Macro clean-up #11948

66 changes: 31 additions & 35 deletions shared/macros/10-oval.jinja
Expand Up @@ -1561,83 +1561,83 @@ Generates an OVAL check that checks a particular field in the "/etc/shadow" file
{{%- endmacro %}}

{{#
Macro to define service disabled criteria. The definition vary from socket to configuration
depending on the oval version
Macro to define service disabled criteria. The definition varies regarding socket configuration
depending on the oval version. These definitions are used together with the tests defined in
oval_test_service_disabled_tests macro.

:param name: Name of the service to be checked
#}}
{{%- macro oval_test_service_disabled_criteria(name='') -%}}
{{% if init_system == "systemd" %}}
{{% if target_oval_version >= [5, 11] %}}

{{%- if init_system == "systemd" %}}
{{%- if target_oval_version >= [5, 11] %}}
{{# we are using systemd and our target OVAL version does support the systemd related tests #}}

<criteria operator="AND" comment="service {{{ name }}} is not configured to start">
<criterion comment="{{{ name }}} is not running"
test_ref="test_service_not_running_{{{ rule_id }}}_{{{ name }}}" />
<criterion comment="Property LoadState of service {{{ name }}} is masked"
test_ref="test_service_loadstate_is_masked_{{{ rule_id }}}_{{{ name }}}" />
<criterion test_ref="test_service_not_running_{{{ rule_id }}}_{{{ name }}}"
comment="{{{ name }}} is not running"/>
<criterion test_ref="test_service_loadstate_is_masked_{{{ rule_id }}}_{{{ name }}}"
comment="Property LoadState of service {{{ name }}} is masked"/>
</criteria>
{{% else %}}

{{%- else %}}
{{# fallback if we are using systemd but can't use the new systemd features of OVAL 5.11 #}}

<criteria operator="AND" comment="service and socket {{{ name }}} are disabled">
<criterion comment="{{{ name }}} disabled in multi-user.target"
test_ref="test_{{{ rule_id }}}_{{{ name }}}_disabled_multi_user_target" />
<criterion comment="{{{ name }}} socket disabled in sockets.target"
test_ref="test_{{{ rule_id }}}_{{{ name }}}_socket_disabled_sockets_target" />
<criterion test_ref="test_{{{ rule_id }}}_{{{ name }}}_disabled_multi_user_target"
comment="{{{ name }}} disabled in multi-user.target"/>
<criterion test_ref="test_{{{ rule_id }}}_{{{ name }}}_disabled_sockets_target"
comment="{{{ name }}} socket disabled in sockets.target"/>
</criteria>
{{% endif %}}

{{%- endif %}}
{{% endif %}}

{{%- endmacro -%}}

{{#
Macro to define service disabled tests. The definition vary from oval unit definition,
to check configuration unit file, depending on the oval version.
Macro to define service disabled tests. The tests varies depending on the oval version. These
tests are used together with the definitions defined in oval_test_service_disabled_criteria
macro.

:param name: Name of the service to be checked
#}}
{{%- macro oval_test_service_disabled_tests(name='') -%}}
{{% if init_system == "systemd" %}}
{{% if target_oval_version >= [5, 11] %}}

{{%- if init_system == "systemd" %}}
{{%- if target_oval_version >= [5, 11] %}}
{{# we are using systemd and our target OVAL version does support the systemd related tests #}}
<linux:systemdunitproperty_test id="test_service_not_running_{{{ rule_id }}}_{{{ name }}}"
check="all" check_existence="any_exist"
comment="Test that the {{{ name }}} service is not running" version="1">
<linux:object object_ref="obj_service_not_running_{{{ rule_id }}}_{{{ name }}}"/>
<linux:state state_ref="state_service_not_running_{{{ rule_id }}}_{{{ name }}}"/>
</linux:systemdunitproperty_test>

<linux:systemdunitproperty_object id="obj_service_not_running_{{{ rule_id }}}_{{{ name }}}"
comment="Retrieve the ActiveState property of {{{ name }}}" version="1">
<linux:unit operation="pattern match">^{{{ name }}}\.(service|socket)$</linux:unit>
<linux:property>ActiveState</linux:property>
</linux:systemdunitproperty_object>

<linux:systemdunitproperty_state id="state_service_not_running_{{{ rule_id }}}_{{{ name }}}"
version="1" comment="{{{ name }}} is not running">
<linux:value operation="pattern match">inactive|failed</linux:value>
</linux:systemdunitproperty_state>

<linux:systemdunitproperty_test check="all" check_existence="any_exist"
id="test_service_loadstate_is_masked_{{{ rule_id }}}_{{{ name }}}"
comment="Test that the property LoadState from the service {{{ name }}} is masked"
version="1">
<linux:object object_ref="obj_service_loadstate_is_masked_{{{ rule_id }}}_{{{ name }}}"/>
<linux:state state_ref="state_service_loadstate_is_masked_{{{ rule_id }}}_{{{ name }}}"/>
</linux:systemdunitproperty_test>

<linux:systemdunitproperty_object comment="Retrieve the LoadState property of {{{ name }}}"
version="1" id="obj_service_loadstate_is_masked_{{{ rule_id }}}_{{{ name }}}">
<linux:unit operation="pattern match">^{{{ name }}}\.(service|socket)$</linux:unit>
<linux:property>LoadState</linux:property>
</linux:systemdunitproperty_object>

<linux:systemdunitproperty_state comment="LoadState is set to masked"
id="state_service_loadstate_is_masked_{{{ rule_id }}}_{{{ name }}}"
version="1">
<linux:value>masked</linux:value>
</linux:systemdunitproperty_state>

{{% else %}}

{{%- else %}}
{{# fallback if we are using systemd but can't use the new systemd features of OVAL 5.11 #}}
<unix:file_test check="all" check_existence="none_exist"
comment="look for {{{ name }}}.service in /etc/systemd/system/multi-user.target.wants"
Expand All @@ -1655,7 +1655,7 @@ Generates an OVAL check that checks a particular field in the "/etc/shadow" file

<unix:file_test check="all" check_existence="none_exist"
comment="look for {{{ name }}}.socket in /etc/systemd/system/sockets.target.wants"
id="test_{{{ rule_id }}}_{{{ name }}}_socket_disabled_sockets_target" version="1">
id="test_{{{ rule_id }}}_{{{ name }}}_disabled_sockets_target" version="1">
<unix:object object_ref="object_{{{ rule_id }}}_{{{ name }}}_socket_disabled_sockets_tgt"/>
</unix:file_test>

Expand All @@ -1669,10 +1669,6 @@ Generates an OVAL check that checks a particular field in the "/etc/shadow" file
<unix:file_state id="unit_{{{ rule_id }}}_{{{ name }}}_state_symlink" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>

{{% endif %}}

{{% endif %}}

{{%- endif %}}
{{%- endif %}}
{{%- endmacro -%}}
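Review bot: The socket test id is renamed from `test_{{{ rule_id }}}_{{{ name }}}_socket_disabled_sockets_target` to `test_{{{ rule_id }}}_{{{ name }}}_disabled_sockets_target` in both the criterion and the `unix:file_test`, but the object that test references keeps the old form `object_{{{ rule_id }}}_{{{ name }}}_socket_disabled_sockets_tgt`, so the test/object pair no longer follows one naming scheme; either keep `socket` in the test id or rename the object to match. Because the id is part of the generated OVAL content, any other macro or template that still builds the old id would now emit a dangling test_ref, which cannot be confirmed from this hunk alone and is worth checking outside this file. The updated macro docstring also reads `The tests varies depending on the oval version`; suggest `The tests vary depending on the OVAL version`.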

4 changes: 0 additions & 4 deletions shared/templates/platform_service_disabled/template.py
@@ -1,8 +1,4 @@
def preprocess(data, lang):
if "packagename" not in data:
data["packagename"] = data["servicename"]
if "daemonname" not in data:
data["daemonname"] = data["servicename"]
if "mask_service" not in data:
data["mask_service"] = "true"
return data