kernel_module_disabled extend and bugfix #10519
Conversation
Hi @maage. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
13c2284 to f5c7fb9
This datastream diff is auto generated by the check. Trimmed diff:

OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs.
--- oval:ssg-kernel_module_atm_disabled:def:1
+++ oval:ssg-kernel_module_atm_disabled:def:1
@@ -1,4 +1,19 @@
criteria OR
criteria AND
criterion oval:ssg-test_kernmod_atm_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_atm_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_force_drivers:tst:1
criterion oval:ssg-test_kernmod_atm_disabled:tst:1
+criterion oval:ssg-test_kernmod_atm_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_atm_runtime:tst:1
+criterion oval:ssg-test_kernmod_atm_cmdline:tst:1
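Review bot: the criterion `oval:ssg-test_kernmod_atm_cmdline:tst:1` added at the end of this hunk has no counterpart in either remediation in this PR. Neither the bash nor the Ansible version touches the boot loader configuration, so a host that gets the module from the kernel command line will keep failing the rule after remediation; either drop the cmdline criterion here or state in the rule description that this part is check-only. Separately, the trimmed view drops `negate` attributes and nesting, so the sequence `criteria OR` / `extend_definition oval:ssg-package_dracut_installed:def:1` / `criteria AND` only reads as "dracut is not installed, or dracut is configured to omit the module" if the extend_definition is negated, and the same goes for the `in_modules_load`, `runtime` and `cmdline` criteria. Please confirm the generated XML carries `negate="true"` on those nodes.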
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
@@ -1,16 +1,58 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then
-
- sed -i 's#^install atm.*#install atm /bin/true#g' /etc/modprobe.d/atm.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=atm
+kernmodule_rx=atm
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf
- echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
fi
-if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then
- echo "blacklist atm" >> /etc/modprobe.d/atm.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\satm\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
fi
else
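Review bot: the dracut `drivers` cleanup `sed -Ei "s/${rx}/\1 \2/"` uses the wrong backreference and corrupts the file it edits. ERE has no non-capturing group, so in `rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\satm\s([^"]*")\s*$'` group 2 is the keyword alternation and the trailing text is group 3; a line `add_drivers+=" e1000 atm "` becomes `add_drivers+=" e1000 add_drivers` with the closing quote gone, which dracut will then fail to source. The replacement must be `\1 \3` (the Ansible version is correct because it uses `(?:...)`). Second, the omit check `'^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$'` does not escape the `+`, so under `-E` it means "one or more s" and never matches the `omit_drivers+=" atm "` line the script itself writes; the `printf` therefore appends a duplicate line on every run. It needs `omit_drivers\+=`, exactly as the `rx` a few lines below escapes it. Third, the loop glob `/etc/dracut.conf/*.conf` matches nothing because `/etc/dracut.conf` is a file, so the bash path skips the file that the Ansible version loops over and that the OVAL `dracut_conf_*` tests inspect; list `/etc/dracut.conf` explicitly. Minor: `set -u` at the top of the snippet is not scoped, so it stays in force for every remediation concatenated after this one in the generated script, and the run of blank lines after it looks like template whitespace that should be trimmed.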
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
@@ -5,6 +5,91 @@
regexp: install\s+atm
line: install atm /bin/true
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82028-2
+ - DISA-STIG-RHEL-08-040021
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_atm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Find modules-load.d files with atm load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*atm\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82028-2
+ - DISA-STIG-RHEL-08-040021
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_atm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Remove atm load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*atm\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82028-2
+ - DISA-STIG-RHEL-08-040021
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_atm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Is atm as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^atm\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82028-2
+ - DISA-STIG-RHEL-08-040021
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_atm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Try to remove atm, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - atm
+ failed_when: false
tags:
- CCE-82028-2
- DISA-STIG-RHEL-08-040021
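Review bot: the `Try to remove atm, might fail` task sets `failed_when: false` but no `changed_when`, so it reports changed on every run even when `modprobe -r` is refused because the module is in use; register the result and set `changed_when` on `rc == 0`. The `Is atm as loaded module` task probes `/proc/modules` with `lineinfile` in check mode, which works because `state: absent` returns `found`, but the name does not say that; rename it along the lines of `Check whether atm is currently loaded`, or read the file with `slurp` so the intent is obvious. Also, the `find` over `/lib/modules-load.d` and `/usr/lib/modules-load.d` followed by in-place `lineinfile` edits modifies package-owned files, which `rpm -V` will flag and the next package update will restore; on merged-usr hosts the two directories are the same and get processed twice. Dropping an override of the same file name into `/etc/modules-load.d` is the supported way to mask a vendor entry and survives updates.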
@@ -33,3 +118,54 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with atm load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\satm\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with atm load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\satm\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'atm' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-atm.conf
+ regexp: ^omit_drivers\+=" atm "$
+ line: omit_drivers+=" atm "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82028-2
+ - DISA-STIG-RHEL-08-040021
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_atm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
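Review bot: in `Replace dracut configs with atm load`, `/etc/dracut.conf` is appended to the loop unconditionally through `dracut_conf_path_entry`, and `replace` fails when its `path` does not exist; the enclosing `'dracut' in ansible_facts.packages` guard does not guarantee the file is present, so check it with `stat` first or filter the loop on existence. `package_facts` is also gathered inside every `kernel_module_*_disabled` rule, which for a profile enabling dozens of these rules means dozens of package inventories; consider gathering once. Lastly, the omit check `regexp: ^omit_drivers\+=" atm "$` is an exact match while the bash version accepts other drivers on the same line, so the two remediations disagree on whether an existing `omit_drivers+=" atm e1000 "` in `omit-atm.conf` is sufficient; align the patterns.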
OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs.
--- oval:ssg-kernel_module_can_disabled:def:1
+++ oval:ssg-kernel_module_can_disabled:def:1
@@ -1,4 +1,19 @@
criteria OR
criteria AND
criterion oval:ssg-test_kernmod_can_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_can_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_d_force_drivers:tst:1
criterion oval:ssg-test_kernmod_can_disabled:tst:1
+criterion oval:ssg-test_kernmod_can_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_can_runtime:tst:1
+criterion oval:ssg-test_kernmod_can_cmdline:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
@@ -1,16 +1,58 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then
-
- sed -i 's#^install can.*#install can /bin/true#g' /etc/modprobe.d/can.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=can
+kernmodule_rx=can
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf
- echo "install can /bin/true" >> /etc/modprobe.d/can.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
fi
-if ! LC_ALL=C grep -q -m 1 "^blacklist can$" /etc/modprobe.d/can.conf ; then
- echo "blacklist can" >> /etc/modprobe.d/can.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\scan\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
fi
else
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
@@ -5,6 +5,91 @@
regexp: install\s+can
line: install can /bin/true
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82059-7
+ - DISA-STIG-RHEL-08-040022
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_can_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Find modules-load.d files with can load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*can\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82059-7
+ - DISA-STIG-RHEL-08-040022
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_can_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Remove can load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*can\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82059-7
+ - DISA-STIG-RHEL-08-040022
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_can_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Is can as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^can\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82059-7
+ - DISA-STIG-RHEL-08-040022
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_can_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Try to remove can, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - can
+ failed_when: false
tags:
- CCE-82059-7
- DISA-STIG-RHEL-08-040022
@@ -33,3 +118,54 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with can load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\scan\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with can load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\scan\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'can' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-can.conf
+ regexp: ^omit_drivers\+=" can "$
+ line: omit_drivers+=" can "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82059-7
+ - DISA-STIG-RHEL-08-040022
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_can_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs.
--- oval:ssg-kernel_module_dccp_disabled:def:1
+++ oval:ssg-kernel_module_dccp_disabled:def:1
@@ -1,4 +1,19 @@
criteria OR
criteria AND
criterion oval:ssg-test_kernmod_dccp_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_force_drivers:tst:1
criterion oval:ssg-test_kernmod_dccp_disabled:tst:1
+criterion oval:ssg-test_kernmod_dccp_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_dccp_runtime:tst:1
+criterion oval:ssg-test_kernmod_dccp_cmdline:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
@@ -1,16 +1,58 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then
-
- sed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=dccp
+kernmodule_rx=dccp
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/dccp.conf
- echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
fi
-if ! LC_ALL=C grep -q -m 1 "^blacklist dccp$" /etc/modprobe.d/dccp.conf ; then
- echo "blacklist dccp" >> /etc/modprobe.d/dccp.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\sdccp\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
fi
else
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
@@ -21,6 +21,111 @@
- medium_severity
- reboot_required
+- name: Find modules-load.d files with dccp load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*dccp\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80833-7
+ - CJIS-5.10.1
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_dccp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Remove dccp load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*dccp\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80833-7
+ - CJIS-5.10.1
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_dccp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Is dccp as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^dccp\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80833-7
+ - CJIS-5.10.1
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_dccp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Try to remove dccp, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - dccp
+ failed_when: false
+ tags:
+ - CCE-80833-7
+ - CJIS-5.10.1
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_dccp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
- name: Ensure kernel module 'dccp' is blacklisted
lineinfile:
create: true
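Review bot: the inserted task block starts directly after the `- reboot_required` context line with no separating blank line, yet ends with one (the blank `+` line before `Ensure kernel module 'dccp' is blacklisted`), and the other rules in this diff put a blank line before each new task. The template should emit the same separator in both places so the generated playbooks stay uniform.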
@@ -43,3 +148,59 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with dccp load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\sdccp\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with dccp load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\sdccp\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'dccp' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-dccp.conf
+ regexp: ^omit_drivers\+=" dccp "$
+ line: omit_drivers+=" dccp "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80833-7
+ - CJIS-5.10.1
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_dccp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs.
--- oval:ssg-kernel_module_firewire-core_disabled:def:1
+++ oval:ssg-kernel_module_firewire-core_disabled:def:1
@@ -1,4 +1,19 @@
criteria OR
criteria AND
criterion oval:ssg-test_kernmod_firewire-core_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_force_drivers:tst:1
criterion oval:ssg-test_kernmod_firewire-core_disabled:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_runtime:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_cmdline:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
@@ -1,16 +1,58 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then
-
- sed -i 's#^install firewire-core.*#install firewire-core /bin/true#g' /etc/modprobe.d/firewire-core.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=firewire-core
+kernmodule_rx='firewire[_-]core'
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf
- echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
fi
-if ! LC_ALL=C grep -q -m 1 "^blacklist firewire-core$" /etc/modprobe.d/firewire-core.conf ; then
- echo "blacklist firewire-core" >> /etc/modprobe.d/firewire-core.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\sfirewire[_-]core\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
fi
else
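Review bot: `kernmodule_rx='firewire[_-]core'` is the right fix for the name normalization, since the kernel reports `firewire_core` in `/proc/modules` and a `^firewire-core\s` probe would never match it, but the dracut `drivers` pattern further down hardcodes `\sfirewire[_-]core\s` instead of using `${kernmodule_rx}`; derive it from the variable so the two spellings are maintained in one place. Note also that `sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g"` now rewrites an existing `install firewire_core ...` line to the dash spelling, which modprobe treats as equivalent but which changes text the admin wrote; a one-line comment would save the next reader the question.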
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
@@ -2,9 +2,94 @@
lineinfile:
create: true
dest: /etc/modprobe.d/firewire-core.conf
- regexp: install\s+firewire-core
+ regexp: install\s+firewire[_-]core
line: install firewire-core /bin/true
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82005-0
+ - DISA-STIG-RHEL-08-040026
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_firewire-core_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Find modules-load.d files with firewire-core load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*firewire[_-]core\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82005-0
+ - DISA-STIG-RHEL-08-040026
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_firewire-core_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Remove firewire-core load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*firewire[_-]core\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82005-0
+ - DISA-STIG-RHEL-08-040026
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_firewire-core_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Is firewire-core as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^firewire[_-]core\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82005-0
+ - DISA-STIG-RHEL-08-040026
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_firewire-core_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Try to remove firewire-core, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - firewire-core
+ failed_when: false
tags:
- CCE-82005-0
- DISA-STIG-RHEL-08-040026
@@ -20,7 +105,7 @@
lineinfile:
create: true
dest: /etc/modprobe.d/firewire-core.conf
- regexp: ^blacklist firewire-core$
+ regexp: ^blacklist firewire[_-]core$
line: blacklist firewire-core
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
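Review bot: `regexp: ^blacklist firewire[_-]core$` requires exactly one space and no leading whitespace, while the bash version in this PR checks `^\s*blacklist\s+firewire[_-]core\s*$`; a file containing `blacklist  firewire-core` with two spaces satisfies bash but makes this task append a second `blacklist firewire-core` line. Align the two patterns, preferably on the whitespace-tolerant one.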
@@ -33,3 +118,54 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with firewire-core load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\sfirewire[_-]core\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with firewire-core load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\sfirewire[_-]core\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'firewire-core' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-firewire-core.conf
+ regexp: ^omit_drivers\+=" firewire[_-]core "$
+ line: omit_drivers+=" firewire-core "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82005-0
+ - DISA-STIG-RHEL-08-040026
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_firewire-core_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
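Review bot: the `Find dracut configs with firewire-core load` and `Replace dracut configs with firewire-core load` tasks carry neither the `ansible_virtualization_type` condition nor the rule tags that every other task in this playbook has, so a tag-filtered run (`--tags kernel_module_firewire-core_disabled`) skips them and a container run still rewrites dracut files. Put `when` and `tags` on the `Block dracut configuration` block so both inner tasks inherit them. One more thing to document in the template: the `\sfirewire[_-]core\s` pattern relies on the dracut convention of a space on each side of every driver name, so a hand-written `add_drivers+="firewire-core"` is neither found nor cleaned up; if that is intended, say so in a comment next to the regexp.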
OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled' differs.
--- oval:ssg-kernel_module_rds_disabled:def:1
+++ oval:ssg-kernel_module_rds_disabled:def:1
@@ -1,4 +1,19 @@
criteria OR
criteria AND
criterion oval:ssg-test_kernmod_rds_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_rds_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_d_force_drivers:tst:1
criterion oval:ssg-test_kernmod_rds_disabled:tst:1
+criterion oval:ssg-test_kernmod_rds_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_rds_runtime:tst:1
+criterion oval:ssg-test_kernmod_rds_cmdline:tst:1
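Review bot: the new `test_kernmod_rds_cmdline` criterion ships with no test scenario; the commit message further down says outright that the /proc/cmdline feature is not tested. Either add a scenario that sets the kernel command line (and state in `oval.template` which parameter the test looks for) or leave this criterion out of this PR, so that no rule passes or fails on a code path nobody has exercised. Separately, the rendered diff flattens the `criteria OR`/`criteria AND` nesting; from this listing alone the four dracut `*_drivers` tests and the two `omit_drivers` tests read as children of one `criteria OR`, which would let a single matching `omit_drivers` line pass the rule even while `force_drivers` still pulls the module into the initramfs. Please spell out the intended tree in the template comment so reviewers can check it against the generated OVAL.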
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled
@@ -1,16 +1,58 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-if LC_ALL=C grep -q -m 1 "^install rds" /etc/modprobe.d/rds.conf ; then
-
- sed -i 's#^install rds.*#install rds /bin/true#g' /etc/modprobe.d/rds.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=rds
+kernmodule_rx=rds
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/rds.conf
- echo "install rds /bin/true" >> /etc/modprobe.d/rds.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
fi
-if ! LC_ALL=C grep -q -m 1 "^blacklist rds$" /etc/modprobe.d/rds.conf ; then
- echo "blacklist rds" >> /etc/modprobe.d/rds.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\srds\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
fi
else
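Review bot: the `omit_drivers` idempotence check is broken: in the ERE `'^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$'` the `+` is unescaped, so it means "one or more `s`" and the pattern can never match the literal `omit_drivers+=" rds "` that the `printf` right after it writes (compare the correctly escaped `\+` in the `(drivers|add_drivers|force_drivers)\+=` pattern a few lines later and in the Ansible `lineinfile` regexp). Every run of the remediation therefore appends another `omit_drivers+=" rds "` line to /etc/dracut.conf.d/omit-rds.conf; change it to `omit_drivers\+="`. Also, `/etc/dracut.conf/*.conf` in the following `for` loop globs a directory that does not exist (`/etc/dracut.conf` is a file), so unlike the Ansible version, which adds `/etc/dracut.conf` to its loop explicitly, bash never removes a `drivers+=` entry from the main config; use `/etc/dracut.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf` instead.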
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled
@@ -5,6 +5,95 @@
regexp: install\s+rds
line: install rds /bin/true
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82870-7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Find modules-load.d files with rds load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*rds\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82870-7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Remove rds load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*rds\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82870-7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Is rds as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^rds\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82870-7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Try to remove rds, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - rds
+ failed_when: false
tags:
- CCE-82870-7
- NIST-800-53-CM-6(a)
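Review bot: `Remove rds load from modules-load.d files` edits files under `/lib/modules-load.d` and `/usr/lib/modules-load.d` in place; those are vendor-owned and the next package update restores them, silently undoing the remediation. modules-load.d(5) resolves a file in /etc over a file of the same name in /usr/lib, so the durable fix is to mask the vendor file with an identically named empty file (or /dev/null symlink) in `/etc/modules-load.d/` and only edit in place under `/etc` and `/run`; the bash loop in the previous hunk has the same issue. Minor: on merged-/usr systems `/lib/modules-load.d` and `/usr/lib/modules-load.d` are the same directory, so `find` lists every hit twice and the `lineinfile` loop processes each file twice, which is harmless but noisy.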
@@ -35,3 +124,55 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with rds load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\srds\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with rds load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\srds\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'rds' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-rds.conf
+ regexp: ^omit_drivers\+=" rds "$
+ line: omit_drivers+=" rds "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82870-7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
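Review bot: `package_facts` is gathered inside every `kernel_module_*_disabled` rule (the identical `Block dracut configuration` appears for firewire-core, sctp, tipc and bluetooth in this diff alone), so a profile with dozens of these rules scans the package database dozens of times. Gather it once, e.g. guard the task with `when: ansible_facts.packages is not defined`, and reuse `ansible_facts.packages` for the `'dracut' in ...` condition.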
OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' differs.
--- oval:ssg-kernel_module_sctp_disabled:def:1
+++ oval:ssg-kernel_module_sctp_disabled:def:1
@@ -1,4 +1,19 @@
criteria OR
criteria AND
criterion oval:ssg-test_kernmod_sctp_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_d_force_drivers:tst:1
criterion oval:ssg-test_kernmod_sctp_disabled:tst:1
+criterion oval:ssg-test_kernmod_sctp_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_sctp_runtime:tst:1
+criterion oval:ssg-test_kernmod_sctp_cmdline:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
@@ -1,16 +1,58 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then
-
- sed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=sctp
+kernmodule_rx=sctp
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf
- echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
fi
-if ! LC_ALL=C grep -q -m 1 "^blacklist sctp$" /etc/modprobe.d/sctp.conf ; then
- echo "blacklist sctp" >> /etc/modprobe.d/sctp.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\ssctp\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
fi
else
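Review bot: style: the template emits ten consecutive empty lines right after `set -u` (and further blank pairs between sections) in the rendered bash; trimming the Jinja whitespace with `{%-`/`-%}` would make the generated remediation readable. The variable `rx` is also reused for three unrelated patterns in one scope (the `install` line, the modules-load.d line and the dracut `drivers` line); naming them `install_rx`, `load_rx` and `dracut_rx` would make each `sed` self-explanatory and avoid a later edit reordering the blocks by accident.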
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
@@ -22,6 +22,115 @@
- medium_severity
- reboot_required
+- name: Find modules-load.d files with sctp load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*sctp\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80834-5
+ - CJIS-5.10.1
+ - DISA-STIG-RHEL-08-040023
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_sctp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Remove sctp load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*sctp\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80834-5
+ - CJIS-5.10.1
+ - DISA-STIG-RHEL-08-040023
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_sctp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Is sctp as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^sctp\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80834-5
+ - CJIS-5.10.1
+ - DISA-STIG-RHEL-08-040023
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_sctp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Try to remove sctp, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - sctp
+ failed_when: false
+ tags:
+ - CCE-80834-5
+ - CJIS-5.10.1
+ - DISA-STIG-RHEL-08-040023
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_sctp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
- name: Ensure kernel module 'sctp' is blacklisted
lineinfile:
create: true
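Review bot: style: the task name `Is sctp as loaded module` is not a sentence; `Check whether sctp is currently loaded` (and the same for the other modules) reads better in play output. Also, in this hunk the inserted tasks start directly after the previous task's `- reboot_required` with no separating blank line, whereas the rds and tipc hunks emit a `+` blank line first, so the generated playbooks are formatted inconsistently across rules.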
@@ -45,3 +154,60 @@
- medium_disruption
- medium_severity
- reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with sctp load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\ssctp\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with sctp load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\ssctp\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'sctp' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-sctp.conf
+ regexp: ^omit_drivers\+=" sctp "$
+ line: omit_drivers+=" sctp "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80834-5
+ - CJIS-5.10.1
+ - DISA-STIG-RHEL-08-040023
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_sctp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' differs.
--- oval:ssg-kernel_module_tipc_disabled:def:1
+++ oval:ssg-kernel_module_tipc_disabled:def:1
@@ -1,4 +1,19 @@
criteria OR
criteria AND
criterion oval:ssg-test_kernmod_tipc_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_d_force_drivers:tst:1
criterion oval:ssg-test_kernmod_tipc_disabled:tst:1
+criterion oval:ssg-test_kernmod_tipc_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_tipc_runtime:tst:1
+criterion oval:ssg-test_kernmod_tipc_cmdline:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
@@ -1,16 +1,58 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then
-
- sed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=tipc
+kernmodule_rx=tipc
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf
- echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
fi
-if ! LC_ALL=C grep -q -m 1 "^blacklist tipc$" /etc/modprobe.d/tipc.conf ; then
- echo "blacklist tipc" >> /etc/modprobe.d/tipc.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\stipc\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
fi
else
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
@@ -5,6 +5,99 @@
regexp: install\s+tipc
line: install tipc /bin/true
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82297-3
+ - DISA-STIG-RHEL-08-040024
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Find modules-load.d files with tipc load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*tipc\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82297-3
+ - DISA-STIG-RHEL-08-040024
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Remove tipc load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*tipc\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82297-3
+ - DISA-STIG-RHEL-08-040024
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Is tipc as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^tipc\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82297-3
+ - DISA-STIG-RHEL-08-040024
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Try to remove tipc, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - tipc
+ failed_when: false
tags:
- CCE-82297-3
- DISA-STIG-RHEL-08-040024
@@ -37,3 +130,56 @@
- low_severity
- medium_disruption
- reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with tipc load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\stipc\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with tipc load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\stipc\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'tipc' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-tipc.conf
+ regexp: ^omit_drivers\+=" tipc "$
+ line: omit_drivers+=" tipc "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82297-3
+ - DISA-STIG-RHEL-08-040024
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled' differs.
--- oval:ssg-kernel_module_bluetooth_disabled:def:1
+++ oval:ssg-kernel_module_bluetooth_disabled:def:1
@@ -1,4 +1,19 @@
criteria OR
criteria AND
criterion oval:ssg-test_kernmod_bluetooth_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_d_force_drivers:tst:1
criterion oval:ssg-test_kernmod_bluetooth_disabled:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_runtime:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_cmdline:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
@@ -1,16 +1,58 @@
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then
-
- sed -i 's#^install bluetooth.*#install bluetooth /bin/true#g' /etc/modprobe.d/bluetooth.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=bluetooth
+kernmodule_rx=bluetooth
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf
- echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
fi
-if ! LC_ALL=C grep -q -m 1 "^blacklist bluetooth$" /etc/modprobe.d/bluetooth.conf ; then
- echo "blacklist bluetooth" >> /etc/modprobe.d/bluetooth.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\sbluetooth\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ i
... The diff is trimmed here ...
Quote a string to safely use in a POSIX shell. Handling shell quoting is quite hard when there is a complex macro workflow. This filter allows quoting wherever a variable is used. The name mirrors the respective feature in Ansible. Usage: foo={{{ FOO | quote }}} If FOO requires additional quotes they are added; if not, they are not. The result can be like: foo=bar or foo='"bar"' Implemented using Python shlex.quote: https://docs.python.org/3/library/shlex.html#shlex.quote
There is no need to optimize one AND away but duplicate the _disabled rule criterion.
This avoids false positives when there is a perfectly working rule, but a check-only variant. From: modprobe(8) ... modprobe intelligently adds or removes a module from the Linux kernel: note that for convenience, there is no difference between _ and - in module names (automatic underscore conversion is performed). ... Add a test for this in firewire-core. There is no need to change the ansible/bash remediations, as if they are run, in the worst case there is effectively only a duplicate entry. Functionality is the same.
modules-load.d was implemented the same as modprobe.d, but they are different. This leads to a wrong pass for the rule. modules-load.d(5) ... modules-load.d - Configure kernel modules to load at boot ... CONFIGURATION FORMAT The configuration files should simply contain a list of kernel module names to load, separated by newlines. Empty lines and lines whose first non-whitespace character is # or ; are ignored. ...
For example: https://access.redhat.com/solutions/41278 Note the document at this time has a typo when it references omit_dracutmodules. Greatly modify testing as now there are multiple new dimensions too. Removed unnecessary tests. The /proc/cmdline feature is not tested. Keep product inferring the same. Each template type and testing in 10-bash.jinja gets one.
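Added example, not code from this PR or from the ComplianceAsCode project: an offline model of the extended check the commit messages above describe (modprobe.d install/blacklist, modules-load.d, dracut omit/add/force drivers and the running kernel's /proc/modules), with the `_`/`-` equivalence from modprobe(8) applied to every pattern. Assumptions: the file contents are constructed, the combination of sub-checks into one verdict is a plain reading of the OVAL diff rather than the project's exact criteria tree, `/bin/false` is accepted alongside `/bin/true`, and the /proc/cmdline check is left out because the PR says it is untested.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed in-memory view of a host: path -> file content. Nothing is read from a real system.
FS = Dict[str, str]

MODPROBE_D = ("/etc/modprobe.d/",)
MODULES_LOAD_D = ("/etc/modules-load.d/", "/lib/modules-load.d/", "/run/modules-load.d/",
                  "/usr/lib/modules-load.d/", "/usr/local/lib/modules-load.d/")
DRACUT_CONF = ("/etc/dracut.conf", "/etc/dracut.conf.d/", "/usr/lib/dracut/dracut.conf.d/")


def module_rx(name: str) -> str:
    """Regex for a module name: modprobe(8) treats '-' and '_' as the same character."""
    return "".join("[_-]" if c in "-_" else re.escape(c) for c in name)


def _conf_files(fs: FS, places: Iterable[str]) -> List[str]:
    """Contents of files that are either an exact path or a *.conf below a directory prefix."""
    out = []
    for path, text in fs.items():
        for p in places:
            if path == p or (p.endswith("/") and path.startswith(p) and path.endswith(".conf")):
                out.append(text)
                break
    return out


def _any_line(texts: Iterable[str], rx: str) -> bool:
    pat = re.compile(rx, re.MULTILINE)
    return any(pat.search(t) for t in texts)


def check_module_disabled(fs: FS, module: str, dracut_installed: bool) -> Dict[str, bool]:
    """Sub-checks a disabled kernel module must satisfy; True means that sub-check passes."""
    m = module_rx(module)
    modprobe = _conf_files(fs, MODPROBE_D)
    dracut = _conf_files(fs, DRACUT_CONF)
    r = {
        # modprobe.d(5): 'install <mod> /bin/true' runs /bin/true instead of loading the module
        # (assumption: /bin/false accepted as equivalent); 'blacklist' stops alias-based autoload.
        "install_disabled": _any_line(modprobe, rf"^\s*install\s+{m}\s+/bin/(true|false)\s*$"),
        "blacklisted": _any_line(modprobe, rf"^\s*blacklist\s+{m}\s*$"),
        # modules-load.d(5): a bare module name on its own line loads it at boot.
        "not_in_modules_load": not _any_line(_conf_files(fs, MODULES_LOAD_D), rf"^\s*{m}\s*$"),
        # /proc/modules: the first field of each line is a currently loaded module.
        "not_loaded": not _any_line([fs.get("/proc/modules", "")], rf"^{m}\s"),
    }
    if dracut_installed:
        # dracut.conf(5): omit_drivers keeps the module out of the initramfs; drivers/add_drivers/
        # force_drivers pull it back in. Patterns mirror the ones used by this PR's remediations.
        r["dracut_omitted"] = _any_line(dracut, rf'^\s*omit_drivers\+="[^"]*\s{m}\s[^"]*"\s*$')
        r["dracut_not_forced"] = not _any_line(
            dracut, rf'^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\s{m}\s[^"]*"\s*$')
    else:
        r["dracut_omitted"] = r["dracut_not_forced"] = True  # no initramfs generator to configure
    r["pass"] = all(r.values())  # assumption: the OVAL criteria amount to "all sub-checks hold"
    return r


def audit(fs: FS, module: str = "firewire-core", dracut_installed: bool = True) -> Tuple[bool, List[str]]:
    """Overall verdict plus the sorted names of the sub-checks that failed."""
    r = check_module_disabled(fs, module, dracut_installed)
    return r["pass"], sorted(k for k, v in r.items() if k != "pass" and not v)


# Constructed host states (sample data, not captured from any real machine).
HARDENED: FS = {
    "/etc/modprobe.d/firewire-core.conf":
        "\n# Disable per security requirements\ninstall firewire-core /bin/true\nblacklist firewire-core\n",
    "/etc/dracut.conf.d/omit-firewire-core.conf": 'omit_drivers+=" firewire-core "\n',
    "/proc/modules": "xfs 1585152 2 - Live 0x0000000000000000\n",
}
# Same modprobe.d content, but the underscore spelling slips through every other loading path:
# a vendor modules-load.d file, an add_drivers entry in the initramfs config, and the running kernel.
LEAKY: FS = dict(HARDENED)
LEAKY["/usr/lib/modules-load.d/vendor.conf"] = "# vendor drivers\nfirewire_core\n"
LEAKY["/etc/dracut.conf"] = 'add_drivers+=" firewire_core "\n'
LEAKY["/proc/modules"] += "firewire_core 73728 1 firewire_ohci, Live 0x0000000000000000\n"

if __name__ == "__main__":
    for label, fs in (("hardened", HARDENED), ("leaky", LEAKY)):
        ok, failed = audit(fs)
        print(f"{label}: {'PASS' if ok else 'FAIL'} {failed}")
```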
f5c7fb9 to 0818456
Code Climate has analyzed commit 0818456 and detected 323 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 71.4% (50% is the threshold). This pull request will bring the total coverage in the repository to 52.4% (0.0% change). View more on Code Climate.
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Closing due to inactivity. If you still want to work on this PR, please reopen it and resolve the conflicts.
Description:
Kernel module names can have '-' or '_'.
Test refactoring. Mainly to allow more tests. And also trying a jinja based approach. The main problem with previous tries is that once there are 5 possible separate OVAL test cases it is quite hard to define all of them properly in all tests. For example any fail test might fail because one OVAL test is not set up. Also I previously tried the source common.sh approach and it was slightly awkward and not preferred.
Add Fedora support.
Indent according to new style I think.
Try to simplify oval comparisons.
Fixed major misunderstanding with modules-load.d, it was implemented as if it were about the same as modprobe.d. Sometimes it pays to read relevant manuals.
Extend support for dracut configuration and also have runtime support.
Based on my #10524 because I use it here.
I guess it would be beneficial to move from this kind of constructs sprinkled all over:
and just have it once and then have something like this:
This is kind of easy to implement as one new entry in product.yml just like sshd_distributed_config. But I wonder if there could be an easier way, as routing new variables gets tedious fast, and a similar solution is in shared/templates/grub2_bootloader_argument/oval.template. It should be something to be used also in tests and templates, so 4 places generally.
Probably .editorconfig should be its own PR with relevant simple fixes.
Rationale:
Split from my features-1 patchset as this kind of ballooned and it might help to see only one template view. Mainly try to implement kernel_module_disabled as I understand it should be.
Review Hints:
This is still a draft as a whole, but it might pass a test or two.
oval.template has a comment block about how I understand kernel module loading methods now and what I see as missing.