@@ -8,101 +8,57 @@ set -e -o pipefail
88# non root users
99PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
1010
11- # non root users are not able to access some kernel params, so they get excluded
12- SYSCTL_EXCLUDE='
13- dev.parport.parport0.autoprobe
14- dev.tty.legacy_tiocsti
15- fs.protected_hardlinks
16- fs.protected_fifos
17- fs.protected_regular
18- fs.protected_symlinks
19- kernel.apparmor_display_secid_mode
20- kernel.apparmor_restrict_unprivileged_userns
21- kernel.apparmor_restrict_unprivileged_userns_complain
22- kernel.apparmor_restrict_unprivileged_userns_force
23- kernel.cad_pid
24- kernel.unprivileged_userns_apparmor_policy
25- kernel.usermodehelper.bset
26- kernel.usermodehelper.inheritable
27- net.core.bpf_jit_harden
28- net.core.bpf_jit_kallsyms
29- net.core.bpf_jit_limit
30- net.ipv4.tcp_fastopen_key
31- stable_secret
32- vm.mmap_rnd_bits
33- vm.mmap_rnd_compat_bits
34- vm.stat_refresh'
35-
36- SYSCTL_EXCLUDE_REGEX=" $( printf ' \|%s' $SYSCTL_EXCLUDE ) "
37- # strip leading '\|'
38- SYSCTL_EXCLUDE_REGEX=${SYSCTL_EXCLUDE_REGEX: 2}
39-
4011function perform_test {
41- probecheck " sysctl" || return 255
42-
43- name=$( basename $0 .sh)
44-
45- result=$( mktemp ${name} .res.out.XXXXXX)
46- stderr=$( mktemp ${name} .err.out.XXXXXX)
47- ourNames=$( mktemp ${name} .our.out.XXXXXX)
48- sysctlNames=$( mktemp ${name} .sysctl.out.XXXXXX)
49-
50- echo " Result file: $result "
51- echo " Our names file: $ourNames "
52- echo " Sysctl names file: $sysctlNames "
53- echo " Errors file: $stderr "
54-
55- $OSCAP oval eval --results $result $srcdir /test_sysctl_probe_all.oval.xml > /dev/null 2> $stderr
56-
57- case $( uname) in
58- FreeBSD)
59- sysctl -aN 2> /dev/null > " $sysctlNames "
60- ;;
61- Linux)
62- # sysctl has duplicities in output
63- # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
64- # kernel parameters might use "/" and "." separators interchangeably - normalizing
65- sysctl -aN --deprecated 2> /dev/null | grep -v $SYSCTL_EXCLUDE_REGEX | tr " /" " ." | sort -u > " $sysctlNames "
66- ;;
67- esac
68-
69- grep unix-sys:name " $result " | grep -v $SYSCTL_EXCLUDE_REGEX | xsed -E ' s;.*>(.*)<.*;\1;g' | sort > " $ourNames "
70-
71- # If procps_ver > 3.3.12 we need to filter *stable_secret and vm.stat_refresh
72- # options from the sysctl output, for more details see
73- # https://github.com/OpenSCAP/openscap/issues/1152.
74- procps_ver=" $( package_version procps-ng procps) "
75-
76- lowest_ver=$( echo -e " 3.3.12\n$procps_ver " | sort -V | head -n1)
77- if [ " $procps_ver " != " $lowest_ver " ; then
78- sed -i ' /net.ipv6.conf.*stable_secret$/d' " $sysctlNames "
79- sed -i ' /.*vm.stat_refresh/d' " $sysctlNames "
80- fi
81-
82- if ! grep -q " hugepages" " $ourNames " ; then
83- sed -i " /^.*hugepages.*$/d" " $sysctlNames "
84- fi
85-
86- echo " Diff (sysctlNames / ourNames): ------"
87- diff " $sysctlNames " " $ourNames "
88- echo " -------------------------------------"
89-
90- # remove oscap error message related to permissions from stderr
91- sed -i -E " /^E: oscap: +Can't read sysctl value from /d" " $stderr "
92- sed -i -E " /^E: oscap: +An error.*, Operation not permitted/d" " $stderr "
93-
94- # remove oscap error message related to gibberish binary entries
95- # that can't fit into 8K buffer and result in errno 14
96- # (for example /proc/sys/kernel/spl/hostid could be the case)
97- sed -i -E " /^E: oscap: +An error.*14, Bad address/d" " $stderr "
98- sed -i " /^.*hugepages.*$/d" " $stderr "
99-
100- echo " Errors (without messages related to permissions):"
101- cat " $stderr "
102-
103- [ ! -s $stderr ]
104-
105- rm $stderr $result $ourNames $sysctlNames
12+ probecheck " sysctl" || return 255
13+
14+ name=$( basename $0 .sh)
15+
16+ result=$( mktemp ${name} .res.out.XXXXXX)
17+ stderr=$( mktemp ${name} .err.out.XXXXXX)
18+ ourNames=$( mktemp ${name} .our.out.XXXXXX)
19+ sysctlNames=$( mktemp ${name} .sysctl.out.XXXXXX)
20+
21+ echo " Result file: $result "
22+ echo " Our names file: $ourNames "
23+ echo " Sysctl names file: $sysctlNames "
24+ echo " Errors file: $stderr "
25+
26+ $OSCAP oval eval --results $result $srcdir /test_sysctl_probe_all.oval.xml > /dev/null 2> $stderr
27+
28+ case $( uname) in
29+ FreeBSD)
30+ sysctl -aN 2> /dev/null > " $sysctlNames "
31+ ;;
32+ Linux)
33+ # sysctl has duplicities in output
34+ # hide permission errors like: "sysctl: permission denied on key 'fs.protected_hardlinks'"
35+ # kernel parameters might use "/" and "." separators interchangeably - normalizing
36+ sysctl -a --deprecated 2> /dev/null | tr " /" " ." | cut -d " =" | tr -d " " | sort -u > " $sysctlNames "
37+ ;;
38+ esac
39+
40+ grep unix-sys:name " $result " | xsed -E ' s;.*>(.*)<.*;\1;g' | sort > " $ourNames "
41+
42+ echo " Diff (sysctlNames / ourNames): ------"
43+ diff " $sysctlNames " " $ourNames "
44+ echo " -------------------------------------"
45+
46+ # remove oscap error message related to permissions from stderr
47+ sed -i -E " /^E: oscap: +Can't read sysctl value from /d" " $stderr "
48+ sed -i -E " /^E: oscap: +An error.*, Operation not permitted/d" " $stderr "
49+
50+ # remove oscap error message related to gibberish binary entries
51+ # that can't fit into 8K buffer and result in errno 14
52+ # (for example /proc/sys/kernel/spl/hostid could be the case)
53+ sed -i -E " /^E: oscap: +An error.*14, Bad address/d" " $stderr "
54+ sed -i " /^.*hugepages.*$/d" " $stderr "
55+
56+ echo " Errors (without messages related to permissions):"
57+ cat " $stderr "
58+
59+ [ ! -s $stderr ]
60+
61+ rm $stderr $result $ourNames $sysctlNames
10662}
10763
10864perform_test
0 commit comments