Sysctl improvements #10534
Commits on May 12, 2023
- e4353d4 feature: ssg: add escape_regex_all and escape_regex_sq
  Use str.translate method like python does.
- 5d5821e
- d0c432b feature: bash: add bash_sed_escape_*
  bash_sed_escape_regexp is for the s regexp and bash_sed_escape_replacement is for the replacement.
- eca3fc7 feature: bash: add bash_sysctl_*
  /etc/sysctl.conf or any related directories might not exist. Implement `bash_sysctl_test_clean` to ensure all sysctl directories and files do exist, and there can only be configuration at `/etc/sysctl.conf`.
  Implement `bash_sysctl_set_remediate_file_name`. Only one place to set which file is used to set `sysctl` remediation variables.
  Implement `bash_sysctl_set_config_directories`. Per product list of directories we are managing. Not all products manage all directories. If there is some reason to modify this phase, now there is a shared place to do it.
  Use it in all `sysctl` template tests. Also match documentation to implementation.
  From sysctl.conf(5):
  ...
  FILES
      /etc/sysctl.d/*.conf
      /run/sysctl.d/*.conf
      /usr/local/lib/sysctl.d/*.conf
      /usr/lib/sysctl.d/*.conf
      /lib/sysctl.d/*.conf
      /etc/sysctl.conf
  ...
- 95f6a3e fix: bash_replace_or_append: use bash_sed_escape_replacement
  Use bash pattern to strip key from undesirables instead of invoking sed. Some style fixes.
- de77cd1
- 6807cb4 feature: bash_replace_or_append: add key_regex
  Baseline function striped_key just does not support complex enough regexps for key.
- a9d8a7d feature: bash_replace_or_append: add ignore_case
  Sometimes data is not case insensitive and case cannot be ignored.
- fe359f9 feature: bash_replace_or_append: add word_boundary
  Sometimes data does not end at a word boundary as the regexp word boundary \> understands it.
- c3632e2
- b2b78bf
- a3f8558 fix: sysctl/bash: follow sysctl quirks more
  Try to implement support for all quirks from manuals. Use slightly changed logic, `bash_sed_escape_regexp`, and `quote` to achieve this. Avoid per product quirks here by using `bash_sysctl_set_config_directories` and `bash_sysctl_set_remediate_file_name`.
  Add LC_ALL=C to checks.
  Assume sysctl values can never contain \n. Most probably bad OVAL with too broad regex capture, or no capture at all, so it gets all whitespace around. sed does not allow multiline regexps and you get errors like:
  sed: -e expression #1, char 67: unterminated `s' command
  Use set -epu to fail if there are any issues.
  Try to minimize unnecessary newlines in created files.
- 82624ff fix: sysctl/tests: change wrong_value_d_directory.fail.sh to test all directories
  And thus wrong_value_usr_local_lib.fail.sh is not needed any more. Now wrong_value_d_directory.fail.sh tests OVAL so that it finds all relevant wrong values. During remediation, test that all relevant wrong values are fixed.
  I believe testing one directory at a time is not a beneficial usage of testing resources. As we want to test one item, it is to test if the list of directories implemented in OVAL or in remediation are not in sync.
- 5af086b fix: sysctl: allow template to set correct_sysctlval_for_testing, wrong_sysctlval_for_testing
  Implemented heuristics might not always work, especially with multivalue settings like `net.ipv4.ip_local_port_range`. Also handle 'E226 missing whitespace around arithmetic operator'.
- 7591877 change: sysctl_kernel_perf_event_paranoid: allow 3 too
  There is a patchset to enable this: https://patchwork.kernel.org/project/linux-hardening/patch/1469630746-32279-1-git-send-email-jeffv@google.com/
  Some distros might have this enabled. Add variable sysctl_kernel_perf_event_paranoid_value, as a variable is required when multiple values are possible.
- af46ce0 feature: oval: add oval_list_to_set
  Oval set can have only up to 2 items. This converts a list to one set, as it can get quite tedious if done by hand.
- 9a6b2a2
- 3d77266
- 4267427
- a85e3f6
- e647e3c change: sysctl/oval: sysctl quirks
  Handle sysctl_dirs as a list. Rename elements according to Style Guide. Try to minimize extra newlines and use indentation as per Style Guide. Use oval_list_to_set to create <set> for 'unfiltered'. Try to handle sysctl quirks. Check sysctlval type. This helps logic.
- ce39fa2 change: sysctl/ansible: ensure sysctl value is actually set
  ansible-doc sysctl
  ...
  - sysctl_set
        Verify token value with the sysctl command and set with -w if necessary.
  ...
- 49c99fc
- 9458487
- c985906
- 5ed3057
- 779e30b change: sysctl_net_ipv4_ip_local_port_range: add variable support
  When you combine xccdf variables and a format other than simple int / string, there is no generic way to implement comparison. So I decided just to use a per name comparison method.
- e751de4 fix: sysctl: remove unnecessary tests/shared/sysctl.sh
  Function sysctl_set_kernel_setting_to is not used anywhere.
- ee35e94
- 7463627 fix: sysctl: allow to handle empty values
  Previously SYSCTLVAL == "" meant a variable, and this did not allow handling empty values. Change SYSCTLVAL to be not defined when having a variable, and this issue is solved.
- 8de43b2 change: sysctl_kernel_core_pattern_empty_string: use sysctl template
  Handle empty string in ansible because the `sysctl` module does not handle empty string.
- 1d4a663 bugfix: aide_check_audit_tools: Ensure no suffix prefix
  Change state_aide_check_attributes to ensure no prefix/suffix for pattern. Fix correct_with_selinux.pass.sh. Also use packages to ensure the aide package is installed in tests.
- 3f951f1
- fe0930f bugfix: rsyslog_remote_loghost: word_boundary is space or tab
  Default word_boundary in bash_replace_or_append \> does not work with *.* and the like. Replace regexp in all types to be the same. Avoid copy-paste in OVAL.
  rsyslog.conf(5)
  ...
  Rules (selector + action)
      Every rule line consists of two fields, a selector field and an action field. These two fields are separated by one or more spaces or tabs. The selector field specifies a pattern of facilities and priorities belonging to the specified action.
  ...
- 17c6d50 fix: rsyslog_logfiles_attributes_modify/bash: handle conf w/o paths
  Also drop comment or empty lines with whitespace at start of line.
Commits on May 14, 2023
- e2b701f
- 4972177
- b906e08
- 9e31c29
- d773b16
- 054b3d3
- d3565e2
- 63fe82c fix: sysctl/ansible: FQDN ansible.posix.sysctl not in 2.9
  Newer ansible (mine 2.14) has sysctl at ansible.posix.sysctl. But the build system does not accept it:
  Found module which is not allowed: {'tags', 'name', 'when', 'ansible.posix.sysctl'}
  and
  ERROR! couldn't resolve module/action 'ansible.posix.sysctl'. This often indicates a misspelling, missing collection, or incorrect module path.
- a89d834
  the replacement string in double-quoted pattern substitution does not undergo quote removal, as it does in versions after bash-4.2