Update rule tests to rely on platform_package_overrides + add needed …

…alternatives to products
alanmcanonical · Nov 28, 2022 · 795f076 · 795f076
1 parent f0bd335
commit 795f076
Show file tree

Hide file tree

Showing 29 changed files with 7 additions and 102 deletions.
diff --git a/...screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/commented.fail.sh b/...screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/commented.fail.sh
@@ -1,12 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_ubuntu,multi_platform_rhel
-{{% if "ubuntu" in product %}}
-# packages = libpam-pkcs11
-{{% elif "rhel7" == product %}}
-# packages = pam_pkcs11
-{{% else %}}
 # packages = openssl-pkcs11
-{{% endif %}}
 
 if [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then
     cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf

diff --git a/...l/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/correct.pass.sh b/...l/screen_locking/smart_card_login/smartcard_configure_cert_checking/tests/correct.pass.sh
@@ -1,12 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu
-{{% if "ubuntu" in product %}}
-# packages = libpam-pkcs11
-{{% elif product in ["ol7", "rhel7"] %}}
-# packages = pam_pkcs11
-{{% else %}}
 # packages = openssl-pkcs11
-{{% endif %}}
 
 if [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then
     cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf

diff --git a/...een_locking/smart_card_login/smartcard_configure_cert_checking/tests/missing_ocsp.fail.sh b/...een_locking/smart_card_login/smartcard_configure_cert_checking/tests/missing_ocsp.fail.sh
@@ -1,12 +1,6 @@
 #!/bin/bash
 # platform = multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu
-{{% if "ubuntu" in product %}}
-# packages = libpam-pkcs11
-{{% elif product in ["ol7", "rhel7"] %}}
-# packages = pam_pkcs11
-{{% else %}}
 # packages = openssl-pkcs11
-{{% endif %}}
 
 if [ ! -f /etc/pam_pkcs11/pam_pkcs11.conf ]; then
     cp /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf

diff --git a/...ernel_module_loading/audit_rules_kernel_module_loading_delete/tests/correct_rules.pass.sh b/...ernel_module_loading/audit_rules_kernel_module_loading_delete/tests/correct_rules.pass.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 rm -f /etc/audit/rules.d/*
 > /etc/audit/audit.rules

diff --git a/...nel_module_loading/audit_rules_kernel_module_loading_delete/tests/rules_not_there.fail.sh b/...nel_module_loading/audit_rules_kernel_module_loading_delete/tests/rules_not_there.fail.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 rm -f /etc/audit/rules.d/*
 > /etc/audit/audit.rules
diff --git a/...l_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_list_action.fail.sh b/...l_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_list_action.fail.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 rm -f /etc/audit/rules.d/*
 > /etc/audit/audit.rules\

diff --git a/...ernel_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_syscall.fail.sh b/...ernel_module_loading/audit_rules_kernel_module_loading_delete/tests/wrong_syscall.fail.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 rm -f /etc/audit/rules.d/*
 > /etc/audit/audit.rules

diff --git a/...kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/correct_rules.pass.sh b/...kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/correct_rules.pass.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 {{% if product in ["ol7", "ol8"] or 'rhel' in product %}}
 echo "-a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules

diff --git a/...audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/default.fail.sh b/...audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/tests/default.fail.sh
@@ -1,10 +1,6 @@
 #!/bin/bash
 # remediation = bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 rm -f /etc/audit/rules.d/*
 > /etc/audit/audit.rules
diff --git a/..._kernel_module_loading/audit_rules_kernel_module_loading_init/tests/correct_rules.pass.sh b/..._kernel_module_loading/audit_rules_kernel_module_loading_init/tests/correct_rules.pass.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 {{% if product in ["ol7", "ol8"] or 'rhel' in product %}}
 echo "-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -k modules" >> /etc/audit/rules.d/modules.rules

diff --git a/.../audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/default.fail.sh b/.../audit_kernel_module_loading/audit_rules_kernel_module_loading_init/tests/default.fail.sh
@@ -1,10 +1,6 @@
 #!/bin/bash
 # remediation = bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 rm -f /etc/audit/rules.d/*
 > /etc/audit/audit.rules
diff --git a/...ing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh b/...ing/auditd_configure_rules/file_group_ownership_var_log_audit/tests/correct_value.pass.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product %}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 source common.sh
 

diff --git a/...nfigure_rules/file_group_ownership_var_log_audit/tests/correct_value_default_file.pass.sh b/...nfigure_rules/file_group_ownership_var_log_audit/tests/correct_value_default_file.pass.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product %}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 source common.sh
 

diff --git a/...igure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh b/...igure_rules/file_group_ownership_var_log_audit/tests/correct_value_non-root_group.pass.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product %}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 # platform = multi_platform_rhel
 
 if grep -iwq "log_file" /etc/audit/auditd.conf; then

diff --git a/...iting/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh b/...iting/auditd_configure_rules/file_group_ownership_var_log_audit/tests/wrong_value.fail.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product %}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 source common.sh
 

diff --git a/...configure_rules/file_group_ownership_var_log_audit/tests/wrong_value_default_file.fail.sh b/...configure_rules/file_group_ownership_var_log_audit/tests/wrong_value_default_file.fail.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product %}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 source common.sh
 

diff --git a/...nfigure_rules/file_group_ownership_var_log_audit/tests/wrong_value_non-root_group.fail.sh b/...nfigure_rules/file_group_ownership_var_log_audit/tests/wrong_value_non-root_group.fail.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product %}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 # platform = multi_platform_rhel
 
 if grep -iwq "log_file" /etc/audit/auditd.conf; then

diff --git a/...g/configure_auditd_data_retention/auditd_data_disk_error_action/tests/wrong_value.fail.sh b/...g/configure_auditd_data_retention/auditd_data_disk_error_action/tests/wrong_value.fail.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 source common.sh
 

diff --git a/...tion/auditd_data_disk_full_action/tests/correct_and_wrong_value_multiple_possible.fail.sh b/...tion/auditd_data_disk_full_action/tests/correct_and_wrong_value_multiple_possible.fail.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 # variables = var_auditd_disk_full_action=action1|action2|action3
 
 source common.sh

diff --git a/...retention/auditd_data_disk_full_action/tests/correct_and_wrong_value_one_possible.fail.sh b/...retention/auditd_data_disk_full_action/tests/correct_and_wrong_value_one_possible.fail.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 # variables = var_auditd_disk_full_action=action1
 
 source common.sh

diff --git a/...data_retention/auditd_data_disk_full_action/tests/correct_value_multiple_possible.pass.sh b/...data_retention/auditd_data_disk_full_action/tests/correct_value_multiple_possible.pass.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 # variables = var_auditd_disk_full_action=action1|action2|action3
 
 source common.sh

diff --git a/...ditd_data_retention/auditd_data_disk_full_action/tests/correct_value_one_possible.pass.sh b/...ditd_data_retention/auditd_data_disk_full_action/tests/correct_value_one_possible.pass.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 # variables = var_auditd_disk_full_action=halt
 
 source common.sh

diff --git a/...iting/configure_auditd_data_retention/auditd_data_disk_full_action/tests/no_value.fail.sh b/...iting/configure_auditd_data_retention/auditd_data_disk_full_action/tests/no_value.fail.sh
@@ -1,8 +1,4 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 source common.sh
diff --git a/...ng/configure_auditd_data_retention/auditd_data_disk_full_action/tests/wrong_value.fail.sh b/...ng/configure_auditd_data_retention/auditd_data_disk_full_action/tests/wrong_value.fail.sh
@@ -1,9 +1,5 @@
 #!/bin/bash
-{{% if "ubuntu" in product%}}
-# packages = auditd
-{{% else %}}
 # packages = audit
-{{% endif %}}
 
 source common.sh
 

diff --git a/products/ol7/product.yml b/products/ol7/product.yml
@@ -37,6 +37,7 @@ cpes:
 # Mapping of CPE platform to package
 platform_package_overrides:
   login_defs: "shadow-utils"
+  openssl-pkcs11: "pam_pkcs11"
 
 reference_uris:
   cis: 'https://www.cisecurity.org/benchmark/oracle_linux/'
diff --git a/products/rhel7/product.yml b/products/rhel7/product.yml
@@ -58,6 +58,7 @@ cpes:
 # Mapping of CPE platform to package
 platform_package_overrides:
   login_defs: "shadow-utils"
+  openssl-pkcs11: "pam_pkcs11"
 
 centos_pkg_release: "53a7ff4b"
 centos_pkg_version: "f4a80eb5"

diff --git a/products/ubuntu1604/product.yml b/products/ubuntu1604/product.yml
@@ -28,13 +28,15 @@ cpes:
       check_id: installed_OS_is_ubuntu1604
 
 platform_package_overrides:
+  audit: auditd
   gdm: gdm3
   grub2: grub2-common
   net-snmp: snmp
   nss-pam-ldapd: libpam-ldap
   pam: libpam-runtime
   shadow: login
   sssd: sssd-common
+  openssl-pkcs11: libpam-pkcs11
 
 reference_uris:
   cis: 'https://www.cisecurity.org/benchmark/ubuntu_linux/'
diff --git a/products/ubuntu1804/product.yml b/products/ubuntu1804/product.yml
@@ -27,13 +27,15 @@ cpes:
       check_id: installed_OS_is_ubuntu1804
 
 platform_package_overrides:
+  audit: auditd
   gdm: gdm3
   grub2: grub2-common
   net-snmp: snmp
   nss-pam-ldapd: libpam-ldap
   pam: libpam-runtime
   shadow: login
   sssd: sssd-common
+  openssl-pkcs11: libpam-pkcs11
 
 reference_uris:
   cis: 'https://www.cisecurity.org/benchmark/ubuntu_linux/'
diff --git a/products/ubuntu2004/product.yml b/products/ubuntu2004/product.yml
@@ -35,6 +35,7 @@ platform_package_overrides:
   pam: libpam-runtime
   shadow: login
   sssd: sssd-common
+  openssl-pkcs11: libpam-pkcs11
 
 reference_uris:
   cis: 'https://www.cisecurity.org/benchmark/ubuntu_linux/'