Bash

TEMPLATE bash_instantiate_variables

Pass strings that correspond to XCCDF value names as arguments to this macro: bash_instantiate_variables("varname1", "varname2")

Then assume that shell variables with those names are defined and contain the correct value, e.g. echo "Setting=$varname1" >> config_file

bash_instantiate_variables()

TEMPLATE bash_ensure_pam_module_options

make sure that we have a line like this in pamFile (additional options are left as-is): type control module option=valueRegexArg

pamFile: PAM config file
type: PAM module interface
control: PAM control flags
module: PAM module name
option: PAM module option
valueRegexArg: PAM module option argument regex pattern
defaultValueArg: PAM module option argument default value

bash_ensure_pam_module_options(pamFile, type, control, module, option, valueRegexArg, defaultValueArg)
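The check-then-fix behaviour described above, as an added shell illustration; this is not the code the macro generates. It assumes the PAM line uses a single-word control (e.g. "required"); bracketed controls such as "[success=1 default=ignore]" span several fields and would need a smarter tokenizer. The function name and the explicit file argument are the example's own.

```shell
#!/bin/sh
# Added illustration of the bash_ensure_pam_module_options semantics (not the
# project's generated code). Assumption: single-word control field.
ensure_pam_module_options() {
    pam_file=$1 ptype=$2 control=$3 module=$4 option=$5 value_regex=$6 default_value=$7
    tmp=$(mktemp) || return 1
    if ! awk -v ptype="$ptype" -v control="$control" -v module="$module" \
            -v opt="$option" -v re="$value_regex" -v def="$default_value" '
        BEGIN { found = 0 }
        /^[[:space:]]*#/ { print; next }                 # comments stay untouched
        $1 == ptype && $2 == control && $3 == module {
            found = 1
            have = 0
            for (i = 4; i <= NF; i++) {
                if (index($i, opt "=") == 1) {           # option=value is present
                    have = 1
                    v = substr($i, length(opt) + 2)
                    # the value must fully match the regex, else reset to default
                    if (v !~ ("^(" re ")$")) $i = opt "=" def
                }
            }
            if (!have) $0 = $0 " " opt "=" def           # option missing: append it
        }
        { print }
        END { exit(found ? 0 : 1) }
    ' "$pam_file" > "$tmp"; then
        rm -f "$tmp"
        echo "ensure_pam_module_options: no '$ptype $control $module' line in $pam_file" >&2
        return 1
    fi
    # cat instead of mv so mode, owner and SELinux label of the file survive
    cat "$tmp" > "$pam_file" && rm -f "$tmp"
}
```

Note that a missing `type control module` line is reported rather than silently created: adding a PAM stack entry is a policy decision (ordering within the stack matters), so the function only adjusts options on a line that is already there.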

TEMPLATE bash_perform_audit_rules_privileged_commands_remediation

# Macro to perform remediation for the 'audit_rules_privileged_commands' rule
#
# Expects two arguments:
#
# tool        tool used to load audit rules,
#             either 'auditctl' or 'augenrules'
# min_auid    minimum auid (the login UID the user originally authenticated with)
#
# Example macro invocation(s):
#
# bash_perform_audit_rules_privileged_commands_remediation("auditctl", "500")
# bash_perform_audit_rules_privileged_commands_remediation("augenrules", "1000")
#

bash_perform_audit_rules_privileged_commands_remediation(tool, min_auid)

TEMPLATE bash_create_audit_remediation_unsuccessful_file_modification_detailed

Macro that copies the audit rules into a file. The purpose is to create exactly the same content in the file specified by filename arg as in https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules

Expects one argument:

filename: name of the file to print the rules to; the file is written to the directory given in filename

bash_create_audit_remediation_unsuccessful_file_modification_detailed(filename)

TEMPLATE bash_fix_audit_watch_rule

# Macro to fix audit file system object watch rule for given path:
# * if the rule exists, also verifies the -p (permission) bits match the requirements
# * if the rule doesn't exist yet, appends the expected rule form to the $files_to_inspect
#   audit rules file, depending on the tool which was used to load audit rules
#
# Expects four arguments (each of them is required) in the form of:
# * audit tool             tool used to load audit rules,
#                          either 'auditctl', or 'augenrules'
# * path                   value of the -w audit rule's argument
# * required_access_bits   value of the -p audit rule's argument
# * key                    value of the -k audit rule's argument
#
# Example macro invocation:
#
# {{{ bash_fix_audit_watch_rule("auditctl", "/etc/localtime", "wa", "audit_time_rules") }}}
#

bash_fix_audit_watch_rule(tool, path, required_access_bits, key)
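The two cases above (rule present but with too few permission bits, rule absent) as an added shell illustration; this is not the macro's generated code. It takes the rules file as an explicit argument instead of deriving it from the tool (auditctl reads /etc/audit/audit.rules, augenrules merges /etc/audit/rules.d/*.rules), and the function name is the example's own.

```shell
#!/bin/sh
# Added illustration of the bash_fix_audit_watch_rule semantics (not the
# project's generated code). Assumption: one rule per line, "-w PATH" form.
fix_audit_watch_rule() {
    rules_file=$1 path=$2 required_bits=$3 key=$4
    [ -e "$rules_file" ] || : > "$rules_file"
    tmp=$(mktemp) || return 1
    awk -v path="$path" -v req="$required_bits" -v key="$key" '
        BEGIN { found = 0 }
        $1 ~ /^#/ || $0 !~ /(^|[[:space:]])-w[[:space:]]/ { print; next }
        {
            wpos = 0; ppos = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-w") wpos = i + 1
                if ($i == "-p") ppos = i + 1
            }
            if (wpos == 0 || $wpos != path) { print; next }   # watch on another path
            found = 1
            # Union of the bits already present and the required ones; the
            # existing key is kept, only the -p field is corrected
            bits = (ppos ? $ppos : "")
            for (j = 1; j <= length(req); j++) {
                c = substr(req, j, 1)
                if (index(bits, c) == 0) bits = bits c
            }
            if (ppos) $ppos = bits
            else $0 = $0 " -p " bits
            print
        }
        END { if (!found) print "-w " path " -p " req " -k " key }
    ' "$rules_file" > "$tmp" && cat "$tmp" > "$rules_file"
    rm -f "$tmp"
}
```

Editing the file does not change the running ruleset: reload with `augenrules --load` (or `auditctl -R` for an auditctl-managed file), and if the configuration was made immutable with `-e 2` the new rules only apply after a reboot.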

TEMPLATE bash_package_install

Install a package

Uses the right command based on pkg_manager property defined in product.yml.

param package: name of the package (type: str)

bash_package_install(package)

TEMPLATE bash_package_remove

Remove a package

Uses the right command based on pkg_manager property defined in product.yml. When used in a test scenario, the macro will remove even protected packages.

param package: name of the package (type: str)

bash_package_remove(package)

TEMPLATE bash_perform_audit_adjtimex_settimeofday_stime_remediation

# Macro to perform remediation for the 'adjtimex', 'settimeofday', and 'stime' audit
# system calls on RHEL, Fedora or OL systems.
# Remediation is performed for both possible tools: 'auditctl' and 'augenrules'.
#
# Note: the 'stime' system call isn't known on the 64-bit arch (see the output of
# "$ ausyscall x86_64 stime"), therefore it is excluded from the list of time group
# system calls to be audited on this arch.
#
# Example macro invocation:
#
# {{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}}
#

bash_perform_audit_adjtimex_settimeofday_stime_remediation()

TEMPLATE bash_dconf_settings

# Macro to configure DConf settings for RHEL and Fedora systems.

bash_dconf_settings(path, key, value, db, setting_file)

TEMPLATE bash_dconf_lock

# Macro to configure DConf locks for RHEL and Fedora systems.

bash_dconf_lock(key, setting, db, lock_file)

TEMPLATE bash_service_command

# Macro to enable or disable a particular service.
#
# Examples:
#
# bash_service_command("enable", "bluetooth")
# bash_service_command("disable", "bluetooth.service")
# bash_service_command("disable", "rsh.socket", xinetd="rsh")

bash_service_command(service_state, service, xinetd="")

TEMPLATE bash_firefox_js_setting

# bash_firefox_js_setting expects three arguments:
#
# config_file: Configuration file that will be modified
# key: Configuration option to change
# value: Value of the configuration option to change; pass it as value (written as-is,
#        for integers and booleans) or as quoted_value (written wrapped in quotes, for strings)
#
# Example Calls:
#
# With a fixed integer value:
# bash_firefox_js_setting("local-settings.js", "general.config.obscure_value", "0")
#
# With a fixed string value:
# bash_firefox_js_setting("local-settings.js", "general.config.filename", quoted_value="mozilla.cfg")
#
# With a string variable:
# bash_firefox_js_setting("local-settings.js", "general.config.filename", quoted_value="$var_config_file_name")

bash_firefox_js_setting(config_file, key, value="", quoted_value="", sed_separator="/")

TEMPLATE bash_firefox_cfg_setting

# Function to replace configuration setting(s) in the Firefox preferences configuration (.cfg) file,
# or add the preference if it does not exist.
#
# Expects three arguments:
#
# config_file: Configuration file that will be modified
# key: Configuration option to change
# value: Value of the configuration option to change; pass it as value (written as-is)
#        or as quoted_value (written wrapped in quotes, for strings)
#
# Example Call(s):
#
# Without string or variable:
# bash_firefox_cfg_setting("mozilla.cfg", "extensions.update.enabled", value="false")
#
# With string:
# bash_firefox_cfg_setting("mozilla.cfg", "security.default_personal_cert", quoted_value="Ask Every Time")
#
# With a string variable:
# bash_firefox_cfg_setting("mozilla.cfg", "browser.startup.homepage", quoted_value="${var_default_home_page}")

bash_firefox_cfg_setting(config_file, key, value="", quoted_value="", sed_separator="/")

TEMPLATE bash_ensure_there_are_servers_in_ntp_compatible_config_file

# Macro to ensure that the ntp/chrony config file contains valid server entries.
# config_file: Path to the ntp/chrony config file
# servers_list: Comma-separated list of servers

bash_ensure_there_are_servers_in_ntp_compatible_config_file(config_file, servers_list)

TEMPLATE bash_set_faillock_option

# Sets PAM faillock module options and values.
# It also adds pam_faillock.so as a required module for account.
# option: faillock option, e.g. deny, unlock_time
# value: value of the option

bash_set_faillock_option(option, value)

TEMPLATE die

# Print a message to stderr and exit the shell
# message: The message to print.
# rc: The error code (optional, default is 1)
# action: What to do (optional, default is 'exit', can also be 'return' or anything else)

die(message, rc=1, action="exit")

TEMPLATE set_config_file

# Add an entry to a text configuration file
# path: path of the configuration file
# parameter: the parameter to be set in the configuration file
# value: the value of the parameter to be set in the configuration file
# create: whether to create the file specified by path if it does not exist
# insert_after: inserts the entry right after the first line that matches the regular expression
#   specified by this argument; set to EOF to insert at the end of the file
# insert_before: inserts the entry right before the first line that matches the regular expression
#   specified by this argument; set to BOF to insert at the beginning of the file
# insensitive: ignore case
# separator: separates the parameter from the value (literal)
# separator_regex: regular expression that describes the separator and surrounding whitespace
# prefix_regex: regular expression describing allowed leading characters at each line
# sed_path_separator: delimiter used in the generated sed expressions; pick one that does not occur in path or value

set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s+", prefix_regex="^\s*", sed_path_separator="/")

TEMPLATE bash_file_contents

Generates bash script code that puts 'contents' into a file at 'filepath'. Parameters:

  • filepath - path of the file to write

  • contents - contents that should be in the file

bash_file_contents(filepath='', contents='')

TEMPLATE bash_deregexify_banner_anchors

Strips anchors regex around the banner text

bash_deregexify_banner_anchors(banner_var_name)

TEMPLATE bash_deregexify_multiple_banners

Strips multibanner regex and keeps only the first banner

bash_deregexify_multiple_banners(banner_var_name)

TEMPLATE bash_deregexify_banner_space

Strips whitespace or newline regex

bash_deregexify_banner_space(banner_var_name)

TEMPLATE bash_deregexify_banner_newline

Strips newline or newline escape sequence regex

bash_deregexify_banner_newline(banner_var_name, newline)

TEMPLATE bash_deregexify_banner_newline_token

Strips newline token for a newline escape sequence regex

bash_deregexify_banner_newline_token(banner_var_name)

TEMPLATE bash_deregexify_banner_backslash

Strips backslash regex

bash_deregexify_banner_backslash(banner_var_name)

TEMPLATE bash_package_installed

# Check whether or not a package is installed.

bash_package_installed(pkgname)

TEMPLATE bash_replace_or_append

Macro to replace a configuration setting in a config file, or add the setting if it does not exist.

Expects arguments:

config_file: Configuration file that will be modified
key: Configuration option to change (a regex, usually anchored with ^)
value: Value of the configuration option to change
cce: The CCE identifier, or '@CCENUM@' if no CCE identifier exists

Optional arguments:

format: The printf-like format string that will be given the stripped key and value as arguments; e.g. '%s=%s' results in key=value substitution (i.e. without spaces around =). The default is '%s = %s', i.e. key = value.

Example Call(s):

With default format of 'key = value':
{{{ bash_replace_or_append('/etc/sysctl.conf', '^kernel.randomize_va_space', '2', '@CCENUM@') }}}

With custom key/value format:
{{{ bash_replace_or_append('/etc/sysconfig/selinux', '^SELINUX=', 'disabled', '@CCENUM@', '%s=%s') }}}

With a variable:
{{{ bash_replace_or_append('/etc/sysconfig/selinux', '^SELINUX=', "$var_selinux_state", '@CCENUM@', '%s=%s') }}}

bash_replace_or_append(config_file, key, value, cce, format='%s = %s')
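The replace-or-append behaviour shared by set_config_file and bash_replace_or_append, as one added shell illustration that is not the code either macro generates. It assumes the parameter is an ERE fragment (like the '^kernel.randomize_va_space' keys above), writes that fragment with its ^ and $ anchors stripped as the literal name, matches case-insensitively, and takes the separator and prefix regexes in the same spirit as set_config_file's separator_regex and prefix_regex; the function name is the example's own.

```shell
#!/bin/sh
# Added illustration of the set_config_file / bash_replace_or_append semantics
# (not the project's generated code). Assumption: parameter is an ERE fragment.
ensure_config_line() {
    path=$1 parameter=$2 value=$3
    separator=${4:-" "}                       # literal put between name and value
    separator_regex=${5:-"[[:space:]]+"}      # how existing lines separate them
    prefix_regex=${6:-"^[[:space:]]*"}        # what may precede the name
    [ -e "$path" ] || : > "$path"             # create=true behaviour
    tmp=$(mktemp) || return 1
    awk -v param="$parameter" -v val="$value" -v sep="$separator" \
        -v sep_re="$separator_regex" -v pre_re="$prefix_regex" '
        BEGIN {
            pattern = tolower(pre_re param "(" sep_re "|$)")
            name = param; gsub(/[\\^$]/, "", name)     # literal name to write
            newline = name sep val
            done = 0
        }
        tolower($0) ~ pattern {
            # The first match is rewritten; later duplicates are dropped so the
            # file cannot end up with two competing values for the same key
            if (!done) { print newline; done = 1 }
            next
        }
        { print }
        END { if (!done) print newline }
    ' "$path" > "$tmp" && cat "$tmp" > "$path"
    rm -f "$tmp"
}
```

Dropping duplicate entries instead of leaving them is deliberate: which occurrence wins differs by parser (sshd_config takes the first, sysctl the last), so a remediation that only fixes one line can pass a grep-based check while the effective setting stays wrong. Writing back with `cat` rather than `mv` keeps the file's mode, owner and SELinux label, which a `mv` of a mktemp file would replace.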

TEMPLATE bash_ensure_mount_option_for_vfstype

# vfstype: type of filesystem
# mount_opt: mount point option which we are checking
# filesystem (fs_spec): identification of the filesystem to be mounted (LABEL, UUID, device name etc.)
# type: mount type of new mount point (used when adding a new entry in fstab)
#
# To see how the args correspond to an /etc/fstab entry, see the bash_ensure_mount_option_in_fstab documentation

bash_ensure_mount_option_for_vfstype(vfstype, mount_opt, filesystem, type)

TEMPLATE bash_ensure_mount_option_in_fstab

# mount_point: mount point
# mount_opt: mount point option whose presence in /etc/fstab we are ensuring
# fs_spec: identification of the filesystem to be mounted (LABEL, UUID, device name etc.)
# type: mount type of mount point (used when adding a new entry in fstab)
#
# If we look at an example invocation of this macro:
# {{{ bash_ensure_mount_option_in_fstab("/home", "auto_da_alloc", "LABEL=t-home2", "ext4") }}}
#
# The resulting /etc/fstab entry could look like this:
# LABEL=t-home2 /home ext4 defaults,auto_da_alloc 0 2
#

bash_ensure_mount_option_in_fstab(mount_point, mount_opt, fs_spec, type)
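The fstab edit described above as an added shell illustration; it is not the macro's generated code. It takes the fstab path as an explicit first argument so it can be run against a copy (the macro edits /etc/fstab), and the function name is the example's own.

```shell
#!/bin/sh
# Added illustration of the bash_ensure_mount_option_in_fstab semantics (not the
# project's generated code). Assumption: standard 6-field fstab lines.
ensure_mount_option_in_fstab() {
    fstab=$1 mount_point=$2 mount_opt=$3 fs_spec=$4 fs_type=$5
    tmp=$(mktemp) || return 1
    awk -v mp="$mount_point" -v opt="$mount_opt" -v spec="$fs_spec" -v fstype="$fs_type" '
        BEGIN { found = 0 }
        /^[[:space:]]*#/ || NF < 4 { print; next }       # comments and blank lines
        $2 == mp {
            found = 1
            # Compare whole comma-separated tokens: a substring test would
            # report "exec" as present when the line only carries "noexec"
            n = split($4, o, ",")
            have = 0
            for (i = 1; i <= n; i++) if (o[i] == opt) have = 1
            if (!have) $4 = $4 "," opt
        }
        { print }
        END { if (!found) print spec " " mp " " fstype " defaults," opt " 0 2" }
    ' "$fstab" > "$tmp" && cat "$tmp" > "$fstab"
    rm -f "$tmp"
}
```

As with the macros, changing fstab does not change the live mount; `mount -o remount <mount_point>` (what bash_ensure_partition_is_mounted does) is needed before a check against /proc/mounts will pass.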

TEMPLATE bash_assert_mount_point_in_fstab

# Check whether mount_point is present in /etc/fstab; print err to stderr and return 1 if not

bash_assert_mount_point_in_fstab(mount_point)

TEMPLATE bash_ensure_partition_is_mounted

# Ensure that the partition is mounted at mount_point.
# If a partition is already mounted at mount_point, remount it to apply option changes.

bash_ensure_partition_is_mounted(mount_point)

TEMPLATE bash_fix_audit_syscall_rule

# Based on example audit syscall rule definitions as outlined in the
# /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit
# package. It will combine multiple system calls belonging to the same
# syscall group into one audit rule (rather than create an audit rule per
# different system call) to avoid the audit infrastructure performance penalty
# in the case of 'one-audit-rule-definition-per-one-system-call'. See:
#
# https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html
#
# for further details.
#
# Expects seven arguments (each of them is required) in the form of:
# * audit tool             tool used to load audit rules,
#                          either 'auditctl', or 'augenrules'
# * action_arch_filters    The action and arch filters of the rule
#                          For example, "-a always,exit -F arch=b64"
# * other_filters          Other filters that may characterize the rule:
#                          For example, "-F a2&03 -F path=/etc/passwd"
# * auid_filters           The auid filters of the rule
#                          For example, "-F auid>=1000 -F auid!=unset"
# * syscall                The syscall to ensure presence among audit rules
#                          For example, "chown"
# * syscall_groupings      Other syscalls that can be grouped with 'syscall'
#                          as a space separated list.
#                          For example, "fchown lchown fchownat"
# * key                    The key to use when appending a new rule
#
# Notes:
# - The 2nd up to 4th arguments are used to determine how many existing
#   audit rules will be inspected for resemblance with the new audit rule
#   the macro is going to add.
# - The macro's similarity check uses the 5th argument to optimize audit
#   rules definitions (merge syscalls of the same group into one rule) to avoid
#   the "single-syscall-per-audit-rule" performance penalty.
# - The key argument (7th argument) is not used when the syscall is grouped to an
#   existing audit rule. The audit rule will retain the key it already had.

bash_fix_audit_syscall_rule(tool, action_arch_filters, other_filters, auid_filters, syscall, syscall_groupings, key)
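The grouping logic in the notes above (merge into an existing rule only when its filters match exactly and all of its syscalls belong to the same group, keep that rule's key, otherwise append a fresh rule with the given key) as an added shell illustration; this is not the macro's generated code. It takes the rules file as an explicit argument rather than deriving it from the tool, accepts both `-S a -S b` and `-S a,b` forms, and treats `-k` and `-F key=` as the key; the function name is the example's own.

```shell
#!/bin/sh
# Added illustration of the bash_fix_audit_syscall_rule grouping logic (not the
# project's generated code). Assumption: one rule per line.
fix_audit_syscall_rule() {
    rules_file=$1 action_arch=$2 other=$3 auid=$4 syscall=$5 groupings=$6 key=$7
    [ -e "$rules_file" ] || : > "$rules_file"
    tmp=$(mktemp) || return 1
    awk -v filters="$action_arch $other $auid" -v sc="$syscall" \
        -v grp="$syscall $groupings" -v key="$key" '
        BEGIN {
            nwant = split(filters, want, " ")          # filter tokens the rule must carry
            ng = split(grp, g, " ")
            for (i = 1; i <= ng; i++) group[g[i]] = 1
            done = 0
        }
        /^[[:space:]]*#/ || $0 !~ /(^|[[:space:]])-S[[:space:]]/ { print; next }
        {
            # Split the rule into its syscalls and everything else except the key
            split("", sys); rest = ""; lastS = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-S") {
                    lastS = i + 1
                    n = split($lastS, parts, ",")
                    for (p = 1; p <= n; p++) sys[parts[p]] = 1
                    i++
                } else if ($i == "-k" || ($i == "-F" && $(i + 1) ~ /^key=/)) {
                    i++
                } else {
                    rest = rest " " $i
                }
            }
            # Candidate only if its filters are exactly the wanted ones (any order)
            nr = split(rest, have, " ")
            same = (nr == nwant)
            for (i = 1; same && i <= nr; i++) {
                hit = 0
                for (j = 1; j <= nwant; j++) if (have[i] == want[j]) hit = 1
                same = hit
            }
            if (done || !same) { print; next }
            # Merge only into a rule whose syscalls all belong to the same group
            for (s in sys) if (!(s in group)) same = 0
            if (!same) { print; next }
            done = 1
            if (!(sc in sys)) $lastS = $lastS "," sc   # the existing key is kept
            print
        }
        END {
            if (!done) {
                line = filters " -S " sc " -k " key
                gsub(/[[:space:]]+/, " ", line)
                print line
            }
        }
    ' "$rules_file" > "$tmp" && cat "$tmp" > "$rules_file"
    rm -f "$tmp"
}
```

The exact-filter comparison is what keeps a syscall from being merged into a rule that carries an extra `-F exit=` or `-F path=` filter; such a rule would audit the call only under that filter, which is not what the new rule asks for.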