Run tmux only right after sshd/login

[comps]

This prevents tmux-inside-tmux for common use cases like su -.

I'm not quite sure how the OVAL should look like or whether the tail -5 is valid, hence I'm submitting this as a draft. Any opinions?

Thanks.

[yuumasato]

In this line, a regular expression like this could work. I haven't tested though.

if [ "$PS1" ]; then\n[\s]+parent=$(ps -o ppid= -p $$)\n[\s]+name=$(ps -o comm= -p $parent)\n[\s]+case\n"$name" in sshd|login) exec tmux ;; esac\nfi

The single line behavior[0] mitght affect matching of \n.

[0] https://github.com/OVALProject/Language/blob/master/docs/independent-definitions-schema.md#-textfilecontent54behaviors-

[comps]

The single line behavior[0] mitght affect matching of \n.

[0] https://github.com/OVALProject/Language/blob/master/docs/independent-definitions-schema.md#-textfilecontent54behaviors-

I think we want single-line matching here. This IIUC takes the whole file content and matches against it. Multiline mode basically takes it line-by-line and applies the regex on each line.

I'll update and test the OVAL on my end.

[comps]

What kind of matching does OVAL do? ... It seems to be using Perl rules for single/multi line, so I rewrote the regexp to match Perl standards (and I tested it as working using perl), but xccdf eval fails on it:
if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi

Is this somehow related to <ind:pattern operation="pattern match">([^\n]+)\s*$</ind:pattern> in obj_configure_bashrc_exec_tmux?

[yuumasato]

@comps Could you push the regex? So I can try to debug and check the objects collected and to what regex it is trying to match?

[yuumasato]

The test is capturing only the last line as the object of evaluation.
Changing pattern in line 26 to ^(.*)$ will capture the whole file as a single object.

And the operation in the state needs to be pattern match.

[comps]

Thanks for the help. Everything should be in its final form, I tested the check for pass/fail and remediation - seems to be working.

[yuumasato]

@comps Thanks for the PR.

One more thing, I forgot, was focused on OVAL.
Do you think it makes sense to also reflect this change in the rule description?

[comps]

I believe I did change ocil to match the new algorithm (please double check). I don't see anything from the actual description that would need changing.

[yuumasato]

Cool, thank again for the patch!