sysctl_kernel_core_pattern_empty_string: align with template #14448
Merged: jan-cerny merged 1 commit into ComplianceAsCode:master on Feb 24, 2026
…ule similar to the templated one Ansible, Bash, OVAL Template not used, because empty string is tricky to implement in the current sysctl template and I decided that reengineering the whole template is not worth the result.
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled'.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -9,18 +9,15 @@
SELINUX=enforcing
OR
SELINUX=permissive
-If SELinux is currently disabled or not configured, ensure that all files have correct SELinux
-labels by running:
+Ensure that all files have correct SELinux labels by running:
fixfiles onboot
Then reboot the system.
[warning]:
-The automated remediation checks the SELinux configuration in /etc/selinux/config.
-If SELinux is already set to "enforcing" or "permissive", the current state is preserved
-and no changes are made. If SELinux is "disabled" or not configured, the remediation will
-adopt a conservative approach and set it to "permissive" in order to avoid any system
-disruption and give the administrator the opportunity to assess the impact and necessary
-efforts before setting it to "enforcing", which is strongly recommended.
+In case the SELinux is "disabled", the automated remediation will adopt a more
+conservative approach and set it to "permissive" in order to avoid any system disruption
+and give the administrator the opportunity to assess the impact and necessary efforts
+before setting it to "enforcing", which is strongly recommended.
[reference]:
1.3.1.4
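Review bot: the rewritten warning in this hunk (the '+' lines starting "In case the SELinux is "disabled"") only describes the disabled case and drops the removed statements that an existing "enforcing" or "permissive" value is preserved and that a missing SELINUX= line is also remediated. The bash remediation diff further down removes the state check entirely and always writes SELINUX=permissive, so this warning understates what happens on an already-enforcing host; either keep the previous wording together with the guard, or state plainly that the setting is rewritten. Also note that this PR is titled for sysctl_kernel_core_pattern_empty_string while the generated datastream diff touches only selinux_not_disabled, which suggests the branch is behind master and should be rebased so the diff reflects just the sysctl changes.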
bash remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled' differs.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -1,17 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then
-# Check current SELinux state in config file
-selinux_current_state=""
-if [ -f "/etc/selinux/config" ]; then
- selinux_current_state=$(grep -oP '^\s*SELINUX=\K(enforcing|permissive|disabled)' /etc/selinux/config || true)
-fi
-
-# Only remediate if SELinux is disabled or not configured
-# If already set to enforcing or permissive, it's compliant - preserve the current state
-if [ "$selinux_current_state" != "enforcing" ] && [ "$selinux_current_state" != "permissive" ]; then
- # SELinux is disabled or not configured, set to permissive as a conservative approach
- if [ -e "/etc/selinux/config" ] ; then
+if [ -e "/etc/selinux/config" ] ; then
LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"
else
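Review bot: removing the selinux_current_state check (the '-' lines from `selinux_current_state=""` through `if [ "$selinux_current_state" != "enforcing" ] && [ "$selinux_current_state" != "permissive" ]`) makes the remediation unconditional: every SELINUX= line is deleted by `LC_ALL=C sed -i "/^SELINUX=/Id" "/etc/selinux/config"` and, per the next hunk, replaced with SELINUX=permissive, so a host already configured as enforcing is downgraded to permissive. That is a regression relative to the removed code, which preserved enforcing/permissive and only acted when the value was disabled or unset. If this is an unintended revert from a stale branch, rebase; otherwise keep the guard so the sed/printf path runs only when the current value is neither enforcing nor permissive.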
@@ -25,8 +15,8 @@
printf '%s\n' "SELINUX=permissive" >> "/etc/selinux/config"
# Clean up after ourselves.
rm "/etc/selinux/config.bak"
- fixfiles onboot
-fi
+
+fixfiles onboot
else
>&2 echo 'Remediation is not applicable, nothing was done'
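Review bot: `fixfiles onboot` moves out of the conditional block and now runs every time the script executes, not only on the path that changed /etc/selinux/config, so each application of the content schedules a full filesystem relabel on the next boot. Suggest running it only where the SELINUX= value was actually changed (inside the guard that the previous hunk removed, or after comparing the value before and after the sed/printf), so repeated remediation runs do not keep triggering relabels.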
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled' differs.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -10,13 +10,12 @@
- restrict_strategy
- selinux_not_disabled
-- name: Ensure SELinux is Not Disabled - Check current SELinux configuration
+- name: Ensure SELinux is Not Disabled - Check current SELinux state
ansible.builtin.command:
- cmd: grep -oP '^\s*SELINUX=\K(enforcing|permissive|disabled)' /etc/selinux/config
- register: selinux_config_state
+ cmd: getenforce
+ register: current_selinux_state
check_mode: false
changed_when: false
- failed_when: false
when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86151-8
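Review bot: replacing the grep of SELINUX= in /etc/selinux/config with `cmd: getenforce` changes what is measured: getenforce reports the running kernel state, while the later tasks edit the persistent configuration file, so a host currently enforcing whose config file has been set to disabled would be read as compliant here. Dropping `failed_when: false` also means the play now aborts if the getenforce binary is missing (it is shipped by libselinux-utils, and the `when:` only checks for kernel-core) instead of falling through to the remediation. Suggest keeping the config-file based check, or keeping `failed_when: false` and treating a failed command as "not configured".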
@@ -27,49 +26,35 @@
- restrict_strategy
- selinux_not_disabled
-- name: Ensure SELinux is Not Disabled - Set SELinux state to permissive if disabled
- or not configured
+- name: Ensure SELinux is Not Disabled
block:
- - name: Ensure SELinux is Not Disabled
- block:
+ - name: Check for duplicate values
+ ansible.builtin.lineinfile:
+ path: /etc/selinux/config
+ create: true
+ regexp: (?i)^SELINUX=
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
- - name: Check for duplicate values
- ansible.builtin.lineinfile:
- path: /etc/selinux/config
- create: true
- regexp: (?i)^SELINUX=
- state: absent
- check_mode: true
- changed_when: false
- register: dupes
+ - name: Deduplicate values from /etc/selinux/config
+ ansible.builtin.lineinfile:
+ path: /etc/selinux/config
+ create: true
+ regexp: (?i)^SELINUX=
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
- - name: Deduplicate values from /etc/selinux/config
- ansible.builtin.lineinfile:
- path: /etc/selinux/config
- create: true
- regexp: (?i)^SELINUX=
- state: absent
- when: dupes.found is defined and dupes.found > 1
-
- - name: Insert correct line to /etc/selinux/config
- ansible.builtin.lineinfile:
- path: /etc/selinux/config
- create: true
- regexp: (?i)^SELINUX=
- line: SELINUX=permissive
- state: present
-
- - name: Ensure SELinux is Not Disabled - Mark system to relabel SELinux on next
- boot
- ansible.builtin.file:
- path: /.autorelabel
- state: touch
- access_time: preserve
- modification_time: preserve
- when:
- - '"kernel-core" in ansible_facts.packages'
- - selinux_config_state.stdout not in ['enforcing', 'permissive']
+ - name: Insert correct line to /etc/selinux/config
+ ansible.builtin.lineinfile:
+ path: /etc/selinux/config
+ create: true
+ regexp: (?i)^SELINUX=
+ line: SELINUX=permissive
+ state: present
+ when: '"kernel-core" in ansible_facts.packages'
tags:
- CCE-86151-8
- high_severity
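Review bot: the removed outer block was conditioned on `selinux_config_state.stdout not in ['enforcing', 'permissive']`; the replacement block is conditioned on `'"kernel-core" in ansible_facts.packages'` alone, so the "Insert correct line to /etc/selinux/config" task with `line: SELINUX=permissive` now runs on every host and overwrites an existing SELINUX=enforcing. As with the bash change, this downgrades enforcing hosts to permissive; keep a state-based condition on the block (for example on the registered current_selinux_state from the previous task) so only disabled or unconfigured hosts are rewritten.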
@@ -78,3 +63,21 @@
- reboot_required
- restrict_strategy
- selinux_not_disabled
+
+- name: Ensure SELinux is Not Disabled - Mark system to relabel SELinux on next boot
+ ansible.builtin.file:
+ path: /.autorelabel
+ state: touch
+ access_time: preserve
+ modification_time: preserve
+ when:
+ - '"kernel-core" in ansible_facts.packages'
+ - current_selinux_state.stdout | lower != "permissive"
+ tags:
+ - CCE-86151-8
+ - high_severity
+ - low_complexity
+ - low_disruption
+ - reboot_required
+ - restrict_strategy
+ - selinux_not_disabled |
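Review bot: the relabel task now fires whenever `current_selinux_state.stdout | lower != "permissive"`, which includes hosts already running in enforcing mode, so /.autorelabel gets touched (and reboot_required applies) on systems that are compliant and more strictly configured than the remediation target. Condition it on the state the remediation is meant to fix, i.e. "disabled", or better on the lineinfile task having reported a change, so the relabel only happens when SELinux is actually being turned on.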
jan-cerny (Collaborator) approved these changes on Feb 24, 2026 and left a comment:
I have run a custom productization pipeline on RHEL 9.8 that executed the tests listed in #14373 with this PR and they all pass.
Also the automatus tests pass on RHEL 9.
jcerny@fedora:~/work/git/scap-security-guide (pr/14448)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 sysctl_kernel_core_pattern_empty_string
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2026-02-24-1409/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern_empty_string
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_with_spaces.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script wrong_value_d_directory.fail.sh using profile (all) OK
INFO - Script wrong_value_runtime.fail.sh using profile (all) OK
INFO - Script wrong_value_three_entries.fail.sh using profile (all) OK
INFO - Script wrong_value_two_entries.fail.sh using profile (all) OK
jcerny@fedora:~/work/git/scap-security-guide (pr/14448)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 --remediate-using ansible sysctl_kernel_core_pattern_empty_string
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2026-02-24-1411/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern_empty_string
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script correct_value_with_spaces.pass.sh using profile (all) OK
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script wrong_value_d_directory.fail.sh using profile (all) OK
INFO - Script wrong_value_runtime.fail.sh using profile (all) OK
INFO - Script wrong_value_three_entries.fail.sh using profile (all) OK
INFO - Script wrong_value_two_entries.fail.sh using profile (all) OK
<ind:textfilecontent54_object id="object_static_usr_lib_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
  <ind:path>/usr/lib/sysctl.d</ind:path>
  <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
  <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
Collaborator comment on the lines above:
Minor suggestion: The regular expression repeats multiple times in the OVAL. It would be better to extract the regular expression to a Jinja variable so that it would be defined only once and therefore easier to change in the future.
Description:
Align the custom Bash, Ansible, and OVAL implementations of sysctl_kernel_core_pattern_empty_string with the patterns used by the sysctl template (as seen in the sibling rule sysctl_kernel_core_pattern). The rule cannot use the template directly because the sysctl template does not support empty string values without significant reengineering.

Bash: Add bootc/container guard (bash_not_bootc_build) around the sysctl -w call, add /usr/local/lib/sysctl.d/ to the comment-out loop, add --follow-symlinks to sed, add systemd-sysctl symlink skip, write to /etc/sysctl.d/kernel_core_pattern.conf instead of /etc/sysctl.conf, use the bash_replace_or_append macro with CCE identifiers.

Ansible: Add set_fact for sysctl_paths including /usr/local/lib/sysctl.d/, add task to comment out entries from /etc/sysctl.conf, write to /etc/sysctl.d/kernel_core_pattern.conf instead of /etc/sysctl.conf.

OVAL: Rewrite static check to use the template's OR-based structure (user files correct OR user files missing AND package-managed files correct), add /usr/local/lib/sysctl.d/ and /usr/lib/sysctl.d/ directory checks, drop custom "defined_in_one_file" and symlink handling checks.

Rationale:
The custom Bash remediation called sysctl -w directly without the bash_not_bootc_build() guard, causing remediation failures in container/bootc build environments. Aligning the implementation with the template also brings consistency in directory coverage and config file handling.

Fixes sysctl_kernel_core_pattern_empty_string fails on RHEL9.8 #14373

Review Hints:
Affected products: rhel9, rhel10. Build with:
./build_product --datastream-only rhel10

Automatus tests all pass (7 scenarios × 2 remediation types = 14/14 on rhel10):

The rendered OVAL closely mirrors the template-generated OVAL for sysctl_kernel_core_pattern, except it uses [[:blank:]] instead of [\s] in regex patterns (to avoid a cross-newline matching issue) and checks for an empty string value instead of |/bin/false.

Review all changes together — they form a single cohesive update.
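The two regex points raised on this page, the cross-newline matching issue behind the [[:blank:]] choice in the description and the reviewer's request to define the pattern once, can be shown with a small checker. The following is an added example written for this discussion; it is not ComplianceAsCode code and not the OVAL the PR ships. It uses Python's `[ \t]` as the spelling of POSIX `[[:blank:]]`, defines that pattern once as a constant (the analogue of the single Jinja variable the review asks for), and assumes the caller passes sysctl.d fragments already in the order they are applied, with the last assignment winning; the sample file contents are constructed.

```python
import re

# \s can consume a newline, so in MULTILINE mode the value group may capture
# text from the following line instead of the (empty) value on this line.
LOOSE = re.compile(r"^\s*kernel\.core_pattern\s*=\s*(.*)$", re.MULTILINE)

# [ \t] is the Python spelling of POSIX [[:blank:]]; it cannot cross a line
# boundary, so the captured value is confined to the kernel.core_pattern line.
# Defined once so every check below (and any future change) uses the same pattern.
STRICT = re.compile(r"^[ \t]*kernel\.core_pattern[ \t]*=[ \t]*(.*)$", re.MULTILINE)

# Constructed sample: the compliant empty value followed by an unrelated setting.
SAMPLE = "kernel.core_pattern =\nnet.ipv4.ip_forward = 0\n"


def captured_values(pattern, text):
    """Every value the given pattern captures for kernel.core_pattern in a file body."""
    return [m.group(1) for m in pattern.finditer(text)]


def effective_core_pattern(fragments):
    """Work out what sysctl would apply for kernel.core_pattern.

    fragments: (filename, content) pairs in the order they are applied. This
    example assumes the caller has already sorted them (real sysctl.d precedence
    is by filename across the directories, see sysctl.d(5)); within and across
    files the last assignment wins. Comment lines (#, ;) never match STRICT
    because the key must start the line. Returns None if the key is never set.
    """
    value = None
    for _name, text in fragments:
        for match in STRICT.finditer(text):
            value = match.group(1).strip()
    return value


def is_compliant(fragments):
    """The rule on this page requires kernel.core_pattern to be the empty string."""
    return effective_core_pattern(fragments) == ""


if __name__ == "__main__":
    # The loose pattern reports the next line as the value; the strict one reports "".
    print(captured_values(LOOSE, SAMPLE))   # ['net.ipv4.ip_forward = 0']
    print(captured_values(STRICT, SAMPLE))  # ['']
    good = [("/etc/sysctl.d/kernel_core_pattern.conf", "kernel.core_pattern =  \n")]
    bad = [("/etc/sysctl.d/kernel_core_pattern.conf",
            "kernel.core_pattern =\nkernel.core_pattern = core\n")]
    print(is_compliant(good), is_compliant(bad))  # True False
```

Run against the constructed sample, LOOSE reports `net.ipv4.ip_forward = 0` as the core_pattern value, which would turn a compliant empty setting into a false failure (or, with a different neighbouring line, mask a real one), while STRICT reports the empty string. The two-entry case mirrors the wrong_value_two_entries scenario in the test log above: the later assignment wins, so the file is non-compliant.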