Make sure pattern matching includes subexpressions

Use oval count to get count of subexpression matches per type profile Fix object and variable namings to include rule_id
ComplianceAsCode · Feb 4, 2024 · 21f2fbd · 21f2fbd
1 parent 9f3b7bc
commit 21f2fbd
Showing 1 changed file with 21 additions and 12 deletions.
diff --git a/...x_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/oval/shared.xml b/...x_os/guide/system/apparmor/all_apparmor_profiles_in_enforce_complain_mode/oval/shared.xml
@@ -3,22 +3,22 @@
     {{{ oval_metadata("Ensure AppArmor profiles are in enforce complain mode") }}}
     <criteria operator="AND">
       <criterion comment="Check sum of complaining and enforced profiles equals all profiles"
-        test_ref="test_sum_complain_n_enforced_equal_all" />
+        test_ref="{{{ rule_id }}}_test_sum_complain_n_enforced_equal_all" />
     </criteria>
   </definition>
   <ind:textfilecontent54_object id="{{{ rule_id }}}_obj_apparmor_profiles" version="1">
     <ind:filepath datatype="string">/sys/kernel/security/apparmor/profiles</ind:filepath>
-    <ind:pattern operation="pattern match" datatype="string">^.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
   <ind:textfilecontent54_object id="{{{ rule_id }}}_obj_apparmor_enforced_profiles" version="1">
     <ind:filepath datatype="string">/sys/kernel/security/apparmor/profiles</ind:filepath>
-    <ind:pattern operation="pattern match" datatype="string">^\(enforce\)$</ind:pattern>
+    <ind:pattern operation="pattern match" datatype="string">^.*\(enforce\)$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
   <ind:textfilecontent54_object id="{{{ rule_id }}}_obj_apparmor_complaining_profiles" version="1">
     <ind:filepath datatype="string">/sys/kernel/security/apparmor/profiles</ind:filepath>
-    <ind:pattern operation="pattern match" datatype="string">^\(complain\)$</ind:pattern>
+    <ind:pattern operation="pattern match" datatype="string">^.*\(complain\)$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
   <ind:textfilecontent54_object id="{{{ rule_id }}}_obj_apparmor_unconfined_profiles" version="1">
@@ -29,16 +29,22 @@
   </ind:textfilecontent54_object>
   <local_variable datatype="int" id="{{{ rule_id }}}_var_num_apparmor_profiles" version="1"
     comment="apparmor profiles">
-    <object_component item_field="subexpression"
-     object_ref="{{{ rule_id }}}_obj_apparmor_profiles" />
+    <count>
+      <object_component item_field="subexpression"
+                        object_ref="{{{ rule_id }}}_obj_apparmor_profiles" />
+    </count>
   </local_variable>
   <local_variable datatype="int" comment="enforced apparmor profiles"
     id="{{{ rule_id }}}_var_num_apparmor_enforced_complaining_profiles" version="1" >
     <arithmetic arithmetic_operation="add">
+      <count>
       <object_component item_field="subexpression"
         object_ref="{{{ rule_id }}}_obj_apparmor_enforced_profiles" />
+      </count>
+      <count>
       <object_component item_field="subexpression"
         object_ref="{{{ rule_id }}}_obj_apparmor_complaining_profiles" />
+      </count>
     </arithmetic>
   </local_variable>
   <local_variable datatype="int" id="{{{ rule_id }}}_var_num_apparmor_unconfined_profiles"
@@ -50,10 +56,13 @@
   <ind:variable_object id="{{{ rule_id }}}_obj_all_apparmor_profiles" version="1">
     <ind:var_ref>{{{ rule_id }}}_var_num_apparmor_profiles</ind:var_ref>
   </ind:variable_object>
-
-  <ind:variable_object id="{{{ rule_id }}}_obj_num_apparmor_enforced_complaining_profiles"
-    version="1">
-    <ind:var_ref>{{{ rule_id }}}_var_num_apparmor_enforced_complaining_profiles</ind:var_ref>
-  </ind:variable_object>
-
+  <ind:variable_state id="{{{ rule_id }}}_state_sum_complain_n_enforced" version="1">
+    <ind:value datatype="int" operation="equals" var_check="all"
+      var_ref="{{{ rule_id }}}_var_num_apparmor_enforced_complaining_profiles"/>
+  </ind:variable_state>
+  <ind:variable_test id="{{{ rule_id }}}_test_sum_complain_n_enforced_equal_all" check="all"
+    version="1" comment="Compare number of profiles with sum of complain and enforced">
+    <ind:object object_ref="{{{ rule_id }}}_obj_all_apparmor_profiles"/>
+    <ind:state state_ref="{{{ rule_id }}}_state_sum_complain_n_enforced"/>
+  </ind:variable_test>
 </def-group>