From 463926002a5495753d7e8845a86fbffd07efc11b Mon Sep 17 00:00:00 2001
From: Miha Purg
Date: Mon, 13 Jan 2025 13:32:00 +0100
Subject: [PATCH 1/2] Fix the bash conditional for checking system architecture

The previous conditional exited with RC=2 when either of the files were missing ('arch' is reported to be missing on older kernels). This resulted in:
- false positive when the check was negated
- error messages on stderr

The proposed change moves the conditional into a Jinja macro.
---
 shared/applicability/aarch64_arch.yml | 2 +-
 shared/applicability/not_aarch64_arch.yml | 2 +-
 shared/applicability/not_s390x_arch.yml | 2 +-
 shared/applicability/ppc64le_arch.yml | 2 +-
 shared/applicability/s390x_arch.yml | 2 +-
 shared/applicability/x86_64_arch.yml | 2 +-
 shared/macros/10-bash.jinja | 11 +++++++++++
 shared/macros/10-oval.jinja | 1 +
 8 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/shared/applicability/aarch64_arch.yml b/shared/applicability/aarch64_arch.yml
index 9880fcf6dae..7b8e7189922 100644
--- a/shared/applicability/aarch64_arch.yml
+++ b/shared/applicability/aarch64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:aarch64_arch
 title: System architecture is AARCH64
 check_id: proc_sys_kernel_osrelease_arch_aarch64
-bash_conditional: 'grep -q aarch64 /proc/sys/kernel/{osrelease,arch}'
+bash_conditional: {{{ bash_arch_conditional("aarch64") }}}
 ansible_conditional: 'ansible_architecture == "aarch64"'
diff --git a/shared/applicability/not_aarch64_arch.yml b/shared/applicability/not_aarch64_arch.yml
index 0c88bd9c0aa..dfe5eee9c57 100644
--- a/shared/applicability/not_aarch64_arch.yml
+++ b/shared/applicability/not_aarch64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:not_aarch64_arch
 title: System architecture is not AARCH64
 check_id: proc_sys_kernel_osrelease_arch_not_aarch64
-bash_conditional: '! grep -q aarch64 /proc/sys/kernel/{osrelease,arch}'
+bash_conditional: ! {{{ bash_arch_conditional("aarch64") }}}
 ansible_conditional: 'ansible_architecture != "aarch64"'
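Review bot: The replacement `bash_conditional: {{{ bash_arch_conditional("aarch64") }}}` leaves the rendered conditional as an unquoted YAML plain scalar, whereas the value it replaces was single-quoted; the macro's output happens to contain no `: ` or ` #` sequence today, but any future change to the macro body (a `:` in a path, a comment-like ` #`) would make YAML loading fail or silently truncate the scalar instead of failing visibly. Quoting it as the original and the negated variants do, `bash_conditional: '{{{ bash_arch_conditional("aarch64") }}}'`, keeps the parse independent of the macro body; the macro output uses only double quotes, so single quotes are safe. The same applies to the ppc64le, s390x and x86_64 applicability files in this patch.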
diff --git a/shared/applicability/not_s390x_arch.yml b/shared/applicability/not_s390x_arch.yml
index c21e1e99c30..e8919495f40 100644
--- a/shared/applicability/not_s390x_arch.yml
+++ b/shared/applicability/not_s390x_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:not_s390x_arch
 title: System architecture is not S390X
 check_id: proc_sys_kernel_osrelease_arch_not_s390x
-bash_conditional: '! grep -q s390x /proc/sys/kernel/{osrelease,arch}'
+bash_conditional: ! {{{ bash_arch_conditional("s390x") }}}
 ansible_conditional: 'ansible_architecture != "s390x"'
diff --git a/shared/applicability/ppc64le_arch.yml b/shared/applicability/ppc64le_arch.yml
index c8c76e4ef0c..0e9befe672b 100644
--- a/shared/applicability/ppc64le_arch.yml
+++ b/shared/applicability/ppc64le_arch.yml
@@ -1,5 +1,5 @@
 name: "cpe:/a:ppc64le_arch"
 title: "System architecture is ppc64le"
 check_id: proc_sys_kernel_osrelease_arch_ppc64le
-bash_conditional: 'grep -q ppc64le /proc/sys/kernel/{osrelease,arch}'
+bash_conditional: {{{ bash_arch_conditional("ppc64le") }}}
 ansible_conditional: 'ansible_architecture == "ppc64le"'
diff --git a/shared/applicability/s390x_arch.yml b/shared/applicability/s390x_arch.yml
index 5db3ff4157b..202054c8470 100644
--- a/shared/applicability/s390x_arch.yml
+++ b/shared/applicability/s390x_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:s390x_arch
 title: System architecture is S390X
 check_id: proc_sys_kernel_osrelease_arch_s390x
-bash_conditional: 'grep -q s390x /proc/sys/kernel/{osrelease,arch}'
+bash_conditional: {{{ bash_arch_conditional("s390x") }}}
 ansible_conditional: 'ansible_architecture == "s390x"'
diff --git a/shared/applicability/x86_64_arch.yml b/shared/applicability/x86_64_arch.yml
index 1a0652aa250..e7932a988e0 100644
--- a/shared/applicability/x86_64_arch.yml
+++ b/shared/applicability/x86_64_arch.yml
@@ -1,5 +1,5 @@ name: cpe:/a:x86_64_arch title: System architecture is x86_64 check_id: proc_sys_kernel_osrelease_arch_x86_64 -bash_conditional: 'grep -q x86_64 /proc/sys/kernel/{osrelease,arch}' +bash_conditional: {{{ bash_arch_conditional("x86_64") }}} ansible_conditional: 'ansible_architecture == "x86_64"' diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 82ac231dfac..e3b55434f00 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -2668,3 +2668,14 @@ if the remediation is not performed during a build of a bootable container image {{%- macro bash_not_bootc_build() -%}} [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] {{%- endmacro -%}} + + +{{# +This macro creates a Bash conditional which checks the system architecture in /proc/sys/kernel/{osrelease,arch} + + :param arch: system architecture (x86_64, aarch64, s90x, ppc64le, ...) + :type arch: str +#}} +{{%- macro bash_arch_conditional(arch) -%}} +( grep -sqE "^.*\.{{{ arch }}}$" /proc/sys/kernel/osrelease || grep -sqE "^{{{ arch }}}$" /proc/sys/kernel/arch; ) +{{%- endmacro -%}} diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 0fd0f07bf94..960b6abab3b 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -1729,6 +1729,7 @@ The macros generates the OVAL test including the dependent OVAL object and OVAL Macro for checking the system architecture in /proc/sys/kernel/{osrelease,arch} :param arch: system architecture (x86_64, aarch64, s90x, ppc64le, ...) + :type arch: str #}} {{%- macro oval_check_proc_sys_kernel_osrelease_arch(arch) -%}} From f9416791b6cbeea0a286160b9dc879926822d9a3 Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Wed, 15 Jan 2025 11:06:59 +0100 Subject: [PATCH 2/2] Quote negated bash conditionals --- shared/applicability/not_aarch64_arch.yml | 2 +- shared/applicability/not_s390x_arch.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
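Review bot: The added `bash_arch_conditional` macro in 10-bash.jinja recognises an architecture only when the kernel release string ends in `.<arch>` or `/proc/sys/kernel/arch` is readable, so a kernel that predates the `arch` sysctl and whose release string carries no architecture suffix (I believe this is the case on Debian- and Ubuntu-style kernels, whose osrelease looks like `6.1.0-18-amd64`) is silently treated as "not <arch>", which would presumably invert the applicability of every rule gated on that platform. A `uname -m` fallback as a third alternative covers that case without changing the existing lookups, `|| [ "$(uname -m)" = "{{{ arch }}}" ]` before the closing `; )`; if `uname -m` was avoided on purpose (it reports the calling personality's machine name rather than the kernel's), the docstring should say so. The `^.*` prefix on the osrelease pattern is redundant with the anchored `\.<arch>$` suffix, and `grep -sqx "{{{ arch }}}"` expresses the whole-line match on the `arch` file without needing an ERE. The docstring's example list reads `s90x` where `s390x` is meant, and because `arch` is spliced unescaped into a double-quoted regex it should state `:param arch: literal architecture name; inserted unescaped into a double-quoted grep pattern, so it must not contain regex or shell metacharacters`.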
diff --git a/shared/applicability/not_aarch64_arch.yml b/shared/applicability/not_aarch64_arch.yml
index dfe5eee9c57..b49cae2a713 100644
--- a/shared/applicability/not_aarch64_arch.yml
+++ b/shared/applicability/not_aarch64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:not_aarch64_arch
 title: System architecture is not AARCH64
 check_id: proc_sys_kernel_osrelease_arch_not_aarch64
-bash_conditional: ! {{{ bash_arch_conditional("aarch64") }}}
+bash_conditional: '! {{{ bash_arch_conditional("aarch64") }}}'
 ansible_conditional: 'ansible_architecture != "aarch64"'
diff --git a/shared/applicability/not_s390x_arch.yml b/shared/applicability/not_s390x_arch.yml
index e8919495f40..aaacd028286 100644
--- a/shared/applicability/not_s390x_arch.yml
+++ b/shared/applicability/not_s390x_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:not_s390x_arch
 title: System architecture is not S390X
 check_id: proc_sys_kernel_osrelease_arch_not_s390x
-bash_conditional: ! {{{ bash_arch_conditional("s390x") }}}
+bash_conditional: '! {{{ bash_arch_conditional("s390x") }}}'
 ansible_conditional: 'ansible_architecture != "s390x"'
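Review bot: Because `-s` inside `bash_arch_conditional` silences unreadable files, the new quoted value `'! {{{ bash_arch_conditional("aarch64") }}}'` on the `bash_conditional` line succeeds whenever the positive check fails for any reason, including when neither `/proc/sys/kernel/osrelease` nor `/proc/sys/kernel/arch` can be read, so a host whose architecture cannot be determined is classed as "not AARCH64" and presumably receives the remediations gated on that platform. The patch does not say whether that fail-open default is intended; if it is, a trailing comment such as `# applicable also when the architecture cannot be determined (both /proc files unreadable)` would document it, and if it is not, the value should first require a readable source, e.g. `'[ -r /proc/sys/kernel/osrelease ] && ! {{{ bash_arch_conditional("aarch64") }}}'`. The same applies to the not_s390x_arch.yml hunk in this patch.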