Fix dirs in sysctl template for Ubuntu 20.04/22.04
On Ubuntu /lib is symlinked to /usr/lib, thus /lib/sysctl.d contains package-managed configs, which should not be modified and can be incorrect if overridden elsewhere (see ComplianceAsCode#10637).
Showing
4 changed files
with
276 additions
and
4 deletions.
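--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,272 @@
+{{%- if SYSCTLVAL == "" %}}
+{{%- set COMMENT_VALUE="the appropriate value" %}}
+{{%- elif SYSCTLVAL is string %}}
+{{%- set COMMENT_VALUE=SYSCTLVAL %}}
+{{%- else %}}
+{{%- set COMMENT_VALUE = SYSCTLVAL | join(" or " ) %}}
+{{%- endif %}}
+
+{{% macro state_static_sysctld(prefix) -%}}
+<ind:object object_ref="object_static_{{{ prefix }}}_{{{ rule_id }}}"/>
+{{% if SYSCTLVAL is string %}}
+<ind:state state_ref="state_static_sysctld_{{{ rule_id }}}"/>
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+<ind:state state_ref="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" />
+{{% endfor %}}
+{{% endif %}}
+{{%- endmacro -%}}
+{{%- macro sysctl_match() -%}}
+<ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
+<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+{{%- endmacro -%}}
+{{%- if "P" in FLAGS -%}}
+
+<def-group>
+<definition class="compliance" id="{{{ rule_id }}}" version="3">
+{{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in system configuration" + (" and system runtime." if CHECK_RUNTIME == "true" else ".")) }}}
+<criteria operator="AND">
+<extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
+definition_ref="{{{ rule_id }}}_static"/>
+{{% if CHECK_RUNTIME == "true" %}}
+<extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
+definition_ref="{{{ rule_id }}}_runtime"/>
+{{%- endif %}}
+</criteria>
+</definition>
+</def-group>
+
+{{%- elif "I" in FLAGS -%}}
+
+<def-group>
+<definition class="compliance" id="{{{ rule_id }}}" version="4">
+{{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in system configuration" + (" and system runtime." if CHECK_RUNTIME == "true" else ".")) }}}
+<criteria comment="IPv6 disabled or {{{ SYSCTLVAR }}} set correctly" operator="OR">
+{{% if product in ["ubuntu1604", "ubuntu1804"] %}}
+<extend_definition comment="is IPv6 enabled?"
+definition_ref="kernel_module_ipv6_option_disabled"/>
+{{% else %}}
+<extend_definition comment="is IPv6 enabled?"
+definition_ref="sysctl_kernel_ipv6_disable"/>
+{{% endif %}}
+<criteria operator="AND">
+<extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
+definition_ref="{{{ rule_id }}}_static"/>
+{{% if CHECK_RUNTIME == "true" %}}
+<extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
+definition_ref="{{{ rule_id }}}_runtime"/>
+{{%- endif %}}
+</criteria>
+</criteria>
+</definition>
+</def-group>
+
+{{%- endif %}}
+{{%- if "R" in FLAGS -%}}
+
+{{% if CHECK_RUNTIME == "true" %}}
+<def-group>
+<definition class="compliance" id="{{{ rule_id }}}_runtime" version="3">
+{{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system runtime.") }}}
+<criteria operator="AND">
+<criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
+test_ref="test_{{{ rule_id }}}_runtime"/>
+</criteria>
+</definition>
+
+<unix:sysctl_test id="test_{{{ rule_id }}}_runtime" version="1"
+comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}}"
+check="all" check_existence="all_exist" state_operator="OR">
+<unix:object object_ref="object_{{{ rule_id }}}_runtime"/>
+{{% if SYSCTLVAL is string %}}
+<unix:state state_ref="state_{{{ rule_id }}}_runtime"/>
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+<unix:state state_ref="state_{{{ rule_id }}}_runtime_{{{ x }}}" />
+{{% endfor %}}
+{{% endif %}}
+</unix:sysctl_test>
+
+<unix:sysctl_object id="object_{{{ rule_id }}}_runtime" version="1">
+<unix:name>{{{ SYSCTLVAR }}}</unix:name>
+</unix:sysctl_object>
+{{% if SYSCTLVAL is string %}}
+{{% if SYSCTLVAL == "" %}}
+<unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
+<unix:value datatype="{{{ DATATYPE }}}" operation="equals"
+var_ref="{{{ rule_id }}}_value"/>
+</unix:sysctl_state>
+
+<external_variable id="{{{ rule_id }}}_value" version="1"
+comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
+{{%- else %}}
+<unix:sysctl_state id="state_{{{ rule_id }}}_runtime" version="1">
+{{% if OPERATION == "pattern match" %}}
+<unix:value datatype="{{{ DATATYPE }}}"
+operation="{{{ OPERATION }}}">{{{ SYSCTLVAL_REGEX }}}</unix:value>
+{{% else %}}
+<unix:value datatype="{{{ DATATYPE }}}"
+operation="{{{ OPERATION }}}">{{{ SYSCTLVAL }}}</unix:value>
+{{% endif %}}
+</unix:sysctl_state>
+{{%- endif %}}
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+<unix:sysctl_state id="state_{{{ rule_id }}}_runtime_{{{ x }}}" version="1">
+<unix:value datatype="{{{ DATATYPE }}}"
+operation="{{{ OPERATION }}}">{{{ x }}}</unix:value>
+</unix:sysctl_state>
+{{% endfor %}}
+{{% endif %}}
+</def-group>
+{{% endif %}}
+
+{{%- endif -%}}
+{{%- if "S" in FLAGS -%}}
+
+<def-group>
+<definition class="compliance" id="{{{ rule_id }}}_static" version="3">
+{{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + COMMENT_VALUE + " in the system configuration.") }}}
+
+<criteria operator="OR">
+<!-- Processing differently files in /usr/lib/sysctl.d/ as they are managed by packages and
+won't be fixed by remediations, see sysctl.d(5) -->
+<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} set to {{{ COMMENT_VALUE }}} in sysctl files not managed by packages"
+test_ref="test_{{{ rule_id }}}_static_user" />
+<criteria operator="AND">
+<criterion comment="kernel static parameter {{{ SYSCTLVAR }}} missing in sysctl files not managed by packages"
+test_ref="test_{{{ rule_id }}}_static_user_missing" />
+{{% if MISSING_PARAMETER_PASS == "true" %}}
+<criterion comment="{{{ "kernel static parameter" + SYSCTLVAR + " set to " +
+COMMENT_VALUE + " or missing in sysctl files managed by packages" }}}"
+test_ref="test_{{{ rule_id }}}_static_pkg_not_wrong" />
+{{% else %}}
+<criterion comment="{{{ "kernel static parameter " + SYSCTLVAR + " set to " +
+COMMENT_VALUE + " in sysctl files managed by packages" }}}"
+test_ref="test_{{{ rule_id }}}_static_pkg_correct" />
+{{% endif %}}
+</criteria>
+</criteria>
+</definition>
+
+<ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_user_missing" version="1"
+check="all" check_existence="none_exist"
+comment="{{{ SYSCTLVAR }}} static configuration">
+<ind:object object_ref="object_static_user_{{{ rule_id }}}" />
+</ind:textfilecontent54_test>
+
+<ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_user" version="1"
+check="all" check_existence="all_exist"
+comment="{{{ SYSCTLVAR }}} static configuration" state_operator="OR">
+{{{ state_static_sysctld("user") }}}
+</ind:textfilecontent54_test>
+
+{{% if MISSING_PARAMETER_PASS == "true" %}}
+<ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_pkg_not_wrong" version="2" check="all"
+check_existence="any_exist"
+comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf" state_operator="OR">
+{{{ state_static_sysctld("usr_lib_sysctld") }}}
+</ind:textfilecontent54_test>
+{{% else %}}
+<ind:textfilecontent54_test id="test_{{{ rule_id }}}_static_pkg_correct" version="2" check="all"
+check_existence="all_exist"
+comment="{{{ SYSCTLVAR }}} static configuration in /usr/lib/sysctl.d/*.conf"
+state_operator="OR">
+{{{ state_static_sysctld("usr_lib_sysctld") }}}
+</ind:textfilecontent54_test>
+{{% endif %}}
+
+<!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
+variable to have no value even when there are valid objects. -->
+<ind:textfilecontent54_object id="object_static_user_{{{ rule_id }}}" version="1">
+<set>
+<object_reference>object_static_etc_lib_sysctls_{{{ rule_id }}}</object_reference>
+<object_reference>object_static_run_usr_local_sysctls_{{{ rule_id }}}</object_reference>
+</set>
+</ind:textfilecontent54_object>
+
+<ind:textfilecontent54_object id="object_static_etc_lib_sysctls_{{{ rule_id }}}" version="1">
+<set>
+<object_reference>object_static_etc_sysctls_{{{ rule_id }}}</object_reference>
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+<object_reference>object_static_lib_sysctld_{{{ rule_id }}}</object_reference>
+{{% endif %}}
+</set>
+</ind:textfilecontent54_object>
+
+<ind:textfilecontent54_object id="object_static_etc_sysctls_{{{ rule_id }}}" version="1">
+<set>
+<object_reference>object_static_sysctl_{{{ rule_id }}}</object_reference>
+<object_reference>object_static_etc_sysctld_{{{ rule_id }}}</object_reference>
+</set>
+</ind:textfilecontent54_object>
+
+<ind:textfilecontent54_object id="object_static_run_usr_local_sysctls_{{{ rule_id }}}" version="1">
+<set>
+<object_reference>object_static_usr_local_lib_sysctld_{{{ rule_id }}}</object_reference>
+<object_reference>object_static_run_sysctld_{{{ rule_id }}}</object_reference>
+</set>
+</ind:textfilecontent54_object>
+<ind:textfilecontent54_object id="object_static_sysctl_{{{ rule_id }}}" version="1">
+<ind:filepath>/etc/sysctl.conf</ind:filepath>
+{{{ sysctl_match() }}}
+</ind:textfilecontent54_object>
+
+<ind:textfilecontent54_object id="object_static_etc_sysctld_{{{ rule_id }}}" version="1">
+<ind:path>/etc/sysctl.d</ind:path>
+<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+{{{ sysctl_match() }}}
+</ind:textfilecontent54_object>
+
+<ind:textfilecontent54_object id="object_static_run_sysctld_{{{ rule_id }}}" version="1">
+<ind:path>/run/sysctl.d</ind:path>
+<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+{{{ sysctl_match() }}}
+</ind:textfilecontent54_object>
+
+<ind:textfilecontent54_object id="object_static_usr_local_lib_sysctld_{{{ rule_id }}}" version="1">
+<ind:path>/usr/local/lib/sysctl.d</ind:path>
+<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+{{{ sysctl_match() }}}
+</ind:textfilecontent54_object>
+
+<ind:textfilecontent54_object id="object_static_usr_lib_sysctld_{{{ rule_id }}}" version="1">
+<ind:path>/usr/lib/sysctl.d</ind:path>
+<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+{{{ sysctl_match() }}}
+</ind:textfilecontent54_object>
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel7", "rhel8", "rhel9"] %}}
+<ind:textfilecontent54_object id="object_static_lib_sysctld_{{{ rule_id }}}" version="1">
+<ind:path>/lib/sysctl.d</ind:path>
+<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+{{{ sysctl_match() }}}
+</ind:textfilecontent54_object>
+{{% endif %}}
+{{% if SYSCTLVAL is string %}}
+{{% if SYSCTLVAL == "" %}}
+
+<ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
+<ind:subexpression operation="{{{ OPERATION }}}" var_ref="{{{ rule_id }}}_value"
+datatype="{{{ DATATYPE }}}" />
+</ind:textfilecontent54_state>
+
+<external_variable id="{{{ rule_id }}}_value" version="1"
+comment="External variable for {{{ SYSCTLVAR }}}" datatype="{{{ DATATYPE }}}"/>
+{{% else %}}
+<ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}" version="1">
+{{% if OPERATION == "pattern match" %}}
+<ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL_REGEX }}}</ind:subexpression>
+{{% else %}}
+<ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ SYSCTLVAL }}}</ind:subexpression>
+{{% endif %}}
+</ind:textfilecontent54_state>
+{{% endif %}}
+{{% elif SYSCTLVAL is sequence %}}
+{{% for x in SYSCTLVAL %}}
+<ind:textfilecontent54_state id="state_static_sysctld_{{{ rule_id }}}_{{{ x }}}" version="1">
+<ind:subexpression operation="{{{ OPERATION }}}" datatype="{{{ DATATYPE }}}">{{{ x }}}</ind:subexpression>
+</ind:textfilecontent54_state>
+{{% endfor %}}
+{{% endif %}}
+</def-group>
+{{%- endif -%}}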
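Review bot: The product guard around `object_static_lib_sysctld` (inside the `object_static_etc_lib_sysctls` set and again before the `/lib/sysctl.d` object) excludes only the ol/rhel/rhcos products, so for ubuntu2004 and ubuntu2204 `/lib/sysctl.d` is still collected as a user-managed directory and a package-shipped value there that is overridden in `/etc/sysctl.d` would still fail `test_static_user`; unless one of the other changed files overrides this template for those products, the behaviour the commit message describes is not what this file renders, and adding them to both lists (or setting the list once in a variable at the top of the template so the two guards cannot drift apart) would close that gap. The `MISSING_PARAMETER_PASS` criterion comment is built from `"kernel static parameter" + SYSCTLVAR` without the trailing space the `else` branch has, so the rendered comment runs the two words together; it should read `"kernel static parameter " + SYSCTLVAR + " set to " +`. In `sysctl_match`, the pattern `^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$` lets the greedy `(.*)` swallow trailing whitespace before `[\s]*$`, so a config line with a trailing space (constructed example: `kernel.example = 1 `) yields the subexpression `1 ` and an `equals` comparison against `1` fails; `(.*?)[\s]*$` keeps the captured value trimmed. The same pattern also interpolates `SYSCTLVAR` unescaped, so its dots match any character, and it does not match the `/`-separated key spelling that sysctl(8) also accepts; if those are accepted limitations, a short comment on the macro saying so would help the next reader.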