no recovery kernel parameters as well
+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+
+# disabling recovery
+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
+
+#if the line is not present at all, add it
+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
+ echo 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=0"' >> /etc/default/grub
+fi
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh
new file mode 100644
index 0000000000..a37b45c4ad
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+# Break the ipv6.disable argument in kernel command line in /boot/grub2/grub.cfg
+file="/boot/grub2/grub.cfg"
+if grep -q '^.*ipv6\.disable=.*' "$file" ; then
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file"
+else
+ # no ipv6.disable=arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 ipv6\.disable=0/' "$file"
+fi
+
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh
new file mode 100644
index 0000000000..db339c3534
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+# Break the ipv6.disable argument in kernel command line in /boot/grub2/grubenv
+file="/boot/grub2/grubenv"
+if grep -q '^.*ipv6\.disable=.*' "$file" ; then
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file"
+else
+ # no ipv6.disable=arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 ipv6\.disable=0/' "$file"
+fi
From b55cda3227d9fdcc1eac91e3e4cd22aaf03e80c5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 31 Mar 2020 12:47:20 +0200
Subject: [PATCH 3/5] adjust cis profiles
---
rhel7/profiles/cis.profile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index 76506c9369..739ed27200 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -351,7 +351,7 @@ selections:
- sysctl_net_ipv6_conf_default_accept_redirects
### 3.3.3 Ensure IPv6 is disabled (Not Scored)
- - grub2_disable_ipv6
+ - grub2_ipv6_disable_argument
## 3.4 TCP Wrappers
### 3.4.1 Ensure TCP Wrappers is installed (Scored)
From 7421ab585ec1e0314298a2dbb6b0b181daf53bce Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 31 Mar 2020 16:04:27 +0200
Subject: [PATCH 4/5] add escaped dot only in arg_name_value
---
ssg/templates.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssg/templates.py b/ssg/templates.py
index 7e4264d0e2..ba6d8dc7fe 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -200,10 +200,10 @@ def file_permissions(data, lang):
@template(["ansible", "bash", "oval"])
def grub2_bootloader_argument(data, lang):
+ data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
if lang == "oval":
# solve the case where argument contains dot
- data["arg_name"].replace(".", "\\.")
- data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
+ data["arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
return data
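Review bot: Escaping `data["arg_name_value"]` in place for the oval language also changes the value that the template renders into human-readable text — `{{{ ARG_NAME_VALUE }}}` is used in the `<title>` and `comment` attributes as well as in the state regex — so titles and comments would read `ipv6\.disable=1`. Keeping `arg_name_value` unescaped and adding a separate key for the regex, e.g. `data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")`, avoids that; PATCH 5/5 in this series does exactly this split, so it is worth squashing rather than leaving the intermediate state in history. The `@template` decorator that starts this definition is on the line above the hunk.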
From 3e41fffc62e50e771a2f410d43bd600c8e5849ee Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 1 Apr 2020 11:58:11 +0200
Subject: [PATCH 5/5] make oval ids use _ instead of .
---
.../template_OVAL_grub2_bootloader_argument | 44 +++++++++----------
ssg/templates.py | 6 ++-
2 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument
index 132e676cc5..a18f85f5e8 100644
--- a/shared/templates/template_OVAL_grub2_bootloader_argument
+++ b/shared/templates/template_OVAL_grub2_bootloader_argument
@@ -7,61 +7,61 @@
</metadata>
<criteria operator="AND">
{{% if product in ["rhel7", "ol7", "rhv4"] %}}
- <criterion test_ref="test_grub2_{{{ ARG_NAME }}}_argument_grub_cfg"
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the /boot/grub2/grub.cfg for all kernels" />
<criteria operator="OR">
- <criterion test_ref="test_grub2_{{{ ARG_NAME }}}_argument"
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX" />
<criteria operator="AND">
- <criterion test_ref="test_grub2_{{{ ARG_NAME }}}_argument_default"
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_default"
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" />
<extend_definition definition_ref="bootloader_disable_recovery_set_to_true"
comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" />
</criteria>
</criteria>
{{% else %}}
- <criterion test_ref="test_grub2_{{{ ARG_NAME }}}_argument_grub_env"
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
comment="Check if {{{ ARG_NAME_VALUE }}} is present in the GRUB2 environment variable block in /boot/grub2/grubenv" />
{{% endif %}}
</criteria>
</definition>
{{% if product in ["rhel7", "ol7", "rhv4"] %}}
- <ind:textfilecontent54_test id="test_grub2_{{{ ARG_NAME }}}_argument"
+ <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX"
check="all" check_existence="all_exist" version="1">
- <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument" />
- <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
+ <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_grub2_{{{ ARG_NAME }}}_argument" version="1">
+ <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" version="1">
<ind:filepath>/etc/default/grub</ind:filepath>
<ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_test id="test_grub2_{{{ ARG_NAME }}}_argument_default"
+ <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_default"
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"
check="all" check_existence="all_exist" version="1">
- <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument_default" />
- <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
+ <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_default" />
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_grub2_{{{ ARG_NAME }}}_argument_default"
+ <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_default"
version="1">
<ind:filepath>/etc/default/grub</ind:filepath>
<ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_test id="test_grub2_{{{ ARG_NAME }}}_argument_grub_cfg"
+ <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} in /boot/grub2/grub.cfg for all kernels"
check="all" check_existence="all_exist" version="1">
- <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument_grub_cfg" />
- <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
+ <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg" />
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_grub2_{{{ ARG_NAME }}}_argument_grub_cfg"
+ <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
version="1">
<ind:filepath>/boot/grub2/grub.cfg</ind:filepath>
{{% if product == "rhel7" %}}
@@ -74,14 +74,14 @@
{{% else %}}
- <ind:textfilecontent54_test id="test_grub2_{{{ ARG_NAME }}}_argument_grub_env"
+ <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
comment="check forkernel command line parameters {{{ ARG_NAME_VALUE }}} in /boot/grub2/grubenv for all kernels"
check="all" check_existence="all_exist" version="1">
- <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument_grub_env" />
- <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
+ <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env" />
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_grub2_{{{ ARG_NAME }}}_argument_grub_env"
+ <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
version="1">
<ind:filepath>/boot/grub2/grubenv</ind:filepath>
<ind:pattern operation="pattern match">^kernelopts=(.*)$</ind:pattern>
@@ -90,9 +90,9 @@
{{% endif %}}
- <ind:textfilecontent54_state id="state_grub2_{{{ ARG_NAME }}}_argument"
+ <ind:textfilecontent54_state id="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
version="1">
- <ind:subexpression datatype="string" operation="pattern match">^.*{{{ ARG_NAME_VALUE }}}.*$</ind:subexpression>
+ <ind:subexpression datatype="string" operation="pattern match">^.*{{{ ESCAPED_ARG_NAME_VALUE }}}.*$</ind:subexpression>
</ind:textfilecontent54_state>
</def-group>
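Review bot: The state pattern `^.*{{{ ESCAPED_ARG_NAME_VALUE }}}.*$` is an unanchored substring match, so a kernel command line containing `ipv6.disable=10` or `xipv6.disable=1` would satisfy a check for `ipv6.disable=1`. Bounding the argument by whitespace or line edges, e.g. `(^|.*\s){{{ ESCAPED_ARG_NAME_VALUE }}}(\s.*|$)`, keeps the check from accepting a different argument or value; confirm the OVAL regex engine in use accepts `\s`, which the other patterns in this file already rely on for `^\s*GRUB_CMDLINE_LINUX=`.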
diff --git a/ssg/templates.py b/ssg/templates.py
index ba6d8dc7fe..3f12968b66 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -202,8 +202,10 @@ def file_permissions(data, lang):
def grub2_bootloader_argument(data, lang):
data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
if lang == "oval":
- # solve the case where argument contains dot
- data["arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
+ # escape dot, this is used in oval regex
+ data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
+ # replace . with _, this is used in test / object / state ids
+ data["sanitized_arg_name"] = data["arg_name"].replace(".", "_")
return data
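Review bot: `replace(".", "\\.")` on the `escaped_arg_name_value` line escapes only dots, so any other regex metacharacter in `arg_name` or `arg_value` (`+`, `*`, `?`, `[`, `(`) would still be interpreted by the OVAL pattern the value is interpolated into. `re.escape(data["arg_name_value"])` covers them all and is a one-line swap (add `import re` if ssg/templates.py does not already import it); confirm that the OVAL regex engine accepts the escaped non-metacharacters Python 2's `re.escape` also emits, such as `\=`. Likewise `replace(".", "_")` on the `sanitized_arg_name` line only handles dots, so `re.sub(r"[^A-Za-z0-9_]", "_", data["arg_name"])` would give ids that stay valid for any argument name, if other separators are ever used. The `@template` decorator that begins this definition is on the line above the hunk.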