Merge pull request #10482 from teacup-on-rockingchair/sle_dropin_cfg_…

…emergency_target_auth SLE add ability to configure emergency via dropin
ComplianceAsCode · May 10, 2023 · 5827fbe · 5827fbe
2 parents 8b2c5b9 + 02f4dc8
commit 5827fbe
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 13 deletions.
diff --git a/.../guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml b/.../guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml
@@ -4,13 +4,23 @@
 # complexity = low
 # disruption = low
 
+{{% if 'sle' in product %}}
+- name: Require emergency mode password
+  ansible.builtin.blockinfile:
+      create: yes
+      dest: /etc/systemd/system/emergency.service.d/10-oscap.conf
+      block: |
+        [Service]
+        ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+{{% else %}}
 - name: Require emergency mode password
   lineinfile:
       create: yes
       dest: /usr/lib/systemd/system/emergency.service
       regexp: "^#?ExecStart="
-      {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9","sle12", "sle15"] -%}}
+      {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] -%}}
       line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency"
       {{%- else -%}}
       line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
       {{%- endif %}}
+{{% endif %}}
diff --git a/...x_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh b/...x_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh
@@ -1,15 +1,26 @@
 # platform = multi_platform_all
 
+{{% if 'sle' in product %}}
+service_dropin_cfg_dir="/etc/systemd/system/emergency.service.d"
+service_dropin_file="${service_dropin_cfg_dir}/10-oscap.conf"
+{{% else %}}
 service_file="/usr/lib/systemd/system/emergency.service"
+{{% endif %}}
 
 {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}}
 sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency"
 {{%- else -%}}
 sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
 {{%- endif %}}
 
+{{% if 'sle' in product %}}
+mkdir -p "${service_dropin_cfg_dir}"
+echo "[Service]" >> "${service_dropin_file}"
+echo "ExecStart=-$sulogin" >> "${service_dropin_file}"
+{{% else %}}
 if grep "^ExecStart=.*" "$service_file" ; then
     sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file"
 else
     echo "ExecStart=-$sulogin" >> "$service_file"
 fi
+{{% endif %}}
diff --git a/..._os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/..._os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
@@ -2,13 +2,25 @@
   <definition class="compliance" id="require_emergency_target_auth" version="1">
     {{{ oval_metadata("The requirement for a password to boot into emergency mode
       should be configured correctly.") }}}
-    <criteria operator="AND">
-      <criterion comment="Conditions are satisfied"
-      test_ref="test_require_emergency_service" />
-      <criterion test_ref="test_require_emergency_service_emergency_target" />
-      <criterion test_ref="test_no_custom_emergency_target" negate="true"/>
-      <criterion test_ref="test_no_custom_emergency_service" negate="true"/>
+{{% if 'sle' in product %}}
+    <criteria operator="OR">
+{{% endif %}}
+      <criteria operator="AND">
+        <criterion comment="Conditions are satisfied"
+          test_ref="test_require_emergency_service" />
+        <criterion test_ref="test_require_emergency_service_emergency_target" />
+        <criterion test_ref="test_no_custom_emergency_target" negate="true"/>
+        <criterion test_ref="test_no_custom_emergency_service" negate="true"/>
+      </criteria>
+{{% if 'sle' in product %}}
+      <criteria operator="OR">
+        <criterion comment="Check /usr/lib/* configuration"
+          test_ref="test_require_emergency_service" />
+        <criterion comment="Check drop-in configuration"
+          test_ref="test_require_emergency_service_dropin" />
+      </criteria>
     </criteria>
+{{% endif %}}
   </definition>
   <ind:textfilecontent54_test check="all" check_existence="all_exist"
     comment="Tests that
@@ -18,8 +30,8 @@
     /sbin/sulogin
     {{%- endif %}}
     was not removed from the default systemd emergency.service to ensure that a
-  password must be entered to access single user mode"
-  id="test_require_emergency_service" version="1">
+    password must be entered to access single user mode"
+    id="test_require_emergency_service" version="1">
     <ind:object object_ref="obj_require_emergency_service" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="obj_require_emergency_service" version="1">
@@ -32,6 +44,23 @@
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
+{{% if 'sle' in product %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+    comment="Tests that
+    /usr/lib/systemd/systemd-sulogin-shell
+    was not removed from the default systemd emergency.service to ensure that a
+    password must be entered to access single user mode"
+    id="test_require_emergency_service_dropin" version="1">
+    <ind:object object_ref="obj_require_emergency_service_dropin" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_require_emergency_service_dropin" version="1">
+    <ind:path>/etc/systemd/system/emergency.service.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endif %}}
+
   <ind:textfilecontent54_test check="all" check_existence="all_exist"
     comment="Tests that the systemd emergency.service is in the emergency.target"
     id="test_require_emergency_service_emergency_target" version="1">
@@ -49,19 +78,19 @@
     <unix:object object_ref="object_no_custom_emergency_service" />
   </unix:file_test>
   <unix:file_object comment="look for emergency.service in /etc/systemd/system"
-  id="object_no_custom_emergency_service" version="1">
+    id="object_no_custom_emergency_service" version="1">
     <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all" />
     <unix:path operation="equals">/etc/systemd/system</unix:path>
     <unix:filename operation="pattern match">^emergency.service$</unix:filename>
   </unix:file_object>
 
   <unix:file_test check="all" check_existence="at_least_one_exists"
-  comment="look for emergency.target in /etc/systemd/system"
-  id="test_no_custom_emergency_target" version="1">
+    comment="look for emergency.target in /etc/systemd/system"
+    id="test_no_custom_emergency_target" version="1">
     <unix:object object_ref="object_no_custom_emergency_target" />
   </unix:file_test>
   <unix:file_object comment="look for emergency.target in /etc/systemd/system"
-  id="object_no_custom_emergency_target" version="1">
+    id="object_no_custom_emergency_target" version="1">
     <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all" />
     <unix:path operation="equals">/etc/systemd/system</unix:path>
     <unix:filename operation="pattern match">^emergency.target$</unix:filename>