

Refactor to prevent code duplication
jan-cerny committed Nov 6, 2024
1 parent 927a116 commit 22174e1
Showing 1 changed file with 46 additions and 38 deletions.
84 changes: 46 additions & 38 deletions shared/templates/sysctl/sce-bash.template
Expand Up @@ -4,68 +4,73 @@
# check-export = sysctl_{{{ SYSCTLID }}}_value=sysctl_{{{ SYSCTLID }}}_value
{{% endif %}}

{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204"] %}}
FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/lib/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf")
{{% else %}}
{{% if product in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204"] %}}
FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf")
{{% else %}}
FILES_NOT_MANAGED_BY_PACKAGES=("/etc/sysctl.conf" "/etc/sysctl.d/*.conf" "/lib/sysctl.d/*.conf" "/usr/local/lib/sysctl.d/*.conf" "/run/sysctl.d/*.conf")
{{% endif %}}
FILES_MANAGED_BY_PACKAGES=("/usr/lib/sysctl.d/*.conf")

function check_sysctl_configuration()
function pass_if_set_correctly()
{
local sysctlvar="$1"
local expected_value="$2"

regex="^\s*$sysctlvar\s*=\s*(.*)\s*"

# kernel static parameter $sysctlvar set to $sysctlvar in sysctl files not managed by packages
found=0
for files in ${FILES_NOT_MANAGED_BY_PACKAGES[@]} ; do
local filelist="$1"
local regex="$2"
local expected_value="$3"
local found=0
for files in $filelist ; do
[[ -e "$files" ]] || continue
found_value=$(grep -P "$regex" $files | sed -E "s/$regex/\1/")
if [[ -n "$found_value" ]] ; then
if [[ "$found_value" == "$expected_value" ]] ; then
found=1
else
return $XCCDF_RESULT_FAIL
return 0
fi
fi
done
if [[ $found != 0 ]] ; then
return $XCCDF_RESULT_PASS
fi
return 1
}

# kernel static parameter $sysctlvar missing in sysctl files not managed by packages
for files in ${FILES_NOT_MANAGED_BY_PACKAGES[@]} ; do
function pass_if_missing()
{
local filelist="$1"
local regex="$2"
for files in $filelist ; do
[[ -e "$files" ]] || continue
if grep -P "$regex" $files ; then
return $XCCDF_RESULT_FAIL
return 1
fi
done
return 0
}

function check_sysctl_configuration()
{
local sysctlvar="$1"
local expected_value="$2"

regex="^\s*$sysctlvar\s*=\s*(.*)\s*"

# kernel static parameter $sysctlvar set to $sysctlvar in sysctl files not managed by packages
pass_if_set_correctly "${FILES_NOT_MANAGED_BY_PACKAGES[*]}" "$regex" "$expected_value"
set_correctly_in_not_managed="$?"

# kernel static parameter $sysctlvar missing in sysctl files not managed by packages
pass_if_missing "${FILES_NOT_MANAGED_BY_PACKAGES[*]}" "$regex"
missing_in_not_managed="$?"

# kernel static parameter $sysctlvar set to $sysctlval in sysctl files managed by packages
found=0
for files in ${FILES_MANAGED_BY_PACKAGES[@]} ; do
[[ -e "$files" ]] || continue
if [[ -n "$found_value" ]] ; then
if [[ "$found_value" == "$expected_value" ]] ; then
found=1
else
return $XCCDF_RESULT_FAIL
fi
fi
done
if [[ $found != 0 ]] ; then
return $XCCDF_RESULT_PASS
fi
pass_if_set_correctly "${FILES_MANAGED_BY_PACKAGES[*]}" "$regex" "$expected_value"
set_correctly_in_managed="$?"

return $XCCDF_RESULT_FAIL
if [[ "$set_correctly_in_not_managed" == 0 || ( "$missing_in_not_managed" == 0 && "$set_correctly_in_managed" == 0 ) ]] ; then
return 0
fi
return 1
}

{{% if IPV6 == "true" -%}}
# pass if IPv6 is disabled
check_sysctl_configuration "net.ipv6.conf.all.disable_ipv6" "1"
if [[ $? == $XCCDF_RESULT_PASS ]] ; then
if [[ $? == 0 ]] ; then
exit $XCCDF_RESULT_PASS
fi
{{% endif %}}
Expand All @@ -76,4 +81,7 @@ expected_value="$XCCDF_VALUE_sysctl_{{{ SYSCTLID }}}_value"
expected_value="{{{ SYSCTLVAL }}}"
{{%- endif %}}
check_sysctl_configuration "{{{ SYSCTLVAR }}}" "$expected_value"
exit $?
if [[ $? == 0 ]] ; then
exit $XCCDF_RESULT_PASS
fi
exit $XCCDF_RESULT_FAIL
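Review bot: The `return 0` that sits directly under `return $XCCDF_RESULT_FAIL` in the mismatch branch of pass_if_set_correctly (the `else` arm of the `"$found_value" == "$expected_value"` test) needs confirming, because the rendering has lost the +/- markers and if `return 0` is the new-side line the helper reports success whenever a file holds a wrong value, and check_sysctl_configuration's `== 0` test would then pass the rule on exactly the condition it should fail. The not-found path of the same helper ends with `return 1` and the caller treats 0 as pass, so the mismatch arm should read `return 1` as well. Within that helper `found_value` is the only variable not declared `local`, so it leaks into the caller's scope; `local found_value` alongside the other locals keeps it contained. In pass_if_missing, `grep -P "$regex" $files` runs without `-q`, so every matching line is echoed to the check's stdout; `grep -qP "$regex" $files` gives the same exit status without the noise.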
