OPENSCAP-5220 Change macro bash_bootc_build #12988
Conversation
Currently, Bash remediations for bootable container hardening depend on OpenSCAP passing the OSCAP_BOOTC_BUILD environment variable. We will change this approach. Instead, the Bash remediation code will detect the environment. It won't depend on the OSCAP_BOOTC_BUILD environment variable. Specifically, Jinja macros bash_bootc_build() and bash_not_bootc_build() will be reworked to contain a detection condition. We already do it in a similar way in IB, where the environment variable container sets them to bwrap-osbuild.
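The detection condition described above, as an added example that is not part of this PR or of the ComplianceAsCode project: the condition the reworked macros inline into each remediation, wrapped in a function and evaluated against simulated environments. `rpm_q`, `SIM_INSTALLED_PKGS`, `SIM_ROOT` and `classify` are hypothetical test stand-ins for rpm(8) and the real filesystem so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the ComplianceAsCode project: the detection
# condition that the reworked bash_bootc_build() macro renders, wrapped in a
# function and exercised against simulated environments. rpm_q and SIM_ROOT are
# hypothetical test knobs standing in for rpm(8) and the real filesystem.

SIM_INSTALLED_PKGS=""   # space-separated package names "installed" in the simulation
SIM_ROOT=""             # prefix under which the container marker files are looked up

# Mirrors `rpm --quiet -q pkg...`: succeeds only if every named package is present.
rpm_q() {
    for pkg in "$@"; do
        case " $SIM_INSTALLED_PKGS " in
            *" $pkg "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Condition rendered by bash_bootc_build(): a bootc image build is assumed when
# kernel, rpm-ostree and bootc are installed, openshift-kubelet is not, and a
# container marker file (/run/.containerenv or /.containerenv) exists.
is_bootc_build() {
    rpm_q kernel rpm-ostree bootc \
        && ! rpm_q openshift-kubelet \
        && { [ -f "$SIM_ROOT/run/.containerenv" ] || [ -f "$SIM_ROOT/.containerenv" ]; }
}

# bash_not_bootc_build() renders `! { ...; }` around the same group; the braces
# matter, because a bare `! rpm ... && ...` would negate only the first command.
is_not_bootc_build() {
    ! is_bootc_build
}

# classify PKGS MARKER: evaluate the condition for one simulated environment.
# PKGS is the installed package list; MARKER is 1 when /run/.containerenv exists.
classify() {
    SIM_INSTALLED_PKGS="$1"
    SIM_ROOT="$(mktemp -d)"
    if [ "$2" = "1" ]; then
        mkdir -p "$SIM_ROOT/run" && : > "$SIM_ROOT/run/.containerenv"
    fi
    if is_bootc_build; then
        result="bootc-build"
    else
        result="not-bootc-build"
    fi
    rm -rf "$SIM_ROOT"
    echo "$result"
}

# Walk through the environments the condition is meant to tell apart.
demo() {
    echo "bootc image build in a container: $(classify 'kernel rpm-ostree bootc' 1)"
    echo "OpenShift node image (kubelet):   $(classify 'kernel rpm-ostree bootc openshift-kubelet' 1)"
    echo "deployed bootc host (no marker):  $(classify 'kernel rpm-ostree bootc' 0)"
    echo "plain RPM host:                   $(classify 'kernel' 0)"
    echo "ordinary container without bootc: $(classify 'kernel' 1)"
}

demo
```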
This datastream diff is auto generated by the check.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if ( ! ( [ "${container:-}" == "bwrap-osbuild" ] ) && rpm --quiet -q kernel ); then
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; }; then
cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF
kargs = ["fips=1"]
EOF
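Review bot: the condition on the `+` line bakes in three heuristics that nothing in this hunk explains, and the bash_bootc_build() macro should carry a comment stating them: `rpm --quiet -q kernel rpm-ostree bootc` succeeds only if all three packages are installed, `! rpm --quiet -q openshift-kubelet` excludes OpenShift node images (the reason for the exclusion is not stated anywhere), and `/run/.containerenv` and `/.containerenv` are the marker files podman creates, so a bootc image built under a container runtime that does not create them takes the non-bootc branch and, for this rule, never writes 01-fips.toml. Please document the supported build environments in the macro so readers of the rendered shell do not have to reverse-engineer them.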
bash remediation for rule 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot' differs.
--- xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
+++ xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
systemctl disable ctrl-alt-del.target
systemctl mask ctrl-alt-del.target
else
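Review bot: the inner `rpm --quiet -q kernel` on the `+` line duplicates the enclosing platform check `if rpm --quiet -q kernel; then` on the line above; harmless, but it illustrates the cost of the new approach: every rendered remediation now runs two rpm database queries plus file tests where it previously compared one environment variable, and a profile applies dozens of such remediations during an image build. If the generator allows it, evaluate the detection once into a shell variable at the top of the generated script and have the macro test that variable.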
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force' differs.
--- xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
+++ xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
@@ -4,7 +4,7 @@
expected_value="force"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "iommu" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"iommu=[^\"]*\"(.*]\s*)/\1\"iommu=$expected_value\"\2/" "$KARGS_DIR/*.toml"
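Review bot: pre-existing, but visible in the context lines of this and every other grub2_*_argument hunk: `"$KARGS_DIR/*.toml"` is double-quoted, so the shell never expands the glob and grep and sed receive the literal path `/usr/lib/bootc/kargs.d//*.toml` (note the doubled slash from the trailing `/` in KARGS_DIR). Since this PR regenerates these lines anyway, a follow-up should write `"$KARGS_DIR"/*.toml` with the glob outside the quotes, or loop over the matching files.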
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng' differs.
--- xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng
+++ xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng
@@ -4,7 +4,7 @@
expected_value="on"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "random.trust_cpu" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"random.trust_cpu=[^\"]*\"(.*]\s*)/\1\"random.trust_cpu=$expected_value\"\2/" "$KARGS_DIR/*.toml"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_l1tf_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_l1tf_argument
+++ xccdf_org.ssgproject.content_rule_grub2_l1tf_argument
@@ -6,7 +6,7 @@
expected_value="$var_l1tf_options"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "l1tf" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"l1tf=[^\"]*\"(.*]\s*)/\1\"l1tf=$expected_value\"\2/" "$KARGS_DIR/*.toml"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_mce_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_mce_argument
+++ xccdf_org.ssgproject.content_rule_grub2_mce_argument
@@ -4,7 +4,7 @@
expected_value="0"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "mce" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"mce=[^\"]*\"(.*]\s*)/\1\"mce=$expected_value\"\2/" "$KARGS_DIR/*.toml"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent' differs.
--- xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
sed -i -E "/kargs\s*=\s*\[\s*\"nosmap=[^\"]*\"\s*]/{:a;N;/^\n$/ba;N;/match-architectures.*/d;}" "$KARGS_DIR/*.toml"
sed -i -E -e "s/^(\s*kargs\s*=\s*\[.*)\"nosmap=[^\"]*\"[,[:space:]]*(.*]\s*)/\1\2/" -e "s/^(\s*kargs.*),\s*\]$/\1\]/" "$KARGS_DIR/*.toml"
else
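Review bot: `$KARGS_DIR` is used by both sed commands in this hunk but never assigned: the hunk starts at line 1 of the remediation (`@@ -1,7 +1,7 @@`) and, unlike the grub2_*_argument rules, there is no `KARGS_DIR="/usr/lib/bootc/kargs.d/"` after the `if`, so the target expands to the literal `/*.toml` and both sed calls fail. This is pre-existing in the *_argument_absent template (the nosmep and systemd.debug-shell hunks below have the same shape) and the same double-quoted glob problem applies, but it is worth fixing while the template is being touched.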
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent' differs.
--- xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
sed -i -E "/kargs\s*=\s*\[\s*\"nosmep=[^\"]*\"\s*]/{:a;N;/^\n$/ba;N;/match-architectures.*/d;}" "$KARGS_DIR/*.toml"
sed -i -E -e "s/^(\s*kargs\s*=\s*\[.*)\"nosmep=[^\"]*\"[,[:space:]]*(.*]\s*)/\1\2/" -e "s/^(\s*kargs.*),\s*\]$/\1\]/" "$KARGS_DIR/*.toml"
else
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_pti_argument
+++ xccdf_org.ssgproject.content_rule_grub2_pti_argument
@@ -4,7 +4,7 @@
expected_value="on"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "pti" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"pti=[^\"]*\"(.*]\s*)/\1\"pti=$expected_value\"\2/" "$KARGS_DIR/*.toml"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
+++ xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
@@ -6,7 +6,7 @@
expected_value="$var_rng_core_default_quality"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "rng_core.default_quality" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"rng_core.default_quality=[^\"]*\"(.*]\s*)/\1\"rng_core.default_quality=$expected_value\"\2/" "$KARGS_DIR/*.toml"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument
+++ xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument
@@ -4,7 +4,7 @@
expected_value="yes"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "slab_nomerge" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"slab_nomerge=[^\"]*\"(.*]\s*)/\1\"slab_nomerge=$expected_value\"\2/" "$KARGS_DIR/*.toml"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument
+++ xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument
@@ -6,7 +6,7 @@
expected_value="$var_spec_store_bypass_disable_options"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "spec_store_bypass_disable" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"spec_store_bypass_disable=[^\"]*\"(.*]\s*)/\1\"spec_store_bypass_disable=$expected_value\"\2/" "$KARGS_DIR/*.toml"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument
+++ xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument
@@ -4,7 +4,7 @@
expected_value="on"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "spectre_v2" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"spectre_v2=[^\"]*\"(.*]\s*)/\1\"spectre_v2=$expected_value\"\2/" "$KARGS_DIR/*.toml"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent' differs.
--- xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
sed -i -E "/kargs\s*=\s*\[\s*\"systemd.debug-shell=[^\"]*\"\s*]/{:a;N;/^\n$/ba;N;/match-architectures.*/d;}" "$KARGS_DIR/*.toml"
sed -i -E -e "s/^(\s*kargs\s*=\s*\[.*)\"systemd.debug-shell=[^\"]*\"[,[:space:]]*(.*]\s*)/\1\2/" -e "s/^(\s*kargs.*),\s*\]$/\1\]/" "$KARGS_DIR/*.toml"
else
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
+++ xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
@@ -4,7 +4,7 @@
expected_value="none"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "vsyscall" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"vsyscall=[^\"]*\"(.*]\s*)/\1\"vsyscall=$expected_value\"\2/" "$KARGS_DIR/*.toml"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_cron_logging' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
+++ xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
@@ -6,7 +6,7 @@
echo "cron.* /var/log/cron" >> /etc/rsyslog.d/cron.conf
fi
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
systemctl restart rsyslog.service
fi
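Review bot: the `! { ...; }` on the `+` line negates the whole brace group, which correctly mirrors the old `!= "YES"` branch; the braces are load-bearing, because `! rpm --quiet -q kernel rpm-ostree bootc && ...` without them would negate only the first rpm call and invert the meaning of the chain. Since bash_not_bootc_build() guards every `systemctl restart` and `sysctl -w` in the content, please add a rendering test for that macro so a later edit cannot drop the braces unnoticed.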
bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted
+++ xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted
@@ -8,7 +8,7 @@
ipv4_rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
ipv6_rule='rule family=ipv6 source address="::1" destination not address="::1" drop'
-if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then
+if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; }; then
firewall-offline-cmd --zone=trusted --add-rich-rule="${ipv4_rule}"
firewall-offline-cmd --zone=trusted --add-rich-rule="${ipv6_rule}"
elif systemctl is-active firewalld; then
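Review bot: the brace group after `||` on the `+` line is required here as well: `||` and `&&` have equal precedence in the shell and associate left to right, so without the braces `test ... || rpm ... && ! rpm ... && { ... }` would parse as `(test ... || rpm ...) && ...` and a real chroot (first test true) would still be forced through the openshift-kubelet and container-marker checks. The rendered form is correct; noting it so the macro keeps the grouping when the condition is combined with other tests.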
bash remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted
+++ xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted
@@ -5,7 +5,7 @@
yum install -y "firewalld"
fi
-if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]]; then
+if test "$(stat -c %d:%i /)" != "$(stat -c %d:%i /proc/1/root/.)" || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; }; then
firewall-offline-cmd --zone=trusted --add-interface=lo
elif systemctl is-active firewalld; then
firewall-cmd --permanent --zone=trusted --add-interface=lo
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument
+++ xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument
@@ -4,7 +4,7 @@
expected_value="1"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "ipv6.disable" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"ipv6.disable=[^\"]*\"(.*]\s*)/\1\"ipv6.disable=$expected_value\"\2/" "$KARGS_DIR/*.toml"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6
@@ -29,7 +29,7 @@
#
# Set runtime for net.ipv6.conf.all.disable_ipv6
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.disable_ipv6="1"
fi
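Review bot: guarding the runtime `sysctl -w` with the negated detection is the right outcome: inside an image build the `-w` would target the build host's kernel (if the container permitted it at all) and contribute nothing to the image. A one-line comment above the `if` in the macro output, along the lines of `# runtime change skipped during a bootc image build`, would make the rendered remediation self-explanatory.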
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6
@@ -29,7 +29,7 @@
#
# Set runtime for net.ipv6.conf.default.disable_ipv6
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.disable_ipv6="1"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.all.accept_ra
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra="$sysctl_net_ipv6_conf_all_accept_ra_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_defrtr
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.all.accept_ra_defrtr
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_defrtr="$sysctl_net_ipv6_conf_all_accept_ra_defrtr_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_pinfo
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.all.accept_ra_pinfo
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_pinfo="$sysctl_net_ipv6_conf_all_accept_ra_pinfo_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.all.accept_ra_rtr_pref
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.all.accept_redirects
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects="$sysctl_net_ipv6_conf_all_accept_redirects_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.all.accept_source_route
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_source_route="$sysctl_net_ipv6_conf_all_accept_source_route_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_autoconf
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.all.autoconf
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.autoconf="$sysctl_net_ipv6_conf_all_autoconf_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.all.forwarding
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding="$sysctl_net_ipv6_conf_all_forwarding_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_max_addresses
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.all.max_addresses
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.max_addresses="$sysctl_net_ipv6_conf_all_max_addresses_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_router_solicitations
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.all.router_solicitations
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.all.router_solicitations="$sysctl_net_ipv6_conf_all_router_solicitations_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.default.accept_ra
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra="$sysctl_net_ipv6_conf_default_accept_ra_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_defrtr
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.default.accept_ra_defrtr
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_defrtr="$sysctl_net_ipv6_conf_default_accept_ra_defrtr_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_pinfo
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.default.accept_ra_pinfo
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_pinfo="$sysctl_net_ipv6_conf_default_accept_ra_pinfo_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.default.accept_ra_rtr_pref
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_ra_rtr_pref="$sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.default.accept_redirects
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_redirects="$sysctl_net_ipv6_conf_default_accept_redirects_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.default.accept_source_route
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.accept_source_route="$sysctl_net_ipv6_conf_default_accept_source_route_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_autoconf
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.default.autoconf
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.autoconf="$sysctl_net_ipv6_conf_default_autoconf_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_max_addresses
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.default.max_addresses
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.max_addresses="$sysctl_net_ipv6_conf_default_max_addresses_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_router_solicitations
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv6.conf.default.router_solicitations
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv6.conf.default.router_solicitations="$sysctl_net_ipv6_conf_default_router_solicitations_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local
@@ -29,7 +29,7 @@
#
# Set runtime for net.ipv4.conf.all.accept_local
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_local="0"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.all.accept_redirects
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects="$sysctl_net_ipv4_conf_all_accept_redirects_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.all.accept_source_route
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route="$sysctl_net_ipv4_conf_all_accept_source_route_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.all.arp_filter
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_filter="$sysctl_net_ipv4_conf_all_arp_filter_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.all.arp_ignore
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.arp_ignore="$sysctl_net_ipv4_conf_all_arp_ignore_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_drop_gratuitous_arp' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_drop_gratuitous_arp
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_drop_gratuitous_arp
@@ -29,7 +29,7 @@
#
# Set runtime for net.ipv4.conf.all.drop_gratuitous_arp
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.drop_gratuitous_arp="1"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_forwarding
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.all.forwarding
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.forwarding="$sysctl_net_ipv4_conf_all_forwarding_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.all.log_martians
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians="$sysctl_net_ipv4_conf_all_log_martians_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet
@@ -29,7 +29,7 @@
#
# Set runtime for net.ipv4.conf.all.route_localnet
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.route_localnet="0"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.all.rp_filter
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.rp_filter="$sysctl_net_ipv4_conf_all_rp_filter_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.all.secure_redirects
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.secure_redirects="$sysctl_net_ipv4_conf_all_secure_redirects_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.all.shared_media
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.shared_media="$sysctl_net_ipv4_conf_all_shared_media_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.default.accept_redirects
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects="$sysctl_net_ipv4_conf_default_accept_redirects_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.default.accept_source_route
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route="$sysctl_net_ipv4_conf_default_accept_source_route_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.default.log_martians
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians="$sysctl_net_ipv4_conf_default_log_martians_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.default.rp_filter
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.rp_filter="$sysctl_net_ipv4_conf_default_rp_filter_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.default.secure_redirects
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.secure_redirects="$sysctl_net_ipv4_conf_default_secure_redirects_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.conf.default.shared_media
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.shared_media="$sysctl_net_ipv4_conf_default_shared_media_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts="$sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.icmp_ignore_bogus_error_responses
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.icmp_ignore_bogus_error_responses="$sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range
@@ -29,7 +29,7 @@
#
# Set runtime for net.ipv4.ip_local_port_range
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.ip_local_port_range="32768 65535"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.tcp_invalid_ratelimit
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.tcp_invalid_ratelimit="$sysctl_net_ipv4_tcp_invalid_ratelimit_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_rfc1337
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.tcp_rfc1337
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.tcp_rfc1337="$sysctl_net_ipv4_tcp_rfc1337_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
@@ -31,7 +31,7 @@
#
# Set runtime for net.ipv4.tcp_syncookies
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies="$sysctl_net_ipv4_tcp_syncookies_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
@@ -29,7 +29,7 @@
#
# Set runtime for net.ipv4.conf.all.send_redirects
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects="0"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
@@ -29,7 +29,7 @@
#
# Set runtime for net.ipv4.conf.default.send_redirects
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects="0"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
@@ -29,7 +29,7 @@
#
# Set runtime for net.ipv4.ip_forward
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.ipv4.ip_forward="0"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks
+++ xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks
@@ -29,7 +29,7 @@
#
# Set runtime for fs.protected_hardlinks
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w fs.protected_hardlinks="1"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks
+++ xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks
@@ -29,7 +29,7 @@
#
# Set runtime for fs.protected_symlinks
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w fs.protected_symlinks="1"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.core_pattern
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.core_pattern="|/bin/false"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_core_uses_pid' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_core_uses_pid
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_core_uses_pid
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.core_uses_pid
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.core_uses_pid="0"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.dmesg_restrict
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.dmesg_restrict="1"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.kexec_load_disabled
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.kexec_load_disabled="1"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.panic_on_oops
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.panic_on_oops="1"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_cpu_time_max_percent
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.perf_cpu_time_max_percent
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.perf_cpu_time_max_percent="1"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_max_sample_rate
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.perf_event_max_sample_rate
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.perf_event_max_sample_rate="1"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.perf_event_paranoid
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.perf_event_paranoid="2"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.pid_max
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.pid_max="65536"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.sysrq
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.sysrq="0"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.unprivileged_bpf_disabled
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.unprivileged_bpf_disabled="1"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.yama.ptrace_scope
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.yama.ptrace_scope="1"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden
+++ xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden
@@ -29,7 +29,7 @@
#
# Set runtime for net.core.bpf_jit_harden
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w net.core.bpf_jit_harden="2"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
+++ xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
@@ -29,7 +29,7 @@
#
# Set runtime for user.max_user_namespaces
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w user.max_user_namespaces="0"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr
+++ xccdf_org.ssgproject.content_rule_sysctl_vm_mmap_min_addr
@@ -29,7 +29,7 @@
#
# Set runtime for vm.mmap_min_addr
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w vm.mmap_min_addr="65536"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
+++ xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable
@@ -29,7 +29,7 @@
#
# Set runtime for fs.suid_dumpable
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w fs.suid_dumpable="0"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
@@ -31,7 +31,7 @@
#
# Set runtime for kernel.kptr_restrict
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
@@ -29,7 +29,7 @@
#
# Set runtime for kernel.randomize_va_space
#
-if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
+if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
/sbin/sysctl -q -n -w kernel.randomize_va_space="2"
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_page_poison_argument
+++ xccdf_org.ssgproject.content_rule_grub2_page_poison_argument
@@ -4,7 +4,7 @@
expected_value="1"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "page_poison" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"page_poison=[^\"]*\"(.*]\s*)/\1\"page_poison=$expected_value\"\2/" "$KARGS_DIR/*.toml"
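Review bot: in the unchanged context lines of this hunk, `grep -q -E "page_poison" "$KARGS_DIR/*.toml"` and the following `sed -i -E ... "$KARGS_DIR/*.toml"` keep the `*.toml` glob inside double quotes, so the shell never expands it and both commands receive the literal path `/usr/lib/bootc/kargs.d//*.toml`; the grep therefore always fails and the sed never edits an existing kargs file. This is not introduced by the change, but the new detection makes the branch reachable without any environment variable, so it is worth fixing alongside it: keep the variable quoted and the glob outside it, for example `grep -q -E "page_poison" "$KARGS_DIR"*.toml`, or iterate with `for f in "$KARGS_DIR"*.toml` so that multiple files are handled one by one. The trailing slash in `KARGS_DIR="/usr/lib/bootc/kargs.d/"` combined with `$KARGS_DIR/` also yields a double slash; harmless, but drop one of them.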
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
+++ xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
@@ -6,7 +6,7 @@
expected_value="$var_slub_debug_options"
-if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
KARGS_DIR="/usr/lib/bootc/kargs.d/"
if grep -q -E "slub_debug" "$KARGS_DIR/*.toml" ; then
sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"slub_debug=[^\"]*\"(.*]\s*)/\1\"slub_debug=$expected_value\"\2/" "$KARGS_DIR/*.toml"
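Review bot: the context lines `grep -q -E "slub_debug" "$KARGS_DIR/*.toml"` and the `sed -i -E ... "$KARGS_DIR/*.toml"` after it quote the `*.toml` glob, so it is never expanded and the existing-file branch cannot match any real kargs file; the condition always falls through to whatever the else branch does. Move the glob outside the quotes (`"$KARGS_DIR"*.toml`) or loop over the matches so `sed -i` edits each file, and keep `$expected_value` (taken from `$var_slub_debug_options`) quoted as it already is.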
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_abrt_anon_write' differs.
--- xccdf_org.ssgproject.content_rule_sebool_abrt_anon_write
+++ xccdf_org.ssgproject.content_rule_sebool_abrt_anon_write
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
var_abrt_anon_write=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_abrt_handle_event' differs.
--- xccdf_org.ssgproject.content_rule_sebool_abrt_handle_event
+++ xccdf_org.ssgproject.content_rule_sebool_abrt_handle_event
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
var_abrt_handle_event=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_abrt_upload_watch_anon_write' differs.
--- xccdf_org.ssgproject.content_rule_sebool_abrt_upload_watch_anon_write
+++ xccdf_org.ssgproject.content_rule_sebool_abrt_upload_watch_anon_write
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
var_abrt_upload_watch_anon_write=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_antivirus_can_scan_system' differs.
--- xccdf_org.ssgproject.content_rule_sebool_antivirus_can_scan_system
+++ xccdf_org.ssgproject.content_rule_sebool_antivirus_can_scan_system
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
var_antivirus_can_scan_system=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_antivirus_use_jit' differs.
--- xccdf_org.ssgproject.content_rule_sebool_antivirus_use_jit
+++ xccdf_org.ssgproject.content_rule_sebool_antivirus_use_jit
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
var_antivirus_use_jit=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content' differs.
--- xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content
+++ xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
var_auditadm_exec_content=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_authlogin_nsswitch_use_ldap' differs.
--- xccdf_org.ssgproject.content_rule_sebool_authlogin_nsswitch_use_ldap
+++ xccdf_org.ssgproject.content_rule_sebool_authlogin_nsswitch_use_ldap
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
var_authlogin_nsswitch_use_ldap=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_authlogin_radius' differs.
--- xccdf_org.ssgproject.content_rule_sebool_authlogin_radius
+++ xccdf_org.ssgproject.content_rule_sebool_authlogin_radius
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
var_authlogin_radius=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_authlogin_yubikey' differs.
--- xccdf_org.ssgproject.content_rule_sebool_authlogin_yubikey
+++ xccdf_org.ssgproject.content_rule_sebool_authlogin_yubikey
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
var_authlogin_yubikey=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_awstats_purge_apache_log_files' differs.
--- xccdf_org.ssgproject.content_rule_sebool_awstats_purge_apache_log_files
+++ xccdf_org.ssgproject.content_rule_sebool_awstats_purge_apache_log_files
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
var_awstats_purge_apache_log_files=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_boinc_execmem' differs.
--- xccdf_org.ssgproject.content_rule_sebool_boinc_execmem
+++ xccdf_org.ssgproject.content_rule_sebool_boinc_execmem
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
var_boinc_execmem=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sebool_cdrecord_read_content' differs.
--- xccdf_org.ssgproject.content_rule_sebool_cdrecord_read_content
+++ xccdf_org.ssgproject.content_rule_sebool_cdrecord_read_content
@@ -6,7 +6,7 @@
fi
-if selinuxenabled || [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+if selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.con
... The diff is trimmed here ...
Wrap condition in curly braces to prevent operator priority problems when the macro is used as a part of a bigger expression.
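The detection condition from the diff above, and the operator-precedence problem the commit message refers to, as an added shell example (this is not ComplianceAsCode content or its Jinja macro code). It assumes `rpm` and `selinuxenabled` are resolved through normal command lookup, so the stub functions defined in the block shadow them with constructed host states, and it gives the marker-file checks an optional root prefix so they can run against a scratch directory instead of the real filesystem:

```bash
#!/usr/bin/env bash
# Added example, not part of the ComplianceAsCode content or its Jinja macros.
# It restates the bootc-build detection from the datastream diff as a function
# and shows why the macro output has to be wrapped in { ...; } when it is
# appended to `selinuxenabled ||` in the sebool remediations.
#
# Assumptions: rpm and selinuxenabled are resolved through normal command
# lookup (so the stub functions below shadow them); the marker-file paths take
# an optional root prefix so the checks can run against a scratch directory.

# Same condition as the `+` lines in the diff: all three packages installed,
# openshift-kubelet absent, and a podman/buildah container marker present.
is_bootc_build() {
  local root="${1:-}"
  rpm --quiet -q kernel rpm-ostree bootc \
    && ! rpm --quiet -q openshift-kubelet \
    && { [ -f "$root/run/.containerenv" ] || [ -f "$root/.containerenv" ]; }
}

# sebool remediation guard as generated: `selinuxenabled || { <macro>; }`.
sebool_guard_braced() {
  local root="${1:-}"
  selinuxenabled || { rpm --quiet -q kernel rpm-ostree bootc \
    && ! rpm --quiet -q openshift-kubelet \
    && { [ -f "$root/run/.containerenv" ] || [ -f "$root/.containerenv" ]; }; }
}

# The same guard without the outer braces. && and || have equal precedence in
# a shell list and group left to right, so this reads
#   ((selinuxenabled || rpm ...) && ! rpm ...) && { marker files }
# and an ordinary SELinux host with no marker file is skipped.
sebool_guard_unbraced() {
  local root="${1:-}"
  selinuxenabled || rpm --quiet -q kernel rpm-ostree bootc \
    && ! rpm --quiet -q openshift-kubelet \
    && { [ -f "$root/run/.containerenv" ] || [ -f "$root/.containerenv" ]; }
}

# --- constructed test doubles; a real system would use the real binaries ---
FAKE_INSTALLED=""   # space-separated package names the stub reports as installed
FAKE_SELINUX=1      # exit status the selinuxenabled stub returns (0 = enabled)

rpm() {
  # Understands `rpm --quiet -q PKG...`: succeed only if every PKG is "installed".
  local arg
  for arg in "$@"; do
    case "$arg" in -*) continue ;; esac
    case " $FAKE_INSTALLED " in *" $arg "*) ;; *) return 1 ;; esac
  done
  return 0
}
selinuxenabled() { return "$FAKE_SELINUX"; }

# Evaluate all three guards against a root directory and report the outcome.
evaluate_guards() {
  local root="$1" bootc braced unbraced
  is_bootc_build "$root"        && bootc=yes    || bootc=no
  sebool_guard_braced "$root"   && braced=run   || braced=skip
  sebool_guard_unbraced "$root" && unbraced=run || unbraced=skip
  echo "bootc=$bootc braced=$braced unbraced=$unbraced"
}

# Constructed scenarios. Each builds a scratch root, sets the fake host state,
# evaluates the guards and prints one summary line.
scenario_selinux_host() {      # plain RHEL host: SELinux enabled, no container marker
  FAKE_INSTALLED="kernel selinux-policy"; FAKE_SELINUX=0
  local root; root=$(mktemp -d)
  evaluate_guards "$root"; rm -rf "$root"
}
scenario_bootc_build() {       # podman build of a bootc image: SELinux off, marker present
  FAKE_INSTALLED="kernel rpm-ostree bootc"; FAKE_SELINUX=1
  local root; root=$(mktemp -d); mkdir -p "$root/run"; : > "$root/run/.containerenv"
  evaluate_guards "$root"; rm -rf "$root"
}
scenario_openshift_build() {   # same build, but openshift-kubelet installed: excluded
  FAKE_INSTALLED="kernel rpm-ostree bootc openshift-kubelet"; FAKE_SELINUX=1
  local root; root=$(mktemp -d); mkdir -p "$root/run"; : > "$root/run/.containerenv"
  evaluate_guards "$root"; rm -rf "$root"
}

for scenario in scenario_selinux_host scenario_bootc_build scenario_openshift_build; do
  printf '%-26s %s\n' "$scenario:" "$("$scenario")"
done
```

The first scenario is the one the braces protect: on a host where `selinuxenabled` succeeds, the unbraced form still goes on to require the container marker file and silently skips the remediation, while the braced form runs it. The third scenario shows the deliberate exclusion of images that carry openshift-kubelet, which the detection treats as not a bootc build even though the other packages and the marker are present.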
Code Climate has analyzed commit 9c4e7c0 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.9% (0.0% change). View more on Code Climate.
LGTM, the changes have been tested with automated tests from https://github.com/RHSecurityCompliance/contest/tree/main/hardening/container on both RHEL9 and RHEL10.
Merged commit 697fa03 into ComplianceAsCode:master.
Starting from ComplianceAsCode/content#12988 the SCAP content doesn't depend on exporting the OSCAP_BOOTC_BUILD variable. Therefore we can stop exporting this variable and we can stop passing this variable from outside environment to remediations environment.
