Fix kernel.core_pattern with empty string rule
#9396
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel9 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffOCIL for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern_empty_string' differs:
--- old datastream
+++ new datastream
@@ -1,7 +1,7 @@
The runtime status of the kernel.core_pattern kernel parameter can be queried
by running the following command:
-$ sysctl kernel.core_pattern
-''.
+$ sysctl kernel.core_pattern | cat -A
+kernel.core_pattern = $
- Is it the case that the returned line does not have a value of ''.?
+ Is it the case that the returned line does not have an empty string?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern_empty_string' differs:
--- old datastream
+++ new datastream
@@ -1,3 +1,6 @@
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
@@ -18,11 +21,11 @@
#
# Set runtime for kernel.core_pattern
#
-/sbin/sysctl -q -n -w kernel.core_pattern="''"
+/sbin/sysctl -q -n -w kernel.core_pattern=""
#
-# If kernel.core_pattern present in /etc/sysctl.conf, change value to "''"
-# else, add "kernel.core_pattern = ''" to /etc/sysctl.conf
+# If kernel.core_pattern present in /etc/sysctl.conf, change value to empty
+# else, add "kernel.core_pattern =" to /etc/sysctl.conf
#
# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
@@ -36,7 +39,7 @@
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern")
# shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "''"
+printf -v formatted_output "%s=" "$stripped_key"
# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
@@ -46,11 +49,14 @@
"${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
else
# \n is precaution for case where file ends without trailing newline
- cce="CCE-86005-6"
- printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "/etc/sysctl.conf" >> "/etc/sysctl.conf"
+
printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern_empty_string' differs:
--- old datastream
+++ new datastream
@@ -34,10 +34,26 @@
- reboot_required
- sysctl_kernel_core_pattern_empty_string
-- name: Ensure sysctl kernel.core_pattern is set to ''
+- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf
+ files
+ replace:
+ path: /etc/sysctl.conf
+ regexp: ^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)
+ replace: '#kernel.core_pattern\1'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-86005-6
+ - disable_strategy
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+ - sysctl_kernel_core_pattern_empty_string
+
+- name: Ensure sysctl kernel.core_pattern is set to empty
sysctl:
name: kernel.core_pattern
- value: ''''''
+ value: ' '
state: present
reload: true
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"] |
ggbecker
force-pushed
the
fix-core-pattern-empty-string
branch
from
43f59ae
to
796d363
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
Mab879
previously requested changes
Aug 24, 2022
vojtapolasek
previously requested changes
Aug 25, 2022
...e/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
Show resolved
Hide resolved
...guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
Show resolved
Hide resolved
...uide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
Show resolved
Hide resolved
...uide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
Outdated
Show resolved
Hide resolved
...e/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
Show resolved
Hide resolved
...guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
Outdated
Show resolved
Hide resolved
|
For some reason, the test "validate-parse-affected" expects only one tag in OVAL checks. We need to either rewrite the test or rewrite this particular OVAL. I am more for rewriting of the test because the sysctl template generates basically the same OVAL check you write here. |
The new rule empty is applicable only to RHEL9 and if there would not be the restriction, then dangling references would be produced.
…ore_pattern_empty_string.
Comment out any offending line.
ggbecker
force-pushed
the
fix-core-pattern-empty-string
branch
from
ef8503d
to
8d6176c
Compare
ggbecker
force-pushed
the
fix-core-pattern-empty-string
branch
from
6e47df8
to
c5bcea3
Compare
...permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
Show resolved
Hide resolved
ggbecker
force-pushed
the
fix-core-pattern-empty-string
branch
from
7358c0f
to
243347a
Compare
|
Code Climate has analyzed commit 243347a and detected 1 issue on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.5% (0.0% change). View more on Code Climate. |
matusmarhefka
approved these changes
Aug 25, 2022
matusmarhefka
dismissed stale reviews from vojtapolasek and Mab879
Feedback has been addressed
|
@ggbecker While looking at the generated # Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
...
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
fiNot a big deal, but, if possible, consider looking into it. Thanks! |
I'll fix on a follow up PR, thanks for noticing it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
kernel.core_patternwith empty string rule