
Some new rules and mostly related fixes #10409

Closed
wants to merge 37 commits into from

Conversation

maage
Contributor

@maage maage commented Apr 2, 2023

Description:

Support init_on_free, more rules to disable rarely used kernel module, subsystems not usually in use in servers, and some newer sysctls.

Rationale:

Just expand rules to match my view.

Review Hints:

Docstrings should be checked for validity and readability.

I enabled most new features only on Fedora and there is no linkage to any external documents.

openshift-ci bot added the do-not-merge/work-in-progress and needs-ok-to-test labels on Apr 2, 2023
@openshift-ci

openshift-ci bot commented Apr 2, 2023

Hi @maage. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@github-actions

github-actions bot commented Apr 2, 2023

Start a new ephemeral environment with changes proposed in this pull request:

- rhel8 (from CTF) Environment (using Fedora as testing environment)
- Fedora Testing Environment
- Oracle Linux 8 Environment

@github-actions

github-actions bot commented Apr 2, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6%0A@@ -50,6 +50,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-85904-1%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6%0A@@ -50,6 +50,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-86004-9%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra%0A@@ -56,6 +56,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81006-9%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84272-4%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84280-7%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84288-0%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects%0A@@ -61,6 +61,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81009-3%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route%0A+++ 
xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route%0A@@ -57,6 +57,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81013-5%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf%0A@@ -46,6 +46,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84266-6%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding%0A@@ -58,6 +58,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-82863-2%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84259-1%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations' 
differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84109-8%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra%0A@@ -57,6 +57,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81007-7%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84268-2%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"]%0A   tags:%0A   - CCE-84051-2%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84291-4%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects%0A@@ -57,6 +57,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81010-1%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route%0A@@ -63,6 +63,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81015-0%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf%0A@@ -47,6 +47,7 
@@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84264-1%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84257-5%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-83477-0%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local%0A@@ -42,6 +42,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-88789-3%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects' differs.%0A--- 
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects%0A@@ -61,6 +61,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-80917-8%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route%0A@@ -61,6 +61,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81011-9%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter%0A@@ -46,6 +46,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-88555-8%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore%0A@@ -46,6 +46,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-88889-1%0A%0Aansible 
remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_drop_gratuitous_arp' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_drop_gratuitous_arp%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_drop_gratuitous_arp%0A@@ -42,6 +42,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-88001-3%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding%0A@@ -50,6 +50,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-86220-1%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians%0A@@ -55,6 +55,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81018-4%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet%0A@@ -42,6 +42,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: 
ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-88023-7%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter%0A@@ -60,6 +60,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81021-8%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects%0A@@ -59,6 +59,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81016-8%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-88333-0%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects%0A@@ -63,6 
+63,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-80919-4%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route%0A@@ -61,6 +61,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-80920-2%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians%0A@@ -55,6 +55,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81020-0%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter%0A@@ -57,6 +57,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81022-6%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects' differs.%0A--- 
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects%0A@@ -57,6 +57,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81017-6%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-88444-5%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts%0A@@ -61,6 +61,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-80922-8%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses%0A@@ -57,6 +57,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", 
"podman", "container"]%0A   tags:%0A   - CCE-81023-4%0A%0ANew content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range'.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range%0A@@ -3,8 +3,8 @@%0A Set Kernel Parameter to Increase Local Port Range%0A %0A [description]:%0A-To set the runtime status of the net.ipv4.ip_local_port_range kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_local_port_range=32768 65535%0A-To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_local_port_range = 32768 65535%0A+To set the runtime status of the net.ipv4.ip_local_port_range kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_local_port_range='xccdf_org.ssgproject.content_value_sysctl_net_ipv4_ip_local_port_range_value'%0A+To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_local_port_range = 'xccdf_org.ssgproject.content_value_sysctl_net_ipv4_ip_local_port_range_value'%0A %0A [reference]:%0A BP28(R22)%0A%0AOCIL for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range' differs.%0A--- ocil:ssg-sysctl_net_ipv4_ip_local_port_range_ocil:questionnaire:1%0A+++ ocil:ssg-sysctl_net_ipv4_ip_local_port_range_ocil:questionnaire:1%0A@@ -1,7 +1,7 @@%0A The runtime status of the net.ipv4.ip_local_port_range kernel parameter can be queried%0A by running the following command:%0A $ sysctl net.ipv4.ip_local_port_range%0A-32768 65535.%0A+.%0A %0A       Is it the case that the correct value is not returned?%0A       %0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range%0A+++ 
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range%0A@@ -21,15 +21,17 @@%0A %0A SYSCONFIG_FILE="/etc/sysctl.conf"%0A %0A+sysctl_net_ipv4_ip_local_port_range_value=''%0A+%0A %0A #%0A # Set runtime for net.ipv4.ip_local_port_range%0A #%0A-/sbin/sysctl -q -n -w net.ipv4.ip_local_port_range="32768 65535"%0A+/sbin/sysctl -q -n -w net.ipv4.ip_local_port_range="$sysctl_net_ipv4_ip_local_port_range_value"%0A %0A #%0A-# If net.ipv4.ip_local_port_range present in /etc/sysctl.conf, change value to "32768 65535"%0A-#	else, add "net.ipv4.ip_local_port_range = 32768 65535" to /etc/sysctl.conf%0A+# If net.ipv4.ip_local_port_range present in /etc/sysctl.conf, change value to appropriate value%0A+#	else, add "net.ipv4.ip_local_port_range = value" to /etc/sysctl.conf%0A #%0A %0A # Strip any search characters in the key arg so that the key can be replaced without%0A@@ -37,7 +39,7 @@%0A stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^net.ipv4.ip_local_port_range")%0A %0A # shellcheck disable=SC2059%0A-printf -v formatted_output "%25s = %25s" "$stripped_key" "32768 65535"%0A+printf -v formatted_output "%25s = %25s" "$stripped_key" "$sysctl_net_ipv4_ip_local_port_range_value"%0A %0A # If the key exists, change it. 
Otherwise, add it to the config_file.%0A # We search for the key string followed by a word boundary (matched by \>),%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range%0A@@ -33,14 +33,20 @@%0A   - medium_severity%0A   - reboot_required%0A   - sysctl_net_ipv4_ip_local_port_range%0A+- name: XCCDF Value sysctl_net_ipv4_ip_local_port_range_value # promote to variable%0A+  set_fact:%0A+    sysctl_net_ipv4_ip_local_port_range_value: !!str %0A+  tags:%0A+    - always%0A %0A-- name: Ensure sysctl net.ipv4.ip_local_port_range is set to 32768 65535%0A+- name: Ensure sysctl net.ipv4.ip_local_port_range is set%0A   sysctl:%0A     name: net.ipv4.ip_local_port_range%0A-    value: 32768 65535%0A+    value: '{{ sysctl_net_ipv4_ip_local_port_range_value }}'%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84277-3%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit%0A@@ -47,6 +47,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - NIST-800-53-SC-5%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337%0A@@ -46,6 +46,7 @@%0A     
sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-84270-8%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies%0A@@ -64,6 +64,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-80923-6%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects%0A@@ -60,6 +60,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-80918-6%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects%0A+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects%0A@@ -58,6 +58,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-80921-0%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward' differs.%0A--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward%0A+++ 
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward%0A@@ -59,6 +59,7 @@%0A     sysctl_file: /etc/sysctl.conf%0A     state: present%0A     reload: true%0A+    sysctl_set: true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A   - CCE-81024-2%0A%0AOVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs.%0A--- oval:ssg-kernel_module_atm_disabled:def:1%0A+++ oval:ssg-kernel_module_atm_disabled:def:1%0A@@ -1,4 +1,19 @@%0A criteria OR%0A criteria AND%0A criterion oval:ssg-test_kernmod_atm_blacklisted:tst:1%0A+criteria OR%0A+extend_definition oval:ssg-package_dracut_installed:def:1%0A+criteria AND%0A+criteria OR%0A+criterion oval:ssg-test_kernmod_atm_dracut_conf_omit_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_omit_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_atm_dracut_conf_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_atm_dracut_conf_add_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_add_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_atm_dracut_conf_force_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_force_drivers:tst:1%0A criterion oval:ssg-test_kernmod_atm_disabled:tst:1%0A+criterion oval:ssg-test_kernmod_atm_in_modules_load:tst:1%0A+criterion oval:ssg-test_kernmod_atm_runtime:tst:1%0A+criterion oval:ssg-test_kernmod_atm_cmdline:tst:1%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs.%0A--- xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled%0A+++ xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled%0A@@ -1,16 +1,58 @@%0A # Remediation is applicable only in certain platforms%0A if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then%0A %0A-if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then%0A-	%0A-	sed -i 's#^install atm.*#install atm /bin/true#g' /etc/modprobe.d/atm.conf%0A+set -u%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+kernmodule=atm%0A+kernmodule_rx=atm%0A+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf%0A+rx="^install\s+${kernmodule_rx}(\s|$)"%0A+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then%0A+    sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"%0A else%0A-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf%0A-	echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf%0A+    printf "\n# Disable per security requirements\ninstall %25s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"%0A fi%0A %0A-if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then%0A-	echo "blacklist atm" >> /etc/modprobe.d/atm.conf%0A+rx="^\s*${kernmodule_rx}\s*$"%0A+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do%0A+    [ -f "${f}" ] || continue%0A+    if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then%0A+        LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"%0A+    fi%0A+done%0A+%0A+%0A+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then%0A+    printf "blacklist %25s\n" "${kernmodule}" >> "${modprobe_file}"%0A+fi%0A+%0A+%0A+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf%0A+if ! 
LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then%0A+    printf 'omit_drivers+=" %25s "\n' "${kernmodule}" >> "${dracut_file}"%0A+fi%0A+%0A+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\satm\s([^"]*")\s*$'%0A+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do%0A+    [ -f "${f}" ] || continue%0A+    if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then%0A+        LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"%0A+    fi%0A+done%0A+%0A+%0A+# Try to unload, this might fail for various reasons%0A+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then%0A+    modprobe -r "${kernmodule}" || :%0A fi%0A %0A else%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs.%0A--- xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled%0A+++ xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled%0A@@ -5,6 +5,91 @@%0A     regexp: install\s+atm%0A     line: install atm /bin/true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82028-2%0A+  - DISA-STIG-RHEL-08-040021%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_atm_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A+- name: Find modules-load.d files with atm load%0A+  find:%0A+    paths:%0A+    - /etc/modules-load.d%0A+    - /lib/modules-load.d%0A+    - /run/modules-load.d%0A+    - /usr/lib/modules-load.d%0A+    - /usr/local/lib/modules-load.d%0A+    patterns: '*.conf'%0A+    contains: ^\s*atm\s*$%0A+  register: r_modules_load_d_to_modify%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82028-2%0A+  - DISA-STIG-RHEL-08-040021%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_atm_disabled%0A+  - low_complexity%0A+  
- medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A+- name: Remove atm load from modules-load.d files%0A+  lineinfile:%0A+    path: '{{ item.path }}'%0A+    state: absent%0A+    regexp: ^\s*atm\s*$%0A+  loop: '{{ r_modules_load_d_to_modify.files }}'%0A+  loop_control:%0A+    label: '{{ item.path }}'%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82028-2%0A+  - DISA-STIG-RHEL-08-040021%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_atm_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A+- name: Is atm as loaded module%0A+  lineinfile:%0A+    path: /proc/modules%0A+    regexp: ^atm\s%0A+    state: absent%0A+  check_mode: true%0A+  changed_when: false%0A+  register: r_in_modules%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82028-2%0A+  - DISA-STIG-RHEL-08-040021%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_atm_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A+- name: Try to remove atm, might fail%0A+  when:%0A+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  - r_in_modules.found is defined%0A+  - r_in_modules.found >= 1%0A+  command:%0A+    argv:%0A+    - modprobe%0A+    - -r%0A+    - atm%0A+  failed_when: false%0A   tags:%0A   - CCE-82028-2%0A   - DISA-STIG-RHEL-08-040021%0A@@ -33,3 +118,69 @@%0A   - medium_disruption%0A   - medium_severity%0A   - reboot_required%0A+%0A+- name: Block dracut configuration%0A+  block:%0A+%0A+  - name: Gather the package facts%0A+    package_facts:%0A+      manager: auto%0A+%0A+  - name: Block dracut package%0A+    when:%0A+    - ('dracut' in ansible_facts.packages)%0A+    block:%0A+%0A+    - name: Find dracut configs with atm load%0A+      find:%0A+        
paths:%0A+        - /etc/dracut.conf.d%0A+        - /usr/lib/dracut/dracut.conf.d%0A+        patterns: '*.conf'%0A+        contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\satm\s[^"]*"\s*$%0A+      register: r_dracut_configs_to_modify%0A+%0A+    - name: Replace dracut configs with atm load%0A+      replace:%0A+        path: '{{ item.path }}'%0A+        regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\satm\s([^"]*")\s*$%0A+        replace: \g<1> \g<2>%0A+      loop: '{{ r_dracut_configs_to_modify.files }}'%0A+      loop_control:%0A+        label: '{{ item.path }}'%0A+%0A+    - name: Is atm as loaded module%0A+      lineinfile:%0A+        path: /etc/dracut.conf%0A+        regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\satm\s([^"]*")\s*$%0A+        state: absent%0A+      check_mode: true%0A+      changed_when: false%0A+      register: r_in_dracut_conf%0A+%0A+    - name: Try to remove atm, might fail%0A+      when:%0A+      - r_in_dracut_conf.found is defined%0A+      - r_in_dracut_conf.found >= 1%0A+      replace:%0A+        path: '{{ item.path }}'%0A+        regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\satm\s([^"]*")\s*$%0A+        replace: \g<1> \g<2>%0A+%0A+    - name: Ensure kernel module 'atm' is in dracut.conf omit_drivers%0A+      lineinfile:%0A+        create: true%0A+        dest: /etc/dracut.conf.d/omit-atm.conf%0A+        regexp: ^omit_drivers\+=" atm "$%0A+        line: omit_drivers+=" atm "%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82028-2%0A+  - DISA-STIG-RHEL-08-040021%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_atm_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A%0AOVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs.%0A--- oval:ssg-kernel_module_can_disabled:def:1%0A+++ 
oval:ssg-kernel_module_can_disabled:def:1%0A@@ -1,4 +1,19 @@%0A criteria OR%0A criteria AND%0A criterion oval:ssg-test_kernmod_can_blacklisted:tst:1%0A+criteria OR%0A+extend_definition oval:ssg-package_dracut_installed:def:1%0A+criteria AND%0A+criteria OR%0A+criterion oval:ssg-test_kernmod_can_dracut_conf_omit_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_can_dracut_conf_d_omit_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_can_dracut_conf_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_can_dracut_conf_d_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_can_dracut_conf_add_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_can_dracut_conf_d_add_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_can_dracut_conf_force_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_can_dracut_conf_d_force_drivers:tst:1%0A criterion oval:ssg-test_kernmod_can_disabled:tst:1%0A+criterion oval:ssg-test_kernmod_can_in_modules_load:tst:1%0A+criterion oval:ssg-test_kernmod_can_runtime:tst:1%0A+criterion oval:ssg-test_kernmod_can_cmdline:tst:1%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs.%0A--- xccdf_org.ssgproject.content_rule_kernel_module_can_disabled%0A+++ xccdf_org.ssgproject.content_rule_kernel_module_can_disabled%0A@@ -1,16 +1,58 @@%0A # Remediation is applicable only in certain platforms%0A if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then%0A %0A-if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then%0A-	%0A-	sed -i 's#^install can.*#install can /bin/true#g' /etc/modprobe.d/can.conf%0A+set -u%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+kernmodule=can%0A+kernmodule_rx=can%0A+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf%0A+rx="^install\s+${kernmodule_rx}(\s|$)"%0A+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then%0A+    sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"%0A else%0A-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf%0A-	echo "install can /bin/true" >> /etc/modprobe.d/can.conf%0A+    printf "\n# Disable per security requirements\ninstall %25s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"%0A fi%0A %0A-if ! LC_ALL=C grep -q -m 1 "^blacklist can$" /etc/modprobe.d/can.conf ; then%0A-	echo "blacklist can" >> /etc/modprobe.d/can.conf%0A+rx="^\s*${kernmodule_rx}\s*$"%0A+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do%0A+    [ -f "${f}" ] || continue%0A+    if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then%0A+        LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"%0A+    fi%0A+done%0A+%0A+%0A+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then%0A+    printf "blacklist %25s\n" "${kernmodule}" >> "${modprobe_file}"%0A+fi%0A+%0A+%0A+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf%0A+if ! 
LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then%0A+    printf 'omit_drivers+=" %25s "\n' "${kernmodule}" >> "${dracut_file}"%0A+fi%0A+%0A+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\scan\s([^"]*")\s*$'%0A+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do%0A+    [ -f "${f}" ] || continue%0A+    if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then%0A+        LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"%0A+    fi%0A+done%0A+%0A+%0A+# Try to unload, this might fail for various reasons%0A+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then%0A+    modprobe -r "${kernmodule}" || :%0A fi%0A %0A else%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs.%0A--- xccdf_org.ssgproject.content_rule_kernel_module_can_disabled%0A+++ xccdf_org.ssgproject.content_rule_kernel_module_can_disabled%0A@@ -5,6 +5,91 @@%0A     regexp: install\s+can%0A     line: install can /bin/true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82059-7%0A+  - DISA-STIG-RHEL-08-040022%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_can_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A+- name: Find modules-load.d files with can load%0A+  find:%0A+    paths:%0A+    - /etc/modules-load.d%0A+    - /lib/modules-load.d%0A+    - /run/modules-load.d%0A+    - /usr/lib/modules-load.d%0A+    - /usr/local/lib/modules-load.d%0A+    patterns: '*.conf'%0A+    contains: ^\s*can\s*$%0A+  register: r_modules_load_d_to_modify%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82059-7%0A+  - DISA-STIG-RHEL-08-040022%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_can_disabled%0A+  - low_complexity%0A+  
- medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A+- name: Remove can load from modules-load.d files%0A+  lineinfile:%0A+    path: '{{ item.path }}'%0A+    state: absent%0A+    regexp: ^\s*can\s*$%0A+  loop: '{{ r_modules_load_d_to_modify.files }}'%0A+  loop_control:%0A+    label: '{{ item.path }}'%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82059-7%0A+  - DISA-STIG-RHEL-08-040022%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_can_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A+- name: Is can as loaded module%0A+  lineinfile:%0A+    path: /proc/modules%0A+    regexp: ^can\s%0A+    state: absent%0A+  check_mode: true%0A+  changed_when: false%0A+  register: r_in_modules%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82059-7%0A+  - DISA-STIG-RHEL-08-040022%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_can_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A+- name: Try to remove can, might fail%0A+  when:%0A+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  - r_in_modules.found is defined%0A+  - r_in_modules.found >= 1%0A+  command:%0A+    argv:%0A+    - modprobe%0A+    - -r%0A+    - can%0A+  failed_when: false%0A   tags:%0A   - CCE-82059-7%0A   - DISA-STIG-RHEL-08-040022%0A@@ -33,3 +118,69 @@%0A   - medium_disruption%0A   - medium_severity%0A   - reboot_required%0A+%0A+- name: Block dracut configuration%0A+  block:%0A+%0A+  - name: Gather the package facts%0A+    package_facts:%0A+      manager: auto%0A+%0A+  - name: Block dracut package%0A+    when:%0A+    - ('dracut' in ansible_facts.packages)%0A+    block:%0A+%0A+    - name: Find dracut configs with can load%0A+      find:%0A+        
paths:%0A+        - /etc/dracut.conf.d%0A+        - /usr/lib/dracut/dracut.conf.d%0A+        patterns: '*.conf'%0A+        contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\scan\s[^"]*"\s*$%0A+      register: r_dracut_configs_to_modify%0A+%0A+    - name: Replace dracut configs with can load%0A+      replace:%0A+        path: '{{ item.path }}'%0A+        regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\scan\s([^"]*")\s*$%0A+        replace: \g<1> \g<2>%0A+      loop: '{{ r_dracut_configs_to_modify.files }}'%0A+      loop_control:%0A+        label: '{{ item.path }}'%0A+%0A+    - name: Is can as loaded module%0A+      lineinfile:%0A+        path: /etc/dracut.conf%0A+        regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\scan\s([^"]*")\s*$%0A+        state: absent%0A+      check_mode: true%0A+      changed_when: false%0A+      register: r_in_dracut_conf%0A+%0A+    - name: Try to remove can, might fail%0A+      when:%0A+      - r_in_dracut_conf.found is defined%0A+      - r_in_dracut_conf.found >= 1%0A+      replace:%0A+        path: '{{ item.path }}'%0A+        regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\scan\s([^"]*")\s*$%0A+        replace: \g<1> \g<2>%0A+%0A+    - name: Ensure kernel module 'can' is in dracut.conf omit_drivers%0A+      lineinfile:%0A+        create: true%0A+        dest: /etc/dracut.conf.d/omit-can.conf%0A+        regexp: ^omit_drivers\+=" can "$%0A+        line: omit_drivers+=" can "%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82059-7%0A+  - DISA-STIG-RHEL-08-040022%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_can_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A%0AOVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs.%0A--- oval:ssg-kernel_module_dccp_disabled:def:1%0A+++ 
oval:ssg-kernel_module_dccp_disabled:def:1%0A@@ -1,4 +1,19 @@%0A criteria OR%0A criteria AND%0A criterion oval:ssg-test_kernmod_dccp_blacklisted:tst:1%0A+criteria OR%0A+extend_definition oval:ssg-package_dracut_installed:def:1%0A+criteria AND%0A+criteria OR%0A+criterion oval:ssg-test_kernmod_dccp_dracut_conf_omit_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_omit_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_dccp_dracut_conf_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_dccp_dracut_conf_add_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_add_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_dccp_dracut_conf_force_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_force_drivers:tst:1%0A criterion oval:ssg-test_kernmod_dccp_disabled:tst:1%0A+criterion oval:ssg-test_kernmod_dccp_in_modules_load:tst:1%0A+criterion oval:ssg-test_kernmod_dccp_runtime:tst:1%0A+criterion oval:ssg-test_kernmod_dccp_cmdline:tst:1%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs.%0A--- xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled%0A+++ xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled%0A@@ -1,16 +1,58 @@%0A # Remediation is applicable only in certain platforms%0A if [ ! -f /.dockerenv ] && [ ! 
-f /run/.containerenv ]; then%0A %0A-if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then%0A-	%0A-	sed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf%0A+set -u%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+kernmodule=dccp%0A+kernmodule_rx=dccp%0A+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf%0A+rx="^install\s+${kernmodule_rx}(\s|$)"%0A+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then%0A+    sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"%0A else%0A-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/dccp.conf%0A-	echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf%0A+    printf "\n# Disable per security requirements\ninstall %25s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"%0A fi%0A %0A-if ! LC_ALL=C grep -q -m 1 "^blacklist dccp$" /etc/modprobe.d/dccp.conf ; then%0A-	echo "blacklist dccp" >> /etc/modprobe.d/dccp.conf%0A+rx="^\s*${kernmodule_rx}\s*$"%0A+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do%0A+    [ -f "${f}" ] || continue%0A+    if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then%0A+        LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"%0A+    fi%0A+done%0A+%0A+%0A+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then%0A+    printf "blacklist %25s\n" "${kernmodule}" >> "${modprobe_file}"%0A+fi%0A+%0A+%0A+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf%0A+if ! 
LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then%0A+    printf 'omit_drivers+=" %25s "\n' "${kernmodule}" >> "${dracut_file}"%0A+fi%0A+%0A+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\sdccp\s([^"]*")\s*$'%0A+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do%0A+    [ -f "${f}" ] || continue%0A+    if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then%0A+        LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"%0A+    fi%0A+done%0A+%0A+%0A+# Try to unload, this might fail for various reasons%0A+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then%0A+    modprobe -r "${kernmodule}" || :%0A fi%0A %0A else%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs.%0A--- xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled%0A+++ xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled%0A@@ -21,6 +21,111 @@%0A   - medium_severity%0A   - reboot_required%0A %0A+- name: Find modules-load.d files with dccp load%0A+  find:%0A+    paths:%0A+    - /etc/modules-load.d%0A+    - /lib/modules-load.d%0A+    - /run/modules-load.d%0A+    - /usr/lib/modules-load.d%0A+    - /usr/local/lib/modules-load.d%0A+    patterns: '*.conf'%0A+    contains: ^\s*dccp\s*$%0A+  register: r_modules_load_d_to_modify%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-80833-7%0A+  - CJIS-5.10.1%0A+  - NIST-800-171-3.4.6%0A+  - NIST-800-53-CM-6(a)%0A+  - NIST-800-53-CM-7(a)%0A+  - NIST-800-53-CM-7(b)%0A+  - PCI-DSS-Req-1.4.2%0A+  - PCI-DSSv4-1.4.2%0A+  - disable_strategy%0A+  - kernel_module_dccp_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A+- name: Remove dccp load from modules-load.d files%0A+  lineinfile:%0A+    path: '{{ item.path }}'%0A+    state: absent%0A+    regexp: ^\s*dccp\s*$%0A+  
loop: '{{ r_modules_load_d_to_modify.files }}'%0A+  loop_control:%0A+    label: '{{ item.path }}'%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-80833-7%0A+  - CJIS-5.10.1%0A+  - NIST-800-171-3.4.6%0A+  - NIST-800-53-CM-6(a)%0A+  - NIST-800-53-CM-7(a)%0A+  - NIST-800-53-CM-7(b)%0A+  - PCI-DSS-Req-1.4.2%0A+  - PCI-DSSv4-1.4.2%0A+  - disable_strategy%0A+  - kernel_module_dccp_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A+- name: Is dccp as loaded module%0A+  lineinfile:%0A+    path: /proc/modules%0A+    regexp: ^dccp\s%0A+    state: absent%0A+  check_mode: true%0A+  changed_when: false%0A+  register: r_in_modules%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-80833-7%0A+  - CJIS-5.10.1%0A+  - NIST-800-171-3.4.6%0A+  - NIST-800-53-CM-6(a)%0A+  - NIST-800-53-CM-7(a)%0A+  - NIST-800-53-CM-7(b)%0A+  - PCI-DSS-Req-1.4.2%0A+  - PCI-DSSv4-1.4.2%0A+  - disable_strategy%0A+  - kernel_module_dccp_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A+- name: Try to remove dccp, might fail%0A+  when:%0A+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  - r_in_modules.found is defined%0A+  - r_in_modules.found >= 1%0A+  command:%0A+    argv:%0A+    - modprobe%0A+    - -r%0A+    - dccp%0A+  failed_when: false%0A+  tags:%0A+  - CCE-80833-7%0A+  - CJIS-5.10.1%0A+  - NIST-800-171-3.4.6%0A+  - NIST-800-53-CM-6(a)%0A+  - NIST-800-53-CM-7(a)%0A+  - NIST-800-53-CM-7(b)%0A+  - PCI-DSS-Req-1.4.2%0A+  - PCI-DSSv4-1.4.2%0A+  - disable_strategy%0A+  - kernel_module_dccp_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A+%0A - name: Ensure kernel module 'dccp' is blacklisted%0A   lineinfile:%0A     create: true%0A@@ -43,3 +148,74 @@%0A   - 
medium_disruption%0A   - medium_severity%0A   - reboot_required%0A+%0A+- name: Block dracut configuration%0A+  block:%0A+%0A+  - name: Gather the package facts%0A+    package_facts:%0A+      manager: auto%0A+%0A+  - name: Block dracut package%0A+    when:%0A+    - ('dracut' in ansible_facts.packages)%0A+    block:%0A+%0A+    - name: Find dracut configs with dccp load%0A+      find:%0A+        paths:%0A+        - /etc/dracut.conf.d%0A+        - /usr/lib/dracut/dracut.conf.d%0A+        patterns: '*.conf'%0A+        contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\sdccp\s[^"]*"\s*$%0A+      register: r_dracut_configs_to_modify%0A+%0A+    - name: Replace dracut configs with dccp load%0A+      replace:%0A+        path: '{{ item.path }}'%0A+        regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\sdccp\s([^"]*")\s*$%0A+        replace: \g<1> \g<2>%0A+      loop: '{{ r_dracut_configs_to_modify.files }}'%0A+      loop_control:%0A+        label: '{{ item.path }}'%0A+%0A+    - name: Is dccp as loaded module%0A+      lineinfile:%0A+        path: /etc/dracut.conf%0A+        regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\sdccp\s([^"]*")\s*$%0A+        state: absent%0A+      check_mode: true%0A+      changed_when: false%0A+      register: r_in_dracut_conf%0A+%0A+    - name: Try to remove dccp, might fail%0A+      when:%0A+      - r_in_dracut_conf.found is defined%0A+      - r_in_dracut_conf.found >= 1%0A+      replace:%0A+        path: '{{ item.path }}'%0A+        regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\sdccp\s([^"]*")\s*$%0A+        replace: \g<1> \g<2>%0A+%0A+    - name: Ensure kernel module 'dccp' is in dracut.conf omit_drivers%0A+      lineinfile:%0A+        create: true%0A+        dest: /etc/dracut.conf.d/omit-dccp.conf%0A+        regexp: ^omit_drivers\+=" dccp "$%0A+        line: omit_drivers+=" dccp "%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - 
CCE-80833-7%0A+  - CJIS-5.10.1%0A+  - NIST-800-171-3.4.6%0A+  - NIST-800-53-CM-6(a)%0A+  - NIST-800-53-CM-7(a)%0A+  - NIST-800-53-CM-7(b)%0A+  - PCI-DSS-Req-1.4.2%0A+  - PCI-DSSv4-1.4.2%0A+  - disable_strategy%0A+  - kernel_module_dccp_disabled%0A+  - low_complexity%0A+  - medium_disruption%0A+  - medium_severity%0A+  - reboot_required%0A%0AOVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs.%0A--- oval:ssg-kernel_module_firewire-core_disabled:def:1%0A+++ oval:ssg-kernel_module_firewire-core_disabled:def:1%0A@@ -1,4 +1,19 @@%0A criteria OR%0A criteria AND%0A criterion oval:ssg-test_kernmod_firewire-core_blacklisted:tst:1%0A+criteria OR%0A+extend_definition oval:ssg-package_dracut_installed:def:1%0A+criteria AND%0A+criteria OR%0A+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_omit_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_omit_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_add_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_add_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_force_drivers:tst:1%0A+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_force_drivers:tst:1%0A criterion oval:ssg-test_kernmod_firewire-core_disabled:tst:1%0A+criterion oval:ssg-test_kernmod_firewire-core_in_modules_load:tst:1%0A+criterion oval:ssg-test_kernmod_firewire-core_runtime:tst:1%0A+criterion oval:ssg-test_kernmod_firewire-core_cmdline:tst:1%0A%0Abash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs.%0A--- xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled%0A+++ xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled%0A@@ -1,16 +1,58 @@%0A # Remediation is applicable 
only in certain platforms%0A if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then%0A %0A-if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then%0A-	%0A-	sed -i 's#^install firewire-core.*#install firewire-core /bin/true#g' /etc/modprobe.d/firewire-core.conf%0A+set -u%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+%0A+kernmodule=firewire-core%0A+kernmodule_rx='firewire[_-]core'%0A+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf%0A+rx="^install\s+${kernmodule_rx}(\s|$)"%0A+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then%0A+    sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"%0A else%0A-	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf%0A-	echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf%0A+    printf "\n# Disable per security requirements\ninstall %25s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"%0A fi%0A %0A-if ! LC_ALL=C grep -q -m 1 "^blacklist firewire-core$" /etc/modprobe.d/firewire-core.conf ; then%0A-	echo "blacklist firewire-core" >> /etc/modprobe.d/firewire-core.conf%0A+rx="^\s*${kernmodule_rx}\s*$"%0A+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do%0A+    [ -f "${f}" ] || continue%0A+    if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then%0A+        LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"%0A+    fi%0A+done%0A+%0A+%0A+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then%0A+    printf "blacklist %25s\n" "${kernmodule}" >> "${modprobe_file}"%0A+fi%0A+%0A+%0A+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf%0A+if ! 
LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then%0A+    printf 'omit_drivers+=" %25s "\n' "${kernmodule}" >> "${dracut_file}"%0A+fi%0A+%0A+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\sfirewire[_-]core\s([^"]*")\s*$'%0A+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do%0A+    [ -f "${f}" ] || continue%0A+    if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then%0A+        LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"%0A+    fi%0A+done%0A+%0A+%0A+# Try to unload, this might fail for various reasons%0A+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then%0A+    modprobe -r "${kernmodule}" || :%0A fi%0A %0A else%0A%0Aansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs.%0A--- xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled%0A+++ xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled%0A@@ -2,9 +2,94 @@%0A   lineinfile:%0A     create: true%0A     dest: /etc/modprobe.d/firewire-core.conf%0A-    regexp: install\s+firewire-core%0A+    regexp: install\s+firewire[_-]core%0A     line: install firewire-core /bin/true%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82005-0%0A+  - DISA-STIG-RHEL-08-040026%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_firewire-core_disabled%0A+  - low_complexity%0A+  - low_severity%0A+  - medium_disruption%0A+  - reboot_required%0A+%0A+- name: Find modules-load.d files with firewire-core load%0A+  find:%0A+    paths:%0A+    - /etc/modules-load.d%0A+    - /lib/modules-load.d%0A+    - /run/modules-load.d%0A+    - /usr/lib/modules-load.d%0A+    - /usr/local/lib/modules-load.d%0A+    patterns: '*.conf'%0A+    contains: ^\s*firewire[_-]core\s*$%0A+  register: r_modules_load_d_to_modify%0A+  when: ansible_virtualization_type not in 
["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82005-0%0A+  - DISA-STIG-RHEL-08-040026%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_firewire-core_disabled%0A+  - low_complexity%0A+  - low_severity%0A+  - medium_disruption%0A+  - reboot_required%0A+%0A+- name: Remove firewire-core load from modules-load.d files%0A+  lineinfile:%0A+    path: '{{ item.path }}'%0A+    state: absent%0A+    regexp: ^\s*firewire[_-]core\s*$%0A+  loop: '{{ r_modules_load_d_to_modify.files }}'%0A+  loop_control:%0A+    label: '{{ item.path }}'%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82005-0%0A+  - DISA-STIG-RHEL-08-040026%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_firewire-core_disabled%0A+  - low_complexity%0A+  - low_severity%0A+  - medium_disruption%0A+  - reboot_required%0A+%0A+- name: Is firewire-core as loaded module%0A+  lineinfile:%0A+    path: /proc/modules%0A+    regexp: ^firewire[_-]core\s%0A+    state: absent%0A+  check_mode: true%0A+  changed_when: false%0A+  register: r_in_modules%0A+  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  tags:%0A+  - CCE-82005-0%0A+  - DISA-STIG-RHEL-08-040026%0A+  - NIST-800-53-AC-18%0A+  - disable_strategy%0A+  - kernel_module_firewire-core_disabled%0A+  - low_complexity%0A+  - low_severity%0A+  - medium_disruption%0A+  - reboot_required%0A+%0A+- name: Try to remove firewire-core, might fail%0A+  when:%0A+  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A+  - r_in_modules.found is defined%0A+  - r_in_modules.found >= 1%0A+  command:%0A+    argv:%0A+    - modprobe%0A+    - -r%0A+    - firewire-core%0A+  failed_when: false%0A   tags:%0A   - CCE-82005-0%0A   - DISA-STIG-RHEL-08-040026%0A@@ -20,7 +105,7 @@%0A   lineinfile:%0A     create: true%0A     dest: /etc/modprobe.d/firewire-core.conf%0A-    regexp: 
^blacklist firewire-core$%0A+    regexp: ^blacklist firewire[_-]core$%0A     line: blacklist firewire-core%0A   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]%0A   tags:%0A@@ -33,3 +118,69 @@%0A   - low_severity%0A   - medium_disruption%0A   - reboot_required%0A+%0A+- name: Block dracut configuration%0A+  block:%0A+%0A+  - name: Gather the package facts%0A+    package_facts:%0A+      manager: auto%0A+%0A+  - name: Block dracut package%0A+    when:%0A+    - ('dracut' in ansible_facts.packages)%0A+    block:%0A+%0A+    - name: Find dracut configs with firewire-core load%0A+      find:%0A+        paths:%0A+        - /etc/dracut.conf.d%0A+        - /usr/lib/dracut/dracut.conf.d%0A+        patterns: '*.conf'%0A+        contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\sfirewire[_-]core\s[^"]*"\s*$%0A+      register: r_dracut_configs_to_modify%0A+%0A+    - name: Replace dracut configs with firewire-core load%0A+      replace:%0A+        path: '{{ item.path }}'%0A+        regexp: ^\s*((?:drivers|add_driver
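Review bot: the bash and Ansible remediations for the dracut part do not cover the same files. The bash loop iterates `/etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf`, where `/etc/dracut.conf/*.conf` treats `dracut.conf` as a directory and looks like a typo for the single file `/etc/dracut.conf`; the Ansible `find` task lists only `/etc/dracut.conf.d` and `/usr/lib/dracut/dracut.conf.d`, so a `force_drivers+=" firewire-core "` line in `/etc/dracut.conf` is left in place by both. Suggest adding `/etc/dracut.conf` explicitly to both (as a plain file in bash, and either a second `find` path pattern or a dedicated `replace` task in Ansible) so the two remediations stay equivalent, and the OVAL check should look at the same set.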

... The diff is trimmed here ...

@maage
Contributor Author

maage commented Apr 2, 2023

Automatus tests fail because those tests are not going to work under podman-based test envs. Again, my proposal to fix this: #10387

This situation is not fixed after my additional features.

@maage
Contributor Author

maage commented Apr 29, 2023

Added more new features and rebased.

@maage maage force-pushed the features-1 branch 3 times, most recently from 4724432 to 126b618 Compare May 1, 2023 19:25
@maage
Contributor Author

maage commented May 1, 2023

Moved some stuff to #10519.
Added local_port_range handling with variable.
Moved n_hdlc to proper place.

I'm not so sure about the current status, where roughly the same rules are sprinkled over 3(?) branches based on assumed subsystem.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label May 19, 2023
maage added 17 commits May 21, 2023 18:06
There is no need to optimize one AND away, but duplicate the _disabled rule
criterion.
This avoids false positives when there is a perfectly working rule, but a
check-only variant.

From: modprobe(8)
...
       modprobe intelligently adds or removes a module from the Linux
       kernel: note that for convenience, there is no difference between
       _ and - in module names (automatic underscore conversion is
       performed).
...

Add test for this in firewire-core.

There is no need to change ansible/bash remediations, as if they are run,
in the worst case there is effectively a duplicate entry only. Functionality
is the same.
modules-load.d was implemented the same as modprobe.d, but they are
different.

This leads to a wrong pass for the rule.

modules-load.d(5)
...
       modules-load.d - Configure kernel modules to load at boot
...
CONFIGURATION FORMAT
       The configuration files should simply contain a list of kernel module names to load, separated by newlines. Empty
       lines and lines whose first non-whitespace character is # or ; are ignored.
...
For example:

https://access.redhat.com/solutions/41278

Note the document has at this time a typo when it references
omit_dracutmodules.

Greatly modify testing, as now there are multiple new dimensions too.

Removed unnecessary tests.

/proc/cmdline feature is not tested.

Keep product inferring the same. Each template type and testing in
10-bash.jinja gets one.
Add `grub2_init_on_free_argument`.

`init_on_free` generally replaces `slub_debug=P page_poison=1` in newer
5.3 Linux kernels.
There is a patchset to enable this:

	https://patchwork.kernel.org/project/linux-hardening/patch/1469630746-32279-1-git-send-email-jeffv@google.com/

Some distros might have this enabled.

Add variable sysctl_kernel_perf_event_paranoid_value, as a variable is
required when multiple values are possible.
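The two commit messages above rely on two facts: modprobe treats `_` and `-` in module names as equivalent, and modules-load.d files are plain lists of module names with `#`/`;` comment lines, not modprobe.d syntax. The following added example (not code from this PR or from ComplianceAsCode) checks a module against both kinds of files with those rules applied; the directory arguments and the constructed sample tree are assumptions so it runs offline.

```sh
#!/bin/sh
# Added example, not part of the PR. Check whether a kernel module is disabled,
# honouring modprobe(8)'s "_" == "-" rule and the modules-load.d(5) format.
# Directories are parameters so the check can run against a constructed tree.

# Turn "firewire-core" into the ERE "firewire[_-]core": every _ or - matches either.
module_rx() {
    printf '%s' "$1" | sed -E 's/[_-]/[_-]/g'
}

# 0 if some *.conf under $2 (a modprobe.d dir) installs the module to /bin/true
# or /bin/false, or blacklists it. -s silences a missing directory or empty glob.
modprobe_disabled() {
    rx=$(module_rx "$1")
    LC_ALL=C grep -E -q -s \
        -e "^\s*install\s+${rx}\s+(/bin/true|/bin/false)\s*$" \
        -e "^\s*blacklist\s+${rx}\s*$" -- "$2"/*.conf
}

# 0 if some *.conf under $2 (a modules-load.d dir) would load the module at boot.
# A line is one module name; lines whose first non-blank char is # or ; are comments.
modules_load_requested() {
    rx=$(module_rx "$1")
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        LC_ALL=C grep -v -E '^\s*[#;]' -- "$f" \
            | LC_ALL=C grep -E -q "^\s*${rx}\s*$" && return 0
    done
    return 1
}

# Verdict for one module against a tree with modprobe.d/ and modules-load.d/ inside.
# Returns 0 only when the module is disabled AND not requested at boot.
check_module_in_tree() {
    if modprobe_disabled "$1" "$2/modprobe.d" \
        && ! modules_load_requested "$1" "$2/modules-load.d"; then
        echo "$1: disabled"; return 0
    fi
    echo "$1: NOT disabled"; return 1
}

# Constructed sample tree (assumption, for demonstration only); prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/modprobe.d" "$root/modules-load.d"
    # Written with an underscore, as an admin might type it; modprobe reads it as firewire-core.
    printf 'install firewire_core /bin/true\n' > "$root/modprobe.d/firewire-core.conf"
    # Commented-out requests must not count; the bare "n-hdlc" line is a real load request.
    printf '# firewire-core\n; n_hdlc\nn-hdlc\n' > "$root/modules-load.d/local.conf"
    echo "$root"
}

# Run "sh this_file.sh demo" to exercise the checks on the constructed tree.
[ "${1:-}" = demo ] && { r=$(make_sample_tree); check_module_in_tree firewire-core "$r"; check_module_in_tree n_hdlc "$r"; }
```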
maage added 20 commits May 21, 2023 18:10
Implement `sysctl_reset` to ensure all sysctl directories and files
exist, and there can only be configuration at `/etc/sysctl.conf`.

If there is some reason to modify this phase, now there is shared place
to do it.

From: sysctl.conf(5)
...
FILES
       /etc/sysctl.d/*.conf
       /run/sysctl.d/*.conf
       /usr/local/lib/sysctl.d/*.conf
       /usr/lib/sysctl.d/*.conf
       /lib/sysctl.d/*.conf
       /etc/sysctl.conf
...
When you combine xccdf variables and a format other than simple int /
string, there is no generic way to implement comparison. So I decided
just to use a per-name comparison method.
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label May 21, 2023
@codeclimate

codeclimate bot commented May 21, 2023

Code Climate has analyzed commit 7da2fcf and detected 326 issues on this pull request.

Here's the issue category breakdown:

Category  Count
Style     326

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.5% (0.0% change).

View more on Code Climate.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Jun 23, 2023
@openshift-merge-robot
Collaborator

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jan-cerny
Collaborator

Closing due to inactivity. If you still want to work on this PR, please reopen it and resolve the conflicts.

@jan-cerny jan-cerny closed this Sep 4, 2023
Labels
do-not-merge/work-in-progress Used by openshift-ci bot. needs-ok-to-test Used by openshift-ci bot. needs-rebase Used by openshift-ci bot.
3 participants