[DO NOT MERGE] Adapt sysctl template for use in oscap-bootc #12543

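--- a/shared/checks/oval/oscap_bootc_env_var.xml
+++ b/shared/checks/oval/oscap_bootc_env_var.xml
@@ -0,0 +1,33 @@
+<def-group>
+<definition class="inventory" id="oscap_bootc_env_var" version="2">
+<metadata>
+<title>Check if the environment is execution of the oscap-bootc build tool in the podman build environment</title>
+<affected family="unix">
+<platform>multi_platform_all</platform>
+</affected>
+<description>Check the value of environment variable OSCAP_BOOTC_BUILD.</description>
+<reference ref_id="cpe:/a:osbuild" source="CPE" />
+</metadata>
+<criteria>
+<criterion comment="Check the value of OSCAP_BOOTC_BUILD variable" test_ref="test_oscap_bootc_env_var" />
+</criteria>
+</definition>
+
+<ind:environmentvariable58_test check="all" check_existence="all_exist"
+comment="environment variable OSCAP_BOOTC_BUILD is set to bwrap-osbuild"
+id="test_oscap_bootc_env_var" version="1">
+<ind:object object_ref="object_oscap_bootc_env_var" />
+<ind:state state_ref="state_oscap_bootc_env_var" />
+</ind:environmentvariable58_test>
+
+<ind:environmentvariable58_object
+id="object_oscap_bootc_env_var" version="1">
+<ind:pid xsi:nil="true" datatype="int" />
+<ind:name>OSCAP_BOOTC_BUILD</ind:name>
+</ind:environmentvariable58_object>
+
+<ind:environmentvariable58_state
+id="state_oscap_bootc_env_var" version="1">
+<ind:value>YES</ind:value>
+</ind:environmentvariable58_state>
+</def-group>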
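Review bot: The comment on `ind:environmentvariable58_test` says the variable "is set to bwrap-osbuild", but the state it references matches the literal `YES`, and the bash template in this same PR compares against `YES` too; the comment should read `comment="environment variable OSCAP_BOOTC_BUILD is set to YES"`. The description should also state that this inventory result is decided entirely by the environment the scanner is launched in: any evaluation run with `OSCAP_BOOTC_BUILD=YES` exported will report this definition true and, through the OR the sysctl oval template adds, treat the runtime sysctl check as satisfied, so rules that extend it are relying on that marker being set only by the bootc build tooling. `check_existence="all_exist"` looks like the right choice here, since an unset variable should make the test false rather than an error, but a one-line comment above the object saying so would save the next reader an OVAL lookup. The title mentions the podman build environment while the description does not; aligning the two would make the intent clearer.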
4 changes: 4 additions & 0 deletions shared/templates/sysctl/bash.template
Expand Up @@ -38,10 +38,12 @@ SYSCONFIG_FILE="/etc/sysctl.conf"
{{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}}
{{{ bash_instantiate_variables("sysctl_" ~ SYSCTLID ~ "_value") }}}

if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
#
# Set runtime for {{{ SYSCTLVAR }}}
#
/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="$sysctl_{{{ SYSCTLID }}}_value"
fi

#
# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to appropriate value
Expand All @@ -54,10 +56,12 @@ sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf

{{%- else %}}

if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
#
# Set runtime for {{{ SYSCTLVAR }}}
#
/sbin/sysctl -q -n -w {{{ SYSCTLVAR }}}="{{{ SYSCTLVAL }}}"
fi

#
# If {{{ SYSCTLVAR }}} present in /etc/sysctl.conf, change value to "{{{ SYSCTLVAL }}}"
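Review bot: The new `if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then` guard wrapping the `/sbin/sysctl -w` call in both hunks skips the runtime change without any comment explaining why, so a remediation that exits successfully while leaving the running kernel untouched will surprise anyone reading the generated script; add above the guard something like `# Skip the runtime change when OSCAP_BOOTC_BUILD=YES: the remediation is running inside a bootable-container image build, where presumably only the persisted /etc/sysctl.conf entry below can take effect`. Note that an unset variable expands to an empty string and therefore still runs sysctl, which is the intended default, but the literal `YES` now lives in three places (twice in this template and once in the `oscap_bootc_env_var` OVAL state), so a change to the marker value must be made in lock-step or check and remediation will disagree. The template branches that enclose each hunk begin above the shown lines.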
16 changes: 12 additions & 4 deletions shared/templates/sysctl/oval.template
Expand Up @@ -29,8 +29,12 @@
<extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
definition_ref="{{{ rule_id }}}_static"/>
{{% if CHECK_RUNTIME == "true" %}}
<extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
definition_ref="{{{ rule_id }}}_runtime"/>
<criteria operator="OR">
<extend_definition comment="we are building bootable container image"
definition_ref="oscap_bootc_env_var"/>
<extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
definition_ref="{{{ rule_id }}}_runtime"/>
</criteria>
{{%- endif %}}
</criteria>
</definition>
Expand All @@ -53,8 +57,12 @@
<extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check"
definition_ref="{{{ rule_id }}}_static"/>
{{% if CHECK_RUNTIME == "true" %}}
<extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
definition_ref="{{{ rule_id }}}_runtime"/>
<criteria operator="OR">
<extend_definition comment="we are building bootable container image"
definition_ref="oscap_bootc_env_var"/>
<extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check"
definition_ref="{{{ rule_id }}}_runtime"/>
</criteria>
{{%- endif %}}
</criteria>
</criteria>
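Review bot: The `<criteria operator="OR">` added in both hunks makes the runtime criterion pass whenever `oscap_bootc_env_var` is true, and the comment `we are building bootable container image` does not tell a reader of the generated OVAL that this is a deliberate bypass of the runtime check; spell it out, e.g. `comment="runtime check skipped: OSCAP_BOOTC_BUILD=YES (bootable container image build)"`. Because the extended definition lives in `shared/checks/oval/oscap_bootc_env_var.xml`, every product that renders this template with `CHECK_RUNTIME == "true"` now needs that shared check pulled into its build or the `definition_ref` will be unresolved; worth confirming for all products the sysctl template serves. The same six-line fragment is duplicated between the two hunks, so if the template engine supports a macro it would be safer to define it once and reference it from both places. The enclosing definitions start and end outside the shown lines.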