File: shared.xml

<def-group>
  <!--
    OVAL check: booting into single-user (rescue) mode must require a password.
    The definition holds when the sulogin helper is still what systemd's
    rescue.service runs as ExecStart, either because the distro-shipped unit
    file is intact and no drop-in replaces ExecStart, or because a drop-in
    itself invokes sulogin. Outside the RHEL/OL/Fedora family it additionally
    requires that rescue.service is pulled in by runlevel1.target and that
    neither unit has been replaced by a local copy under /etc/systemd/system.
    Templating ({{% %}} / {{{ }}}) is expanded at build time per product.
  -->
  <definition class="compliance" id="require_singleuser_auth" version="1">
    {{{ oval_metadata("The requirement for a password to boot into single-user mode
      should be configured correctly.") }}}
    <criteria operator="AND">
      <!-- (distro unit runs sulogin AND no drop-in overrides ExecStart) OR (a drop-in runs sulogin) -->
      <criteria operator="OR">
        <criteria operator="AND">
          <criterion comment="authentication for single user mode is configured in the file provided by distro"
          test_ref="test_require_rescue_service_distro" />
          <criterion comment="Execstart directive of rescue.service is not overridden"
          test_ref="test_rescue_service_not_overridden" />
        </criteria>
        <criterion comment="authentication for single user mode is configured in the override file"
        test_ref="test_require_rescue_service_override" />
      </criteria>
      <!-- The guard below is narrower than the one that emits the runlevel1/custom-copy tests
           (which excludes only ol8 and RHEL), so on Fedora, and presumably on other OL releases
           if 'ol' is in their families, those tests are rendered but never referenced. -->
      {{%- if 'ol' not in families  and 'rhel' not in product and "fedora" != product-%}}
      <criterion test_ref="test_require_rescue_service_runlevel1" />
      <!-- negate="true": the file_tests pass when a local copy EXISTS, so these
           criteria are satisfied only when no such copy is present. -->
      <criterion test_ref="test_no_custom_runlevel1_target" negate="true"/>
      <criterion test_ref="test_no_custom_rescue_service" negate="true"/>
      {{%- endif -%}}
    </criteria>
  </definition>

  <!-- Distro-shipped unit: its first ExecStart directive must match state_require_rescue_service. -->
  <ind:textfilecontent54_test check="all" check_existence="all_exist"
    comment="Tests that
    {{% if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}}
    /usr/lib/systemd/systemd-sulogin-shell
    {{%- else -%}}
    /sbin/sulogin
    {{%- endif %}}
    was not removed from the default systemd rescue.service to ensure that a
  password must be entered to access single user mode"
  id="test_require_rescue_service_distro" version="1">
    <ind:object object_ref="obj_require_rescue_service_distro" />
    <ind:state state_ref="state_require_rescue_service" />
  </ind:textfilecontent54_test>


  <!-- Capture group 1 = the command of the first ExecStart line in the vendor unit file.
       "\s?" tolerates spaces around "=", and "\-?" skips an optional leading "-" prefix so
       that only the command itself is captured and compared. -->
  <ind:textfilecontent54_object id="obj_require_rescue_service_distro" version="1">
    <ind:filepath>/usr/lib/systemd/system/rescue.service</ind:filepath>

    <ind:pattern operation="pattern match">^ExecStart\s?=\s?\-?(.*)$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <!-- Drop-in override: a *.conf under rescue.service.d that replaces ExecStart must itself run sulogin. -->
  <ind:textfilecontent54_test check="all" check_existence="all_exist"
    comment="Tests that
    {{%- if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}}
    /usr/lib/systemd/systemd-sulogin-shell
    {{%- else -%}}
    /sbin/sulogin
    {{%- endif %}}
    is defined in /etc/systemd/system/rescue.service.d/*.conf"
  id="test_require_rescue_service_override" version="1">
    <ind:object object_ref="obj_require_rescue_service_override" />
    <ind:state state_ref="state_require_rescue_service" />
  </ind:textfilecontent54_test>

  <!-- singleline="true" lets "." span newlines, so the pattern matches a drop-in containing two
       ExecStart directives: the first followed by at least one whitespace character (typically the
       newline of an empty reset line) and then a second one whose command is capture group 1.
       Shared by test_require_rescue_service_override and test_rescue_service_not_overridden. -->
  <ind:textfilecontent54_object id="obj_require_rescue_service_override" version="1">
    <ind:behaviors singleline="true" multiline="false" />
    <ind:path>/etc/systemd/system/rescue.service.d</ind:path>
    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
    <ind:pattern operation="pattern match">^.*ExecStart\s?=\s+.*ExecStart\s?=\s?\-?(.*)$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  

  <!-- Expected ExecStart command, compared against capture group 1 of both objects above.
       Products in the guard use the systemd-sulogin-shell helper (the pattern is not anchored
       at the start, so a prefix before the path is accepted); all others expect sulogin run
       through "/bin/sh -c", followed by the systemctl call that returns to default.target. -->
  <ind:textfilecontent54_state id="state_require_rescue_service" version="1">
    {{%- if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}}
    <ind:subexpression datatype="string" operation="pattern match">.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue</ind:subexpression>
    {{%- else -%}}
    <ind:subexpression datatype="string" operation="pattern match">/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\"</ind:subexpression>
    {{%- endif -%}}
  </ind:textfilecontent54_state>

  <!-- Passes only when NO drop-in defines a replacement ExecStart (check_existence="none_exist"),
       i.e. the vendor unit's ExecStart is the effective one. -->
  <ind:textfilecontent54_test check="all" check_existence="none_exist"
    comment="Check that there is no override file for rescue.service with Execstart - directive"
    id="test_rescue_service_not_overridden" version="1">
    <ind:object object_ref="obj_require_rescue_service_override"/>
  </ind:textfilecontent54_test>


  <!-- Tests below are emitted for every product except ol8 and RHEL; the definition references
       them under a different guard (see the note inside the definition). -->
  {{%- if product not in ["ol8"] and 'rhel' not in product -%}}
  <!-- runlevel1.target must still pull in rescue.service (Requires= line in the vendor target). -->
  <ind:textfilecontent54_test check="all" check_existence="all_exist"
    comment="Tests that the systemd rescue.service is in the runlevel1.target"
    id="test_require_rescue_service_runlevel1" version="1">
    <ind:object object_ref="obj_require_rescue_service_runlevel1" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="obj_require_rescue_service_runlevel1" version="1">
    <ind:filepath>/usr/lib/systemd/system/runlevel1.target</ind:filepath>
    <ind:pattern operation="pattern match">^Requires=.*rescue\.service</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <!-- True when a file named rescue.service exists anywhere below /etc/systemd/system
       (recursion goes down into subdirectories across all file systems); the definition
       negates it, treating such a file as a local copy that shadows the vendor unit.
       NOTE(review): the "." in the filename pattern is unescaped, unlike the runlevel1
       pattern above; ^rescue\.service$ would match only the exact name. Because the search
       recurses, a same-named entry in a subdirectory (e.g. a *.wants directory) would also
       count as a custom copy; confirm that is intended. -->
  <unix:file_test check="all" check_existence="at_least_one_exists"
  comment="look for rescue.service in /etc/systemd/system"
  id="test_no_custom_rescue_service" version="1">
    <unix:object object_ref="object_no_custom_rescue_service" />
  </unix:file_test>
  <unix:file_object comment="look for rescue.service in /etc/systemd/system"
  id="object_no_custom_rescue_service" version="1">
    <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all" />
    <unix:path operation="equals">/etc/systemd/system</unix:path>
    <unix:filename operation="pattern match">^rescue.service$</unix:filename>
  </unix:file_object>

  <!-- Same shape as above for runlevel1.target; negated in the definition.
       NOTE(review): same unescaped "." in the filename pattern (^runlevel1\.target$ would be exact). -->
  <unix:file_test check="all" check_existence="at_least_one_exists"
  comment="look for runlevel1.target in /etc/systemd/system"
  id="test_no_custom_runlevel1_target" version="1">
    <unix:object object_ref="object_no_custom_runlevel1_target" />
  </unix:file_test>
  <unix:file_object comment="look for runlevel1.target in /etc/systemd/system"
  id="object_no_custom_runlevel1_target" version="1">
    <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all" />
    <unix:path operation="equals">/etc/systemd/system</unix:path>
    <unix:filename operation="pattern match">^runlevel1.target$</unix:filename>
  </unix:file_object>
  {{%- endif -%}}
</def-group>