Hello Jan,

----- Original Message -----
> From: "Jan Ruzicka" <[email protected]>
> To: "SCAP Security Guide" <[email protected]>
> Sent: Monday, April 21, 2014 8:00:46 PM
> Subject: Re: [PATCH] [RHEL/6] Don't allow whitespace around equal sign in /etc/sysconfig/init
>
> On Apr 18, 2014, at 00:00, Shawn Wells wrote:
>
> On 4/7/14, 6:12 AM, Jan Lieskovsky wrote:
>
> When checking /etc/sysconfig/init file for the PROMPT row,
> don't allow whitespace characters around the equal sign, since
> it's invalid configuration [*].
>
> But comments can be present after the setting, so count with
> them (don't fail when the settings meets the criteria, but
> there's comment present at the same line yet).
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> [*] /etc/sysconfig/init script has format of a Bash script --
> is run within e.g. /etc/init.d/functions script by each
> service status check etc. Whitespace around equal sign
> result into warning like:
>
> /etc/sysconfig/init: line 28: no: command not found
>
> when the PROMPT line has had the form of:
>
> ^PROMPT=\tno
>
> But comments are allowed (no warning in the same situation
> when PROMPT line has the proper syntax)
>
> 0001-RHEL-6-Don-t-allow-whitespace-around-equal-sign-in-e.patch
> From d14395814d42ee5c732ce4805c1cbbe521268a4a Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky <[email protected]>
> Date: Mon, 7 Apr 2014 14:56:41 +0200
> Subject: [PATCH] [RHEL/6] Don't allow whitespace around equal sign in
> /etc/sysconfig/init, when retrieving PROMPT value (it's invalid
> setting). But allow trailing comments.
>
> Signed-off-by: Jan Lieskovsky <[email protected]>
--- > RHEL/6/input/checks/disable_interactive_boot.xml | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/RHEL/6/input/checks/disable_interactive_boot.xml > b/RHEL/6/input/checks/disable_interactive_boot.xml > index 1a4f55b..bf5e89c 100644 
> --- a/RHEL/6/input/checks/disable_interactive_boot.xml > +++ b/RHEL/6/input/checks/disable_interactive_boot.xml > @@ -1,5 +1,5 @@ > <def-group> > - <definition class="compliance" id="disable_interactive_boot" version="1"> > + <definition class="compliance" id="disable_interactive_boot" version="2"> > <metadata> > <title>Disable Interactive Boot</title> > <affected family="unix"> > @@ -7,7 +7,7 @@ > </affected> > <description>The ability for users to perform interactive startups > should > be disabled.</description> > - <reference source="swells" ref_id="20130914" > ref_url="test_attestation" /> > + <reference source="JL" ref_id="20140407" ref_url="test_attestation" /> > </metadata> > <criteria> > <criterion test_ref="test_disable_interactive_boot" /> > @@ -21,9 +21,9 @@ > </ind:textfilecontent54_test> > > <ind:textfilecontent54_object id="object_disable_interactive_boot" > - version="1"> > + version="2"> > <ind:filepath>/etc/sysconfig/init</ind:filepath> > - <ind:pattern operation="pattern > match">^[\s]*PROMPT[\s]*=[\s]*no[\s]*$</ind:pattern> > + <ind:pattern operation="pattern > match">^[\s]*PROMPT=no[\s]+</ind:pattern> > <ind:instance datatype="int">1</ind:instance> > </ind:textfilecontent54_object> > -- > 1.8.3.1
>
> Great bugfix! This doesn't appear to have been acked.
>
> Ack
>
> Will the pattern allow line containing only "PROMPT=no" ?

From what I have tested yes. You mean the case when the PROMPT= line would be
listed as the last line in the /etc/sysconfig/init file?

> The RE expects at least one space after the "no", but the space is not
> mentioned in comment nor e-mail.

Not exactly space, but rather any whitespace character (at least one).
So newline | EOF would satisfy that regex too (newline in the case PROMPT= is
listed somewhere "in the middle" of the file, EOF when it's the last line in
the file).

>
> The example in e-mail would not match.

Which example do you mean? This ^PROMPT=\tno ? If so, that's expected since
it's an invalid Bash variable assignment / definition. Was just an example of
a case when the previous implementation would pass, but the syntax was
actually invalid.

Please clarify on the points above.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

>
> Jan
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
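
Review bot: In the third hunk, the new `ind:pattern` value `^[\s]*PROMPT=no[\s]+` has no end anchor, so any line that begins with `PROMPT=no` followed by whitespace passes regardless of what comes next (for example `PROMPT=no yes`), not only the trailing comment the commit message intends to allow. Because `[\s]+` has to consume at least one whitespace character, a `PROMPT=no` on a final line with no terminating newline would also fail the check. Consider something like `^[\s]*PROMPT=no([\s]+#.*)?[\s]*$`, which accepts the bare setting and a trailing comment and rejects other trailing text, and a short comment in the check stating that trailing comments are deliberately permitted.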
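
The cases raised in this thread, run against both patterns from the patch, as an added example that is not part of the original message or the project's code. It assumes Python's `re` in MULTILINE mode approximates how the OVAL check applies the pattern to the file contents; the sample contents and the names `SAMPLES`, `evaluate` and `results` are constructed for illustration.

```python
import re

# Patterns copied from the patch. MULTILINE is an assumption about how the
# OVAL textfilecontent54 check applies a pattern to the whole file.
OLD = re.compile(r"^[\s]*PROMPT[\s]*=[\s]*no[\s]*$", re.MULTILINE)
NEW = re.compile(r"^[\s]*PROMPT=no[\s]+", re.MULTILINE)

# Constructed /etc/sysconfig/init contents, one PROMPT variant each.
SAMPLES = {
    "bare, newline-terminated": "BOOTUP=color\nPROMPT=no\n",
    "bare, last line, no newline": "BOOTUP=color\nPROMPT=no",
    "trailing comment": "PROMPT=no # disable interactive boot\n",
    "tab after equal sign": "PROMPT=\tno\n",
    "spaces around equal sign": "PROMPT = no\n",
    "trailing word": "PROMPT=no yes\n",
    "longer value": "PROMPT=nope\n",
    "commented out": "#PROMPT=no\n",
}


def evaluate(content):
    """Return (old_pattern_matches, new_pattern_matches) for file content."""
    return bool(OLD.search(content)), bool(NEW.search(content))


def results():
    """Evaluate every constructed sample against both patterns."""
    return {name: evaluate(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, (old, new) in results().items():
        print(f"{name:30} old={old!s:5} new={new!s:5}")
```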
