Handle XCCDF variable in key_value_pair_in_file template

[vojtapolasek]

Description:

• modify the template so that it can handle also XCCDF variables
• demonstrate that it works on the rule selinux_policytype
• also switch the rule configure_usbguard_auditbackend to the template... because I chose it first and realized too late that it does not use XCCDF variable

Rationale:

• this removes duplicate code and makes future rule authoring easier

Review Hints:

• I recommend building the content without this PR and comparing ovals and remediations of two rules mentioned above with the content built with this PR

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- oval:ssg-selinux_policytype:def:1
+++ oval:ssg-selinux_policytype:def:1
@@ -1,2 +1,4 @@
 criteria AND
-criterion oval:ssg-test_selinux_policy:tst:1
+criteria OR
+criterion oval:ssg-test_selinux_policytype:tst:1
+criterion oval:ssg-test_selinux_policytype_config_file_exists:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -2,7 +2,6 @@
 if rpm --quiet -q kernel; then
 
 var_selinux_policy_name=''
-
 
 if [ -e "/etc/selinux/config" ] ; then
     

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -12,11 +12,11 @@
   - NIST-800-53-SC-7(21)
   - PCI-DSSv4-1.2
   - PCI-DSSv4-1.2.6
+  - configure_strategy
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
-  - restrict_strategy
+  - no_reboot_needed
   - selinux_policytype
 - name: XCCDF Value var_selinux_policy_name # promote to variable
   set_fact:
@@ -64,9 +64,9 @@
   - NIST-800-53-SC-7(21)
   - PCI-DSSv4-1.2
   - PCI-DSSv4-1.2.6
+  - configure_strategy
   - low_complexity
   - low_disruption
   - medium_severity
-  - reboot_required
-  - restrict_strategy
+  - no_reboot_needed
   - selinux_policytype

bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' differs.
--- xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
+++ xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
@@ -3,7 +3,7 @@
 
 if [ -e "/etc/usbguard/usbguard-daemon.conf" ] ; then
     
-    LC_ALL=C sed -i "/^\s*AuditBackend=/d" "/etc/usbguard/usbguard-daemon.conf"
+    LC_ALL=C sed -i "/^[ \\t]*AuditBackend=/Id" "/etc/usbguard/usbguard-daemon.conf"
 else
     touch "/etc/usbguard/usbguard-daemon.conf"
 fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' differs.
--- xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
+++ xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
@@ -7,12 +7,12 @@
   - NIST-800-53-AU-2
   - NIST-800-53-CM-8(3)
   - NIST-800-53-IA-3
+  - configure_strategy
   - configure_usbguard_auditbackend
   - low_complexity
   - low_disruption
   - low_severity
   - no_reboot_needed
-  - restrict_strategy
 
 - name: Log USBGuard daemon audit events using Linux Audit
   block:
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/usbguard/usbguard-daemon.conf
       create: true
-      regexp: (?i)^\s*AuditBackend=
+      regexp: (?i)^[ \\t]*AuditBackend=
       state: absent
     check_mode: true
     changed_when: false
@@ -31,7 +31,7 @@
     lineinfile:
       path: /etc/usbguard/usbguard-daemon.conf
       create: true
-      regexp: (?i)^\s*AuditBackend=
+      regexp: (?i)^[ \\t]*AuditBackend=
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -39,7 +39,7 @@
     lineinfile:
       path: /etc/usbguard/usbguard-daemon.conf
       create: true
-      regexp: (?i)^\s*AuditBackend=
+      regexp: (?i)^[ \\t]*AuditBackend=
       line: AuditBackend=LinuxAudit
       state: present
   when:
@@ -51,9 +51,9 @@
   - NIST-800-53-AU-2
   - NIST-800-53-CM-8(3)
   - NIST-800-53-IA-3
+  - configure_strategy
   - configure_usbguard_auditbackend
   - low_complexity
   - low_disruption
   - low_severity
   - no_reboot_needed
-  - restrict_strategy

[jan-cerny]

Why do you disable the templated scenarios? I can see that you modified the templated scenarios to make them work also if the XCCDF value is provided, but on this rule where you want to demonstrate it you disabled them.

[jan-cerny]

I don't like that this macro generates a local variable that references an external variable. Also, I don't like that the generated local variable has a comment: Regex that matches exact value represented by var_selinux_policy_name XCCDF variable. That is misleading, at least for the OVAL in rule selinux_policytype, the XCCDF value isn't a regular expression and the local variable isn't used in a pattern match operation but in a equals operation.

[codeclimate]

Code Climate has analyzed commit 568982f and detected 2 issues on this pull request.

Here's the issue category breakdown:

Category	Count
Duplication	2

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 62.0% (0.1% change).

View more on Code Climate.