3 changes: 3 additions & 0 deletions docs/templates/template_reference.md
Expand Up @@ -1118,6 +1118,9 @@ escape_yaml_key
- Escape uppercase letters and `^` with additional `^` and convert letters
to lovercase. This is because of OVAL's name argument limitations.

join_comma_and
- Join list using comma and "and". Example ["a", "b", "c"] -> "a, b and c".

quote
- Escape string to be used as POSIX shell value. Like Ansible `quote`.

Expand Up @@ -6,13 +6,7 @@

{{{ ansible_instantiate_variables("firewalld_sshd_zone") }}}

- name: '{{{ rule_title }}} - Ensure firewalld and NetworkManager packages are installed'
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- firewalld
- NetworkManager
{{{ ansible_package_install(["firewalld", "NetworkManager"]) }}}

- name: '{{{ rule_title }}} - Collect facts about system services'
ansible.builtin.service_facts:
Expand Up @@ -7,14 +7,7 @@
{{{ ansible_pam_faillock_enable() }}}
{{{ ansible_pam_faillock_parameter_value("dir", "var_accounts_passwords_pam_faillock_dir") }}}

- name: '{{{ rule_title }}} - Ensure necessary SELinux packages are installed'
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- python3-libselinux
- python3-policycoreutils
- policycoreutils-python-utils
{{{ ansible_package_install(["python3-libselinux", "python3-policycoreutils", "policycoreutils-python-utils"], "necessary SELinux") }}}

- name: '{{{ rule_title }}} - Create the tally directory if it does not exist'
ansible.builtin.file:
Expand Up @@ -4,12 +4,7 @@
# strategy = configure
# disruption = low

- name: '{{{ rule_title }}} - Ensure firewalld Package is Installed'
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- firewalld
{{{ ansible_package_install(["firewalld"]) }}}

- name: '{{{ rule_title }}} - Collect Facts About System Services'
ansible.builtin.service_facts:
Expand Up @@ -4,12 +4,7 @@
# strategy = configure
# disruption = low

- name: '{{{ rule_title }}} - Ensure firewalld Package is Installed'
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- firewalld
{{{ ansible_package_install(["firewalld"]) }}}

- name: '{{{ rule_title }}} - Collect Facts About System Services'
ansible.builtin.service_facts:
Expand Up @@ -4,12 +4,7 @@
# complexity = low
# disruption = medium

- name: Ensure NetworkManager is installed
ansible.builtin.package:
name: "{{ item }}"
state: present
with_items:
- NetworkManager
{{{ ansible_package_install(["NetworkManager"]) }}}

Attention at the task below this. The task uses "when:" statement where the package name will have to be overridden as well


- name: Deactivate Wireless Network Interfaces
command: nmcli radio wifi off
Expand Up @@ -26,17 +26,11 @@
register: aesni_supported
check_mode: no

- name: Ensure dracut-fips-aesni is installed
package:
name: dracut-fips-aesni
state: present
{{{ ansible_package_install(["dracut-fips-aesni"]) }}}
when:
- aesni_supported.rc == 0

- name: Install dracut-fips
package:
name: dracut-fips
state: present
{{{ ansible_package_install(["dracut-fips"]) }}}

- name: Rebuild initramfs
command: dracut -f
Expand Up @@ -9,9 +9,6 @@
register: aesni_supported
check_mode: no

- name: Ensure dracut-fips-aesni is installed
package:
name: dracut-fips-aesni
state: present
{{{ ansible_package_install(["dracut-fips-aesni"]) }}}
when:
- aesni_supported.rc == 0
Expand Up @@ -3,12 +3,8 @@
# strategy = restrict
# complexity = low
# disruption = low
- name: "Ensure AIDE is installed"
package:
name: "{{ item }}"
state: present
with_items:
- aide

{{{ ansible_package_install(['aide'], name="AIDE") }}}

- name: "Build and Test AIDE Database"
{{% if 'sle' in product %}}
Expand Up @@ -4,13 +4,7 @@
# complexity = low
# disruption = low

- name: Ensure aide is installed
package:
name: "{{ item }}"
state: present
with_items:
- aide

{{{ ansible_package_install(['aide'], name="AIDE") }}}

- name: Set audit_tools fact
set_fact:
Expand Up @@ -3,12 +3,8 @@
# strategy = restrict
# complexity = low
# disruption = low
- name: "Ensure AIDE is installed"
package:
name:
- aide
- crontabs
state: present

{{{ ansible_package_install(['aide', 'crontabs'], name="AIDE") }}}

- name: Set cron package name - RedHat
set_fact:
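Review bot: Passing `name="AIDE"` here titles the rendered task `… - Ensure AIDE Packages Are Installed` even though the list also installs `crontabs`, so an operator reading the playbook is no longer told that a cron package is being pulled in. Dropping the override yields the macro's default wording, `Ensure the aide and crontabs Packages Are Installed`, or pass something like `name="AIDE and cron"`. The `Set cron package name - RedHat` task that follows starts outside the hunk, so I cannot tell whether the cron package is meant to vary by platform; if it is, `crontabs` may belong in `platform_package_overrides` rather than in this hard-coded list.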
Expand Up @@ -5,12 +5,7 @@
# disruption = low
- (xccdf-var var_aide_scan_notification_email)

- name: "Ensure AIDE is installed"
package:
name:
- aide
- crontabs
state: present
{{{ ansible_package_install(['aide', 'crontabs'], name="AIDE") }}}

- name: "{{{ rule_title }}}"
cron:
31 changes: 31 additions & 0 deletions shared/macros/10-ansible.jinja
Expand Up @@ -771,6 +771,37 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
{{%- endmacro -%}}


{{#
Ansible ansible.builtin.package wrapping macro, ensure package(s) are installed

:param package: Package(s) to ensure are installed
:type package: str | list[str]
:param name: Name used in task name. If not set, package names joined with comma and "and".
:type name: None | str

#}}
{{%- macro ansible_package_install(package, name=none) -%}}
{{%- if (package is sequence) and (package is not mapping) and (package is not string) -%}}
{{%- set packages = package -%}}
{{%- else %}}
{{%- set packages = [package] -%}}
{{%- endif %}}
{{%- if name is none %}}
{{%- set name = "the " ~ (packages | join_comma_and) -%}}
{{%- endif %}}
- name: "{{{ rule_title }}} - Ensure {{{ name }}} {{% if packages | length > 1 %}}Packages Are{{% else %}}Package Is{{% endif %}} Installed"

It would be better if the overridden package name would be also used in the task name.

ansible.builtin.package:
name:
{{%- for p in packages %}}
{{%- if p in platform_package_overrides %}}
{{%- set p = platform_package_overrides[p] %}}
{{%- endif %}}
- "{{{ p }}}"
{{%- endfor %}}
state: present
{{%- endmacro -%}}


{{#
Macro used to check if authselect files are intact. When used, it will exit the respective
script if any authselect file was modified without proper use of authselect tool and
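Review bot: The `{{# … #}}` docstring above `ansible_package_install` documents `package` and `name` but not that every package name is remapped through `platform_package_overrides` before it is emitted, which is the one behaviour a rule author cannot see from the call site. Add a line such as `Package names present in platform_package_overrides are replaced by the platform-specific name before being emitted.` It is also worth confirming how `platform_package_overrides` is seeded for products that define no overrides: if the variable can be undefined, `p in platform_package_overrides` fails under a strict Undefined and silently yields false under the default one, and this hunk does not show which the environment uses. Rebinding the loop variable with `{{%- set p = platform_package_overrides[p] %}}` works in Jinja but reads as if the override could be lost; a distinct name such as `pkg_name` would make the intent obvious.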
6 changes: 6 additions & 0 deletions shared/macros/10-bash.jinja
Expand Up @@ -603,6 +603,9 @@ done

#}}
{{%- macro bash_package_install(package) -%}}
{{%- if package in platform_package_overrides -%}}
{{%- set package = platform_package_overrides[package] -%}}
{{%- endif -%}}
{{%- if pkg_manager is defined -%}}
{{%- if pkg_manager == "yum" or pkg_manager == "dnf" -%}}
if ! rpm -q --quiet "{{{ package }}}" ; then
Expand Down Expand Up @@ -632,6 +635,9 @@ zypper install -y "{{{ package }}}"

#}}
{{%- macro bash_package_remove(package) -%}}
{{%- if package in platform_package_overrides -%}}
{{%- set package = platform_package_overrides[package] -%}}
{{%- endif -%}}
{{%- if pkg_manager is defined -%}}
{{%- if pkg_manager == "yum" or pkg_manager == "dnf" -%}}
if rpm -q --quiet "{{{ package }}}" ; then
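Review bot: The doc comment that closes with `#}}` above each of `bash_package_install` and `bash_package_remove` (its start lies outside the hunk) should now say that `package` is first remapped through `platform_package_overrides`, otherwise a reader of the generated `rpm -q` / `zypper` lines cannot tell why the name differs from the one the rule passed in. A one-line addition to each such as `The package name is replaced by its platform_package_overrides entry, if one exists.` would do. The two new three-line override blocks are byte-identical; if a third package macro follows, a small shared lookup macro would keep that logic in one place.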
2 changes: 2 additions & 0 deletions ssg/jinja.py
Expand Up @@ -24,6 +24,7 @@
escape_id,
escape_regex,
escape_yaml_key,
join_comma_and,
sha256
)

Expand Down Expand Up @@ -95,6 +96,7 @@ def _get_jinja_environment(substitutions_dict):
_get_jinja_environment.env.filters['escape_id'] = escape_id
_get_jinja_environment.env.filters['escape_regex'] = escape_regex
_get_jinja_environment.env.filters['escape_yaml_key'] = escape_yaml_key
_get_jinja_environment.env.filters['join_comma_and'] = join_comma_and
_get_jinja_environment.env.filters['quote'] = shell_quote
_get_jinja_environment.env.filters['sha256'] = sha256

4 changes: 4 additions & 0 deletions ssg/utils.py
Expand Up @@ -470,3 +470,7 @@ def apply_formatting_on_dict_values(source_dict, string_dict, ignored_keys=froze
else:
new_dict[k] = v
return new_dict


def join_comma_and(lst):
return ", ".join(lst[:-2] + [" and ".join(lst[-2:])])
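Review bot: `join_comma_and` has no docstring and only accepts a list: the `lst[:-2] + [...]` concatenation raises `TypeError` for a tuple or any other sequence, which a Jinja filter can easily be handed. Coercing first with `lst = list(lst)` removes that trap without changing the list cases. The rendered behaviour should be stated in a docstring, e.g. `Join strings with ", " and a final " and " ("a, b and c"); empty input gives "" and a single item is returned unchanged.` The new unit test already pins the list cases, so a tuple case could be added alongside them.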
8 changes: 8 additions & 0 deletions tests/unit/ssg-module/test_jinja.py
Expand Up @@ -26,3 +26,11 @@ def test_macro_expansion():

complete_defs = get_definitions_with_substitution(dict(global_var="value"))
assert complete_defs["expand_to_global_var"]() == "value"


def test_join_comma_and():
assert ssg.jinja.join_comma_and([]) == ""
assert ssg.jinja.join_comma_and(["first"]) == "first"
assert ssg.jinja.join_comma_and(["first", "last"]) == "first and last"
assert ssg.jinja.join_comma_and(["first", "b", "last"]) == "first, b and last"
assert ssg.jinja.join_comma_and(["first", "b", "c", "last"]) == "first, b, c and last"