Fix architecture applicability

Architecture applicability conditionals were matching checking only in /proc/sys/kernel/osrelease which doesn't contain the architecture on Ubuntu. Added /proc/sys/kernel/arch to the checks and refactored the OVALs to a Jinja macro.
ComplianceAsCode · Jan 10, 2025 · ef722f0 · ef722f0
1 parent 6adfa48
commit ef722f0
Show file tree

Hide file tree

Showing 11 changed files with 46 additions and 138 deletions.
diff --git a/shared/applicability/aarch64_arch.yml b/shared/applicability/aarch64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:aarch64_arch
 title: System architecture is AARCH64
 check_id: proc_sys_kernel_osrelease_arch_aarch64
-bash_conditional: 'grep -q aarch64 /proc/sys/kernel/osrelease'
+bash_conditional: 'grep -q aarch64 /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture == "aarch64"'
diff --git a/shared/applicability/not_aarch64_arch.yml b/shared/applicability/not_aarch64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:not_aarch64_arch
 title: System architecture is not AARCH64
 check_id: proc_sys_kernel_osrelease_arch_not_aarch64
-bash_conditional: '! grep -q aarch64 /proc/sys/kernel/osrelease'
+bash_conditional: '! grep -q aarch64 /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture != "aarch64"'
diff --git a/shared/applicability/not_s390x_arch.yml b/shared/applicability/not_s390x_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:not_s390x_arch
 title: System architecture is not S390X
 check_id: proc_sys_kernel_osrelease_arch_not_s390x
-bash_conditional: '! grep -q s390x /proc/sys/kernel/osrelease'
+bash_conditional: '! grep -q s390x /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture != "s390x"'
diff --git a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_aarch64.xml b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_aarch64.xml
@@ -1,33 +1 @@
-<def-group>
-  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_aarch64"
-  version="1">
-    <metadata>
-      <title>Test that the architecture is aarch64</title>
-      <affected family="unix">
-        <platform>multi_platform_all</platform>
-      </affected>
-      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64</description>
-    </metadata>
-    <criteria>
-      <criterion comment="Architecture is aarch64"
-      test_ref="test_proc_sys_kernel_osrelease_arch_aarch64" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-      comment="proc_sys_kernel is for aarch64 architecture"
-      id="test_proc_sys_kernel_osrelease_arch_aarch64"
-  version="1">
-    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_aarch64" />
-    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_aarch64" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_aarch64" version="1">
-    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_aarch64" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^aarch64$</ind:subexpression>
-  </ind:textfilecontent54_state>
-</def-group>
+{{{ oval_check_proc_sys_kernel_osrelease_arch("aarch64") }}}
diff --git a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_ppc64le.xml
@@ -1,33 +1 @@
-<def-group>
-  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_ppc64le"
-  version="1">
-    <metadata>
-      <title>Test that the architecture is ppc64le</title>
-      <affected family="unix">
-        <platform>multi_platform_all</platform>
-      </affected>
-      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le</description>
-    </metadata>
-    <criteria>
-      <criterion comment="Architecture is ppc64le"
-      test_ref="test_proc_sys_kernel_osrelease_arch_ppc64le" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-      comment="proc_sys_kernel is for ppc64le architecture"
-      id="test_proc_sys_kernel_osrelease_arch_ppc64le"
-  version="1">
-    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_ppc64le" />
-    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_ppc64le" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_ppc64le" version="1">
-    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_ppc64le" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^ppc64le$</ind:subexpression>
-  </ind:textfilecontent54_state>
-</def-group>
+{{{ oval_check_proc_sys_kernel_osrelease_arch("ppc64le") }}}
diff --git a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_s390x.xml b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_s390x.xml
@@ -1,33 +1 @@
-<def-group>
-  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_s390x"
-  version="1">
-    <metadata>
-      <title>Test that the architecture is s390x</title>
-      <affected family="unix">
-        <platform>multi_platform_all</platform>
-      </affected>
-      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</description>
-    </metadata>
-    <criteria>
-      <criterion comment="Architecture is s390x"
-      test_ref="test_proc_sys_kernel_osrelease_arch_s390x" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-      comment="proc_sys_kernel is for s390x architecture"
-      id="test_proc_sys_kernel_osrelease_arch_s390x"
-  version="1">
-    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_s390x" />
-    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_s390x" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_s390x" version="1">
-    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_s390x" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
-  </ind:textfilecontent54_state>
-</def-group>
+{{{ oval_check_proc_sys_kernel_osrelease_arch("s390x") }}}
diff --git a/shared/applicability/oval/proc_sys_kernel_osrelease_arch_x86_64.xml b/shared/applicability/oval/proc_sys_kernel_osrelease_arch_x86_64.xml
@@ -1,33 +1 @@
-<def-group>
-  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_x86_64"
-  version="1">
-    <metadata>
-      <title>Test that the architecture is x86_64</title>
-      <affected family="unix">
-        <platform>multi_platform_all</platform>
-      </affected>
-      <description>Check that architecture of kernel in /proc/sys/kernel/osrelease is x86_64</description>
-    </metadata>
-    <criteria>
-      <criterion comment="Architecture is x86_64"
-      test_ref="test_proc_sys_kernel_osrelease_arch_x86_64" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-      comment="proc_sys_kernel is for x86_64 architecture"
-      id="test_proc_sys_kernel_osrelease_arch_x86_64"
-  version="1">
-    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_x86_64" />
-    <ind:state state_ref="state_proc_sys_kernel_osrelease_arch_x86_64" />
-  </ind:textfilecontent54_test>
-
-  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_x86_64" version="1">
-    <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-    <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-  <ind:textfilecontent54_state id="state_proc_sys_kernel_osrelease_arch_x86_64" version="1">
-    <ind:subexpression datatype="string" operation="pattern match">^x86_64$</ind:subexpression>
-  </ind:textfilecontent54_state>
-</def-group>
+{{{ oval_check_proc_sys_kernel_osrelease_arch("x86_64") }}}
diff --git a/shared/applicability/ppc64le_arch.yml b/shared/applicability/ppc64le_arch.yml
@@ -1,5 +1,5 @@
 name: "cpe:/a:ppc64le_arch"
 title: "System architecture is ppc64le"
 check_id: proc_sys_kernel_osrelease_arch_ppc64le
-bash_conditional: 'grep -q ppc64le /proc/sys/kernel/osrelease'
+bash_conditional: 'grep -q ppc64le /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture == "ppc64le"'
diff --git a/shared/applicability/s390x_arch.yml b/shared/applicability/s390x_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:s390x_arch
 title: System architecture is S390X
 check_id: proc_sys_kernel_osrelease_arch_s390x
-bash_conditional: 'grep -q s390x /proc/sys/kernel/osrelease'
+bash_conditional: 'grep -q s390x /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture == "s390x"'
diff --git a/shared/applicability/x86_64_arch.yml b/shared/applicability/x86_64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:x86_64_arch
 title: System architecture is x86_64
 check_id: proc_sys_kernel_osrelease_arch_x86_64
-bash_conditional: 'grep -q x86_64 /proc/sys/kernel/osrelease'
+bash_conditional: 'grep -q x86_64 /proc/sys/kernel/{osrelease,arch}'
 ansible_conditional: 'ansible_architecture == "x86_64"'
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
@@ -1724,3 +1724,39 @@ The macros generates the OVAL test including the dependent OVAL object and OVAL
   <ind:subexpression operation="pattern match">altfiles</ind:subexpression>
 </ind:textfilecontent54_state>
 {{%- endmacro -%}}
+
+{{#
+  Macro for checking the machine architecture type via uname machine_class
+
+  :param arch: Machine architecture (x86_64, aarch64, s90x, ppc64le, ...)
+#}}
+{{%- macro oval_check_proc_sys_kernel_osrelease_arch(arch) -%}}
+<def-group>
+  <definition class="inventory" id="proc_sys_kernel_osrelease_arch_{{{ arch }}}"
+  version="1">
+    <metadata>
+      <title>Test that the architecture is {{{ arch }}}</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Check that architecture of kernel in /proc/sys/kernel is {{{ arch }}}</description>
+    </metadata>
+    <criteria>
+      <criterion comment="Architecture is {{{ arch }}}"
+      test_ref="test_proc_sys_kernel_osrelease_arch_{{{ arch }}}" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists"
+      comment="proc_sys_kernel is for {{{ arch }}} architecture"
+      id="test_proc_sys_kernel_osrelease_arch_{{{ arch }}}" version="1">
+    <ind:object object_ref="object_proc_sys_kernel_osrelease_arch_{{{ arch }}}" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_proc_sys_kernel_osrelease_arch_{{{ arch }}}" version="1">
+    <ind:filepath operation="pattern match">/proc/sys/kernel/(osrelease|arch)</ind:filepath>
+    <ind:pattern operation="pattern match">^.*\.{{{ arch }}}$|^{{{ arch }}}$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
+{{%- endmacro -%}}