We have snippets, not scripts; shebangs should be added by scanners.
Certain checks can be performed at expansion time rather than at execution time
Before, the dollar got double-escaped: because it is initially escaped for the shell, the regex escape process escaped both the escape and the dollar.
- Correct examination of array length
- Removal of unused variable
- Proper array quoting
- Proper array concatenation
pam pwhistory remember remediations were almost the same, so they got a macro.
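The "correct examination of array length" item above and the faillock `local_users_only` check in the diff below both come down to how bash's `[` treats a near-empty argument list. As an added example (my own, not part of this PR or of ComplianceAsCode; the array contents and the faillock.conf sample are constructed), this script puts the pre-fix test and the corrected one side by side:

```shell
#!/usr/bin/env bash
# Added example, not ComplianceAsCode content: two test(1) pitfalls that the
# remediation changes in this PR address. Array contents and the faillock.conf
# sample are constructed for the demonstration.

# Pitfall 1: "[[ $arr ]]" is not an array-length check. An unsubscripted array
# name expands to element 0 only, so an array whose first slot is empty (or was
# unset while filtering candidates) counts as empty and a duplicate rule would
# be appended. "${#arr[@]}" counts the elements that actually exist.
candidate_rules=("" "-w /etc/gshadow -p wa -k identity")   # constructed: two elements, [0] empty

old_array_check() { [[ $candidate_rules ]]; }               # consults ${candidate_rules[0]} only
new_array_check() { [ "${#candidate_rules[@]}" -gt 0 ]; }   # counts elements

# Pitfall 2: "[ ! $(grep -q ...) ]" can never detect the option. grep -q prints
# nothing, the substitution is empty and the test collapses to "[ ! ]", a
# one-argument test on the non-empty string "!", which is always true. The
# option would be appended to faillock.conf on every run.
faillock_conf=$(mktemp)
trap 'rm -f "$faillock_conf"' EXIT
printf 'deny = 3\nlocal_users_only\n' > "$faillock_conf"   # constructed: option already present

old_needs_local_only() { [ ! $(grep -q '^[[:space:]]*local_users_only' "$faillock_conf") ]; }
new_needs_local_only() { ! grep -q '^[[:space:]]*local_users_only' "$faillock_conf"; }

# Stand-alone run: report what each variant concludes.
old_array_check && echo "old array check: non-empty" || echo "old array check: empty (wrong)"
new_array_check && echo "new array check: non-empty" || echo "new array check: empty"
old_needs_local_only && echo "old grep check: would append again (wrong)" || echo "old grep check: present"
new_needs_local_only && echo "new grep check: would append" || echo "new grep check: present"
```

Both "old" functions give the wrong answer on this input: the array check reports an empty array although it has two elements, and the grep check reports the option as missing although the file contains it.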
This datastream diff is auto generated by the check (trimmed diff).
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth' differs:
--- old datastream
+++ new datastream
@@ -5,16 +5,15 @@
var_password_pam_remember_control_flag=''
+
pamFile="/etc/pam.d/password-auth"
# control required is for rhel8, while requisite is for other distros
CONTROL=${var_password_pam_remember_control_flag}
if [ ! -f $pamFile ]; then
- continue
-fi
-
+ true # indeed don't do anything
# is 'password required|requisite pam_pwhistory.so' here?
-if grep -q "^password.*pam_pwhistory.so.*" $pamFile; then
+elif grep -q "^password.*pam_pwhistory.so.*" $pamFile; then
# is the remember option set?
option=$(sed -rn 's/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\2/p' $pamFile)
if [[ -z $option ]]; then
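Review bot: the `continue` this hunk replaces was a real bug, not just noise: outside a loop bash reports `continue: only meaningful in a ... loop` and carries on, so a missing /etc/pam.d/password-auth fell through into the grep and sed edits below. The `if ... true; elif grep ...` chain fixes that; `: # nothing to do when the file is absent` is the usual idiom for the `true # indeed don't do anything` branch. Two nits in the unchanged lines: `$pamFile` is unquoted in `[ ! -f $pamFile ]` and in the grep/sed calls, and the grep pattern `^password.*pam_pwhistory.so.*` leaves the `.` unescaped while the sed line two lines down already writes `pam_pwhistory\.so`.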
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth' differs:
--- old datastream
+++ new datastream
@@ -5,16 +5,15 @@
var_password_pam_remember_control_flag=''
+
pamFile="/etc/pam.d/system-auth"
# control required is for rhel8, while requisite is for other distros
CONTROL=${var_password_pam_remember_control_flag}
if [ ! -f $pamFile ]; then
- continue
-fi
-
+ true # indeed don't do anything
# is 'password required|requisite pam_pwhistory.so' here?
-if grep -q "^password.*pam_pwhistory.so.*" $pamFile; then
+elif grep -q "^password.*pam_pwhistory.so.*" $pamFile; then
# is the remember option set?
option=$(sed -rn 's/^(.*pam_pwhistory\.so.*)(remember=[0-9]+)(.*)$/\2/p' $pamFile)
if [[ -z $option ]]; then
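Review bot: this hunk is byte-for-byte the password-auth one apart from `pamFile`, which is what the new macro is for; the comment `# control required is for rhel8, while requisite is for other distros` is now emitted into both generated snippets even though the effective value comes from `var_password_pam_remember_control_flag`, so consider having the macro render the chosen control word instead of the generic comment.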
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny' differs:
--- old datastream
+++ new datastream
@@ -8,8 +8,8 @@
PASSWORD_AUTH="/etc/pam.d/password-auth"
FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
+if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) -gt 1 ] || \
+ [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) -gt 1 ]; then
echo "Skipping remediation because there are more pam_unix.so entries than expected."
false
fi
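Review bot: the `>` to `-gt` change is the important fix here: inside `[ ]` an unquoted `>` is a redirection, so the old test ran `[ N ]` (true for any non-empty count) while creating a file named `1` in the working directory, and the remediation was skipped on every run. Two things remain in these lines: `$(grep -c ...)` is unquoted, and when $SYSTEM_AUTH or $PASSWORD_AUTH does not exist `grep -c` prints nothing and `[ -gt 1 ]` fails with `unary operator expected`; `[ "$(grep -c '^\s*auth.*pam_unix.so' "$SYSTEM_AUTH" 2>/dev/null)" -gt 1 ]` or an `-f` guard covers it. Also, `false` after the echo only sets `$?`; unless the rest of the snippet sits in an `else` branch (not visible in this trimmed hunk) it still runs.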
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root' differs:
--- old datastream
+++ new datastream
@@ -5,8 +5,8 @@
PASSWORD_AUTH="/etc/pam.d/password-auth"
FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
+if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) -gt 1 ] || \
+ [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) -gt 1 ]; then
echo "Skipping remediation because there are more pam_unix.so entries than expected."
false
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_enforce_local' differs:
--- old datastream
+++ new datastream
@@ -5,16 +5,16 @@
PASSWORD_AUTH="/etc/pam.d/password-auth"
FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
+if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) -gt 1 ] || \
+ [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) -gt 1 ]; then
echo "Skipping remediation because there are more pam_unix.so entries than expected."
false
+else
+ if [ ! $(grep -q '^\s*local_users_only' $FAILLOCK_CONF) ]; then
+ echo "local_users_only" >> $FAILLOCK_CONF
+ fi
+ authselect enable-feature with-faillock
fi
-
-if [ ! $(grep -q '^\s*local_users_only' $FAILLOCK_CONF) ]; then
- echo "local_users_only" >> $FAILLOCK_CONF
-fi
-authselect enable-feature with-faillock
else
>&2 echo 'Remediation is not applicable, nothing was done'
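Review bot: the `if [ ! $(grep -q '^\s*local_users_only' $FAILLOCK_CONF) ]` moved into the `else` branch is still broken: `grep -q` prints nothing, the substitution is empty and the test collapses to `[ ! ]`, a one-argument test on the string `!`, which is always true, so `local_users_only` is appended on every run. Write `if ! grep -q '^\s*local_users_only' "$FAILLOCK_CONF"; then`. The move into `else` itself is right: it is what makes the `false` above actually stop the remediation, and `authselect enable-feature with-faillock` now only runs when the pam_unix count is sane.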
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval' differs:
--- old datastream
+++ new datastream
@@ -4,17 +4,18 @@
var_accounts_passwords_pam_faillock_fail_interval=''
+
+
+
SYSTEM_AUTH="/etc/pam.d/system-auth"
PASSWORD_AUTH="/etc/pam.d/password-auth"
FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
+if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) -gt 1 ] || \
+ [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) -gt 1 ]; then
echo "Skipping remediation because there are more pam_unix.so entries than expected."
false
-fi
-
-if [ -f $FAILLOCK_CONF ]; then
+elif [ -f $FAILLOCK_CONF ]; then
if $(grep -q '^\s*fail_interval\s*=' $FAILLOCK_CONF); then
sed -i --follow-symlinks "s/^\s*\(fail_interval\s*\)=.*$/\1 = $var_accounts_passwords_pam_faillock_fail_interval/g" $FAILLOCK_CONF
else
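Review bot: the `elif [ -f $FAILLOCK_CONF ]` fixes the fall-through after `false`, but the next line, `if $(grep -q '^\s*fail_interval\s*=' $FAILLOCK_CONF); then`, only works because bash returns the status of the last command substitution when the expanded command line is empty; `if grep -q ...; then` is what is meant. The three blank lines added after `var_accounts_passwords_pam_faillock_fail_interval=''` are template whitespace leaking into the datastream. The sed replacement also interpolates the variable unescaped; fine for an integer, but nothing checks that it is one.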
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time' differs:
--- old datastream
+++ new datastream
@@ -8,8 +8,8 @@
PASSWORD_AUTH="/etc/pam.d/password-auth"
FAILLOCK_CONF="/etc/security/faillock.conf"
-if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) > 1 ] || \
- [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) > 1 ]; then
+if [ $(grep -c "^\s*auth.*pam_unix.so" $SYSTEM_AUTH) -gt 1 ] || \
+ [ $(grep -c "^\s*auth.*pam_unix.so" $PASSWORD_AUTH) -gt 1 ]; then
echo "Skipping remediation because there are more pam_unix.so entries than expected."
false
fi
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,3 @@
-#!/bin/bash
-
var_accounts_maximum_age_login_defs=''
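Review bot: dropping `#!/bin/bash` matches the "snippets, not scripts" commit, but the audit-rule snippets further down still use arrays, `+=` and `[[ ]]`, so a scanner that prepends `#!/bin/sh` will break them; the PR description should state that the snippets require bash.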
bash remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing' differs:
--- old datastream
+++ new datastream
@@ -1,5 +1,3 @@
-#!/bin/bash
-
var_accounts_minimum_age_login_defs=''
bash remediation for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su' differs:
--- old datastream
+++ new datastream
@@ -1,4 +1,3 @@
-#!/bin/bash
# uncomment the option if commented
sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
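Review bot: deleting `append_expected_rule=0` is only safe if nothing below reads it; the trimmed hunk shows just the assignment, so please grep the macro source for `append_expected_rule` before merging, since a leftover `[ $append_expected_rule -eq 1 ]`-style test would turn into a syntax error once the variable expands to nothing.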
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
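Review bot: `[ "${#candidate_rules[@]}" -gt 0 ]` is the correct emptiness test; the old `[[ $candidate_rules ]]` expanded to element 0 only, so an array whose first slot had been emptied or unset counted as empty and the macro fell through to append a duplicate rule. Style nit: arrays already require bash, so `[[ ${#candidate_rules[@]} -gt 0 ]]` or `(( ${#candidate_rules[@]} > 0 ))` would match the surrounding `[[ ]]` tests rather than switching to `[ ]`.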
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
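Review bot: same correct length fix for `syscall_a`. The context line `if [ -z ${rule_to_edit+x} ]` above it has the unquoted-expansion problem this PR is otherwise fixing: when `rule_to_edit` is unset the test becomes `[ -z ]`, which is true only because a one-argument test checks that the string `-z` is non-empty; `[ -z "${rule_to_edit+x}" ]` makes it explicit.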
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_media_export' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -220,9 +217,6 @@
# file to the list of files to be inspected
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
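Review bot: this hunk removes the blank line before `append_expected_rule=0` rather than the one after it, so unlike the equivalent hunk in every other audit rule it leaves no blank line between `files_to_inspect+=('/etc/audit/audit.rules' )` and the `# After converting to jinja` comment. Harmless, but it shows the two macro call sites carry different template whitespace; worth normalising while you are in there.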
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs:
--- old datastream
+++ new datastream
@@ -63,9 +63,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -128,7 +125,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -148,7 +145,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -221,9 +218,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -286,7 +280,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -306,7 +300,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -403,9 +397,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -468,7 +459,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -488,7 +479,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -561,9 +552,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -626,7 +614,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -646,7 +634,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_directory_access_var_log_audit' differs:
--- old datastream
+++ new datastream
@@ -57,9 +57,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -122,7 +119,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -142,7 +139,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -215,9 +212,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -280,7 +274,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -300,7 +294,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -407,9 +401,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -472,7 +463,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -492,7 +483,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -565,9 +556,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -630,7 +618,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -650,7 +638,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -407,9 +401,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -472,7 +463,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -492,7 +483,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -565,9 +556,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -630,7 +618,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -650,7 +638,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
bash remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr' differs:
--- old datastream
+++ new datastream
@@ -64,9 +64,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -129,7 +126,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -149,7 +146,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -222,9 +219,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -287,7 +281,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -307,7 +301,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -407,9 +401,6 @@
fi
fi
-# Indicator that we want to append $full_rule into $audit_file or edit a rule in it
-append_expected_rule=0
-
# After converting to jinja, we cannot return; therefore we skip the rest of the macro if needed instead
skip=1
@@ -472,7 +463,7 @@
done
else
# If there is any candidate rule, it is compliant; skip rest of macro
- if [[ $candidate_rules ]]
+ if [ "${#candidate_rules[@]}" -gt 0 ]
then
skip=0
fi
@@ -492,7 +483,7 @@
if [ -z ${rule_to_edit+x} ]
then
# Build full_rule while avoid adding double spaces when other_filters is empty
- if [[ ${syscall_a} ]]
+ if [ "${#syscall_a[@]}" -gt 0 ]
then
syscall_string=""
for syscall in "${syscall_a[@]}"
@@ -565,9 +556,6 @@
default_file="/etc/audit/audit.rules"
files_to_inspect+=('/etc/audit/audit.rules' )
-# Indicator that we want to append $full_rule in
... The diff is trimmed here ...
This was referenced Dec 2, 2025