Bash
- TEMPLATE bash_instantiate_variables
Pass strings that correspond to XCCDF value names as arguments to this macro:
bash_instantiate_variables("varname1", "varname2")
Then, assume that variables of those names are defined and contain the correct value, e.g.:
echo "Setting=$varname1" >> config_file
bash_instantiate_variables()
- TEMPLATE bash_ensure_pam_module_options
Make sure that we have a line like this in pamFile (additional options are left as-is): type control module option=valueRegexArg
- Parameters
pamFile – PAM config file
type – PAM module interface
control – PAM control flags
module – PAM module name
option – PAM module option
valueRegexArg – PAM module option argument regex pattern
defaultValueArg – PAM module option argument default value
bash_ensure_pam_module_options(pamFile, type, control, module, option, valueRegexArg, defaultValueArg)
- TEMPLATE bash_provide_pam_module_options
Make sure that the line with the given type, control and module in pamFile has the given option (additional options are left as-is): type control module option=valueRegexArg
- Parameters
pamFile – PAM config file
type – PAM module interface
control – PAM control flags
module – PAM module name
option – PAM module option
valueRegexArg – PAM module option argument regex pattern
defaultValueArg – PAM module option argument default value
bash_provide_pam_module_options(pamFile, type, control, module, option, valueRegexArg, defaultValueArg)
- TEMPLATE bash_shell_file_set
Set a parameter
- Parameters
path (str) – Path to file
parameter (str) – Parameter to set
value (str) – Value to set
no_quotes (str) – Boolean, if true the value is not quoted. Default is false.
bash_shell_file_set(path, parameter, value, no_quotes=false)
- TEMPLATE bash_perform_audit_rules_privileged_commands_remediation
Macro to perform remediation for the ‘audit_rules_privileged_commands’ rule.
- Parameters
tool – tool used to load audit rules, either ‘auditctl’ or ‘augenrules’
min_auid – minimum original ID the user logged in with
Example macro invocation(s):
perform_audit_rules_privileged_commands_remediation("auditctl", "500")
perform_audit_rules_privileged_commands_remediation("augenrules", "1000")
bash_perform_audit_rules_privileged_commands_remediation(tool, min_auid)
- TEMPLATE bash_sshd_config_set
Set a parameter in /etc/sshd_config
- Parameters
parameter (str) – Parameter to set
value (str) – The value to set
bash_sshd_config_set(parameter, value)
- TEMPLATE bash_sshd_remediation
Set a parameter in /etc/sshd_config or /etc/ssh/sshd_config.d/
- Parameters
parameter (str) – Parameter to set
value (str) – The value to set
config_is_distributed (str) – If true, will also look in /etc/ssh/sshd_config.d
bash_sshd_remediation(parameter, value, config_is_distributed)
- TEMPLATE bash_create_audit_remediation_unsuccessful_file_modification_detailed
Macro that copies the audit rules into a file. The purpose is to create exactly the same content in the file specified by filename argument as in https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules
- Parameters
filename (str) – Name of the file to print the information to; written to the directory specified by the filename
bash_create_audit_remediation_unsuccessful_file_modification_detailed(filename)
- TEMPLATE bash_auditd_config_set
Set parameter in /etc/audit/auditd.conf
- Parameters
parameter (str) – Parameter to set
value (str) – The value to set
bash_auditd_config_set(parameter, value)
- TEMPLATE bash_coredump_config_set
Set parameter in /etc/systemd/coredump.conf
- Parameters
parameter (str) – Parameter to set
value (str) – The value to set
bash_coredump_config_set(parameter, value)
- TEMPLATE bash_selinux_config_set
Set parameter in /etc/selinux/config
- Parameters
parameter (str) – Parameter to set
value (str) – The value to set
bash_selinux_config_set(parameter, value)
- TEMPLATE bash_fix_audit_watch_rule
Macro to fix audit file system object watch rule for given path:
- if rule exists, also verifies the -w bits match the requirements
- if rule doesn’t exist yet, appends expected rule form to $files_to_inspect audit rules file, depending on the tool which was used to load audit rules
- Parameters
tool – tool used to load audit rules, either ‘auditctl’ or ‘augenrules’
path – value of -w audit rule’s argument
required_access_bits – value of -p audit rule’s argument
key – value of -k audit rule’s argument
Example macro invocation:
{{{ bash_fix_audit_watch_rule("auditctl", "/etc/localtime", "wa", "audit_time_rules") }}}
bash_fix_audit_watch_rule(tool, path, required_access_bits, key)
- TEMPLATE bash_package_install
Install a package
Uses the right command based on pkg_manager property defined in product.yml.
- Parameters
package (str) – name of the package
bash_package_install(package)
- TEMPLATE bash_package_remove
Remove a package
Uses the right command based on pkg_manager property defined in product.yml. When used in a test scenario, the macro will remove even protected packages.
- Parameters
package (str) – name of the package
bash_package_remove(package)
- TEMPLATE bash_perform_audit_adjtimex_settimeofday_stime_remediation
Macro to perform remediation for the ‘adjtimex’, ‘settimeofday’, and ‘stime’ audit system calls on RHEL, Fedora or OL systems. Remediation performed for both possible tools: ‘auditctl’ and ‘augenrules’.
Note: the ‘stime’ system call isn’t known on 64-bit arch (see the output of “$ ausyscall x86_64 stime”), therefore it is excluded from the list of time group system calls to be audited on this arch.
Example macro invocation:
{{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}}
bash_perform_audit_adjtimex_settimeofday_stime_remediation()
- TEMPLATE bash_disable_prelink
Disable prelinking in sysconfig
bash_disable_prelink()
- TEMPLATE bash_dconf_settings
Macro to configure DConf settings for RHEL and Fedora systems.
If files contain ibus or distro, ignore them.
bash_dconf_settings(path, key, value, db, setting_file)
- TEMPLATE bash_dconf_lock
Macro to configure DConf locks for RHEL and Fedora systems.
bash_dconf_lock(key, setting, db, lock_file)
- TEMPLATE bash_service_command
Macro to enable or disable a particular service.
Examples:
bash_service_command("enable", "bluetooth")
bash_service_command("disable", "bluetooth.service")
bash_service_command("disable", "rsh.socket", xinetd="rsh")
- Parameters
service_state – Desired state of the service
service – The service to change
xinetd – Set the xinetd for the service. Defaults to empty string.
bash_service_command(service_state, service, xinetd="")
- TEMPLATE bash_firefox_js_setting
Example Calls:
With a fixed integer value:
bash_firefox_js_setting("local-settings.js", "general.config.obscure_value", "0")
With a fixed string value:
bash_firefox_js_setting("local-settings.js", "general.config.filename", quoted_value="mozilla.cfg")
With a string variable:
bash_firefox_js_setting("local-settings.js", "general.config.filename", quoted_value="$var_config_file_name")
- Parameters
config_file – Configuration file that will be modified
key – Configuration option to change
value – Value of the configuration option to change
bash_firefox_js_setting(config_file, key, value="", quoted_value="", sed_separator="/")
- TEMPLATE bash_firefox_cfg_setting
Function to replace configuration setting(s) in the Firefox preferences configuration (.cfg) file or add the preference if it does not exist.
Example Call(s):
Without string or variable:
bash_firefox_cfg_setting("mozilla.cfg", "extensions.update.enabled", value="false")
With string:
bash_firefox_cfg_setting("mozilla.cfg", "security.default_personal_cert", quoted_value="Ask Every Time")
With a string variable:
bash_firefox_cfg_setting("mozilla.cfg", "browser.startup.homepage", quoted_value="${var_default_home_page}")
- Parameters
config_file – Configuration file that will be modified
key – Configuration option to change
value – Value of the configuration option to change
bash_firefox_cfg_setting(config_file, key, value="", quoted_value="", sed_separator="/")
- TEMPLATE bash_ensure_there_are_servers_in_ntp_compatible_config_file
Macro to ensure that the ntp/chrony config file contains valid server entries.
- Parameters
config_file – Path to the ntp/chrony config file
servers_list – Comma-separated list of servers
bash_ensure_there_are_servers_in_ntp_compatible_config_file(config_file, servers_list)
- TEMPLATE bash_set_faillock_option
Sets PAM faillock module options and values. It also adds pam_faillock.so as a required module for account.
- Parameters
option – faillock option, e.g. deny, unlock_time
value – value of option
bash_set_faillock_option(option, value)
- TEMPLATE die
Print a message to stderr and exit the shell
- Parameters
message – The message to print.
rc – The error code (optional, default is 1)
action – What to do (optional, default is ‘exit’, can be also ‘return’ or anything else)
die(message, rc=1, action=”exit”)
- TEMPLATE set_config_file
Add an entry to a text configuration file
- Parameters
path – path of the configuration file
parameter – the parameter to be set in the configuration file
value – the value of the parameter to be set in the configuration file
create – whether to create the file specified by path if it does not exist
insert_after – inserts the entry right after first line that matches regular expression specified by this argument, set to EOF to insert at the end of the file
insert_before – inserts the entry right before first line that matches regular expression specified by this argument, set to BOF to insert at the beginning of the file
insensitive – ignore case
separator – separates parameter from the value (literal)
separator_regex – regular expression that describes the separator and surrounding whitespace
prefix_regex – regular expression describing allowed leading characters at each line
set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s+", prefix_regex="^\s*", sed_path_separator="/")
- TEMPLATE bash_file_contents
Generates bash script code that puts ‘contents’ into a file at ‘filepath’
- Parameters
filepath – Filepath of the file to check
contents – Contents that should be in the file
bash_file_contents(filepath='', contents='')
- TEMPLATE bash_deregexify_banner_anchors
Strips anchors regex around the banner text
bash_deregexify_banner_anchors(banner_var_name)
- TEMPLATE bash_deregexify_multiple_banners
Strips multibanner regex and keeps only the first banner
bash_deregexify_multiple_banners(banner_var_name)
- TEMPLATE bash_deregexify_banner_space
Strips whitespace or newline regex
bash_deregexify_banner_space(banner_var_name)
- TEMPLATE bash_deregexify_banner_newline
Strips newline or newline escape sequence regex
bash_deregexify_banner_newline(banner_var_name, newline)
- TEMPLATE bash_deregexify_banner_newline_token
Strips newline token for a newline escape sequence regex
bash_deregexify_banner_newline_token(banner_var_name)
- TEMPLATE bash_deregexify_banner_backslash
Strips backslash regex
bash_deregexify_banner_backslash(banner_var_name)
- TEMPLATE bash_package_installed
Check whether or not a package is installed.
bash_package_installed(pkgname)
- TEMPLATE set_cce_value
Set rule CCE value
This macro gets the var cce_identifiers from the environment created by the build scripts. The cce_identifiers is a dictionary that contains either the ‘cce’:’CCENUM’ record for the product this remediation is being built for, or it is empty.
set_cce_value()
- TEMPLATE bash_replace_or_append
Macro to replace configuration setting in config file or add the configuration setting if it does not exist.
Example Calls:
With default format of ‘key = value’:
{{{ bash_replace_or_append('/etc/sysctl.conf', '^kernel.randomize_va_space', '2') }}}
With custom key/value format:
{{{ bash_replace_or_append('/etc/sysconfig/selinux', '^SELINUX=', 'disabled', '%s=%s') }}}
With a variable:
{{{ bash_replace_or_append('/etc/sysconfig/selinux', '^SELINUX=', "$var_selinux_state", '%s=%s') }}}
- Parameters
config_file – Configuration file that will be modified
key – Configuration option to change
value – Value of the configuration option to change
format – Optional argument. The printf-like format string that is given the stripped key and the value as arguments, so e.g. ‘%s=%s’ results in key=value (i.e. without spaces around =)
bash_replace_or_append(config_file, key, value, format='%s = %s')
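As an added illustration of the replace-or-append behaviour that both set_config_file and bash_replace_or_append describe (this is example code, not the project's macro expansion), the POSIX shell function below rewrites every line matching the key regex, or appends a new line when none matches, using the same printf-style format convention; treating the "stripped key" as the regex without its leading ^ and trailing = is an assumption.

```shell
#!/bin/sh
# Added example (not the ComplianceAsCode macro itself): replace a setting in a
# config file or append it when the key is absent.
# usage: replace_or_append FILE KEY_REGEX VALUE [FORMAT]
replace_or_append() {
    file=$1; key=$2; value=$3; fmt=${4:-'%s = %s'}
    # Assumption: the "stripped key" is the regex without its ^ anchor and
    # without a trailing = or $ (so '^SELINUX=' becomes 'SELINUX').
    stripped_key=$(printf '%s' "$key" | sed 's/^\^//; s/[=$]*$//')
    # shellcheck disable=SC2059  # the format string is deliberately caller-supplied
    new_line=$(printf "$fmt" "$stripped_key" "$value")
    # awk receives the key and the replacement as variables, so a value that
    # contains '/' needs no sed separator juggling. KEY_REGEX is a regex: an
    # unescaped '.' matches any character, as in '^kernel.randomize_va_space'.
    # Every matching line is replaced; if none matched, the line is appended.
    awk -v key="$key" -v line="$new_line" '
        $0 ~ key { print line; done = 1; next }
        { print }
        END { if (!done) print line }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample run: a sysctl-style file with one value to change.
demo() {
    f=$(mktemp)
    printf 'net.ipv4.ip_forward = 0\nkernel.randomize_va_space = 1\n' > "$f"
    replace_or_append "$f" '^kernel.randomize_va_space' '2'        # replaced in place
    replace_or_append "$f" '^SELINUX=' 'enforcing' '%s=%s'         # appended (no match)
    cat "$f"
    rm -f "$f"
}
demo
```

Because the match is a regex, anchor it with ^ as the page's examples do; an unanchored key such as 'SELINUX=' would also rewrite a commented-out line that merely contains it.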
- TEMPLATE bash_ensure_mount_option_for_vfstype
To see how the args correspond to an /etc/fstab entry, see the bash_ensure_mount_option_for_vfstype documentation.
- Parameters
vfstype – type of filesystem
mount_opt – mount point option which we are checking
fs_spec – identification of the filesystem to be mounted (LABEL, UUID, device name etc.)
type – mount type of new mount point (used when adding new entry in fstab)
bash_ensure_mount_option_for_vfstype(vfstype, mount_opt, filesystem, type)
- TEMPLATE bash_ensure_mount_option_in_fstab
Ensures that the given mount point is in /etc/fstab. If we look at an example invocation of this macro:
{{{ bash_ensure_mount_option_in_fstab("/home", "auto_da_alloc", "LABEL=t-home2", "ext4") }}}
The resulting /etc/fstab entry could look like this:
LABEL=t-home2 /home ext4 defaults,auto_da_alloc 0 2
- Parameters
mount_point – mount point
mount_opt – mount point option whose presence in /etc/fstab we are ensuring
fs_spec – identification of the filesystem to be mounted (LABEL, UUID, device name etc.)
type – mount type of mount point (used when adding new entry in fstab)
bash_ensure_mount_option_in_fstab(mount_point, mount_opt, fs_spec, type)
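An added shell illustration (example code, not the project's macro) of the behaviour described above: it adds the option to the fourth field of the existing fstab entry for the mount point, or appends a new entry in the shape shown. The fstab path is passed as a first argument so the function can run against a constructed file instead of the real /etc/fstab.

```shell
#!/bin/sh
# Added example (not the ComplianceAsCode macro): ensure MOUNT_OPT is present in
# the options field of the fstab entry for MOUNT_POINT, appending a new entry of
# the form "FS_SPEC MOUNT_POINT TYPE defaults,MOUNT_OPT 0 2" when none exists.
# usage: ensure_mount_option_in_fstab FSTAB MOUNT_POINT MOUNT_OPT FS_SPEC TYPE
ensure_mount_option_in_fstab() {
    fstab=$1; mp=$2; opt=$3; spec=$4; fstype=$5
    awk -v mp="$mp" -v opt="$opt" -v spec="$spec" -v fstype="$fstype" '
        # Match on the 2nd field (mount point); comments and blank lines pass through.
        $1 !~ /^#/ && $2 == mp {
            found = 1
            have = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == opt) have = 1
            # Assigning $4 re-joins the fields with single spaces.
            if (!have) $4 = $4 "," opt
        }
        { print }
        END { if (!found) print spec, mp, fstype, "defaults," opt, "0", "2" }
    ' "$fstab" > "$fstab.tmp" && mv "$fstab.tmp" "$fstab"
}

# Constructed sample run on a temporary fstab, mirroring the page's example.
demo() {
    f=$(mktemp)
    printf 'UUID=0000-demo / ext4 defaults 1 1\n' > "$f"
    ensure_mount_option_in_fstab "$f" /home auto_da_alloc LABEL=t-home2 ext4  # appended
    ensure_mount_option_in_fstab "$f" /home auto_da_alloc LABEL=t-home2 ext4  # no duplicate
    ensure_mount_option_in_fstab "$f" / nodev UUID=0000-demo ext4              # option added
    cat "$f"
    rm -f "$f"
}
demo
```

The second call shows the idempotence a remediation needs: re-running it must not produce a second /home entry or a duplicated option.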
- TEMPLATE bash_assert_mount_point_in_fstab
Check whether mount_point is present in /etc/fstab; print an error to stderr and return 1 if not.
bash_assert_mount_point_in_fstab(mount_point)
- TEMPLATE bash_ensure_partition_is_mounted
Ensure that the partition is mounted at mount_point. If the partition is already mounted at mount_point, remount it to apply option changes.
bash_ensure_partition_is_mounted(mount_point)
- TEMPLATE bash_fix_audit_syscall_rule
Based on example audit syscall rule definitions as outlined in the /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit package. It will combine multiple system calls belonging to the same syscall group into one audit rule (rather than creating one audit rule per system call) to avoid the audit infrastructure performance penalty of ‘one-audit-rule-definition-per-one-system-call’. See: for further details.
Notes:
The 2nd up to 4th arguments are used to determine how many existing audit rules will be inspected for resemblance with the new audit rule the macro is going to add.
The macro’s similarity check uses the 5th argument to optimize audit rule definitions (merge syscalls of the same group into one rule) to avoid the “single-syscall-per-audit-rule” performance penalty.
The key argument (7th argument) is not used when the syscall is grouped into an existing audit rule. The audit rule will retain the key it already had.
- Parameters
audit_tool – tool used to load audit rules, either ‘auditctl’ or ‘augenrules’
action_arch_filters – The action and arch filters of the rule. For example, “-a always,exit -F arch=b64”
other_filters – Other filters that may characterize the rule. For example, “-F a2&03 -F path=/etc/passwd”
auid_filters – The auid filters of the rule. For example, “-F auid>=1000 -F auid!=unset”
syscall – The syscall to ensure presence among audit rules. For example, “chown”
syscall_groupings – Other syscalls that can be grouped with ‘syscall’ as a space separated list. For example, “fchown lchown fchownat”
key – The key to use when appending a new rule
bash_fix_audit_syscall_rule(tool, action_arch_filters, other_filters, auid_filters, syscall, syscall_groupings, key)
- TEMPLATE grub2_bootloader_argument_remediation
Remediation for grub2 bootloader arguments
grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE)