On 4/7/14, 6:12 AM, Jan Lieskovsky wrote:
When checking /etc/sysconfig/init file for the PROMPT row, don't allow whitespace characters around the equal sign, since it's invalid configuration [*]. But comments can be present after the setting, so count with them (don't fail when the setting meets the criteria, but there's a comment present on the same line).

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

[*] /etc/sysconfig/init script has format of a Bash script -- is run within e.g. /etc/init.d/functions script by each service status check etc. Whitespace around equal sign results in a warning like:

/etc/sysconfig/init: line 28: no: command not found

when the PROMPT line has had the form of:

^PROMPT=\tno

But comments are allowed (no warning in the same situation when PROMPT line has the proper syntax)

0001-RHEL-6-Don-t-allow-whitespace-around-equal-sign-in-e.patch

From d14395814d42ee5c732ce4805c1cbbe521268a4a Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky<[email protected]> Date: Mon, 7 Apr 2014 14:56:41 +0200 Subject: [PATCH] [RHEL/6] Don't allow whitespace around equal sign in /etc/sysconfig/init, when retrieving PROMPT value (it's invalid setting). But allow trailing comments. Signed-off-by: Jan Lieskovsky<[email protected]> --- RHEL/6/input/checks/disable_interactive_boot.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/RHEL/6/input/checks/disable_interactive_boot.xml b/RHEL/6/input/checks/disable_interactive_boot.xml index 1a4f55b..bf5e89c 100644 --- a/RHEL/6/input/checks/disable_interactive_boot.xml +++ b/RHEL/6/input/checks/disable_interactive_boot.xml @@ -1,5 +1,5 @@ <def-group> - <definition class="compliance" id="disable_interactive_boot" version="1"> + <definition class="compliance" id="disable_interactive_boot" version="2"> <metadata> <title>Disable Interactive Boot</title> <affected family="unix"> 
@@ -7,7 +7,7 @@ </affected> <description>The ability for users to perform interactive startups should be disabled.</description> - <reference source="swells" ref_id="20130914" ref_url="test_attestation" /> + <reference source="JL" ref_id="20140407" ref_url="test_attestation" /> </metadata> <criteria> <criterion test_ref="test_disable_interactive_boot" /> @@ -21,9 +21,9 @@ </ind:textfilecontent54_test><ind:textfilecontent54_object id="object_disable_interactive_boot"- version="1"> + version="2"> <ind:filepath>/etc/sysconfig/init</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*PROMPT[\s]*=[\s]*no[\s]*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*PROMPT=no[\s]+</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>-- 1.8.3.1
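
Review bot: in the `@@ -7,7 +7,7 @@` hunk, `source="JL"` is a pair of initials where the value it replaces (`swells`) was a login-style name, which makes the attestation harder to trace back to a person. Suggest using an identifier in the same style as the old value, so the `test_attestation` entries stay consistent across checks.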
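
Review bot: the new pattern in the last hunk (`@@ -21,9 +21,9 @@`), `^[\s]*PROMPT=no[\s]+`, has no end anchor and requires at least one whitespace character after `no`. Any text may therefore follow that whitespace, not only a comment, and a `PROMPT=no` that is the last line of a file with no trailing newline would not match. Suggest anchoring the end of the line and making the comment explicit, for example `^[\s]*PROMPT=no[\s]*(#.*)?$`.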
Great bugfix! This doesn't appear to have been acked. Ack
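
As an added example (not part of the original thread or the project's code), the old and new patterns from the patch can be compared against PROMPT lines that Bash would and would not treat as a valid `PROMPT=no` assignment. It assumes Python's `re` in MULTILINE mode as a stand-in for the OVAL pattern match; the sample lines and `STRICT_PATTERN` are constructed for illustration.

```python
import re

# Patterns copied from the "-" and "+" lines of the patch on this page.
OLD_PATTERN = r"^[\s]*PROMPT[\s]*=[\s]*no[\s]*$"
NEW_PATTERN = r"^[\s]*PROMPT=no[\s]+"
# Hypothetical stricter variant (not from the patch): optional comment, anchored end.
STRICT_PATTERN = r"^[\s]*PROMPT=no[\s]*(#.*)?$"

# Constructed sample lines. The flag says whether Bash, sourcing the file,
# would end up with PROMPT set to "no" and emit no warning.
SAMPLES = [
    ("PROMPT=no", True),
    ("PROMPT=no # disable interactive boot", True),
    ("PROMPT=\tno", False),       # Bash: "no: command not found"
    ("PROMPT = no", False),       # Bash: "PROMPT: command not found"
    ("PROMPT=no extra", False),   # runs "extra" with PROMPT=no in its environment only
    ("PROMPT=yes", False),
]


def matches(pattern, line, trailing_newline=True):
    """True if the pattern matches a one-line file holding `line`.

    Assumption: Python's re with MULTILINE approximates the OVAL regex engine.
    """
    content = line + ("\n" if trailing_newline else "")
    return re.search(pattern, content, re.MULTILINE) is not None


def disagreements(pattern):
    """Sample lines where the check result differs from Bash's behaviour."""
    return [line for line, valid in SAMPLES if matches(pattern, line) != valid]


if __name__ == "__main__":
    for name, pat in [("old", OLD_PATTERN), ("new", NEW_PATTERN),
                      ("strict", STRICT_PATTERN)]:
        print(f"{name:6} mismatches: {disagreements(pat)!r}")
    # The new pattern relies on the trailing newline to satisfy [\s]+.
    print("new, no final newline:",
          matches(NEW_PATTERN, "PROMPT=no", trailing_newline=False))
```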
