
kernel_module_disabled extend and bugfix #10519

Closed
wants to merge 15 commits into from

Conversation

maage
Contributor

@maage maage commented May 1, 2023

Description:

Kernel module names can have '-' or '_'.
Test refactoring. Mainly to allow more tests. And also trying a jinja-based approach. The main problem with previous tries is that once there are 5 possible separate OVAL test cases it is quite hard to define all of them properly in all tests. For example, any fail test might fail because one OVAL test is not set up. Also, I previously tried the source common.sh approach and it was slightly awkward and not preferred.
Add Fedora support.
Indent according to the new style, I think.
Try to simplify oval comparisons.
Fixed a major misunderstanding with modules-load.d; it was implemented as if it were about the same as modprobe.d. Sometimes it pays to read relevant manuals.
Extend support for dracut configuration and also have runtime support.

Based on my #10524 because I use it here.

I guess it would be beneficial to move from this kind of construct sprinkled all over:

{{% if product in ["ol7", "ol8", "rhcos4", "sle12", "sle15"]  or 'rhel' in product %}}

and just have it once and then have something like this:

{{% if system_with_blacklisted_supported %}}

This is kind of easy to implement as one new entry in product.yml, just like sshd_distributed_config. But I wonder if there could be an easier way, as routing new variables gets tedious fast, and a similar solution is in shared/templates/grub2_bootloader_argument/oval.template. It should be something that is also usable in tests and templates, so 4 places generally.

Probably .editorconfig should be its own PR with the relevant simple fixes.

Rationale:

Split from my features-1 patchset, as this kind of ballooned and it might help to see only one template view. Mainly trying to implement kernel_module_disabled as I understand it should be.

Review Hints:

This is still a draft as a whole, but it might pass a test or two.

oval.template has a comment block about how I understand kernel module loading methods now and what I see as missing.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label May 1, 2023

openshift-ci bot commented May 1, 2023

Hi @maage. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label May 1, 2023

github-actions bot commented May 1, 2023

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@maage maage force-pushed the kernel_module_disabled-1 branch from 13c2284 to f5c7fb9 Compare May 1, 2023 19:17

github-actions bot commented May 1, 2023

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs.
--- oval:ssg-kernel_module_atm_disabled:def:1
+++ oval:ssg-kernel_module_atm_disabled:def:1
@@ -1,4 +1,19 @@
 criteria OR
 criteria AND
 criterion oval:ssg-test_kernmod_atm_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_atm_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_atm_dracut_conf_d_force_drivers:tst:1
 criterion oval:ssg-test_kernmod_atm_disabled:tst:1
+criterion oval:ssg-test_kernmod_atm_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_atm_runtime:tst:1
+criterion oval:ssg-test_kernmod_atm_cmdline:tst:1
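Review bot: the nesting and `negate` attributes are lost in this flattened dump, so the dracut branch that starts at the added `criteria OR` / `extend_definition oval:ssg-package_dracut_installed:def:1` cannot be verified as written: for the rule to pass on a host without dracut that extend_definition has to be negated, and the eight `*_dracut_conf*` criteria under a single `criteria OR` look wrong if the `drivers`/`add_drivers`/`force_drivers` tests are absence checks, because almost every host satisfies "not listed in add_drivers" and the `omit_drivers` requirement would then never apply. The remediations in the following hunks enforce "omit_drivers present AND module absent from drivers/add_drivers/force_drivers", so the check should presumably be an AND as well; please spell the intended boolean structure out in the oval.template comment block the description mentions. Also, `test_kernmod_atm_runtime` and `test_kernmod_atm_cmdline` now sit under the top-level AND: if runtime means "not present in /proc/modules" (as the `modprobe -r` step of the bash remediation suggests), a host that is correctly configured but not yet rebooted now fails this rule, which matches `reboot_required` but is a behaviour change from the old 4-line definition that belongs in the rule description. The same applies to every rule rendered from this template (can, dccp and firewire-core below).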

bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
@@ -1,16 +1,58 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-if LC_ALL=C grep -q -m 1 "^install atm" /etc/modprobe.d/atm.conf ; then
- 
- sed -i 's#^install atm.*#install atm /bin/true#g' /etc/modprobe.d/atm.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=atm
+kernmodule_rx=atm
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
 else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/atm.conf
- echo "install atm /bin/true" >> /etc/modprobe.d/atm.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
 fi
 
-if ! LC_ALL=C grep -q -m 1 "^blacklist atm$" /etc/modprobe.d/atm.conf ; then
- echo "blacklist atm" >> /etc/modprobe.d/atm.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\satm\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
 fi
 
 else
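Review bot: the `sed -Ei "s/${rx}/\1 \2/"` in the dracut loop writes back the wrong groups: ERE has no non-capturing groups, so in `rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\satm\s([^"]*")\s*$'` group 2 is the inner keyword alternation and group 3 is the tail, and `add_drivers+=" foo atm bar "` becomes `add_drivers+=" foo add_drivers`, which breaks the dracut config. Use `\1 \3` (the ansible `replace` task uses `(?:…)` with `\g<2>`, which is why it is correct there). Three more problems in the same hunk: (1) `'^\s*omit_drivers+="[^"]*\s'…` leaves the `+` unescaped, so in ERE it means "one or more s" and never matches the `omit_drivers+=" atm "` line that the following `printf` writes, and every run appends another copy; escape it as `omit_drivers\+=` like the later rx does, and guard the grep with `[ -f "${dracut_file}" ]` so a missing file does not print to stderr. (2) The glob `/etc/dracut.conf/*.conf` in the for-loop can never match because `/etc/dracut.conf` is a file; list `/etc/dracut.conf` itself, as the ansible loop does. (3) `set -u` at the top persists for the rest of the concatenated remediation script and will abort any later snippet that references an unset variable; either drop it or keep this snippet in a function or subshell. The ten blank lines after it are Jinja whitespace and want `{{%-`/`-%}}` trimming. Finally, deleting lines from files under `/lib`, `/usr/lib` and `/usr/local/lib/modules-load.d` is undone on the next package update and `/run/modules-load.d` does not survive a reboot; the modules-load.d convention is to mask a vendor file by creating a file of the same name (or a symlink to /dev/null) under `/etc/modules-load.d`. All of this applies unchanged to the can, dccp and firewire-core hunks.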

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
@@ -5,6 +5,91 @@
 regexp: install\s+atm
 line: install atm /bin/true
 when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82028-2
+ - DISA-STIG-RHEL-08-040021
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_atm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Find modules-load.d files with atm load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*atm\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82028-2
+ - DISA-STIG-RHEL-08-040021
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_atm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Remove atm load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*atm\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82028-2
+ - DISA-STIG-RHEL-08-040021
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_atm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Is atm as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^atm\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82028-2
+ - DISA-STIG-RHEL-08-040021
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_atm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Try to remove atm, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - atm
+ failed_when: false
 tags:
 - CCE-82028-2
 - DISA-STIG-RHEL-08-040021
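Review bot: the `Try to remove atm, might fail` task sets `failed_when: false` but no `changed_when`, so it reports changed on every run where the module is loaded and silently hides the case where `modprobe -r` fails because the module is in use, which is exactly what an operator needs to see to schedule the reboot; register the result and surface it, e.g. `changed_when: r_modprobe.rc == 0` plus a `debug` when `rc != 0`. The `Is atm as loaded module` task (lineinfile on `/proc/modules` in check mode with `state: absent`) works because `found` is returned for `state: absent`, but the name is ungrammatical and the idiom is opaque; rename it to `Check whether atm is loaded` and comment the trick, or use `stat` on `/sys/module/atm/initstate`, which exists only for a loaded loadable module. The `Find modules-load.d files with atm load` task has the same vendor-file problem as the bash remediation: editing files under `/lib`, `/usr/lib` and `/usr/local/lib/modules-load.d` is reverted by package updates, and masking via a same-named file in `/etc/modules-load.d` is the documented mechanism.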
@@ -33,3 +118,54 @@
 - medium_disruption
 - medium_severity
 - reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with atm load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\satm\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with atm load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\satm\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'atm' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-atm.conf
+ regexp: ^omit_drivers\+=" atm "$
+ line: omit_drivers+=" atm "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82028-2
+ - DISA-STIG-RHEL-08-040021
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_atm_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
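Review bot: the `Replace dracut configs with atm load` task appends `/etc/dracut.conf` to the loop unconditionally, and `ansible.builtin.replace` fails when its `path` does not exist, so a host with the dracut package installed but no `/etc/dracut.conf` aborts the whole rule (the `find` only guarantees that the `.conf.d` entries exist); a `stat` guard, or a second `find` over `/etc` with `patterns: dracut.conf` and `recurse: false` merged into the loop, keeps it safe. Two smaller points: `package_facts` is gathered inside every rendered kernel_module_*_disabled rule, so a profile with a few dozen of these rules runs it that many times; gathering once per play would be cheaper. And the task names `Block dracut configuration` / `Block dracut package` read as "prevent dracut"; `Configure dracut omit_drivers when dracut is installed` says what the block does. The stray blank `+` lines after each `block:` are template whitespace.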

OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs.
--- oval:ssg-kernel_module_can_disabled:def:1
+++ oval:ssg-kernel_module_can_disabled:def:1
@@ -1,4 +1,19 @@
 criteria OR
 criteria AND
 criterion oval:ssg-test_kernmod_can_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_can_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_can_dracut_conf_d_force_drivers:tst:1
 criterion oval:ssg-test_kernmod_can_disabled:tst:1
+criterion oval:ssg-test_kernmod_can_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_can_runtime:tst:1
+criterion oval:ssg-test_kernmod_can_cmdline:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
@@ -1,16 +1,58 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-if LC_ALL=C grep -q -m 1 "^install can" /etc/modprobe.d/can.conf ; then
- 
- sed -i 's#^install can.*#install can /bin/true#g' /etc/modprobe.d/can.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=can
+kernmodule_rx=can
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
 else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/can.conf
- echo "install can /bin/true" >> /etc/modprobe.d/can.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
 fi
 
-if ! LC_ALL=C grep -q -m 1 "^blacklist can$" /etc/modprobe.d/can.conf ; then
- echo "blacklist can" >> /etc/modprobe.d/can.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\scan\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
 fi
 
 else

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
@@ -5,6 +5,91 @@
 regexp: install\s+can
 line: install can /bin/true
 when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82059-7
+ - DISA-STIG-RHEL-08-040022
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_can_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Find modules-load.d files with can load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*can\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82059-7
+ - DISA-STIG-RHEL-08-040022
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_can_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Remove can load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*can\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82059-7
+ - DISA-STIG-RHEL-08-040022
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_can_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Is can as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^can\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82059-7
+ - DISA-STIG-RHEL-08-040022
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_can_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Try to remove can, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - can
+ failed_when: false
 tags:
 - CCE-82059-7
 - DISA-STIG-RHEL-08-040022
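Review bot: the unchanged `regexp: install\s+can` context line at the top of this hunk is still unanchored while the bash template gained `(\s|$)`, so for a module whose name is a prefix of another module's name (any `can*` module) a hypothetical line such as `install can_other /bin/true` in `/etc/modprobe.d/can.conf` matches and `lineinfile` rewrites it to `install can /bin/true`, silently dropping the other module's disable line; add the same `(\s|$)` (and, for hyphenated names, the `[_-]` handling) to the ansible regexp so both remediations match exactly the same lines. Everything noted on the atm ansible hunks applies here unchanged.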
@@ -33,3 +118,54 @@
 - medium_disruption
 - medium_severity
 - reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with can load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\scan\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with can load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\scan\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'can' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-can.conf
+ regexp: ^omit_drivers\+=" can "$
+ line: omit_drivers+=" can "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82059-7
+ - DISA-STIG-RHEL-08-040022
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_can_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required

OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs.
--- oval:ssg-kernel_module_dccp_disabled:def:1
+++ oval:ssg-kernel_module_dccp_disabled:def:1
@@ -1,4 +1,19 @@
 criteria OR
 criteria AND
 criterion oval:ssg-test_kernmod_dccp_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_dccp_dracut_conf_d_force_drivers:tst:1
 criterion oval:ssg-test_kernmod_dccp_disabled:tst:1
+criterion oval:ssg-test_kernmod_dccp_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_dccp_runtime:tst:1
+criterion oval:ssg-test_kernmod_dccp_cmdline:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
@@ -1,16 +1,58 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-if LC_ALL=C grep -q -m 1 "^install dccp" /etc/modprobe.d/dccp.conf ; then
- 
- sed -i 's#^install dccp.*#install dccp /bin/true#g' /etc/modprobe.d/dccp.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=dccp
+kernmodule_rx=dccp
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
 else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/dccp.conf
- echo "install dccp /bin/true" >> /etc/modprobe.d/dccp.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
 fi
 
-if ! LC_ALL=C grep -q -m 1 "^blacklist dccp$" /etc/modprobe.d/dccp.conf ; then
- echo "blacklist dccp" >> /etc/modprobe.d/dccp.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\sdccp\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
 fi
 
 else

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
@@ -21,6 +21,111 @@
 - medium_severity
 - reboot_required
 
+- name: Find modules-load.d files with dccp load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*dccp\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80833-7
+ - CJIS-5.10.1
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_dccp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Remove dccp load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*dccp\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80833-7
+ - CJIS-5.10.1
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_dccp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Is dccp as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^dccp\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80833-7
+ - CJIS-5.10.1
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_dccp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Try to remove dccp, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - dccp
+ failed_when: false
+ tags:
+ - CCE-80833-7
+ - CJIS-5.10.1
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_dccp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
 - name: Ensure kernel module 'dccp' is blacklisted
 lineinfile:
 create: true
@@ -43,3 +148,59 @@
 - medium_disruption
 - medium_severity
 - reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with dccp load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\sdccp\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with dccp load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\sdccp\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'dccp' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-dccp.conf
+ regexp: ^omit_drivers\+=" dccp "$
+ line: omit_drivers+=" dccp "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80833-7
+ - CJIS-5.10.1
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_dccp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required

OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs.
--- oval:ssg-kernel_module_firewire-core_disabled:def:1
+++ oval:ssg-kernel_module_firewire-core_disabled:def:1
@@ -1,4 +1,19 @@
 criteria OR
 criteria AND
 criterion oval:ssg-test_kernmod_firewire-core_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_dracut_conf_d_force_drivers:tst:1
 criterion oval:ssg-test_kernmod_firewire-core_disabled:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_runtime:tst:1
+criterion oval:ssg-test_kernmod_firewire-core_cmdline:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
@@ -1,16 +1,58 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-if LC_ALL=C grep -q -m 1 "^install firewire-core" /etc/modprobe.d/firewire-core.conf ; then
- 
- sed -i 's#^install firewire-core.*#install firewire-core /bin/true#g' /etc/modprobe.d/firewire-core.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=firewire-core
+kernmodule_rx='firewire[_-]core'
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
 else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/firewire-core.conf
- echo "install firewire-core /bin/true" >> /etc/modprobe.d/firewire-core.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
 fi
 
-if ! LC_ALL=C grep -q -m 1 "^blacklist firewire-core$" /etc/modprobe.d/firewire-core.conf ; then
- echo "blacklist firewire-core" >> /etc/modprobe.d/firewire-core.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\sfirewire[_-]core\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
 fi
 
 else
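Review bot: the dracut rx in this hunk inlines `\sfirewire[_-]core\s` instead of using `${kernmodule_rx}` like every other regex in the snippet, so the hyphen/underscore handling lives in two places in the template; use the variable. The group-numbering (`\1 \2`), unescaped `omit_drivers+=`, `/etc/dracut.conf/*.conf` and `set -u` problems noted on the atm hunk apply here too. One open question specific to this module: `printf 'omit_drivers+=" %s "'` writes `firewire-core`, while the kernel reports the module as `firewire_core` in `/proc/modules` (which is why `^${kernmodule_rx}\s` needs the `[_-]`); please confirm that dracut matches `omit_drivers` entries against both spellings, otherwise the omit line has to use the name form dracut compares against.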

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
@@ -2,9 +2,94 @@
 lineinfile:
 create: true
 dest: /etc/modprobe.d/firewire-core.conf
- regexp: install\s+firewire-core
+ regexp: install\s+firewire[_-]core
 line: install firewire-core /bin/true
 when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82005-0
+ - DISA-STIG-RHEL-08-040026
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_firewire-core_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Find modules-load.d files with firewire-core load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*firewire[_-]core\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82005-0
+ - DISA-STIG-RHEL-08-040026
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_firewire-core_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Remove firewire-core load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*firewire[_-]core\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82005-0
+ - DISA-STIG-RHEL-08-040026
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_firewire-core_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Is firewire-core as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^firewire[_-]core\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82005-0
+ - DISA-STIG-RHEL-08-040026
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_firewire-core_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Try to remove firewire-core, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - firewire-core
+ failed_when: false
 tags:
 - CCE-82005-0
 - DISA-STIG-RHEL-08-040026
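Review bot: the task `Is firewire-core as loaded module` uses `lineinfile` with `state: absent` and `check_mode: true` against `/proc/modules` only to obtain the `found` counter; that works, but `found` is returned solely for `state: absent` and the intent is not obvious from the task, so either add a comment or use a direct check (`command: grep -E '^firewire[_-]core\s' /proc/modules` with `failed_when: false` and a condition on `rc`). The task name should also read as a statement, e.g. `Check whether firewire-core is a loaded module`.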
@@ -20,7 +105,7 @@
 lineinfile:
 create: true
 dest: /etc/modprobe.d/firewire-core.conf
- regexp: ^blacklist firewire-core$
+ regexp: ^blacklist firewire[_-]core$
 line: blacklist firewire-core
 when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
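Review bot: the updated `regexp: ^blacklist firewire[_-]core$` still requires exactly one space and no trailing whitespace, while the bash remediation in this same PR accepts `^\s*blacklist\s+firewire[_-]core\s*$`; an existing `blacklist  firewire-core` line with two spaces or a trailing space is therefore left alone by bash but duplicated by Ansible. Align the two, e.g. `regexp: ^\s*blacklist\s+firewire[_-]core\s*$`.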
@@ -33,3 +118,54 @@
 - low_severity
 - medium_disruption
 - reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with firewire-core load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\sfirewire[_-]core\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with firewire-core load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\sfirewire[_-]core\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'firewire-core' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-firewire-core.conf
+ regexp: ^omit_drivers\+=" firewire[_-]core "$
+ line: omit_drivers+=" firewire-core "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82005-0
+ - DISA-STIG-RHEL-08-040026
+ - NIST-800-53-AC-18
+ - disable_strategy
+ - kernel_module_firewire-core_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
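Review bot: the `find` pattern `^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\sfirewire[_-]core\s[^"]*"\s*$` demands whitespace on both sides of the module name, so `drivers+="firewire-core "` or `add_drivers+=" firewire-core"` (no padding inside the quotes) and plain `drivers="..."` assignments are not detected and the module stays in the initramfs; allow a quote as boundary, e.g. `(\s|")firewire[_-]core(\s|")`, in both the `find` and the `replace` expressions. Also, `replace` fails when its `path` does not exist and `/etc/dracut.conf` is appended to the loop unconditionally via `dracut_conf_path_entry`; check the file with `stat` first or only add the entry when it exists.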

OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled' differs.
--- oval:ssg-kernel_module_rds_disabled:def:1
+++ oval:ssg-kernel_module_rds_disabled:def:1
@@ -1,4 +1,19 @@
 criteria OR
 criteria AND
 criterion oval:ssg-test_kernmod_rds_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_rds_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_rds_dracut_conf_d_force_drivers:tst:1
 criterion oval:ssg-test_kernmod_rds_disabled:tst:1
+criterion oval:ssg-test_kernmod_rds_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_rds_runtime:tst:1
+criterion oval:ssg-test_kernmod_rds_cmdline:tst:1
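Review bot: the dracut branch (`criteria OR` / `extend_definition oval:ssg-package_dracut_installed:def:1` / `criteria AND` / `criteria OR` / eight dracut tests) only means "dracut is not installed, or its configuration omits the module" if the `extend_definition` carries `negate="true"`; this flattened dump does not show negate attributes, so please confirm it in the generated OVAL, because without the negation the branch is true on every host that has dracut installed, whatever its configuration says. The `criteria AND` wrapping a single `criteria OR` is redundant; the commit message says it is kept on purpose, so a short comment in the template would save the next reader the same question.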

bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled
@@ -1,16 +1,58 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-if LC_ALL=C grep -q -m 1 "^install rds" /etc/modprobe.d/rds.conf ; then
- 
- sed -i 's#^install rds.*#install rds /bin/true#g' /etc/modprobe.d/rds.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=rds
+kernmodule_rx=rds
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
 else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/rds.conf
- echo "install rds /bin/true" >> /etc/modprobe.d/rds.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
 fi
 
-if ! LC_ALL=C grep -q -m 1 "^blacklist rds$" /etc/modprobe.d/rds.conf ; then
- echo "blacklist rds" >> /etc/modprobe.d/rds.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\srds\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
 fi
 
 else
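Review bot: `set -u` is added at the top of the remediation body, but bash remediations are concatenated into one fix script when a whole profile is remediated, so the option stays in effect for every later rule's snippet and any of them that reads an unset variable aborts the script. Either scope it (run this snippet in a subshell or restore with `set +u` at its end) or drop it. The ten empty `+` lines after `set -u` are whitespace left behind by the Jinja macros; `{{%-`/`-%}}` whitespace control would keep the generated script tidy.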

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled
@@ -5,6 +5,95 @@
 regexp: install\s+rds
 line: install rds /bin/true
 when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82870-7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Find modules-load.d files with rds load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*rds\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82870-7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Remove rds load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*rds\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82870-7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Is rds as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^rds\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82870-7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Try to remove rds, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - rds
+ failed_when: false
 tags:
 - CCE-82870-7
 - NIST-800-53-CM-6(a)
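Review bot: `Remove rds load from modules-load.d files` edits matches under `/lib`, `/usr/lib` and `/usr/local/lib` in place, but those directories are vendor-owned and the next package update restores the files, so the module comes back. modules-load.d(5) resolves same-named files in `/etc` over `/usr/lib` and documents masking a vendor file by placing a symlink to `/dev/null` with the same name in `/etc/modules-load.d/`; that is the durable fix for vendor files, with in-place edits reserved for `/etc` and `/run`. The bash loop in this PR has the same issue.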
@@ -35,3 +124,55 @@
 - low_severity
 - medium_disruption
 - reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with rds load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\srds\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with rds load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\srds\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'rds' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-rds.conf
+ regexp: ^omit_drivers\+=" rds "$
+ line: omit_drivers+=" rds "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82870-7
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_rds_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
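Review bot: `Gather the package facts` runs `package_facts` once per kernel-module rule, so a profile that disables a dozen modules queries the package database a dozen times; guard it with `when: ansible_facts.packages is not defined` or gather it once in a shared task. Also, `regexp: ^omit_drivers\+=" rds "$` only recognises a line that omits rds alone, so an existing `omit_drivers+=" foo rds "` in the same file is not accepted and a second line is appended, whereas the bash remediation accepts any `omit_drivers+=" ... rds ... "`; use the same tolerant pattern here.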

OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' differs.
--- oval:ssg-kernel_module_sctp_disabled:def:1
+++ oval:ssg-kernel_module_sctp_disabled:def:1
@@ -1,4 +1,19 @@
 criteria OR
 criteria AND
 criterion oval:ssg-test_kernmod_sctp_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_sctp_dracut_conf_d_force_drivers:tst:1
 criterion oval:ssg-test_kernmod_sctp_disabled:tst:1
+criterion oval:ssg-test_kernmod_sctp_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_sctp_runtime:tst:1
+criterion oval:ssg-test_kernmod_sctp_cmdline:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
@@ -1,16 +1,58 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-if LC_ALL=C grep -q -m 1 "^install sctp" /etc/modprobe.d/sctp.conf ; then
- 
- sed -i 's#^install sctp.*#install sctp /bin/true#g' /etc/modprobe.d/sctp.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=sctp
+kernmodule_rx=sctp
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
 else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/sctp.conf
- echo "install sctp /bin/true" >> /etc/modprobe.d/sctp.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
 fi
 
-if ! LC_ALL=C grep -q -m 1 "^blacklist sctp$" /etc/modprobe.d/sctp.conf ; then
- echo "blacklist sctp" >> /etc/modprobe.d/sctp.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\ssctp\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
 fi
 
 else
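Review bot: on the first run `${dracut_file}` does not exist yet, so `grep ... "${dracut_file}"` prints "No such file or directory" to stderr before the `printf` creates it; add `2>/dev/null` or test `[ -f "${dracut_file}" ]` first. Minor consistency point in the same hunk: `sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"` lacks the `LC_ALL=C` prefix and the `--` separator that every other `grep`/`sed` call in this script uses.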

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
@@ -22,6 +22,115 @@
 - medium_severity
 - reboot_required
 
+- name: Find modules-load.d files with sctp load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*sctp\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80834-5
+ - CJIS-5.10.1
+ - DISA-STIG-RHEL-08-040023
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_sctp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Remove sctp load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*sctp\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80834-5
+ - CJIS-5.10.1
+ - DISA-STIG-RHEL-08-040023
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_sctp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Is sctp as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^sctp\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80834-5
+ - CJIS-5.10.1
+ - DISA-STIG-RHEL-08-040023
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_sctp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
+- name: Try to remove sctp, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - sctp
+ failed_when: false
+ tags:
+ - CCE-80834-5
+ - CJIS-5.10.1
+ - DISA-STIG-RHEL-08-040023
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_sctp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required
+
 - name: Ensure kernel module 'sctp' is blacklisted
 lineinfile:
 create: true
@@ -45,3 +154,60 @@
 - medium_disruption
 - medium_severity
 - reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with sctp load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\ssctp\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with sctp load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\ssctp\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'sctp' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-sctp.conf
+ regexp: ^omit_drivers\+=" sctp "$
+ line: omit_drivers+=" sctp "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-80834-5
+ - CJIS-5.10.1
+ - DISA-STIG-RHEL-08-040023
+ - NIST-800-171-3.4.6
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - PCI-DSS-Req-1.4.2
+ - PCI-DSSv4-1.4.2
+ - disable_strategy
+ - kernel_module_sctp_disabled
+ - low_complexity
+ - medium_disruption
+ - medium_severity
+ - reboot_required

OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' differs.
--- oval:ssg-kernel_module_tipc_disabled:def:1
+++ oval:ssg-kernel_module_tipc_disabled:def:1
@@ -1,4 +1,19 @@
 criteria OR
 criteria AND
 criterion oval:ssg-test_kernmod_tipc_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_tipc_dracut_conf_d_force_drivers:tst:1
 criterion oval:ssg-test_kernmod_tipc_disabled:tst:1
+criterion oval:ssg-test_kernmod_tipc_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_tipc_runtime:tst:1
+criterion oval:ssg-test_kernmod_tipc_cmdline:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
@@ -1,16 +1,58 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-if LC_ALL=C grep -q -m 1 "^install tipc" /etc/modprobe.d/tipc.conf ; then
- 
- sed -i 's#^install tipc.*#install tipc /bin/true#g' /etc/modprobe.d/tipc.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=tipc
+kernmodule_rx=tipc
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
 else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/tipc.conf
- echo "install tipc /bin/true" >> /etc/modprobe.d/tipc.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
 fi
 
-if ! LC_ALL=C grep -q -m 1 "^blacklist tipc$" /etc/modprobe.d/tipc.conf ; then
- echo "blacklist tipc" >> /etc/modprobe.d/tipc.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\stipc\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "s/${rx}/\1 \2/" -- "${f}"
+ fi
+done
+
+
+# Try to unload, this might fail for various reasons
+if LC_ALL=C grep -E -q -m 1 "^${kernmodule_rx}\s" /proc/modules; then
+ modprobe -r "${kernmodule}" || :
 fi
 
 else

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled
@@ -5,6 +5,99 @@
 regexp: install\s+tipc
 line: install tipc /bin/true
 when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82297-3
+ - DISA-STIG-RHEL-08-040024
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Find modules-load.d files with tipc load
+ find:
+ paths:
+ - /etc/modules-load.d
+ - /lib/modules-load.d
+ - /run/modules-load.d
+ - /usr/lib/modules-load.d
+ - /usr/local/lib/modules-load.d
+ patterns: '*.conf'
+ contains: ^\s*tipc\s*$
+ register: r_modules_load_d_to_modify
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82297-3
+ - DISA-STIG-RHEL-08-040024
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Remove tipc load from modules-load.d files
+ lineinfile:
+ path: '{{ item.path }}'
+ state: absent
+ regexp: ^\s*tipc\s*$
+ loop: '{{ r_modules_load_d_to_modify.files }}'
+ loop_control:
+ label: '{{ item.path }}'
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82297-3
+ - DISA-STIG-RHEL-08-040024
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Is tipc as loaded module
+ lineinfile:
+ path: /proc/modules
+ regexp: ^tipc\s
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: r_in_modules
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82297-3
+ - DISA-STIG-RHEL-08-040024
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required
+
+- name: Try to remove tipc, might fail
+ when:
+ - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - r_in_modules.found is defined
+ - r_in_modules.found >= 1
+ command:
+ argv:
+ - modprobe
+ - -r
+ - tipc
+ failed_when: false
 tags:
 - CCE-82297-3
 - DISA-STIG-RHEL-08-040024
@@ -37,3 +130,56 @@
 - low_severity
 - medium_disruption
 - reboot_required
+
+- name: Block dracut configuration
+ block:
+
+ - name: Gather the package facts
+ package_facts:
+ manager: auto
+
+ - name: Block dracut package
+ when:
+ - ('dracut' in ansible_facts.packages)
+ block:
+
+ - name: Find dracut configs with tipc load
+ find:
+ paths:
+ - /etc/dracut.conf.d
+ - /usr/lib/dracut/dracut.conf.d
+ patterns: '*.conf'
+ contains: ^\s*(drivers|add_drivers|force_drivers)\+="[^"]*\stipc\s[^"]*"\s*$
+ register: r_dracut_configs_to_modify
+
+ - name: Replace dracut configs with tipc load
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^\s*((?:drivers|add_drivers|force_drivers)\+="[^"]*)\stipc\s([^"]*")\s*$
+ replace: \g<1> \g<2>
+ vars:
+ dracut_conf_path_entry:
+ - path: /etc/dracut.conf
+ loop: '{{ r_dracut_configs_to_modify.files + dracut_conf_path_entry }}'
+ loop_control:
+ label: '{{ item.path }}'
+
+ - name: Ensure kernel module 'tipc' is in dracut.conf omit_drivers
+ lineinfile:
+ create: true
+ dest: /etc/dracut.conf.d/omit-tipc.conf
+ regexp: ^omit_drivers\+=" tipc "$
+ line: omit_drivers+=" tipc "
+ when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ tags:
+ - CCE-82297-3
+ - DISA-STIG-RHEL-08-040024
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-CM-7(a)
+ - NIST-800-53-CM-7(b)
+ - disable_strategy
+ - kernel_module_tipc_disabled
+ - low_complexity
+ - low_severity
+ - medium_disruption
+ - reboot_required

OVAL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled' differs.
--- oval:ssg-kernel_module_bluetooth_disabled:def:1
+++ oval:ssg-kernel_module_bluetooth_disabled:def:1
@@ -1,4 +1,19 @@
 criteria OR
 criteria AND
 criterion oval:ssg-test_kernmod_bluetooth_blacklisted:tst:1
+criteria OR
+extend_definition oval:ssg-package_dracut_installed:def:1
+criteria AND
+criteria OR
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_d_omit_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_d_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_d_add_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_force_drivers:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_dracut_conf_d_force_drivers:tst:1
 criterion oval:ssg-test_kernmod_bluetooth_disabled:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_in_modules_load:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_runtime:tst:1
+criterion oval:ssg-test_kernmod_bluetooth_cmdline:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled' differs.
--- xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
@@ -1,16 +1,58 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
 
-if LC_ALL=C grep -q -m 1 "^install bluetooth" /etc/modprobe.d/bluetooth.conf ; then
- 
- sed -i 's#^install bluetooth.*#install bluetooth /bin/true#g' /etc/modprobe.d/bluetooth.conf
+set -u
+
+
+
+
+
+
+
+
+
+
+kernmodule=bluetooth
+kernmodule_rx=bluetooth
+modprobe_file=/etc/modprobe.d/"${kernmodule}".conf
+rx="^install\s+${kernmodule_rx}(\s|$)"
+if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${modprobe_file}"; then
+ sed -Ei "s#${rx}.*#install ${kernmodule} /bin/true#g" "${modprobe_file}"
 else
- echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/bluetooth.conf
- echo "install bluetooth /bin/true" >> /etc/modprobe.d/bluetooth.conf
+ printf "\n# Disable per security requirements\ninstall %s /bin/true\n" "${kernmodule}" >> "${modprobe_file}"
 fi
 
-if ! LC_ALL=C grep -q -m 1 "^blacklist bluetooth$" /etc/modprobe.d/bluetooth.conf ; then
- echo "blacklist bluetooth" >> /etc/modprobe.d/bluetooth.conf
+rx="^\s*${kernmodule_rx}\s*$"
+for f in /etc/modules-load.d/*.conf /lib/modules-load.d/*.conf /run/modules-load.d/*.conf /usr/lib/modules-load.d/*.conf /usr/local/lib/modules-load.d/*.conf; do
+ [ -f "${f}" ] || continue
+ if LC_ALL=C grep -E -q -m 1 "${rx}" -- "${f}"; then
+ LC_ALL=C sed -Ei "/${rx}/d" -- "${f}"
+ fi
+done
+
+
+if ! LC_ALL=C grep -E -q -m 1 "^\s*blacklist\s+${kernmodule_rx}\s*$" "${modprobe_file}"; then
+ printf "blacklist %s\n" "${kernmodule}" >> "${modprobe_file}"
+fi
+
+
+dracut_file=/etc/dracut.conf.d/omit-"${kernmodule}".conf
+if ! LC_ALL=C grep -E -q -m 1 '^\s*omit_drivers+="[^"]*\s'"${kernmodule_rx}"'\s[^"]*"\s*$' "${dracut_file}"; then
+ printf 'omit_drivers+=" %s "\n' "${kernmodule}" >> "${dracut_file}"
+fi
+
+rx='^\s*((drivers|add_drivers|force_drivers)\+="[^"]*)\sbluetooth\s([^"]*")\s*$'
+for f in /etc/dracut.conf/*.conf /etc/dracut.conf.d/*.conf /usr/lib/dracut/dracut.conf.d/*.conf; do
+ [ -f "${f}" ] || continue
+ i

... The diff is trimmed here ...

maage added 15 commits May 3, 2023 22:51
Quote a string so it can be safely used in a POSIX shell.

Handling shell quoting is quite hard when there is a complex macro
workflow. This filter allows quoting wherever a variable is used.

Name mirrors respective feature in ansible.

usage:

foo={{{ FOO | quote }}}

If FOO requires additional quotes they are added, if not, they are not.
Result can be like:

foo=bar
or
foo='"bar"'

Implemented using python shlex quote
https://docs.python.org/3/library/shlex.html#shlex.quote
There is no need to optimize one AND away, but duplicate the _disabled rule
criterion.
This avoids false positives when there is a perfectly working rule, but a
check-only variant.

From: modprobe(8)
...
       modprobe intelligently adds or removes a module from the Linux
       kernel: note that for convenience, there is no difference between
       _ and - in module names (automatic underscore conversion is
       performed).
...

Add test for this in firewire-core.

There is no need to change the ansible/bash remediations as, if they are run,
in the worst case there is effectively only a duplicate entry. Functionality
is the same.
modules-load.d was implemented the same as modprobe.d, but they are
different.

This leads to a wrong pass for the rule.

modules-load.d(5)
...
       modules-load.d - Configure kernel modules to load at boot
...
CONFIGURATION FORMAT
       The configuration files should simply contain a list of kernel module names to load, separated by newlines. Empty
       lines and lines whose first non-whitespace character is # or ; are ignored.
...
For example:

https://access.redhat.com/solutions/41278

Note the document at this time has a typo when it references
omit_dracutmodules.

Greatly modify testing as now there are multiple new dimensions too.

Removed unnecessary tests.

/proc/cmdline feature is not tested.

Keep product inferring the same. Each template type and testing in
10-bash.jinja gets one.
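The two behaviours the commits above describe (the modprobe(8) rule that `-` and `_` are interchangeable, and modules-load.d being a list of modules to load rather than a modprobe.d-style config) as an added, self-contained check that is not code from this PR or from ComplianceAsCode; the file contents and paths in SAMPLE_FILES are constructed for the example:

```python
import re

# Constructed sample configuration (not taken from the PR), keyed by path.
SAMPLE_FILES = {
    "/etc/modprobe.d/firewire.conf": "# disable FireWire\nblacklist firewire_core\n",
    "/etc/modprobe.d/bt.conf": "install bluetooth /bin/false\n",
    "/etc/modules-load.d/bt.conf": "# loaded at boot\n; also a comment\n\nbluetooth\n",
}

def normalize(name):
    """modprobe(8): '-' and '_' are interchangeable in module names."""
    return name.replace("-", "_")

def modprobe_disables(text, module):
    """True if a modprobe.d file blacklists the module or maps its 'install'
    command to /bin/false or /bin/true (the usual disabling idioms)."""
    want = normalize(module)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # modprobe.d(5): '#' lines are comments
            continue
        m = re.fullmatch(r"blacklist\s+(\S+)", line)
        if m and normalize(m.group(1)) == want:
            return True
        m = re.fullmatch(r"install\s+(\S+)\s+(/bin/false|/bin/true)", line)
        if m and normalize(m.group(1)) == want:
            return True
    return False

def modules_load_lists(text, module):
    """True if a modules-load.d file asks systemd to load the module at boot.
    modules-load.d(5): one bare module name per line; '#' and ';' lines are comments."""
    want = normalize(module)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if normalize(line) == want:
            return True
    return False

def module_disabled(files, module):
    """Disabled only if some modprobe.d file disables the module AND no
    modules-load.d file explicitly loads it (the distinction the commits fix)."""
    disabled = any(modprobe_disables(t, module)
                   for p, t in files.items() if "/modprobe.d/" in p)
    loaded = any(modules_load_lists(t, module)
                 for p, t in files.items() if "/modules-load.d/" in p)
    return disabled and not loaded
```

With the sample data, `firewire-core` is reported disabled (matched against the `firewire_core` blacklist line), while `bluetooth` is not, because a modules-load.d entry loads it at boot despite the `install ... /bin/false` line.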
@maage maage force-pushed the kernel_module_disabled-1 branch from f5c7fb9 to 0818456 Compare May 3, 2023 21:35
@codeclimate

codeclimate bot commented May 3, 2023

Code Climate has analyzed commit 0818456 and detected 323 issues on this pull request.

Here's the issue category breakdown:

Category  Count
Style     323

The test coverage on the diff in this pull request is 71.4% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.4% (0.0% change).

View more on Code Climate.

@maage maage mentioned this pull request May 8, 2023
@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label May 19, 2023
@openshift-merge-robot
Collaborator

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jan-cerny
Collaborator

@maage You can take a look at a fresh new feature "distributed product properties" that has been introduced by #10648. That allows you to define a variable at the single place (in the /product_properties directory) and then use it across the remaining code.

@jan-cerny
Collaborator

Closing due to inactivity. If you still want to work on this PR, please reopen it and resolve the conflicts.

@jan-cerny jan-cerny closed this Sep 4, 2023
This pull request was closed.
Labels
do-not-merge/work-in-progress Used by openshift-ci bot. needs-ok-to-test Used by openshift-ci bot. needs-rebase Used by openshift-ci bot.

3 participants