Bash

TEMPLATE bash_instantiate_variables

Pass strings that correspond to XCCDF value names as arguments to this macro:

bash_instantiate_variables("varname1", "varname2")

Then, assume that variables of those names are defined and contain the correct value, e.g.:

echo "Setting=$varname1" >> config_file

bash_instantiate_variables()

TEMPLATE bash_ensure_pam_module_options

Make sure that we have a line like this in pamFile (additional options are left as-is): type control module option=valueRegexArg

Parameters
  • pamFile – PAM config file

  • type – PAM module interface

  • control – PAM control flags

  • module – PAM module name

  • option – PAM module option

  • valueRegexArg – PAM module option argument regex pattern

  • defaultValueArg – PAM module option argument default value, written when the option is absent or its current value does not match valueRegexArg

bash_ensure_pam_module_options(pamFile, type, control, module, option, valueRegexArg, defaultValueArg)

TEMPLATE bash_provide_pam_module_options

Make sure that the line with the given type, control and module in pamFile has the given option (additional options are left as-is): type control module option=valueRegexArg

Parameters
  • pamFile – PAM config file

  • type – PAM module interface

  • control – PAM control flags

  • module – PAM module name

  • option – PAM module option

  • valueRegexArg – PAM module option argument regex pattern

  • defaultValueArg – PAM module option argument default value, written when the option is absent or its current value does not match valueRegexArg

bash_provide_pam_module_options(pamFile, type, control, module, option, valueRegexArg, defaultValueArg)
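The two macros above render to bash at build time; as an added example (not code from the ComplianceAsCode project or from these macros), the POSIX shell functions below do the same job on one PAM file: find the `type control module` line, keep an existing `option=value` whose value satisfies the regex, rewrite it to the default when it does not, and append the option when it is absent. Function names, the choice to refuse (rather than append) when no matching module line exists, and the sample PAM file are assumptions of this example. The detail worth seeing is the bracketed control field, e.g. `[success=1 default=ignore]`, which spans several whitespace-separated words and so defeats a naive `awk '$2 == control'` match.

```sh
#!/bin/sh
# Added example: PAM option handling in plain shell (not the project's macros).
# Only the "option=value" form is handled; bare flags such as use_authtok are
# left untouched. Function names are hypothetical.

# awk prelude shared by both helpers. pam_line_matches() returns the field index
# of the module name when the current record is the requested
# "type control module" line, else 0. It copes with bracketed controls such as
# "[success=1 default=ignore]" that span several fields.
PAM_AWK_PRELUDE='
function pam_line_matches(type, control, module,   c, j) {
    if (NF < 3 || substr($1, 1, 1) == "#" || $1 != type) return 0
    c = $2; j = 3
    if (substr(c, 1, 1) == "[")
        while (substr(c, length(c), 1) != "]" && j <= NF) { c = c " " $j; j++ }
    if (c != control || $j != module) return 0
    return j
}'

# pam_module_option <pamFile> <type> <control> <module> <option>
# Prints the current value of option=... on the matching line (nothing if unset).
pam_module_option() {
    PAM_TYPE="$2" PAM_CONTROL="$3" PAM_MODULE="$4" PAM_OPT="$5" \
    awk "$PAM_AWK_PRELUDE"'
    BEGIN { type = ENVIRON["PAM_TYPE"]; control = ENVIRON["PAM_CONTROL"]
            module = ENVIRON["PAM_MODULE"]; opt = ENVIRON["PAM_OPT"] }
    {
        j = pam_line_matches(type, control, module)
        if (!j) next
        for (i = j + 1; i <= NF; i++)
            if (index($i, opt "=") == 1) { print substr($i, length(opt) + 2); exit }
        exit
    }' "$1"
}

# ensure_pam_module_option <pamFile> <type> <control> <module> <option> <valueRegex> <default>
# Rewrites the file in place. Returns 1 and leaves the file untouched when no
# "type control module" line exists: the position of a module in the stack
# matters, so that decision is left to the administrator instead of appending blindly.
ensure_pam_module_option() {
    epmo_tmp="$1.tmp.$$"
    if PAM_TYPE="$2" PAM_CONTROL="$3" PAM_MODULE="$4" PAM_OPT="$5" PAM_VRE="$6" PAM_DEF="$7" \
       awk "$PAM_AWK_PRELUDE"'
       BEGIN { type = ENVIRON["PAM_TYPE"]; control = ENVIRON["PAM_CONTROL"]
               module = ENVIRON["PAM_MODULE"]; opt = ENVIRON["PAM_OPT"]
               vre = "^(" ENVIRON["PAM_VRE"] ")$"; def = ENVIRON["PAM_DEF"] }
       {
           j = pam_line_matches(type, control, module)
           if (j) {
               found = 1; set = 0
               for (i = j + 1; i <= NF; i++)
                   if (index($i, opt "=") == 1) {
                       set = 1
                       # keep a value that satisfies the regex, otherwise force the default
                       if (substr($i, length(opt) + 2) !~ vre) $i = opt "=" def
                   }
               if (!set) $0 = $0 " " opt "=" def
           }
           print
       }
       END { if (!found) exit 1 }' "$1" > "$epmo_tmp"
    then
        cat "$epmo_tmp" > "$1" && rm -f "$epmo_tmp"   # cat keeps mode and owner of the original
        return 0
    fi
    rm -f "$epmo_tmp"
    printf 'no "%s %s %s" line in %s; add it at the right position in the stack\n' "$2" "$3" "$4" "$1" >&2
    return 1
}
```

Writing through a temporary file and `cat` back (rather than `mv`) keeps the original file's mode, owner and SELinux label, which matters for files under /etc/pam.d.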

TEMPLATE bash_shell_file_set

Set a parameter in a shell-style KEY=value configuration file

Parameters
  • path (str) – Path to file

  • parameter (str) – Parameter to set

  • value (str) – Value to set

  • no_quotes (str) – Boolean, if true the value is not quoted. Default is false.

bash_shell_file_set(path, parameter, value, no_quotes=false)

TEMPLATE bash_perform_audit_rules_privileged_commands_remediation

Macro to perform remediation for ‘audit_rules_privileged_commands’ rule

Parameters
  • tool – tool used to load audit rules, either ‘auditctl’ or ‘augenrules’

  • min_auid – minimum login UID (auid) of the users whose use of privileged commands is audited

Example macro invocation(s):

bash_perform_audit_rules_privileged_commands_remediation("auditctl", "500")
bash_perform_audit_rules_privileged_commands_remediation("augenrules", "1000")

bash_perform_audit_rules_privileged_commands_remediation(tool, min_auid)

TEMPLATE bash_sshd_config_set

Set a parameter in /etc/ssh/sshd_config

Parameters
  • parameter (str) – Parameter to set

  • value (str) – The value to set

bash_sshd_config_set(parameter, value)

TEMPLATE bash_sshd_remediation

Set a parameter in /etc/ssh/sshd_config, taking drop-in files in /etc/ssh/sshd_config.d/ into account

Parameters
  • parameter (str) – Parameter to set

  • value (str) – The value to set

  • config_is_distributed (str) – If true, will also look in /etc/ssh/sshd_config.d

bash_sshd_remediation(parameter, value, config_is_distributed)
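The reason the distributed case needs separate handling is how sshd reads its configuration: the first value it sees for a keyword wins, and a stock /etc/ssh/sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in that sets the same keyword silently overrides whatever is written to the main file. As an added example (not the project's macro, which is generated from the template above), the POSIX shell functions below set a keyword in the main file, neutralise conflicting drop-in lines when asked to, and compute the value sshd would actually use so the result can be checked. Function names, the temporary directory used in place of /etc/ssh, and the simplifications (only `Keyword value` lines, no `Keyword=value` form, no interpretation of Match blocks) are assumptions of this example.

```sh
#!/bin/sh
# Added example (not the project's macro): set an sshd keyword so that it is
# the value sshd actually uses. sshd takes the FIRST value it reads for a
# keyword, and a stock /etc/ssh/sshd_config starts with
#   Include /etc/ssh/sshd_config.d/*.conf
# so a drop-in that sets the same keyword silently overrides the main file.
# Simplifications: only "Keyword value" lines (no "Keyword=value"), and Match
# blocks are not interpreted. Function names are hypothetical.

# sshd_effective_value <sshd_config> <keyword>
# Prints the value sshd would pick: first match wins, Include directives are
# expanded in place with files in sorted glob order. Returns 1 if the keyword is unset.
sshd_effective_value() {
    sev_want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
    while read -r sev_kw sev_val sev_rest || [ -n "$sev_kw" ]; do
        case "$sev_kw" in ''|'#'*) continue ;; esac
        sev_lc="$(printf '%s' "$sev_kw" | tr '[:upper:]' '[:lower:]')"   # keywords are case-insensitive
        if [ "$sev_lc" = "include" ]; then
            for sev_f in $sev_val $sev_rest; do      # unquoted on purpose: glob expansion
                [ -f "$sev_f" ] || continue
                if sev_found="$(sshd_effective_value "$sev_f" "$2")"; then
                    printf '%s\n' "$sev_found"
                    return 0
                fi
            done
        elif [ "$sev_lc" = "$sev_want" ]; then
            printf '%s\n' "$sev_val"
            return 0
        fi
    done < "$1"
    return 1
}

# _sshd_edit <file> <keyword> comment
# _sshd_edit <file> <keyword> set <value>
# comment: prefix every active "<keyword> ..." line with "# ".
# set:     replace the first active "<keyword> ..." line, drop later duplicates
#          (sshd would ignore them anyway), append the line if none existed.
_sshd_edit() {
    se_tmp="$1.tmp.$$"
    awk -v kw="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" \
        -v mode="$3" -v param="$2" -v value="$4" '
        NF > 0 && substr($1, 1, 1) != "#" && tolower($1) == kw {
            if (mode == "comment") { print "# " $0; next }
            if (!done) { print param " " value; done = 1 }
            next
        }
        { print }
        END { if (mode == "set" && !done) print param " " value }
    ' "$1" > "$se_tmp" && cat "$se_tmp" > "$1" && rm -f "$se_tmp"   # cat keeps mode and owner
}

# sshd_set_param <sshd_config> <keyword> <value> <config_is_distributed: true|false>
# With "true", conflicting lines in <dir of sshd_config>/sshd_config.d/*.conf are
# commented out first, so the value written to the main file is the effective one.
sshd_set_param() {
    ssp_dir="$(dirname "$1")/sshd_config.d"
    if [ "$4" = "true" ] && [ -d "$ssp_dir" ]; then
        for ssp_f in "$ssp_dir"/*.conf; do
            [ -f "$ssp_f" ] || continue
            _sshd_edit "$ssp_f" "$2" comment
        done
    fi
    _sshd_edit "$1" "$2" set "$3"
}
```

On a real host the equivalent check is `sshd -T | grep -i <keyword>`, which prints the effective value after all includes and defaults are applied; `sshd_effective_value` reproduces only the include and first-match rules so the behaviour can be exercised on a scratch copy.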

TEMPLATE bash_create_audit_remediation_unsuccessful_file_modification_detailed

Macro that copies the audit rules into a file. The purpose is to create exactly the same content in the file specified by filename argument as in https://github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules

Parameters
  • filename (str) – Name of the file to write the rules to, including the directory it is written to

bash_create_audit_remediation_unsuccessful_file_modification_detailed(filename)

TEMPLATE bash_auditd_config_set

Set parameter in /etc/audit/auditd.conf

Parameters
  • parameter (str) – Parameter to set

  • value (str) – The value to set

bash_auditd_config_set(parameter, value)

TEMPLATE bash_coredump_config_set

Set parameter in /etc/systemd/coredump.conf

Parameters
  • parameter (str) – Parameter to set

  • value (str) – The value to set

bash_coredump_config_set(parameter, value)

TEMPLATE bash_selinux_config_set

Set parameter in /etc/selinux/config

Parameters
  • parameter (str) – Parameter to set

  • value (str) – The value to set

bash_selinux_config_set(parameter, value)

TEMPLATE bash_fix_audit_watch_rule

Macro to fix an audit file system object watch rule for the given path:

  • if the rule exists, also verifies that the -p access bits match the requirements

  • if the rule doesn’t exist yet, appends the expected rule form to the audit rules file(s) in $files_to_inspect, which depend on the tool used to load audit rules

Parameters
  • tool – tool used to load audit rules, either ‘auditctl’ or ‘augenrules’

  • path – value of the -w audit rule argument

  • required_access_bits – value of the -p audit rule argument

  • key – value of the -k audit rule argument

Example macro invocation:

{{{ bash_fix_audit_watch_rule("auditctl", "/etc/localtime", "wa", "audit_time_rules") }}}

bash_fix_audit_watch_rule(tool, path, required_access_bits, key)
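As an added example (not the macro above, which renders to bash at build time), the POSIX shell functions below carry out the two cases the macro describes on one rules file: merge missing -p bits into an existing `-w <path>` rule while keeping its key, or append `-w <path> -p <bits> -k <key>` when no rule for the path exists, plus a check function for the result. Function names and the sample rules file are assumptions of this example; only `-w` style rules are inspected, and a rule without `-p` is treated as carrying no bits (an assumption, see auditctl(8) for the actual default). Loading the rules (`augenrules --load` or `auditctl -R`) is out of scope here.

```sh
#!/bin/sh
# Added example (not the project's macro): keep an audit file-watch rule
# ("-w <path> -p <bits> -k <key>") correct in one rules file. Only -w style
# rules are inspected; equivalent "-a ... -F path=" syscall rules are not.
# A -w rule without -p is treated as carrying no bits and gets them added
# (assumption; see auditctl(8) for the default). Function names are hypothetical.

# audit_watch_bits <rules_file> <path>
# Prints the -p bits of the first active "-w <path>" rule, or nothing.
audit_watch_bits() {
    awk -v path="$2" '
        NF > 0 && substr($1, 1, 1) != "#" {
            w = ""; p = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-w") w = $(i + 1)
                if ($i == "-p") p = $(i + 1)
            }
            if (w == path) { print p; exit }
        }' "$1"
}

# audit_watch_rule_ok <rules_file> <path> <required_bits>
# Returns 0 when a -w rule for <path> exists and covers every required bit.
audit_watch_rule_ok() {
    awro_have="$(audit_watch_bits "$1" "$2")"
    [ -n "$awro_have" ] || return 1
    awro_want="$3"
    while [ -n "$awro_want" ]; do
        awro_c="${awro_want%"${awro_want#?}"}"   # first character of the remaining bits
        awro_want="${awro_want#?}"
        case "$awro_have" in *"$awro_c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# fix_audit_watch_rule <rules_file> <path> <required_bits> <key>
# Existing rule: missing bits are merged into its -p argument, its key is kept.
# No rule: "-w <path> -p <bits> -k <key>" is appended.
fix_audit_watch_rule() {
    fawr_tmp="$1.tmp.$$"
    awk -v path="$2" -v bits="$3" -v key="$4" '
        function merge(have, want,   i, c) {
            for (i = 1; i <= length(want); i++) {
                c = substr(want, i, 1)
                if (index(have, c) == 0) have = have c
            }
            return have
        }
        NF > 0 && substr($1, 1, 1) != "#" {
            w = ""; pidx = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-w") w = $(i + 1)
                if ($i == "-p") pidx = i + 1
            }
            if (w == path) {
                found = 1
                if (pidx) $pidx = merge($pidx, bits)
                else $0 = $0 " -p " bits
            }
        }
        { print }
        END { if (!found) print "-w " path " -p " bits " -k " key }
    ' "$1" > "$fawr_tmp" && cat "$fawr_tmp" > "$1" && rm -f "$fawr_tmp"   # cat keeps mode and owner
}
```

Running `fix_audit_watch_rule` twice with the same arguments leaves the file unchanged, which is the property a remediation script run repeatedly by a compliance scanner needs. With augenrules the file would be one under /etc/audit/rules.d/, and the merged rule only takes effect after the rules are reloaded.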

TEMPLATE bash_package_install

Install a package

Uses the right command based on pkg_manager property defined in product.yml.

Parameters
  • package (str) – name of the package

bash_package_install(package)

TEMPLATE bash_package_remove

Remove a package

Uses the right command based on pkg_manager property defined in product.yml. When used in a test scenario, the macro will remove even protected packages.

Parameters
  • package (str) – name of the package

bash_package_remove(package)

TEMPLATE bash_perform_audit_adjtimex_settimeofday_stime_remediation

Macro to perform remediation for the ‘adjtimex’, ‘settimeofday’, and ‘stime’ audit system calls on RHEL, Fedora or OL systems. Remediation performed for both possible tools: ‘auditctl’ and ‘augenrules’.

Note: the ‘stime’ system call does not exist on 64-bit architectures (see the output of “$ ausyscall x86_64 stime”), therefore it is excluded from the list of time-group system calls to be audited on this architecture

Example macro invocation:

{{{ bash_perform_audit_adjtimex_settimeofday_stime_remediation() }}}

bash_perform_audit_adjtimex_settimeofday_stime_remediation()

TEMPLATE bash_disable_prelink

Disable prelinking via /etc/sysconfig/prelink

bash_disable_prelink()

TEMPLATE bash_dconf_settings

Macro to configure DConf settings for RHEL and Fedora systems.

Existing setting files matching ibus or distro are ignored.

bash_dconf_settings(path, key, value, db, setting_file)

TEMPLATE bash_dconf_lock

Macro to configure DConf locks for RHEL and Fedora systems.

bash_dconf_lock(key, setting, db, lock_file)

TEMPLATE bash_service_command

Macro to enable or disable a particular service.

Examples:

bash_service_command("enable", "bluetooth")
bash_service_command("disable", "bluetooth.service")
bash_service_command("disable", "rsh.socket", xinetd="rsh")

Parameters
  • service_state – Desired state of the service

  • service – The service to change

  • xinetd – Name of the corresponding xinetd service to change as well, e.g. rsh. Defaults to empty string.

bash_service_command(service_state, service, xinetd="")

TEMPLATE bash_firefox_js_setting

Function to replace a configuration setting in a Firefox JavaScript preferences file (e.g. local-settings.js) or add the preference if it does not exist. Pass value for a bare value such as an integer, or quoted_value for a string value.

Example Calls:

With a fixed integer value:

bash_firefox_js_setting("local-settings.js", "general.config.obscure_value", "0")

With a fixed string value:

bash_firefox_js_setting("local-settings.js", "general.config.filename", quoted_value="mozilla.cfg")

With a string variable:

bash_firefox_js_setting("local-settings.js", "general.config.filename", quoted_value="$var_config_file_name")

Parameters
  • config_file – Configuration file that will be modified

  • key – Configuration option to change

  • value – Value of the configuration option to change, written as-is (unquoted)

  • quoted_value – Value of the configuration option to change, written as a quoted string

  • sed_separator – Delimiter character used in the generated sed expression; change it if key or value contains “/”. Defaults to “/”.

bash_firefox_js_setting(config_file, key, value="", quoted_value="", sed_separator="/")

TEMPLATE bash_firefox_cfg_setting

Function to replace configuration setting(s) in the Firefox preferences configuration (.cfg) file or add the preference if it does not exist.

Example Call(s):

Without string or variable:

bash_firefox_cfg_setting("mozilla.cfg", "extensions.update.enabled", value="false")

With string:

bash_firefox_cfg_setting("mozilla.cfg", "security.default_personal_cert", quoted_value="Ask Every Time")

With a string variable:

bash_firefox_cfg_setting("mozilla.cfg", "browser.startup.homepage", quoted_value="${var_default_home_page}")

Parameters
  • config_file – Configuration file that will be modified

  • key – Configuration option to change

  • value – Value of the configuration option to change, written as-is (unquoted)

  • quoted_value – Value of the configuration option to change, written as a quoted string

  • sed_separator – Delimiter character used in the generated sed expression; change it if key or value contains “/”. Defaults to “/”.

bash_firefox_cfg_setting(config_file, key, value="", quoted_value="", sed_separator="/")

TEMPLATE bash_ensure_there_are_servers_in_ntp_compatible_config_file

Macro to ensure that the ntp/chrony config file contains valid server entries.

Parameters
  • config_file – Path to the ntp/chrony config file

  • servers_list – Comma-separated list of servers

bash_ensure_there_are_servers_in_ntp_compatible_config_file(config_file, servers_list)

TEMPLATE bash_set_faillock_option

Sets PAM faillock module options and values. It also adds pam_faillock.so as a required module in the account stack.

Parameters
  • option – faillock option eg. deny, unlock_time

  • value – value of option

bash_set_faillock_option(option, value)

TEMPLATE die

Print a message to stderr and exit the shell

Parameters
  • message – The message to print.

  • rc – The error code (optional, default is 1)

  • action – What to do (optional, default is ‘exit’, can be also ‘return’ or anything else)

die(message, rc=1, action=”exit”)

TEMPLATE set_config_file

Add an entry to a text configuration file

Parameters
  • path – path of the configuration file

  • parameter – the parameter to be set in the configuration file

  • value – the value of the parameter to be set in the configuration file

  • create – whether to create the file specified by path if it does not exist

  • insert_after – inserts the entry right after first line that matches regular expression specified by this argument, set to EOF to insert at the end of the file

  • insert_before – inserts the entry right before first line that matches regular expression specified by this argument, set to BOF to insert at the beginning of the file

  • insensitive – ignore case

  • separator – separates parameter from the value (literal)

  • separator_regex – regular expression that describes the separator and surrounding whitespace

  • prefix_regex – regular expression describing allowed leading characters at each line

  • sed_path_separator – character used as the delimiter in the generated sed expression (literal)

set_config_file(path, parameter, value, create, insert_after, insert_before, insensitive=true, separator=" ", separator_regex="\s+", prefix_regex="^\s*", sed_path_separator="/")

TEMPLATE bash_file_contents

Generates bash script code that puts ‘contents’ into a file at ‘filepath’

Parameters
  • filepath – Path of the file to write

  • contents – Contents that should be in the file

bash_file_contents(filepath=’’, contents=’’)

TEMPLATE bash_deregexify_banner_anchors

Strips anchors regex around the banner text

bash_deregexify_banner_anchors(banner_var_name)

TEMPLATE bash_deregexify_multiple_banners

Strips multibanner regex and keeps only the first banner

bash_deregexify_multiple_banners(banner_var_name)

TEMPLATE bash_deregexify_banner_space

Strips whitespace or newline regex

bash_deregexify_banner_space(banner_var_name)

TEMPLATE bash_deregexify_banner_newline

Strips newline or newline escape sequence regex

bash_deregexify_banner_newline(banner_var_name, newline)

TEMPLATE bash_deregexify_banner_newline_token

Strips newline token for a newline escape sequence regex

bash_deregexify_banner_newline_token(banner_var_name)

TEMPLATE bash_deregexify_banner_backslash

Strips backslash regex

bash_deregexify_banner_backslash(banner_var_name)

TEMPLATE bash_package_installed

Check whether or not a package is installed.

bash_package_installed(pkgname)

TEMPLATE set_cce_value

Set rule CCE value

This macro gets the var cce_identifiers from the environment created by the build scripts. The cce_identifiers is a dictionary that contains either the ‘cce’:’CCENUM’ record for the product this remediation is being built for, or it is empty.

set_cce_value()

TEMPLATE bash_replace_or_append

Macro to replace configuration setting in config file or add the configuration setting if it does not exist.

Example Calls:

With default format of ‘key = value’:

{{{ bash_replace_or_append('/etc/sysctl.conf', '^kernel.randomize_va_space', '2') }}}

With custom key/value format:

{{{ bash_replace_or_append('/etc/sysconfig/selinux', '^SELINUX=', 'disabled', '%s=%s') }}}

With a variable:

{{{ bash_replace_or_append('/etc/sysconfig/selinux', '^SELINUX=', "$var_selinux_state", '%s=%s') }}}
Parameters
  • config_file – Configuration file that will be modified

  • key – Configuration option to change

  • value – Value of the configuration option to change

  • format – Optional argument, the printf-like format string that will be given the stripped key and value as arguments, so e.g. `%s=%s` will result in key=value substitution (i.e. without spaces around =)

bash_replace_or_append(config_file, key, value, format=’%s = %s’)
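The same replace-or-append idea underlies set_config_file above. As an added example (not the project's macro, which is generated from the template), the POSIX shell function below implements it with the regex key and printf-style format of bash_replace_or_append, together with a helper that reads the effective value back. How the literal key is derived from the key regex (leading `^` and trailing `=` or `$` stripped) is modelled on the example calls above and is an assumption, as are the function names and the sample files. The point a practitioner should take from it: in files where the last occurrence wins, as in sysctl.conf, a stale later line silently undoes the fix, so later matches are commented out rather than left in place.

```sh
#!/bin/sh
# Added example (not the project's macro): replace-or-append for "key = value"
# style files, with the printf-style format and regex key of bash_replace_or_append.
# The key regex is stripped of a leading "^" and trailing "=" or "$" to form the
# literal key written to the file (assumption modelled on the examples above).
# For files where the LAST occurrence wins (sysctl.conf is one), a stale later
# line would silently undo the fix, so later matches are commented out.
# Function names are hypothetical. Anchor the key regex with "^" so that
# commented-out lines are not matched.

# replace_or_append <config_file> <key_regex> <value> [<format>]
replace_or_append() {
    roa_fmt="${4:-%s = %s}"
    roa_key="$(printf '%s' "$2" | sed 's/^\^//; s/[$=]*$//')"
    # the format argument is deliberately used as printf's format string
    roa_line="$(printf "$roa_fmt" "$roa_key" "$3")"
    roa_tmp="$1.tmp.$$"
    # ENVIRON rather than -v, so backslashes in the regex reach awk untouched
    ROA_RE="$2" ROA_LINE="$roa_line" awk '
        BEGIN { re = ENVIRON["ROA_RE"]; line = ENVIRON["ROA_LINE"] }
        $0 ~ re {
            if (!done) { print line; done = 1 } else print "# " $0
            next
        }
        { print }
        END { if (!done) print line }
    ' "$1" > "$roa_tmp" && cat "$roa_tmp" > "$1" && rm -f "$roa_tmp"   # cat keeps mode and owner
}

# config_value <config_file> <key_regex>
# Prints the value of the LAST line matching the key regex (sysctl semantics):
# whatever follows the first "=", with surrounding blanks removed.
config_value() {
    CV_RE="$2" awk '
        BEGIN { re = ENVIRON["CV_RE"] }
        $0 ~ re { v = $0 }
        END { if (v != "") { sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v } }
    ' "$1"
}
```

For sysctl settings the edit alone changes nothing at runtime; the value is applied at boot or by `sysctl -p`, and `sysctl -n <key>` is the check that the running kernel agrees with the file.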

TEMPLATE bash_ensure_mount_option_for_vfstype

To see how the arguments correspond to an /etc/fstab entry, see the bash_ensure_mount_option_in_fstab documentation

Parameters
  • vfstype – type of filesystem

  • mount_opt – mount point option which we are checking

  • fs_spec – identification of the filesystem to be mounted (LABEL, UUID, device name etc.)

  • type – mount type of new mount point (used when adding new entry in fstab)

bash_ensure_mount_option_for_vfstype(vfstype, mount_opt, filesystem, type)

TEMPLATE bash_ensure_mount_option_in_fstab

Ensures that the given mount point is in /etc/fstab with the given mount option.

If we look at an example invocation of this macro:

{{{ bash_ensure_mount_option_in_fstab("/home", "auto_da_alloc", "LABEL=t-home2", "ext4") }}}

The resulting /etc/fstab entry could look like this:

LABEL=t-home2   /home      ext4    defaults,auto_da_alloc      0  2

Parameters
  • mount_point – mount point

  • mount_opt – mount point option whose presence in /etc/fstab we are ensuring

  • fs_spec – identification of the filesystem to be mounted (LABEL, UUID, device name etc.)

  • type – mount type of mount point (used when adding new entry in fstab)

bash_ensure_mount_option_in_fstab(mount_point, mount_opt, fs_spec, type)
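As an added example (not the macro above, which renders to bash at build time), the POSIX shell functions below do the same on a copy of fstab: add the option to the existing entry for the mount point, or append an entry in the shape of the example above, and read the options field back for checking. The fields used for a new entry (`defaults,<opt> 0 2`), the function names and the sample fstab are assumptions of this example. It goes one step beyond the text: when adding `noexec`, `nosuid` or `nodev` it also drops a contradicting `exec`, `suid` or `dev` already in the list, since with mount options the later one wins and the hardening would otherwise be silently cancelled.

```sh
#!/bin/sh
# Added example (not the project's macro): make sure an /etc/fstab entry for a
# mount point carries a mount option, appending a new entry when the mount point
# has none. Fields of a new entry ("defaults,<opt> 0 2") follow the example
# entry in the text; that and the function names are assumptions of this example.

# fstab_mount_options <fstab> <mount_point>
# Prints the options field of the first active entry for <mount_point>.
fstab_mount_options() {
    awk -v mp="$2" 'NF >= 4 && substr($1, 1, 1) != "#" && $2 == mp { print $4; exit }' "$1"
}

# ensure_mount_option_in_fstab <fstab> <mount_point> <mount_opt> <fs_spec> <type>
ensure_mount_option_in_fstab() {
    emo_tmp="$1.tmp.$$"
    awk -v mp="$2" -v opt="$3" -v spec="$4" -v fstype="$5" '
        NF >= 4 && substr($1, 1, 1) != "#" && $2 == mp {
            found = 1
            # "noexec" contradicts "exec" and vice versa; the later option wins,
            # so the opposite of the requested option is removed from the list
            anti = (substr(opt, 1, 2) == "no") ? substr(opt, 3) : "no" opt
            n = split($4, opts, ","); has = 0; out = ""
            for (i = 1; i <= n; i++) {
                if (opts[i] == opt) has = 1
                if (opts[i] == anti) continue
                out = out (out == "" ? "" : ",") opts[i]
            }
            if (!has) out = out (out == "" ? "" : ",") opt
            # rewriting the field re-joins the line with single spaces, so only
            # touch it when something actually changed
            if (out != $4) $4 = out
        }
        { print }
        END { if (!found) print spec "\t" mp "\t" fstype "\tdefaults," opt "\t0 2" }
    ' "$1" > "$emo_tmp" && cat "$emo_tmp" > "$1" && rm -f "$emo_tmp"   # cat keeps mode and owner
}
```

Editing fstab changes nothing for a filesystem that is already mounted; that is what the remount in bash_ensure_partition_is_mounted below is for (`mount -o remount <mount_point>` on a real host), and `findmnt -no OPTIONS <mount_point>` shows the options actually in effect.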

TEMPLATE bash_assert_mount_point_in_fstab

Check whether mount_point is present in /etc/fstab; print an error to stderr and return 1 if not

bash_assert_mount_point_in_fstab(mount_point)

TEMPLATE bash_ensure_partition_is_mounted

Ensure that the partition is mounted at mount_point. If the partition is already mounted at mount_point, remount it to apply option changes.

bash_ensure_partition_is_mounted(mount_point)

TEMPLATE bash_fix_audit_syscall_rule

Based on example audit syscall rule definitions as outlined in /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit package. It will combine multiple system calls belonging to the same syscall group into one audit rule (rather than to create audit rule per different system call) to avoid audit infrastructure performance penalty in the case of ‘one-audit-rule-definition-per-one-system-call’. See:

for further details.

Notes:

  • The action_arch_filters, other_filters and auid_filters arguments are used to determine how many existing audit rules will be inspected for resemblance with the new audit rule the macro is going to add.

  • The macro’s similarity check uses the syscall and syscall_groupings arguments to optimize audit rule definitions (merge syscalls of the same group into one rule) to avoid the “single-syscall-per-audit-rule” performance penalty.

  • The key argument is not used when the syscall is grouped into an existing audit rule. The audit rule will retain the key it already had.

Parameters
  • audit_tool – tool used to load audit rules, either ‘auditctl’, or ‘augenrules’

  • action_arch_filters – The action and arch filters of the rule. For example, “-a always,exit -F arch=b64”

  • other_filters – Other filters that may characterize the rule. For example, “-F a2&03 -F path=/etc/passwd”

  • auid_filters – The auid filters of the rule. For example, “-F auid>=1000 -F auid!=unset”

  • syscall – The syscall to ensure presence among audit rules. For example, “chown”

  • syscall_groupings – Other syscalls that can be grouped with ‘syscall’ as a space separated list. For example, “fchown lchown fchownat”

  • key – The key to use when appending a new rule

bash_fix_audit_syscall_rule(tool, action_arch_filters, other_filters, auid_filters, syscall, syscall_groupings, key)

TEMPLATE grub2_bootloader_argument_remediation

Ensure that the kernel command-line argument ARG_NAME is set to ARG_NAME_VALUE in the grub2 bootloader configuration

grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE)