[RHEL/7] Version ComplianceAsCode#2 of service_disabled (unix:file_test) template for systemd.

Jan Lieskovsky · Jan Lieskovsky · commit ea9e83ae442d · 2014-09-21T13:05:48.000+02:00
Service is considered disabled if:
         * corresponding RPM isn't installed OR,
         * particular service got masked OR,
         * particular service is disabled on boot AND not enabled at runtime.

         Also apply that template against abrtd service for testing.
diff --git a/RHEL/6/input/checks/package_abrt_removed.xml b/RHEL/6/input/checks/package_abrt_removed.xml
diff --git a/RHEL/6/input/checks/package_abrt_removed.xml b/RHEL/6/input/checks/package_abrt_removed.xml
@@ -0,0 +1 @@
+../../../../shared/oval/package_abrt_removed.xml
diff --git a/RHEL/7/input/checks/package_abrt_removed.xml b/RHEL/7/input/checks/package_abrt_removed.xml
@@ -0,0 +1 @@
+../../../../shared/oval/package_abrt_removed.xml
diff --git a/RHEL/7/input/checks/service_abrtd_disabled.xml b/RHEL/7/input/checks/service_abrtd_disabled.xml
@@ -0,0 +1,79 @@
+<def-group>
+  <!-- THIS FILE IS GENERATED by create_services_disabled.py according to RHEL-7 template
+       from RHEL/7/input/checks/templates/template_service_disabled. DO NOT EDIT.
+
+       IF REQUIRED INSTEAD OF EDITING THIS FILE RATHER EDIT THAT TEMPLATE DIRECTLY.
+       AFTER THAT BE SURE TO REGENERATE ALL CORRESPONDING UNCOMMENTED CHECKS FROM
+       service_disabled.csv CSV FILE AND PLACE THOSE NEW OVAL VERSIONS into
+       RHEL/7/input/checks DIRECTORY REPLACING THE FORMER ONES
+  -->
+
+  <definition class="compliance" id="service_abrtd_disabled" version="1">
+    <metadata>
+      <title>Service abrtd Disabled</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>The abrtd service should be disabled if possible.</description>
+      <reference source="JL" ref_id="20140921" ref_url="test_attestation"/>
+    </metadata>
+    <criteria operator="OR" comment="package abrt removed or service abrtd is not configured to start">
+      <extend_definition comment="abrt removed" definition_ref="package_abrt_removed" />
+      <criteria operator="OR" comment="service abrtd is not configured to start">
+        <criterion comment="abrtd masked" test_ref="test_abrtd_masked" />
+        <criteria operator="AND" comment="service abrtd is disabled on boot and not enabled at runtime">
+          <criterion comment="abrtd disabled on boot" test_ref="test_abrtd_disabled_on_boot" />
+          <criterion comment="abrtd not enabled at runtime" test_ref="test_abrtd_runtime_not_enabled" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <!-- Test if abrtd is masked -->
+  <unix:file_test id="test_abrtd_masked" check="all" check_existence="at_least_one_exists" comment="Test if abrtd is masked" version="1">
+    <unix:object object_ref="object_abrtd_masked" />
+  </unix:file_test>
+
+  <unix:file_object id="object_abrtd_masked" comment="/etc/systemd/system/abrtd.service exists" version="1">
+    <unix:filepath>/etc/systemd/system/abrtd.service</unix:filepath>
+  </unix:file_object>
+
+  <!-- Test if abrtd is disabled for all targets on boot -->
+  <unix:file_test id="test_abrtd_disabled_on_boot" check="all" check_existence="none_exist" comment="Test if abrtd not enabled on boot" version="1">
+    <unix:object object_ref="object_abrtd_disabled_on_boot" />
+  </unix:file_test>
+
+  <unix:file_object id="object_abrtd_disabled_on_boot" comment="No /etc/systemd/system/*.wants/abrtd.service exists" version="1">
+    <!-- Don't follow symbolic links below to search just through /etc/systemd/system/* content -->
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
+    <unix:path>/etc/systemd/system</unix:path>
+    <unix:filename>abrtd.service</unix:filename>
+    <!-- Include all symbolic link entities in the /etc/systemd/system directory tree -->
+    <filter action="include">state_abrtd_symlink</filter>
+    <!-- But exclude that one causing service to be masked -->
+    <filter action="exclude">state_abrtd_masked_symlink</filter>
+  </unix:file_object>
+
+  <unix:file_state id="state_abrtd_symlink" version="1">
+    <unix:type>symbolic link</unix:type>
+  </unix:file_state>
+
+  <unix:file_state id="state_abrtd_masked_symlink" version="1">
+    <unix:filepath>/etc/systemd/system/abrtd.service</unix:filepath>
+  </unix:file_state>
+
+  <!-- Test if abrtd is not enabled at runtime -->
+  <unix:file_test id="test_abrtd_runtime_not_enabled" check="all" check_existence="none_exist" comment="Test if abrtd not enabled at runtime" version="1">
+    <unix:object object_ref="object_abrtd_runtime_not_enabled" />
+  </unix:file_test>
+
+  <unix:file_object id="object_abrtd_runtime_not_enabled" comment="No /run/systemd/system/*.wants/abrtd.service exists" version="1">
+    <!-- Don't follow symbolic links below to search just through /run/systemd/system/* content -->
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
+    <unix:path>/run/systemd/system</unix:path>
+    <unix:filename>abrtd.service</unix:filename>
+    <!-- Include all symbolic link entities in the /run/systemd/system directory tree -->
+    <filter action="include">state_abrtd_symlink</filter>
+  </unix:file_object>
+
+</def-group>
diff --git a/RHEL/7/input/checks/templates/Makefile b/RHEL/7/input/checks/templates/Makefile
@@ -0,0 +1,23 @@
+templates: services packages
+
+SHARED_DIR=../../../../../shared/oval/templates
+
+services:
+	${SHARED_DIR}/create_services_disabled.py services_disabled.csv
+
+packages:
+	${SHARED_DIR}/create_package_removed.py packages_removed.csv
+
+compare:
+	diff output/ ../ | grep -v "Only in ../"
+
+copy:
+	cp output/*.xml ../
+	cp output/*.sh ../../fixes/bash/
+
+find-untemplated: templates
+	./find_untemplated.py
+
+clean:
+	rm -f output/*.xml
+	rm -f output/*.sh
diff --git a/RHEL/7/input/checks/templates/output/.gitignore b/RHEL/7/input/checks/templates/output/.gitignore
@@ -0,0 +1,3 @@
+# files to ignore
+*.xml
+*.sh
diff --git a/RHEL/7/input/checks/templates/packages_removed.csv b/RHEL/7/input/checks/templates/packages_removed.csv
@@ -0,0 +1 @@
+abrt
diff --git a/RHEL/7/input/checks/templates/services_disabled.csv b/RHEL/7/input/checks/templates/services_disabled.csv
@@ -0,0 +1 @@
+abrtd,abrt
diff --git a/RHEL/7/input/checks/templates/template_package_removed b/RHEL/7/input/checks/templates/template_package_removed
@@ -0,0 +1,26 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_package_removed.py.  DO NOT EDIT.  -->
+  <definition class="compliance" id="package_PKGNAME_removed"
+  version="1">
+    <metadata>
+      <title>Package PKGNAME Removed</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>The RPM package PKGNAME should be removed.</description>
+      <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+    </metadata>
+    <criteria>
+      <criterion comment="package PKGNAME is removed"
+      test_ref="test_package_PKGNAME_removed" />
+    </criteria>
+  </definition>
+  <linux:rpminfo_test check="all" check_existence="none_exist"
+  id="test_package_PKGNAME_removed" version="1"
+  comment="package PKGNAME is removed">
+    <linux:object object_ref="obj_package_PKGNAME_removed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_package_PKGNAME_removed" version="1">
+    <linux:name>PKGNAME</linux:name>
+  </linux:rpminfo_object>
+</def-group>
diff --git a/RHEL/7/input/checks/templates/template_service_disabled b/RHEL/7/input/checks/templates/template_service_disabled
@@ -0,0 +1,78 @@
+<def-group>
+  <!-- THIS FILE IS GENERATED by create_services_disabled.py according to RHEL-7 template
+       from RHEL/7/input/checks/templates/template_service_disabled. DO NOT EDIT.
+
+       IF REQUIRED INSTEAD OF EDITING THIS FILE RATHER EDIT THAT TEMPLATE DIRECTLY.
+       AFTER THAT BE SURE TO REGENERATE ALL CORRESPONDING UNCOMMENTED CHECKS FROM
+       service_disabled.csv CSV FILE AND PLACE THOSE NEW OVAL VERSIONS into
+       RHEL/7/input/checks DIRECTORY REPLACING THE FORMER ONES
+  -->
+
+  <definition class="compliance" id="service_SERVICENAME_disabled" version="1">
+    <metadata>
+      <title>Service SERVICENAME Disabled</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>The SERVICENAME service should be disabled if possible.</description>
+    </metadata>
+    <criteria operator="OR" comment="package PACKAGENAME removed or service SERVICENAME is not configured to start">
+      <extend_definition comment="PACKAGENAME removed" definition_ref="package_PACKAGENAME_removed" />
+      <criteria operator="OR" comment="service SERVICENAME is not configured to start">
+        <criterion comment="SERVICENAME masked" test_ref="test_SERVICENAME_masked" />
+        <criteria operator="AND" comment="service SERVICENAME is disabled on boot and not enabled at runtime">
+          <criterion comment="SERVICENAME disabled on boot" test_ref="test_SERVICENAME_disabled_on_boot" />
+          <criterion comment="SERVICENAME not enabled at runtime" test_ref="test_SERVICENAME_runtime_not_enabled" />
+        </criteria>
+      </criteria>
+    </criteria>
+  </definition>
+
+  <!-- Test if SERVICENAME is masked -->
+  <unix:file_test id="test_SERVICENAME_masked" check="all" check_existence="at_least_one_exists" comment="Test if SERVICENAME is masked" version="1">
+    <unix:object object_ref="object_SERVICENAME_masked" />
+  </unix:file_test>
+
+  <unix:file_object id="object_SERVICENAME_masked" comment="/etc/systemd/system/SERVICENAME.service exists" version="1">
+    <unix:filepath>/etc/systemd/system/SERVICENAME.service</unix:filepath>
+  </unix:file_object>
+
+  <!-- Test if SERVICENAME is disabled for all targets on boot -->
+  <unix:file_test id="test_SERVICENAME_disabled_on_boot" check="all" check_existence="none_exist" comment="Test if SERVICENAME not enabled on boot" version="1">
+    <unix:object object_ref="object_SERVICENAME_disabled_on_boot" />
+  </unix:file_test>
+
+  <unix:file_object id="object_SERVICENAME_disabled_on_boot" comment="No /etc/systemd/system/*.wants/SERVICENAME.service exists" version="1">
+    <!-- Don't follow symbolic links below to search just through /etc/systemd/system/* content -->
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
+    <unix:path>/etc/systemd/system</unix:path>
+    <unix:filename>SERVICENAME.service</unix:filename>
+    <!-- Include all symbolic link entities in the /etc/systemd/system directory tree -->
+    <filter action="include">state_SERVICENAME_symlink</filter>
+    <!-- But exclude that one causing service to be masked -->
+    <filter action="exclude">state_SERVICENAME_masked_symlink</filter>
+  </unix:file_object>
+
+  <unix:file_state id="state_SERVICENAME_symlink" version="1">
+    <unix:type>symbolic link</unix:type>
+  </unix:file_state>
+
+  <unix:file_state id="state_SERVICENAME_masked_symlink" version="1">
+    <unix:filepath>/etc/systemd/system/SERVICENAME.service</unix:filepath>
+  </unix:file_state>
+
+  <!-- Test if SERVICENAME is not enabled at runtime -->
+  <unix:file_test id="test_SERVICENAME_runtime_not_enabled" check="all" check_existence="none_exist" comment="Test if SERVICENAME not enabled at runtime" version="1">
+    <unix:object object_ref="object_SERVICENAME_runtime_not_enabled" />
+  </unix:file_test>
+
+  <unix:file_object id="object_SERVICENAME_runtime_not_enabled" comment="No /run/systemd/system/*.wants/SERVICENAME.service exists" version="1">
+    <!-- Don't follow symbolic links below to search just through /run/systemd/system/* content -->
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
+    <unix:path>/run/systemd/system</unix:path>
+    <unix:filename>SERVICENAME.service</unix:filename>
+    <!-- Include all symbolic link entities in the /run/systemd/system directory tree -->
+    <filter action="include">state_SERVICENAME_symlink</filter>
+  </unix:file_object>
+
+</def-group>
diff --git a/RHEL/7/input/profiles/rht-ccp.xml b/RHEL/7/input/profiles/rht-ccp.xml
@@ -120,13 +120,13 @@ ANTIQUATED SERVICES
 <select idref="uninstall_tftp-server" selected="true"/>
 <select idref="disable_tftp" selected="true"/>
 <select idref="disable_avahi" selected="true"/>
-<select idref="service_abrtd_disabled" selected="true"/>
 <select idref="service_atd_disabled" selected="true"/>
 <select idref="service_autofs_disabled" selected="true"/>
 <select idref="service_ntpdate_disabled" selected="true"/>
 <select idref="service_oddjobd_disabled" selected="true"/>
 <select idref="service_qpidd_disabled" selected="true"/>
 <select idref="service_rdisc_disabled" selected="true"/-->
+<select idref="service_abrtd_disabled" selected="true"/>
 <select idref="disable_telnet_service" selected="true"/>
 <select idref="package_telnet_removed" selected="true"/>
 <select idref="uninstall_telnet_server" selected="true"/>
diff --git a/RHEL/7/input/services/base.xml b/RHEL/7/input/services/base.xml
@@ -23,6 +23,7 @@ information from within a process's address space or registers.</rationale>
 <ident cce="RHEL7-CCE-TBD" />
 <oval id="service_abrtd_disabled" />
 <ref nist="AC-17(8),CM-7" disa="381" />
+<tested by="JL" on="20140921"/>
 </Rule>
 
 <Rule id="service_acpid_disabled">
diff --git a/shared/oval/package_abrt_removed.xml b/shared/oval/package_abrt_removed.xml
@@ -0,0 +1,27 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_package_removed.py.  DO NOT EDIT.  -->
+  <definition class="compliance" id="package_abrt_removed"
+  version="1">
+    <metadata>
+      <title>Package abrt Removed</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 6</platform>
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>The RPM package abrt should be removed.</description>
+      <reference source="JL" ref_id="20140921" ref_url="test_attestation"/>
+    </metadata>
+    <criteria>
+      <criterion comment="package abrt is removed"
+      test_ref="test_package_abrt_removed" />
+    </criteria>
+  </definition>
+  <linux:rpminfo_test check="all" check_existence="none_exist"
+  id="test_package_abrt_removed" version="1"
+  comment="package abrt is removed">
+    <linux:object object_ref="obj_package_abrt_removed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_package_abrt_removed" version="1">
+    <linux:name>abrt</linux:name>
+  </linux:rpminfo_object>
+</def-group>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+../../../../shared/oval/package_abrt_removed.xml`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# files to ignore`
	`2`	`+*.xml`
	`3`	`+*.sh`