Use opening parenthesis in the switch case condition of RHEL-08-020041

[ggbecker]

Description:

• Use opening parenthesis in the switch case condition of RHEL-08-020041.

Rationale:

• This change is to align with DISA STIG since it's also a valid syntax and they have not changed their SCAP content. The OVAL file should still accept a configuration without the opening parenthesis by making it optional in the regex.

With this change we will be able to remove the waiver from the STIG alignment test: https://gitlab.com/redhat/rhel/tests/scap-security-guide/-/blob/master/Library/ssg-test-suite/disa_alignment_waivers/rhel8#L2

@mildas See the above.

Fixes: #9309

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_tmux' differs.
--- xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
+++ xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
@@ -1,12 +1,12 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q tmux; then
 
-if ! grep -x ' case "$name" in sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then
+if ! grep -x ' case "$name" in (sshd|login) tmux ;; esac' /etc/bashrc /etc/profile.d/*.sh; then
 cat >> /etc/profile.d/tmux.sh <<'EOF'
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) tmux ;; esac
+ case "$name" in (sshd|login) tmux ;; esac
 fi
 EOF
 chmod 0644 /etc/profile.d/tmux.sh

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_tmux' differs.
--- xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
+++ xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
@@ -16,7 +16,7 @@
 ansible.builtin.find:
 paths: /etc
 patterns: bashrc
- contains: .*case "$name" in sshd|login) tmux ;; esac.*
+ contains: .*case "$name" in (sshd|login) tmux ;; esac.*
 register: tmux_in_bashrc
 when: '"tmux" in ansible_facts.packages'
 tags:
@@ -34,7 +34,7 @@
 ansible.builtin.find:
 paths: /etc/profile.d
 patterns: '*.sh'
- contains: .*case "$name" in sshd|login) tmux ;; esac.*
+ contains: .*case "$name" in (sshd|login) tmux ;; esac.*
 register: tmux_in_profile_d
 when: '"tmux" in ansible_facts.packages'
 tags:
@@ -55,7 +55,7 @@
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) tmux ;; esac
+ case "$name" in (sshd|login) tmux ;; esac
 fi
 create: true
 when:

[mildas]

@ggbecker After testing, it's unfortunately still misaligned. Not because the string, but because of not running tmux, which is not part of our check/remediation.

OVAL test results details

/etc/profile.d/*.sh contains a shell script to initialize the tmux terminal multiplexer as each shell is called.  oval:mil.disa.stig.rhel8:tst:19400  true

Following items have been found on the system:

Path	Content
/etc/profile.d/tmux.sh	if [ "$PS1" ]; then parent=$(ps -o ppid= -p $) name=$(ps -o comm= -p $parent) case "$name" in (sshd|login) tmux ;; esac fi

The tmux process is running.  oval:mil.disa.stig.rhel8:tst:19401  false

No items have been found conforming to the following objects:

Object oval:mil.disa.stig.rhel8:obj:19401 of type process58_object

Command line	Pid
^(/usr/bin/)?tmux\b	1

[ggbecker]

@ggbecker After testing, it's unfortunately still misaligned. Not because the string, but because of not running tmux, which is not part of our check/remediation.
OVAL test results details

Okay, but I'm not sure if running tmux in the remediation would be the correct approach. Furthermore, the only change we requested DISA was to change the parenthesis thing, I don't recall anything about the running tmux, so I'm not sure exactly what to do here.

Is it the case that a reboot would fix the misalignment? Because new shells would spawn tmux and then the requirement would be met for example.

[codeclimate]

Code Climate has analyzed commit 97fa904 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 52.4% (0.0% change).

View more on Code Climate.

[ggbecker]

The Automatus CS9 fails because the rule is not part of the RHEL9 DS:

content/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_tmux/rule.yml

Line 3 in 3d9b19c

prodtype: ol8,rhel8

So it should be safe to ignore.

[jan-cerny]

@mildas @yuumasato PING

[ggbecker]

@mildas @yuumasato PING

This should be quite safe to merge IMO.

[yuumasato]

Thank you for this patch, indeed the opening parenthesis is allowed:
https://www.gnu.org/software/bash/manual/bash.html#index-case

[yuumasato]

@ggbecker After testing, it's unfortunately still misaligned. Not because the string, but because of not running tmux, which is not part of our check/remediation.
OVAL test results details

We had a check for "tmux running" before and decided to remove it:
#8246