
Fix architecture applicability checks #12793

Merged: 1 commit into ComplianceAsCode:master from fix_arch_applicability, Jan 13, 2025

Conversation

mpurg
Contributor

@mpurg mpurg commented Jan 9, 2025

Description:

Rationale:

  • osrelease does not contain the architecture on Ubuntu

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Jan 9, 2025

openshift-ci bot commented Jan 9, 2025

Hi @mpurg. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


Copy link

github-actions bot commented Jan 9, 2025

This datastream diff is auto generated by the check Compare DS/Generate Diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_rear_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_rear_installed
+++ xccdf_org.ssgproject.content_rule_package_rear_installed
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ! ( ( ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -q aarch64 /proc/sys/kernel/osrelease && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.4"; printf "%s\n%s" "$real" "$expected" | sort -VC; } && grep -q s390x /proc/sys/kernel/osrelease ) ) ); then
+if ! ( ( ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} && grep -qP "^ID=[\"']?ol[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} && grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="9.0"; printf "%s\n%s" "$expected" "$real" | sort -VC; } ) || ( grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.4"; printf "%s\n%s" "$real" "$expected" | sort -VC; } && grep -q s390x /proc/sys/kernel/{osrelease,arch} ) ) ); then
 
 if ! rpm -q --quiet "rear" ; then
     yum install -y "rear"
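Review bot: the `+` line's `grep -q aarch64 /proc/sys/kernel/{osrelease,arch}` expands to two paths, and on a kernel that has no `/proc/sys/kernel/arch` (the reviewer's RHEL 8.10 and 9.6 output below shows `cat: /proc/sys/kernel/arch: No such file or directory`) every one of these guards now writes a grep error to stderr during remediation. The logic still holds, because GNU grep under `-q` exits 0 when a line matches in the other file, so the fix is cosmetic but worth making: use `grep -qs aarch64 ...` to silence the missing-file message, or have the template emit the `arch` path only for products whose kernel provides it, as the reviewer asks. Note also that `{osrelease,arch}` is brace expansion, which is fine for these bash remediations but would be passed through as a literal path under `sh`.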

bash remediation for rule 'xccdf_org.ssgproject.content_rule_install_smartcard_packages' differs.
--- xccdf_org.ssgproject.content_rule_install_smartcard_packages
+++ xccdf_org.ssgproject.content_rule_install_smartcard_packages
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q kernel && { ! grep -q s390x /proc/sys/kernel/osrelease; }; then
+if rpm --quiet -q kernel && { ! grep -q s390x /proc/sys/kernel/{osrelease,arch}; }; then
 
 if ! rpm -q --quiet "openssl-pkcs11" ; then
     yum install -y "openssl-pkcs11"
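Review bot: the negated test on the `+` line, `! grep -q s390x /proc/sys/kernel/{osrelease,arch}`, fails open: when neither file contains an architecture string (the PR description says osrelease has none on Ubuntu, and the reviewer shows the arch file absent on RHEL 8 and 9 kernels, so a distribution with both traits gets nothing from either path), grep exits non-zero, the negation is true, and the smartcard packages are installed on every architecture including s390x. That is usually the desired outcome, but the guard now conflates "not s390x" with "architecture unknown"; if the bash side can afford it, a `uname -m` fallback in the negated guards would make the distinction explicit.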

bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
+++ xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && { grep -q x86_64 /proc/sys/kernel/osrelease; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && { grep -q x86_64 /proc/sys/kernel/{osrelease,arch}; }; then
 
 expected_value="none"
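Review bot: this positive guard is the mirror image of the negated ones: `grep -q x86_64 /proc/sys/kernel/{osrelease,arch}` needs the token in at least one file, so on an x86_64 host whose osrelease has no architecture suffix and whose kernel lacks `/proc/sys/kernel/arch`, the condition is false and the `vsyscall=none` remediation is silently skipped, indistinguishable from a genuine non-x86_64 host. A skipped boot-argument hardening is easier to miss than a spurious one, so please add a test fixture for that combination or log when the architecture could not be determined.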
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_zipl_audit_argument' differs.
--- xccdf_org.ssgproject.content_rule_zipl_audit_argument
+++ xccdf_org.ssgproject.content_rule_zipl_audit_argument
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if grep -q s390x /proc/sys/kernel/{osrelease,arch} && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Correct BLS option using grubby, which is a thin wrapper around BLS operations
 grubby --update-kernel=ALL --args="audit=1"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_zipl_audit_backlog_limit_argument' differs.
--- xccdf_org.ssgproject.content_rule_zipl_audit_backlog_limit_argument
+++ xccdf_org.ssgproject.content_rule_zipl_audit_backlog_limit_argument
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if grep -q s390x /proc/sys/kernel/{osrelease,arch} && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Correct BLS option using grubby, which is a thin wrapper around BLS operations
 grubby --update-kernel=ALL --args="audit_backlog_limit=8192"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_zipl_page_poison_argument' differs.
--- xccdf_org.ssgproject.content_rule_zipl_page_poison_argument
+++ xccdf_org.ssgproject.content_rule_zipl_page_poison_argument
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if grep -q s390x /proc/sys/kernel/{osrelease,arch} && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Correct BLS option using grubby, which is a thin wrapper around BLS operations
 grubby --update-kernel=ALL --args="page_poison=1"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_zipl_slub_debug_argument' differs.
--- xccdf_org.ssgproject.content_rule_zipl_slub_debug_argument
+++ xccdf_org.ssgproject.content_rule_zipl_slub_debug_argument
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if grep -q s390x /proc/sys/kernel/{osrelease,arch} && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Correct BLS option using grubby, which is a thin wrapper around BLS operations
 grubby --update-kernel=ALL --args="slub_debug=P"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_zipl_systemd_debug-shell_argument_absent' differs.
--- xccdf_org.ssgproject.content_rule_zipl_systemd_debug-shell_argument_absent
+++ xccdf_org.ssgproject.content_rule_zipl_systemd_debug-shell_argument_absent
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if grep -q s390x /proc/sys/kernel/{osrelease,arch} && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Correct BLS option using grubby, which is a thin wrapper around BLS operations
 grubby --update-kernel=ALL --remove-args="systemd.debug-shell"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_zipl_vsyscall_argument' differs.
--- xccdf_org.ssgproject.content_rule_zipl_vsyscall_argument
+++ xccdf_org.ssgproject.content_rule_zipl_vsyscall_argument
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if grep -q s390x /proc/sys/kernel/{osrelease,arch} && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 # Correct BLS option using grubby, which is a thin wrapper around BLS operations
 grubby --update-kernel=ALL --args="vsyscall=none"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date' differs.
--- xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date
+++ xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if grep -q s390x /proc/sys/kernel/{osrelease,arch} && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
 
 /usr/sbin/zipl
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_usbguard_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_usbguard_installed
+++ xccdf_org.ssgproject.content_rule_package_usbguard_installed
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( ! grep -q s390x /proc/sys/kernel/osrelease && rpm --quiet -q kernel ); then
+if ( ! grep -q s390x /proc/sys/kernel/{osrelease,arch} && rpm --quiet -q kernel ); then
 
 if ! rpm -q --quiet "usbguard" ; then
     yum install -y "usbguard"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled' differs.
--- xccdf_org.ssgproject.content_rule_service_usbguard_enabled
+++ xccdf_org.ssgproject.content_rule_service_usbguard_enabled
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( ! grep -q s390x /proc/sys/kernel/osrelease && rpm --quiet -q kernel ); then
+if ( ! grep -q s390x /proc/sys/kernel/{osrelease,arch} && rpm --quiet -q kernel ); then
 
 SYSTEMCTL_EXEC='/usr/bin/systemctl'
 "$SYSTEMCTL_EXEC" unmask 'usbguard.service'

bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' differs.
--- xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
+++ xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( ! grep -q s390x /proc/sys/kernel/osrelease && rpm --quiet -q kernel ) && { rpm --quiet -q usbguard; }; then
+if ( ! grep -q s390x /proc/sys/kernel/{osrelease,arch} && rpm --quiet -q kernel ) && { rpm --quiet -q usbguard; }; then
 
 if [ -e "/etc/usbguard/usbguard-daemon.conf" ] ; then
     

bash remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid' differs.
--- xccdf_org.ssgproject.content_rule_usbguard_allow_hid
+++ xccdf_org.ssgproject.content_rule_usbguard_allow_hid
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( ! grep -q s390x /proc/sys/kernel/osrelease && rpm --quiet -q kernel ); then
+if ( ! grep -q s390x /proc/sys/kernel/{osrelease,arch} && rpm --quiet -q kernel ); then
 
 # path of file with Usbguard rules
 rulesfile="/etc/usbguard/rules.conf"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub' differs.
--- xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
+++ xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( ! grep -q s390x /proc/sys/kernel/osrelease && rpm --quiet -q kernel ); then
+if ( ! grep -q s390x /proc/sys/kernel/{osrelease,arch} && rpm --quiet -q kernel ); then
 
 echo "allow with-interface match-all { 03:*:* 09:00:* }" >> /etc/usbguard/rules.conf
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hub' differs.
--- xccdf_org.ssgproject.content_rule_usbguard_allow_hub
+++ xccdf_org.ssgproject.content_rule_usbguard_allow_hub
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( ! grep -q s390x /proc/sys/kernel/osrelease && rpm --quiet -q kernel ); then
+if ( ! grep -q s390x /proc/sys/kernel/{osrelease,arch} && rpm --quiet -q kernel ); then
 
 echo "allow with-interface match-all { 09:00:* }" >> /etc/usbguard/rules.conf
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_generate_policy' differs.
--- xccdf_org.ssgproject.content_rule_usbguard_generate_policy
+++ xccdf_org.ssgproject.content_rule_usbguard_generate_policy
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if ( ! grep -q s390x /proc/sys/kernel/osrelease && rpm --quiet -q kernel ); then
+if ( ! grep -q s390x /proc/sys/kernel/{osrelease,arch} && rpm --quiet -q kernel ); then
 
 if rpm --quiet -q usbguard
 then

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
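Review bot: the context line `# Retrieve hardware architecture of the underlying system` shows that the remediation body determines the architecture itself at run time, while the guard on the `+` line decides applicability from two /proc files that may both lack the token. The two can disagree (the guard concludes "not aarch64" because nothing matched, the body then finds aarch64), which makes the exclusion ineffective exactly on the hosts this PR targets. Consider feeding the guard from the same source the body uses, or noting in the template why the two differ.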

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 ACTION_ARCH_FILTERS="-a always,exit -F arch=b32"
 OTHER_FILTERS=""

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # Perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')"
 cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')"
 cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 mkdir -p "$(dirname '/etc/audit/rules.d/30-ospp-v42-remediation.rules')"
 cat <<EOF > "/etc/audit/rules.d/30-ospp-v42-remediation.rules"

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_query' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_query
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_query
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/osrelease ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ); }; then
 
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system

bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_time_stime' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_time_stime
+++ xccdf_org.ssgproject.content_rule_audit_rules_time_stime
@@ -1,5 +1,5 @@
 # Remediation is applicable only in certain platforms
-if rpm --quiet -q audit && rpm --quiet -q kernel && { ( ! ( grep -q aarch64 /proc/sys/kernel/osrelease ) && ! ( grep -q s390x /proc/sys/kernel/osrelease ) ); }; then
+if rpm --quiet -q audit && rpm --quiet -q kernel && { ( ! ( grep -q aarch64 /proc/sys/kernel/{osrelease,arch} ) && ! ( grep -q s390x /proc/sys/kernel/{osrelease,arch} ) ); }; then
 
 # Retrieve hardware architecture of the underlying system
 [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
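Review bot: the two negated greps on the `+` line read the same pair of files twice and, on kernels without `/proc/sys/kernel/arch`, produce two missing-file messages. They fold into one probe with the same truth table: `! grep -qsE 'aarch64|s390x' /proc/sys/kernel/osrelease /proc/sys/kernel/arch`. If the generator cannot merge alternatives, at least `-s` on each call keeps the remediation log readable.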

@dodys dodys requested a review from a team January 9, 2025 09:32
@Mab879
Member

Mab879 commented Jan 9, 2025

/packit retest-failed

@jan-cerny jan-cerny self-assigned this Jan 10, 2025
@jan-cerny jan-cerny added this to the 0.1.76 milestone Jan 10, 2025
Collaborator

@jan-cerny jan-cerny left a comment


It appears that using /proc/sys/kernel/arch doesn't work on RHEL 8 and RHEL 9 because it doesn't exist there.

[root@vm-10-0-185-192 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.10 (Ootpa)
[root@vm-10-0-185-192 ~]# cat /proc/sys/kernel/osrelease 
4.18.0-553.30.1.el8_10.x86_64
[root@vm-10-0-185-192 ~]# cat /proc/sys/kernel/arch
cat: /proc/sys/kernel/arch: No such file or directory
[root@vm-10-0-186-128 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.6 Beta (Plow)
[root@vm-10-0-186-128 ~]# cat /proc/sys/kernel/osrelease
5.14.0-547.el9.x86_64
[root@vm-10-0-186-128 ~]# cat /proc/sys/kernel/arch
cat: /proc/sys/kernel/arch: No such file or directory

It works on RHEL 10, though:

[root@vm-10-0-186-37 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 10.0 (Coughlan)
[root@vm-10-0-186-37 ~]# cat /proc/sys/kernel/osrelease
6.12.0-36.el10.x86_64
[root@vm-10-0-186-37 ~]# cat /proc/sys/kernel/arch
x86_64

I guess it might be the case also on some other systems that use older kernels. But I haven't checked.

I think you need to change this PR so that /proc/sys/kernel/osrelease is still used at least on RHEL 8 and RHEL 9. Hopefully it can be done using Jinja 2 macros and some variables.

@mpurg
Contributor Author

mpurg commented Jan 10, 2025

@jan-cerny Do you think it would be a good idea to switch to unix:uname_state:machine_class tests for oval?

@mpurg mpurg force-pushed the fix_arch_applicability branch from b60876f to 8275358 Compare January 10, 2025 14:27
@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Jan 10, 2025
@mpurg mpurg force-pushed the fix_arch_applicability branch from 8275358 to ef722f0 Compare January 10, 2025 14:30
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Jan 10, 2025
Architecture applicability conditionals were checking
only /proc/sys/kernel/osrelease, which doesn't contain
the architecture on Ubuntu.

Added /proc/sys/kernel/arch to the checks and refactored
the OVALs to a Jinja macro.
@mpurg mpurg force-pushed the fix_arch_applicability branch from ef722f0 to ca84abc Compare January 10, 2025 14:33
@mpurg
Contributor Author

mpurg commented Jan 10, 2025

I updated the PR so the architecture is checked for both in 'osrelease' and in 'arch'.

@jan-cerny
Collaborator

@jan-cerny Do you think it would be a good idea to switch to unix:uname_state:machine_class tests for oval?

@mpurg In theory yes, using OVAL uname_test should be better because it's a specialized OVAL test. However, the OpenSCAP's implementation of uname_test doesn't support offline mode. Using it here would cause us some problems when evaluating rule applicability in use-cases using the offline mode such as Image Builder, Image Mode RHEL or container scanning. So I think we should keep using the textfilecontent54_test here because of that.
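To make the three situations in this thread concrete, here is an added example (my own shell script, not code from ComplianceAsCode or from this PR) that runs the merged guard's predicate, written out without brace expansion, against constructed /proc fixtures. The two RHEL osrelease strings are copied from the reviewer's output above; the Ubuntu-style osrelease string, the fixture layout and the helper names `arch_seen`, `classify` and `make_fixture` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode code: exercise the merged guard's
# architecture predicate against constructed /proc fixtures so the cases
# discussed in the review can be compared side by side.

# The generated guard runs: grep -q ARCH /proc/sys/kernel/{osrelease,arch}
# Written out here without brace expansion so it also works under plain sh.
# GNU grep -q exits 0 as soon as any file matches, even when the other file
# is missing; -s only silences the "No such file or directory" message.
# arch_seen ROOT ARCH
arch_seen() {
    grep -qs "$2" "$1/proc/sys/kernel/osrelease" "$1/proc/sys/kernel/arch"
}

# What the guard can actually conclude for a fixture and an architecture:
#   match    - the token was found in at least one source
#   nomatch  - a source carried architecture information, but not this token
#   nosource - neither file says anything about the architecture, so the
#              guard answers "not applicable" for positive tests and
#              "applicable" for negated ones, whatever the real CPU is
# The token list is an assumption covering the three architectures the
# datastream diff in this PR tests for.
# classify ROOT ARCH
classify() {
    if arch_seen "$1" "$2"; then
        echo match
    elif [ -e "$1/proc/sys/kernel/arch" ] \
      || grep -qsE 'x86_64|aarch64|s390x' "$1/proc/sys/kernel/osrelease"; then
        echo nomatch
    else
        echo nosource
    fi
}

# make_fixture DIR OSRELEASE [ARCH]: build a fake /proc/sys/kernel under DIR.
make_fixture() {
    mkdir -p "$1/proc/sys/kernel"
    printf '%s\n' "$2" > "$1/proc/sys/kernel/osrelease"
    if [ -n "${3-}" ]; then
        printf '%s\n' "$3" > "$1/proc/sys/kernel/arch"
    fi
}

# Fixtures: the two RHEL osrelease strings are the ones the reviewer pasted,
# and the RHEL 10 arch file matches that output. The Ubuntu-style string is
# constructed to model an osrelease with no architecture suffix on a kernel
# that has no kernel.arch sysctl.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp/rhel8"  "4.18.0-553.30.1.el8_10.x86_64"
    make_fixture "$tmp/rhel10" "6.12.0-36.el10.x86_64" "x86_64"
    make_fixture "$tmp/ubuntu" "5.15.0-91-generic"
    for f in rhel8 rhel10 ubuntu; do
        printf '%-7s x86_64=%-8s s390x=%s\n' "$f" \
            "$(classify "$tmp/$f" x86_64)" "$(classify "$tmp/$f" s390x)"
    done
    rm -rf "$tmp"
}

demo
```

Running it prints one line per fixture. The first two behave as the merged guard intends (osrelease alone is enough on RHEL 8, either file is enough on RHEL 10). The third is the case to keep in mind: on a host whose osrelease has no architecture suffix and whose kernel has no kernel.arch sysctl, the guard cannot tell "not s390x" from "unknown", so negated checks treat the rule as applicable and positive checks treat it as not applicable, regardless of the hardware.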


codeclimate bot commented Jan 10, 2025

Code Climate has analyzed commit ca84abc and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 61.8% (0.0% change).


@jan-cerny jan-cerny merged commit ef3cc68 into ComplianceAsCode:master Jan 13, 2025
91 of 98 checks passed