From d87c0a7cf2c26b5dec2dbdfe4f2d8d7200ecffd0 Mon Sep 17 00:00:00 2001
From: Markus Linnala
Date: Thu, 1 Sep 2022 14:25:55 +0300
Subject: [PATCH 1/3] fix: service_disabled/tests: handle socket actication services

They have service like: @.service and are only meant to be used via socket activation. Also there is considerable speed difference between slow: systemctl list-unit-files and fast: systemctl list-unit-files . Use fast solution here.
---
 .../tests/service_disabled.pass.sh | 12 ++++++++----
 .../tests/service_enabled.fail.sh | 15 ++++++++++++---
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/shared/templates/service_disabled/tests/service_disabled.pass.sh b/shared/templates/service_disabled/tests/service_disabled.pass.sh
index dbd400eae51..7d0c50a910d 100644
--- a/shared/templates/service_disabled/tests/service_disabled.pass.sh
+++ b/shared/templates/service_disabled/tests/service_disabled.pass.sh
@@ -2,11 +2,15 @@
 # packages = {{{ PACKAGENAME }}}
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.service'
-"$SYSTEMCTL_EXEC" disable '{{{ DAEMONNAME }}}.service'
-"$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.service'
+# Some services use @.service style that is not meant to be activated at all,
+# and only used via socket activation.
+if "$SYSTEMCTL_EXEC" list-unit-files '{{{ DAEMONNAME }}}.service' | grep -q '^{{{ DAEMONNAME }}}.service'; then
+ "$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.service'
+ "$SYSTEMCTL_EXEC" disable '{{{ DAEMONNAME }}}.service'
+ "$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.service'
+fi
 # Disable socket activation if we have a unit file for it
-if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^{{{ DAEMONNAME }}}.socket'; then
+if "$SYSTEMCTL_EXEC" list-unit-files '{{{ DAEMONNAME }}}.socket' | grep -q '^{{{ DAEMONNAME }}}.socket'; then
 "$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.socket'
 "$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.socket'
 fi
diff --git a/shared/templates/service_disabled/tests/service_enabled.fail.sh b/shared/templates/service_disabled/tests/service_enabled.fail.sh
index 717a895cea2..7d9efcaf266 100644
--- a/shared/templates/service_disabled/tests/service_enabled.fail.sh
+++ b/shared/templates/service_disabled/tests/service_enabled.fail.sh
@@ -2,9 +2,18 @@
 # packages = {{{ PACKAGENAME }}}
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
-"$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.service'
-"$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.service'
-"$SYSTEMCTL_EXEC" enable '{{{ DAEMONNAME }}}.service'
+# Some services use @.service style that is not meant to be activated at all,
+# and only used via socket activation.
+if "$SYSTEMCTL_EXEC" list-unit-files '{{{ DAEMONNAME }}}.service' | grep -q '^{{{ DAEMONNAME }}}.service'; then
+ "$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.service'
+ "$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.service'
+ "$SYSTEMCTL_EXEC" enable '{{{ DAEMONNAME }}}.service'
+fi
+# Disable socket activation if we have a unit file for it
+if "$SYSTEMCTL_EXEC" list-unit-files '{{{ DAEMONNAME }}}.socket' | grep -q '^{{{ DAEMONNAME }}}.socket'; then
+ "$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.socket'
+ "$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.socket'
+fi
 # The service may not be running because it has been started and failed,
 # so let's reset the state so OVAL checks pass.

From c143373bef27f560be3379d545846e2432b46c85 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Thu, 5 Jan 2023 14:41:22 +0100
Subject: [PATCH 2/3] Remove unnecessary grep from test scenario scripts

Since the unit is now informed in the for the sysctl list-unit-files, the return code will already be 0 if the unit exists and 1 otherwise. So, this | grep is no longer necessary.
---
 .../service_disabled/tests/service_disabled.pass.sh | 4 ++--
 .../service_disabled/tests/service_enabled.fail.sh | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/shared/templates/service_disabled/tests/service_disabled.pass.sh b/shared/templates/service_disabled/tests/service_disabled.pass.sh
index 7d0c50a910d..71cd5dcb61e 100644
--- a/shared/templates/service_disabled/tests/service_disabled.pass.sh
+++ b/shared/templates/service_disabled/tests/service_disabled.pass.sh
@@ -4,13 +4,13 @@
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 # Some services use @.service style that is not meant to be activated at all,
 # and only used via socket activation.
-if "$SYSTEMCTL_EXEC" list-unit-files '{{{ DAEMONNAME }}}.service' | grep -q '^{{{ DAEMONNAME }}}.service'; then
+if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.service'; then
 "$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.service'
 "$SYSTEMCTL_EXEC" disable '{{{ DAEMONNAME }}}.service'
 "$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.service'
 fi
 # Disable socket activation if we have a unit file for it
-if "$SYSTEMCTL_EXEC" list-unit-files '{{{ DAEMONNAME }}}.socket' | grep -q '^{{{ DAEMONNAME }}}.socket'; then
+if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.socket'; then
 "$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.socket'
 "$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.socket'
 fi
diff --git a/shared/templates/service_disabled/tests/service_enabled.fail.sh b/shared/templates/service_disabled/tests/service_enabled.fail.sh
index 7d9efcaf266..a3a7137eb34 100644
--- a/shared/templates/service_disabled/tests/service_enabled.fail.sh
+++ b/shared/templates/service_disabled/tests/service_enabled.fail.sh
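Review bot: The new guard `if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.service'; then` relies on list-unit-files exiting non-zero when the pattern matches nothing, which the commit message asserts but which I believe holds only on newer systemd releases; older ones exit 0 on an empty list, and on such a platform the block would always run and the test scenario would silently lose the socket-activation case it was written for. If older systemd is in the supported test matrix, checking the output instead is safer, e.g. `if [ -n "$("$SYSTEMCTL_EXEC" list-unit-files --no-legend '{{{ DAEMONNAME }}}.service')" ]; then`. The same applies to the socket guard below it in this hunk and to both guards in the service_enabled.fail.sh hunk of this commit.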
@@ -4,13 +4,13 @@
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 # Some services use @.service style that is not meant to be activated at all,
 # and only used via socket activation.
-if "$SYSTEMCTL_EXEC" list-unit-files '{{{ DAEMONNAME }}}.service' | grep -q '^{{{ DAEMONNAME }}}.service'; then
+if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.service'; then
 "$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.service'
 "$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.service'
 "$SYSTEMCTL_EXEC" enable '{{{ DAEMONNAME }}}.service'
 fi
-# Disable socket activation if we have a unit file for it
-if "$SYSTEMCTL_EXEC" list-unit-files '{{{ DAEMONNAME }}}.socket' | grep -q '^{{{ DAEMONNAME }}}.socket'; then
+# Enable socket activation if we have a unit file for it
+if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.socket'; then
 "$SYSTEMCTL_EXEC" unmask '{{{ DAEMONNAME }}}.socket'
 "$SYSTEMCTL_EXEC" start '{{{ DAEMONNAME }}}.socket'
 fi

From 7f3ef42532e73dc3d2e27250c9fe38096da775bb Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Fri, 6 Jan 2023 08:17:14 +0100
Subject: [PATCH 3/3] Optimize conditional in bash remediation

---
 shared/templates/service_disabled/bash.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template
index a408e3d1760..27666b03bcb 100644
--- a/shared/templates/service_disabled/bash.template
+++ b/shared/templates/service_disabled/bash.template
@@ -11,7 +11,7 @@ SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" disable '{{{ DAEMONNAME }}}.service'
 "$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.service'
 # Disable socket activation if we have a unit file for it
-if "$SYSTEMCTL_EXEC" list-unit-files | grep -q '^{{{ DAEMONNAME }}}.socket'; then
+if "$SYSTEMCTL_EXEC" -q list-unit-files {{{ DAEMONNAME }}}.socket; then
 "$SYSTEMCTL_EXEC" stop '{{{ DAEMONNAME }}}.socket'
 "$SYSTEMCTL_EXEC" mask '{{{ DAEMONNAME }}}.socket'
 fi
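Review bot: The template argument on the new condition in bash.template is unquoted, `{{{ DAEMONNAME }}}.socket`, while every other occurrence in this file and in the test scripts quotes it; keep it uniform with `if "$SYSTEMCTL_EXEC" -q list-unit-files '{{{ DAEMONNAME }}}.socket'; then` so a rendered name is never subject to shell word splitting or globbing. As with the test-script guards, the condition is only meaningful where list-unit-files exits non-zero on an empty match, which I believe is not the case on older systemd releases; in a remediation a false positive would attempt to stop and mask a socket unit that does not exist on the host. The remediation block this hunk belongs to starts before the hunk.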