File: sce-bash.template

package info (click to toggle)
scap-security-guide 0.1.76-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 110,644 kB
  • sloc: xml: 241,883; sh: 73,777; python: 32,527; makefile: 27
file content (102 lines) | stat: -rw-r--r-- 3,133 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
 
#!/usr/bin/env bash
# environment = bootc
# check-import = stdout
{{% if SYSCTLVAL == "" %}}
# check-export = sysctl_{{{ SYSCTLID }}}_value=sysctl_{{{ SYSCTLID }}}_value
{{% endif %}}

{{% if product in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204", "ubuntu2404"] %}}
FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf")
{{% else %}}
FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/lib/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf")
{{% endif %}}
FILES_MANAGED_BY_PACKAGES=("/usr/lib/sysctl.d/*.conf")

function pass_if_set_correctly()
{
    local filelist="$1"
    local regex="$2"
    local expected_value="$3"
    local found=0
    for files in $filelist ; do
        [[ -e "$files" ]] || continue
        found_value=$(grep -P "$regex" $files | sed -E "s/$regex/\1/")
        if [[ -n "$found_value" ]] ; then
            if [[ "$found_value" == "$expected_value" ]] ; then
                found=1
            else
                return 1
            fi
        fi
    done
    if [[ $found == 1 ]] ; then
        return 0
    fi
    return 1
}

function pass_if_missing()
{
    local filelist="$1"
    local regex="$2"
    for files in $filelist ; do
        [[ -e "$files" ]] || continue
        if grep -P "$regex"  $files ; then
            return 1
        fi
    done
    return 0
}

function check_sysctl_configuration()
{
    local sysctlvar="$1"
    local expected_value="$2"

    regex="^\s*$sysctlvar\s*=\s*(.*)\s*"

    # kernel static parameter $sysctlvar set to $sysctlvar in sysctl files not managed by packages
    pass_if_set_correctly "${FILES_NOT_MANAGED_BY_PACKAGES[*]}" "$regex" "$expected_value"
    set_correctly_in_not_managed="$?"

    # kernel static parameter $sysctlvar missing in sysctl files not managed by packages
    pass_if_missing "${FILES_NOT_MANAGED_BY_PACKAGES[*]}" "$regex"
    missing_in_not_managed="$?"

    # kernel static parameter $sysctlvar set to $sysctlval in sysctl files managed by packages
    pass_if_set_correctly "${FILES_MANAGED_BY_PACKAGES[*]}" "$regex" "$expected_value"
    set_correctly_in_managed="$?"

    if [[ "$set_correctly_in_not_managed" == 0 || ( "$missing_in_not_managed" == 0 && "$set_correctly_in_managed" == 0 ) ]] ; then
        return 0
    fi
    return 1
}

{{% if IPV6 == "true" -%}}
# pass if IPv6 is disabled
check_sysctl_configuration "net.ipv6.conf.all.disable_ipv6" "1"
if [[ $? == 0 ]] ; then
    exit $XCCDF_RESULT_PASS
fi
{{% endif %}}

{{% if SYSCTLVAL is string %}}
{{% if SYSCTLVAL == "" -%}}
expected_value="$XCCDF_VALUE_sysctl_{{{ SYSCTLID }}}_value"
{{%- else -%}}
expected_value="{{{ SYSCTLVAL }}}"
{{%- endif %}}
check_sysctl_configuration "{{{ SYSCTLVAR }}}" "$expected_value"
if [[ $? == 0 ]] ; then
    exit $XCCDF_RESULT_PASS
fi
{{% elif SYSCTLVAL is sequence %}}
{{% for x in SYSCTLVAL %}}
check_sysctl_configuration "{{{ SYSCTLVAR }}}" "{{{ x }}}"
if [[ $? == 0 ]] ; then
    exit $XCCDF_RESULT_PASS
fi
{{% endfor %}}
{{% endif %}}
exit $XCCDF_RESULT_FAIL