Generated Bash scripts should separate individual Bash remediations #1809
Comments
|
The problem is related to the question "to what degree should the scanner understand the structure of underlying remediations?". The scanner can't do much here either. In Bash, variables in functions are global, unless explicitly declared as Our Bash remediations are complex, they also contain here-documents, so they are fragile (sensitive even to indentation), and given that Bash can't be parsed easily, the amount of reasonable assumptions one can make about the code is extremely low. |
|
Oh, we can do This way they won't pollute parent shell and each other. |
|
And we to some degree dive inside all our remediations: Ansible, Blueprint :) |
That's correct, that would work. However, I can't get myself to like auto-wrap of Bash code to functions, it seems too defensive with potential disadvantages. Auto-formatting code is risky, for instance this would create problems if the original code already contained defined functions. We can avoid this in the ComplianceAsCode content, but what about people out there? |
What problems? Having a function-in-a-function is pretty much OK in Bash, AFAIK. Do you have something special on your mind? Okay, okay, I get it. Everything has its drawbacks. But what are you proposing instead? And, by the way, this wrapping is attractive from the point of view of progress update during the first boot remediation. That's why it got me. |
|
Fixed in #2072. |
Description of Problem:
When the bash remediation script is generated by the
oscap xccdf generate fixcommand from a SCAP source data stream, OpenSCAP simply iterates over all rules in the data stream and blindly concatenates all remediations together.But, some remediations for some rules can be influenced by previous remediations in that script. The code might depend on assumptions that the variables used in the remediations don't exist or are empty or unset. But, the variables aren't cleaned so they leak and might influence the code in next remediations.
When people write the remediations in the content project, they assume that it's a standalone script. It's also executed for each remediation separately when you run
oscap xccdf eval --remediate. So the only situation when every remediation isn't a separate script is when you generate bash script usingoscap xccdf generate fix. So we think that the right place where to fix this problem is in the OpenSCAP's generator code.This applies to both profile and results oriented scripts.
OpenSCAP Version:
all, current upstream as of 2021-09-17
Operating System & Version:
all
Steps to Reproduce:
Actual Results:
remediation scripts for multiple rules are just concatenated and possibly influence each other when the script is executed
Expected Results:
We think that we solve the problem this way: Each rule remediation is wrapped inside a function and this function is the only statement executed in the remediation. The variables used in a function won't influence other functions therefore the variables used in one rule's remediation script shouldn't influence other remediation scripts.
Additional Information / Debugging Steps:
This has been revealed in the ComplianceAsCode/content project when we converted some legacy bash remediation functions to Jinja macros. Jinja macros aren't functions, so some variables that were local inside a function (their scope was limited to the function body) have suddenly become global and influencing the code below them.
We probably can't expect people that they will unset every variable after use or clean every variable before use. That would be difficult to enforce, hard to test and it would made the bash code more complex.
CC @dodys and @j-ode for awareness.
The text was updated successfully, but these errors were encountered: