From 7da7181748581a710e0318ceba833b8df781df9a Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 18 Oct 2024 15:25:02 -0500 Subject: [PATCH] Update require_emergency_target_auth and require_singleuser_auth To better support drop in config files for RHEL and Fedora. --- .../ansible/shared.yml | 4 +- .../bash/shared.sh | 6 +-- .../oval/shared.xml | 39 +++++++++++++------ .../tests/wrong_value_dropin.fail.sh | 4 +- .../ansible/shared.yml | 6 +-- .../require_singleuser_auth/bash/shared.sh | 4 +- .../require_singleuser_auth/oval/shared.xml | 2 +- .../require_singleuser_auth/rule.yml | 4 +- .../tests/correct_dropin.pass.sh | 2 +- .../tests/correct_value.pass.sh | 2 +- .../tests/wrong_dropin.fail.sh | 4 +- 11 files changed, 46 insertions(+), 31 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml index 9bb821f09adc..fe2d974f672e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml @@ -4,7 +4,7 @@ # complexity = low # disruption = low -{{% if 'sle' in product or 'rhel' in product %}} +{{% if 'sle' in product or 'rhel' in product or product == 'fedora' %}} - name: Require emergency mode password ansible.builtin.blockinfile: create: yes @@ -18,7 +18,7 @@ create: yes dest: /usr/lib/systemd/system/emergency.service regexp: "^#?ExecStart=" - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] -%}} + {{% if product in ["ol8", "ol9"] -%}} line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" {{%- else -%}} line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' 
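Review bot: The product condition introduced in the first hunk, `'sle' in product or 'rhel' in product or product == 'fedora'`, is now written out by hand here, twice more in bash/shared.sh and three times in oval/shared.xml, so the next product added to the drop-in path has to be edited in six places; setting it once per template (for example `{{% set uses_dropin = 'sle' in product or 'rhel' in product or product == 'fedora' %}}` near the top, then `{{% if uses_dropin %}}`) or a shared macro would keep the three content types from drifting. In the second hunk the else-branch list shrinks to `["ol8", "ol9"]`, which is correct only because every other product that wants the systemd-sulogin-shell form is now routed to the drop-in branch; a comment such as `# products not listed here are handled by the drop-in branch above` would make that dependency visible. The blockinfile content written for the drop-in branch lies outside the hunk; because a drop-in that sets ExecStart= on a unit that is not Type=oneshot must first clear the inherited value with an empty `ExecStart=` line, confirm that the block begins with that reset line.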
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh index d729332a8d93..22847e2df8e9 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh @@ -1,19 +1,19 @@ # platform = multi_platform_all -{{% if 'sle' in product or 'rhel' in product %}} +{{% if 'sle' in product or 'rhel' in product or product == 'fedora' %}} service_dropin_cfg_dir="/etc/systemd/system/emergency.service.d" service_dropin_file="${service_dropin_cfg_dir}/10-oscap.conf" {{% else %}} service_file="/usr/lib/systemd/system/emergency.service" {{% endif %}} -{{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} +{{% if product in ["fedora", "ol8", "ol9", "sle12", "sle15"] or 'rhel' in product -%}} sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency" {{%- else -%}} sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' {{%- endif %}} -{{% if 'sle' in product or 'rhel' in product %}} +{{% if 'sle' in product or 'rhel' in product or product == 'fedora' %}} mkdir -p "${service_dropin_cfg_dir}" echo "[Service]" >> "${service_dropin_file}" echo "ExecStart=-$sulogin" >> "${service_dropin_file}" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml index a1b6cc16967e..f16fe60c0b26 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml 
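Review bot: Fedora is now routed into the drop-in branch whose last two lines append with `>>`, so every re-run of the remediation adds another `[Service]`/`ExecStart=` pair to `10-oscap.conf`; the sibling require_singleuser_auth/bash/shared.sh does the same job through `bash_ensure_ini_config(...)` and stays at one entry. A drop-in that sets ExecStart= for a unit that is not Type=oneshot also has to reset the inherited value with an empty `ExecStart=` line first, otherwise systemd refuses the unit for having more than one ExecStart= setting; unless the part of this `if` block that continues past the hunk writes that line, it is missing here. The wrong_value_dropin.fail.sh test further down now seeds the same `10-oscap.conf` with `ExecStart=/bin/bash`, so after remediation that file would carry both lines and the OVAL regex would still find the expected one, which hides the broken unit; replacing the two echo lines with `printf '[Service]\nExecStart=\nExecStart=-%s\n' "$sulogin" > "${service_dropin_file}"` makes the remediation idempotent and adds the reset. Separately, the product list on the `sulogin=` line still differs from the one edited in the OVAL hunk below (`kylinserver10` and `openeuler2203` appear only in OVAL), so on those products the remediation writes the `/bin/sh -c` form while the check expects systemd-sulogin-shell.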
@@ -2,7 +2,7 @@ {{{ oval_metadata("The requirement for a password to boot into emergency mode should be configured correctly.") }}} -{{% if 'sle' in product or 'rhel' in product %}} +{{% if 'sle' in product or 'rhel' in product or product == 'fedora' %}} {{% endif %}} @@ -11,20 +11,19 @@ + -{{% if 'sle' in product or 'rhel' in product %}} - - +{{% if 'sle' in product or 'rhel' in product or product == 'fedora' %}} + + test_ref="test_require_emergency_service_drop_in" /> {{% endif %}} /usr/lib/systemd/system/emergency.service - {{%- if product in ["fedora", "ol8", "ol9", "kylinserver10", "openeuler2203", "rhel8", "rhel9", "sle12", "sle15"] -%}} + {{%- if product in ["fedora", "ol8", "ol9", "kylinserver10", "openeuler2203", "sle12", "sle15"] or 'rhel' in product -%}} ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency {{%- else -%}} ^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\" @@ -44,16 +43,16 @@ 1 -{{% if 'sle' in product or 'rhel' in product %}} +{{% if 'sle' in product or 'rhel' in product or product == 'fedora' %}} - + id="test_require_emergency_service_drop_in" version="1"> + - + /etc/systemd/system/emergency.service.d ^.*\.conf$ ^ExecStart=\-/usr/lib/systemd/systemd-sulogin-shell[\s]+emergency @@ -95,4 +94,20 @@ /etc/systemd/system ^emergency.target$ + + + + + + + /etc/systemd/system/emergency.service.d + ^.*\.conf$ + + diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value_dropin.fail.sh b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value_dropin.fail.sh index 73d2f3ad045a..4545cf49f2cb 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value_dropin.fail.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/tests/wrong_value_dropin.fail.sh 
@@ -2,7 +2,7 @@ # platform = multi_platform_fedora,multi_platform_rhel,multi_platform_sle rm -f /etc/systemd/system/emergency.service mkdir -p /etc/systemd/system/emergency.service.d/ -cat << EOF > /etc/systemd/system/emergency.service.d/10-automatus.conf +cat << EOF > /etc/systemd/system/emergency.service.d/10-oscap.conf [Service] -ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency +ExecStart=/bin/bash EOF diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml index e8b284ada0e5..8f202eb31ddc 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml @@ -4,19 +4,19 @@ # complexity = low # disruption = low -{{% if 'rhel' not in product %}} +{{% if 'rhel' not in product and product != 'fedora' %}} - name: Require single user mode password lineinfile: create: yes dest: /usr/lib/systemd/system/rescue.service regexp: "^#?ExecStart=" - {{% if product in ["fedora", "ol8", "ol9", "sle12", "sle15"] -%}} + {{% if product in ["ol8", "ol9", "sle12", "sle15"]-%}} line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" {{%- else -%}} line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' {{%- endif %}} {{% else %}} -- name: "{{{ rule_title }}} - Require single user mode password" +- name: "{{{ rule_title }}} - Require emergency user mode password" community.general.ini_file: path: "/etc/systemd/system/rescue.service.d/10-oscap.conf" section: "Service" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh index 499c22ee7089..39b5667dba98 100644 
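Review bot: The task rename in the singleuser ansible hunk, `- name: "{{{ rule_title }}} - Require emergency user mode password"`, looks like a copy-paste slip from the emergency rule: this task writes `/etc/systemd/system/rescue.service.d/10-oscap.conf`, which is the rescue (single-user) unit, so the name should stay `- name: "{{{ rule_title }}} - Require single user mode password"`. The changed condition `{{% if product in ["ol8", "ol9", "sle12", "sle15"]-%}}` also lost the space before `-%}}` that every other template in this patch keeps (`] -%}}`). The ini_file value for the drop-in branch is outside the hunk; since bash/shared.sh in this patch now prefixes the value with `-` (ignore-failure), confirm the ansible value carries the same prefix so the two remediations and the OVAL regex `^ExecStart=\-...` agree.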
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh @@ -1,9 +1,9 @@ # platform = multi_platform_all {{% if product in ["fedora", "ol8", "ol9", "sle12", "sle15",] or 'rhel' in product -%}} -{{% set sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue" %}} +{{% set sulogin="-/usr/lib/systemd/systemd-sulogin-shell rescue" %}} {{%- else -%}} -{{% set sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' %}} +{{% set sulogin='-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' %}} {{%- endif %}} {{{ bash_ensure_ini_config("/etc/systemd/system/rescue.service.d/10-oscap.conf", "Service", "ExecStart", sulogin) }}} diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml index 28e4a260df26..75f1258e976d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml @@ -25,7 +25,7 @@ - {{%- if 'rhel' in product -%}} + {{%- if 'rhel' in product or product == 'fedora' -%}} /etc/systemd/system/rescue.service.d ^.*\.conf$ {{%- else -%}} diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index ac4b5a7337d4..90c48074eb17 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -54,7 +54,7 @@ ocil: |- To check if authentication is required for single-user mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/rescue.service
The output should be similar to the following, and the line must begin with - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "rhcos4"] -%}} + {{% if product in ["fedora", "ol8", "ol9", "rhcos4"] or 'rhel' in product -%}} ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
{{%- else -%}} @@ -84,7 +84,7 @@ fixtext: |- Configure {{{ full_name }}} to require authentication in single user mode. Add or update the following line in "/usr/lib/systemd/system/rescue.service": - {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}} + {{% if product in ["fedora", "ol8", "ol9", "sle12", "sle15"] or 'rhel' in product -%}} ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue {{%- else -%}} ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_dropin.pass.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_dropin.pass.sh index 8d4fa5dc408d..3cf97a45713f 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_dropin.pass.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_dropin.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_rhel - +rm -rf /etc/systemd/system/rescue.service.d mkdir -p /etc/systemd/system/rescue.service.d cat << EOF > /etc/systemd/system/rescue.service.d/10-automatus.conf [Service] diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh index c786daca324a..5154e96a6b7b 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh @@ -1,5 +1,5 @@ #!/bin/bash -# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_fedora,multi_platform_rhel +# platform = Oracle Linux 8,Oracle Linux 9 service_file="/usr/lib/systemd/system/rescue.service" sulogin="/usr/lib/systemd/systemd-sulogin-shell" 
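Review bot: Both rule.yml hunks (the ocil one starting at `@@ -54,7 +54,7 @@` and the fixtext one at `@@ -84,7 +84,7 @@`) still send the reader to `/usr/lib/systemd/system/rescue.service`, but for `'rhel' in product or product == 'fedora'` the OVAL hunk above reads `/etc/systemd/system/rescue.service.d/*.conf` and the remediations write `10-oscap.conf` there, so the manual check and the fix instructions describe a file the check no longer looks at on those products. The ocil command and the fixtext sentence should branch on the same condition as the OVAL, pointing at the drop-in directory (for example `$ grep sulogin /etc/systemd/system/rescue.service.d/*.conf` and "Add or update the following line in a drop-in file under /etc/systemd/system/rescue.service.d/") for rhel and fedora and keeping the current wording for the other products. The condition list in the ocil hunk names `rhcos4` while the fixtext hunk names `sle12`/`sle15`; if that difference is intentional a short comment saying why would help, otherwise the two lists should match.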
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_dropin.fail.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_dropin.fail.sh index 8d4fa5dc408d..0bb3ce9ff169 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_dropin.fail.sh +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/tests/wrong_dropin.fail.sh @@ -1,8 +1,8 @@ #!/bin/bash # platform = multi_platform_fedora,multi_platform_rhel - +rm -rf /etc/systemd/system/rescue.service.d mkdir -p /etc/systemd/system/rescue.service.d cat << EOF > /etc/systemd/system/rescue.service.d/10-automatus.conf [Service] -ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue +ExecStart=/bin/bash EOF