Fix architecture applicability
Architecture applicability conditionals were checking only
/proc/sys/kernel/osrelease, which doesn't contain the
architecture on Ubuntu.

Added /proc/sys/kernel/arch to the checks and refactored
the OVALs to a Jinja macro.
mpurg committed Jan 10, 2025
1 parent 2ff8dcb commit 8275358
Showing 11 changed files with 46 additions and 138 deletions.
2 changes: 1 addition & 1 deletion shared/applicability/aarch64_arch.yml
@@ -1,5 +1,5 @@
name: cpe:/a:aarch64_arch
title: System architecture is AARCH64
check_id: proc_sys_kernel_osrelease_arch_aarch64
bash_conditional: 'grep -q aarch64 /proc/sys/kernel/osrelease'
bash_conditional: 'grep -q aarch64 /proc/sys/kernel/{osrelease,arch}'
ansible_conditional: 'ansible_architecture == "aarch64"'
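Review bot: The new `bash_conditional` still has the gap the commit describes whenever `/proc/sys/kernel/arch` is absent, which is presumably the case on kernels that predate that sysctl: `grep -q` then sees only osrelease, and on an Ubuntu-style osrelease without an arch suffix it exits non-zero, so this conditional is false and the negated ones in not_aarch64_arch.yml and not_s390x_arch.yml become true on exactly the hosts they should exclude. The same applies to ppc64le_arch.yml, s390x_arch.yml and x86_64_arch.yml. The `{osrelease,arch}` form also relies on bash brace expansion; if this string is ever evaluated by a plain POSIX sh, grep receives the literal path `/proc/sys/kernel/{osrelease,arch}` and fails for every architecture. Spelling both paths out and silencing the missing-file error keeps the intent and avoids both issues: `bash_conditional: 'grep -qs aarch64 /proc/sys/kernel/osrelease /proc/sys/kernel/arch'`. Note the bash side matches the architecture string anywhere in osrelease while the OVAL side anchors on a `.aarch64` suffix, so the two evaluations can disagree on unusual kernel release strings.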
2 changes: 1 addition & 1 deletion shared/applicability/not_aarch64_arch.yml
@@ -1,5 +1,5 @@
name: cpe:/a:not_aarch64_arch
title: System architecture is not AARCH64
check_id: proc_sys_kernel_osrelease_arch_not_aarch64
bash_conditional: '! grep -q aarch64 /proc/sys/kernel/osrelease'
bash_conditional: '! grep -q aarch64 /proc/sys/kernel/{osrelease,arch}'
ansible_conditional: 'ansible_architecture != "aarch64"'
2 changes: 1 addition & 1 deletion shared/applicability/not_s390x_arch.yml
@@ -1,5 +1,5 @@
name: cpe:/a:not_s390x_arch
title: System architecture is not S390X
check_id: proc_sys_kernel_osrelease_arch_not_s390x
bash_conditional: '! grep -q s390x /proc/sys/kernel/osrelease'
bash_conditional: '! grep -q s390x /proc/sys/kernel/{osrelease,arch}'
ansible_conditional: 'ansible_architecture != "s390x"'
@@ -1,33 +1 @@
<def-group>
<definition class="inventory" id="proc_sys_kernel_osrelease_arch_aarch64"
version="1">
<metadata>
<title>Test that the architecture is aarch64</title>
<affected family="unix">
<platform>multi_platform_all</platform>
</affected>
<description>Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64</description>
</metadata>
<criteria>
<criterion comment="Architecture is aarch64"
test_ref="test_proc_sys_kernel_osrelease_arch_aarch64" />
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="proc_sys_kernel is for aarch64 architecture"
id="test_proc_sys_kernel_osrelease_arch_aarch64"
version="1">
<ind:object object_ref="object_proc_sys_kernel_osrelease_arch_aarch64" />
<ind:state state_ref="state_proc_sys_kernel_osrelease_arch_aarch64" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_aarch64" version="1">
<ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
<ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_aarch64" version="1">
<ind:subexpression datatype="string" operation="pattern match">^aarch64$</ind:subexpression>
</ind:textfilecontent54_state>
</def-group>
{{{ oval_check_proc_sys_kernel_osrelease_arch("aarch64") }}}
@@ -1,33 +1 @@
<def-group>
<definition class="inventory" id="proc_sys_kernel_osrelease_arch_ppc64le"
version="1">
<metadata>
<title>Test that the architecture is ppc64le</title>
<affected family="unix">
<platform>multi_platform_all</platform>
</affected>
<description>Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le</description>
</metadata>
<criteria>
<criterion comment="Architecture is ppc64le"
test_ref="test_proc_sys_kernel_osrelease_arch_ppc64le" />
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="proc_sys_kernel is for ppc64le architecture"
id="test_proc_sys_kernel_osrelease_arch_ppc64le"
version="1">
<ind:object object_ref="object_proc_sys_kernel_osrelease_arch_ppc64le" />
<ind:state state_ref="state_proc_sys_kernel_osrelease_arch_ppc64le" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_ppc64le" version="1">
<ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
<ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_ppc64le" version="1">
<ind:subexpression datatype="string" operation="pattern match">^ppc64le$</ind:subexpression>
</ind:textfilecontent54_state>
</def-group>
{{{ oval_check_proc_sys_kernel_osrelease_arch("ppc64le") }}}
@@ -1,33 +1 @@
<def-group>
<definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
version="1">
<metadata>
<title>Test that the architecture is s390x</title>
<affected family="unix">
<platform>multi_platform_all</platform>
</affected>
<description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</description>
</metadata>
<criteria>
<criterion comment="Architecture is s390x"
test_ref="test_proc_sys_kernel_osrelease_arch_s390x" />
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="proc_sys_kernel is for s390x architecture"
id="test_proc_sys_kernel_osrelease_arch_s390x"
version="1">
<ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
<ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
<ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
<ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
<ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
</ind:textfilecontent54_state>
</def-group>
{{{ oval_check_proc_sys_kernel_osrelease_arch("s390x") }}}
@@ -1,33 +1 @@
<def-group>
<definition class="inventory" id="proc_sys_kernel_osrelease_arch_x86_64"
version="1">
<metadata>
<title>Test that the architecture is x86_64</title>
<affected family="unix">
<platform>multi_platform_all</platform>
</affected>
<description>Check that architecture of kernel in /proc/sys/kernel/osrelease is x86_64</description>
</metadata>
<criteria>
<criterion comment="Architecture is x86_64"
test_ref="test_proc_sys_kernel_osrelease_arch_x86_64" />
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="proc_sys_kernel is for x86_64 architecture"
id="test_proc_sys_kernel_osrelease_arch_x86_64"
version="1">
<ind:object object_ref="object_proc_sys_kernel_osrelease_arch_x86_64" />
<ind:state state_ref="state_proc_sys_kernel_osrelease_arch_x86_64" />
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_x86_64" version="1">
<ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
<ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_x86_64" version="1">
<ind:subexpression datatype="string" operation="pattern match">^x86_64$</ind:subexpression>
</ind:textfilecontent54_state>
</def-group>
{{{ oval_check_proc_sys_kernel_osrelease_arch("x86_64") }}}
2 changes: 1 addition & 1 deletion shared/applicability/ppc64le_arch.yml
@@ -1,5 +1,5 @@
name: "cpe:/a:ppc64le_arch"
title: "System architecture is ppc64le"
check_id: proc_sys_kernel_osrelease_arch_ppc64le
bash_conditional: 'grep -q ppc64le /proc/sys/kernel/osrelease'
bash_conditional: 'grep -q ppc64le /proc/sys/kernel/{osrelease,arch}'
ansible_conditional: 'ansible_architecture == "ppc64le"'
2 changes: 1 addition & 1 deletion shared/applicability/s390x_arch.yml
@@ -1,5 +1,5 @@
name: cpe:/a:s390x_arch
title: System architecture is S390X
check_id: proc_sys_kernel_osrelease_arch_s390x
bash_conditional: 'grep -q s390x /proc/sys/kernel/osrelease'
bash_conditional: 'grep -q s390x /proc/sys/kernel/{osrelease,arch}'
ansible_conditional: 'ansible_architecture == "s390x"'
2 changes: 1 addition & 1 deletion shared/applicability/x86_64_arch.yml
@@ -1,5 +1,5 @@
name: cpe:/a:x86_64_arch
title: System architecture is x86_64
check_id: proc_sys_kernel_osrelease_arch_x86_64
bash_conditional: 'grep -q x86_64 /proc/sys/kernel/osrelease'
bash_conditional: 'grep -q x86_64 /proc/sys/kernel/{osrelease,arch}'
ansible_conditional: 'ansible_architecture == "x86_64"'
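--- a/shared/macros/10-oval.jinja
+++ b/shared/macros/10-oval.jinja
@@ -1702,3 +1702,39 @@ Generates an OVAL check that checks a particular field in the "/etc/shadow" file
 {{%- endif %}}
 {{%- endif %}}
 {{%- endmacro -%}}
+
+{{#
+Macro for checking the machine architecture type via uname machine_class
+
+:param arch: Machine architecture (x86_64, aarch64, s90x, ppc64le, ...)
+#}}
+{{%- macro oval_check_proc_sys_kernel_osrelease_arch(arch) -%}}
+<def-group>
+<definition class="inventory" id="proc_sys_kernel_osrelease_arch_{{{ arch }}}"
+version="1">
+<metadata>
+<title>Test that the architecture is {{{ arch }}}</title>
+<affected family="unix">
+<platform>multi_platform_all</platform>
+</affected>
+<description>Check that architecture of kernel in /proc/sys/kernel is {{{ arch }}}</description>
+</metadata>
+<criteria>
+<criterion comment="Architecture is {{{ arch }}}"
+test_ref="test_proc_sys_kernel_osrelease_arch_{{{ arch }}}" />
+</criteria>
+</definition>
+<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+comment="proc_sys_kernel is for {{{ arch }}} architecture"
+id="test_proc_sys_kernel_osrelease_arch_{{{ arch }}}" version="1">
+<ind:object object_ref="object_proc_sys_kernel_osrelease_arch_{{{ arch }}}" />
+</ind:textfilecontent54_test>
+
+<ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_{{{ arch }}}" version="1">
+<ind:filepath operation="pattern match">/proc/sys/kernel/(osrelease|arch)</ind:filepath>
+<ind:pattern operation="pattern match">^.*\.{{{ arch }}}$|^{{{ arch }}}$</ind:pattern>
+<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+</ind:textfilecontent54_object>
+
+</def-group>
+{{%- endmacro -%}}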
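Review bot: The macro docstring does not describe what the macro does: it says the architecture is checked "via uname machine_class", but the generated OVAL is a textfilecontent54 object over `/proc/sys/kernel/(osrelease|arch)` and never calls uname, and the parameter list misspells s390x as "s90x". I would replace the header with `Macro generating an OVAL inventory definition that checks the machine architecture by matching /proc/sys/kernel/osrelease (".<arch>" suffix) or /proc/sys/kernel/arch (exact value)` and `:param arch: Machine architecture (x86_64, aarch64, s390x, ppc64le, ...)`. Worth stating in that docstring as well that, with `check_existence="at_least_one_exists"` and no state, the definition is true when either file matches and false when neither exists or matches, so on a kernel that lacks `/proc/sys/kernel/arch` and has an osrelease without an arch suffix every architecture definition evaluates false. The macro and the ids it emits keep `osrelease` in their names although the check now also covers `arch`; since the `check_id` values in the applicability YAML reference those ids, renaming is not possible in this commit, so a one-line comment noting the historical name would help the next reader.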
