From 68f360253ce124de0fb998ab37a1c3dcdc98924b Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Thu, 7 Nov 2024 10:58:56 +0100
Subject: [PATCH 1/4] fix system_with_kernel applicability for debian derived operating systems
---
 shared/applicability/oval/system_with_kernel.xml | 4 +++-
 shared/applicability/system_with_kernel.yml | 10 ++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/shared/applicability/oval/system_with_kernel.xml b/shared/applicability/oval/system_with_kernel.xml
index 233bc4352ac..2621909f630 100644
--- a/shared/applicability/oval/system_with_kernel.xml
+++ b/shared/applicability/oval/system_with_kernel.xml
@@ -5,7 +5,9 @@
-{{% if 'sle' in product or 'slmicro' in product %}}
+{{% if 'debian' in product or 'ubuntu' in product %}}
+{{{ oval_test_package_installed(package="linux-base", test_id="inventory_test_kernel_installed") }}}
+{{% elif 'sle' in product or 'slmicro' in product %}}
 {{{ oval_test_package_installed(package="kernel-default", test_id="inventory_test_kernel_installed") }}}
 {{% else %}}
 {{{ oval_test_package_installed(package="kernel", test_id="inventory_test_kernel_installed") }}}
diff --git a/shared/applicability/system_with_kernel.yml b/shared/applicability/system_with_kernel.yml
index 1ea9313ed3b..25326d3d8a1 100644
--- a/shared/applicability/system_with_kernel.yml
+++ b/shared/applicability/system_with_kernel.yml
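Review bot: The new Debian/Ubuntu branch keys "a kernel is installed" on the `linux-base` package, but the template gives no rationale and a reader will expect a `linux-image-*` name here; a one-line comment above the branch would stop a later maintainer from swapping it back, e.g. `{{# Debian-family kernel images are versioned (linux-image-<ver>); linux-base is the unversioned package they depend on, so it is the stable name to test #}}` — that dependency should be confirmed against every supported Debian and Ubuntu release. The same package choice and the same product condition are repeated in system_with_kernel.yml in this patch, so whichever wording is chosen belongs in both files. If `linux-base` can be installed without any kernel image (it appears to be an ordinary, non-virtual package), this test over-approximates applicability; if that matters, an existence test on `linux-image-*` would be the stricter check.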
@@ -22,9 +22,15 @@ bash_conditional: "rpm --quiet -q kernel-default"
 bash_conditional: "rpm --quiet -q kernel"
 {{% endif %}}
 {{% else %}}
-bash_conditional: "dpkg-query --show --showformat='${db:Status-Status}\n' 'kernel' 2>/dev/null | grep -q installed"
+{{% if "debian" in product or "ubuntu" in product %}}
+bash_conditional: "dpkg-query --show --showformat='${db:Status-Status}\n' 'linux-base' 2>/dev/null | grep -q ^installed"
+{{% else %}}
+bash_conditional: "dpkg-query --show --showformat='${db:Status-Status}\n' 'kernel' 2>/dev/null | grep -q ^installed"
 {{% endif %}}
-{{% if "sle" in product or "slmicro" in product %}}
+{{% endif %}}
+{{% if "debian" in product or "ubuntu" in product %}}
+ansible_conditional: '"linux-base" in ansible_facts.packages'
+{{% elif "sle" in product or "slmicro" in product %}}
 ansible_conditional: '"kernel-default" in ansible_facts.packages'
 {{% else %}}
 ansible_conditional: '"kernel" in ansible_facts.packages'
From f549594129553624b842bdc5abc747cf474bc3d4 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Thu, 7 Nov 2024 11:28:03 +0100
Subject: [PATCH 2/4] fix accounts_users_home_files_groupownership bash remediation to handle symlinks properly
---
 .../accounts_users_home_files_groupownership/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
index 8c65f743176..f3fb63b3654 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership/bash/shared.sh
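Review bot: The product condition `"debian" in product or "ubuntu" in product` now appears twice in this file (once inside the dpkg branch for `bash_conditional`, once in the `ansible_conditional` chain) and a third time, with single quotes, in the OVAL template of the same patch; hoisting it once at the top of the file, `{{%- set debian_like = "debian" in product or "ubuntu" in product -%}}` and then `{{% if debian_like %}}`, keeps the three checks from drifting apart, and the quote style should match the OVAL file either way. The anchored `^installed` is a real improvement over the old `installed` match, since `${db:Status-Status}` can also report states such as `not-installed`. The remaining dpkg `else` branch still queries a package literally named `kernel`; if no dpkg-based product in the tree ships such a package this branch is effectively dead and a comment saying so (or dropping it) would help.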
@@ -10,5 +10,5 @@ for user in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid }}}
 # Only update the group-ownership when necessary. This will avoid changing the inode timestamp
 # when the group is already defined as expected, therefore not impacting in possible integrity
 # check systems that also check inodes timestamps.
- find $home_dir -not -group $group -exec chgrp -f $group {} \;
+ find $home_dir -not -group $group -exec chgrp -f --no-dereference $group {} \;
 done
From 7adc6dbc2a53bcf171e06c7f87c45705a1455b00 Mon Sep 17 00:00:00 2001
From: Alexandre Skrzyniarz
Date: Thu, 7 Nov 2024 11:42:23 +0100
Subject: [PATCH 3/4] fix accounts_users_home_files_ownership bash remediation to handle symlinks properly
---
 .../accounts_users_home_files_ownership/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
index 1c46cc50c69..55b12552a10 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_ownership/bash/shared.sh
@@ -9,5 +9,5 @@ for user in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid }}}
 # Only update the ownership when necessary. This will avoid changing the inode timestamp
 # when the owner is already defined as expected, therefore not impacting in possible integrity
 # check systems that also check inodes timestamps.
- find $home_dir -not -user $user -exec chown -f $user {} \;
+ find $home_dir -not -user $user -exec chown -f --no-dereference $user {} \;
 done
From d18e07f6769ffce4ce579fbc576a786e7bb751d0 Mon Sep 17 00:00:00 2001
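Review bot: `$home_dir` and `$group` are still expanded unquoted on the rewritten `find` line, so a home directory containing whitespace or glob characters is word-split before `find` sees it; the same applies to `$home_dir` and `$user` in the accounts_users_home_files_ownership hunk below. Since the line is being touched anyway, `find "$home_dir" -not -group "$group" -exec chgrp -f --no-dereference "$group" {} \;` (and the matching quoting in the chown remediation) closes that. Adding `--no-dereference` is the right fix: with the default dereferencing behaviour a symbolic link inside the home directory would have had the group of its target changed, and that target need not be under the home directory at all; `-h` is the POSIX spelling of the same option and would be more portable if this shared remediation ever meets a non-GNU coreutils. The enclosing `for user in …` loop begins before the hunk.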
From: Alexandre Skrzyniarz
Date: Thu, 7 Nov 2024 18:55:02 +0100
Subject: [PATCH 4/4] fix accounts_users_home_files_permissions to handle symlinks properly
chmod syscall doesn't apply to symlinks, so they shall be ignored when setting user files permissions.
- OVAL check now filters out symlinks
- bash_restrict_permissions_home_directories macro now ignore symlinks
---
 .../accounts_users_home_files_permissions/oval/shared.xml | 4 ++++
 shared/macros/10-bash.jinja | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
index 94bf720a340..f95ab09f377 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_users_home_files_permissions/oval/shared.xml
@@ -24,11 +24,15 @@
+
+ symbolic link
+ ^[^\.].*
+ state_accounts_users_home_files_permissions_is_symlink
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index 883f8929ddf..d9ad023124a 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -1432,9 +1432,9 @@ for home_dir in $(awk -F':' '{ if ($3 >= {{{ uid_min }}} && $3 != {{{ nobody_uid
 # the permission is already defined as expected, therefore not impacting in possible integrity
 # check systems that also check inodes timestamps.
 {{%- if recursive %}}
- find "$home_dir" -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
+ find "$home_dir" -perm /7027 \! -type l -exec chmod u-s,g-w-s,o=- {} \;
 {{%- else %}}
- find "$home_dir" -maxdepth 0 -perm /7027 -exec chmod u-s,g-w-s,o=- {} \;
+ find "$home_dir" -maxdepth 0 -perm /7027 \! -type l -exec chmod u-s,g-w-s,o=- {} \;
 {{%- endif %}}
 done
 {{%- endmacro -%}}
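Review bot: The two `find` invocations in the bash_restrict_permissions_home_directories macro now differ only by `-maxdepth 0`, and the whole predicate tail `-perm /7027 \! -type l -exec chmod u-s,g-w-s,o=- {} \;` is duplicated, which is exactly the kind of pair that drifts the next time a predicate is added; collapsing it to `{{%- set depth = "" if recursive else "-maxdepth 0" -%}}` followed by a single `find "$home_dir" {{{ depth }}} -perm /7027 \! -type l -exec chmod u-s,g-w-s,o=- {} \;` keeps one copy. The sibling remediations touched earlier in this series spell negation as `-not` while this hunk uses `\!`; both work, but one form across the tree reads better (`!` is the POSIX one). Excluding links is the right call here, since on Linux a symbolic link's own mode is 0777 and so always matched `-perm /7027`, and chmod cannot operate on the link itself, so the old command applied the mode change to whatever the link pointed at. The `for home_dir in …` loop and the macro header begin before the hunk.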