Merge pull request ComplianceAsCode#12815 from mpurg/fix_arch_applica…

…bility_2 Fix the bash conditional for checking system architecture
alanmcanonical · Jan 17, 2025 · 6ef42a2 · 6ef42a2
2 parents c6783f4 + f941679
commit 6ef42a2
Show file tree

Hide file tree

Showing 8 changed files with 18 additions and 6 deletions.
diff --git a/shared/applicability/aarch64_arch.yml b/shared/applicability/aarch64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:aarch64_arch
 title: System architecture is AARCH64
 check_id: proc_sys_kernel_osrelease_arch_aarch64
-bash_conditional: 'grep -q aarch64 /proc/sys/kernel/{osrelease,arch}'
+bash_conditional: {{{ bash_arch_conditional("aarch64") }}}
 ansible_conditional: 'ansible_architecture == "aarch64"'
diff --git a/shared/applicability/not_aarch64_arch.yml b/shared/applicability/not_aarch64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:not_aarch64_arch
 title: System architecture is not AARCH64
 check_id: proc_sys_kernel_osrelease_arch_not_aarch64
-bash_conditional: '! grep -q aarch64 /proc/sys/kernel/{osrelease,arch}'
+bash_conditional: '! {{{ bash_arch_conditional("aarch64") }}}'
 ansible_conditional: 'ansible_architecture != "aarch64"'
diff --git a/shared/applicability/not_s390x_arch.yml b/shared/applicability/not_s390x_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:not_s390x_arch
 title: System architecture is not S390X
 check_id: proc_sys_kernel_osrelease_arch_not_s390x
-bash_conditional: '! grep -q s390x /proc/sys/kernel/{osrelease,arch}'
+bash_conditional: '! {{{ bash_arch_conditional("s390x") }}}'
 ansible_conditional: 'ansible_architecture != "s390x"'
diff --git a/shared/applicability/ppc64le_arch.yml b/shared/applicability/ppc64le_arch.yml
@@ -1,5 +1,5 @@
 name: "cpe:/a:ppc64le_arch"
 title: "System architecture is ppc64le"
 check_id: proc_sys_kernel_osrelease_arch_ppc64le
-bash_conditional: 'grep -q ppc64le /proc/sys/kernel/{osrelease,arch}'
+bash_conditional: {{{ bash_arch_conditional("ppc64le") }}}
 ansible_conditional: 'ansible_architecture == "ppc64le"'
diff --git a/shared/applicability/s390x_arch.yml b/shared/applicability/s390x_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:s390x_arch
 title: System architecture is S390X
 check_id: proc_sys_kernel_osrelease_arch_s390x
-bash_conditional: 'grep -q s390x /proc/sys/kernel/{osrelease,arch}'
+bash_conditional: {{{ bash_arch_conditional("s390x") }}}
 ansible_conditional: 'ansible_architecture == "s390x"'
diff --git a/shared/applicability/x86_64_arch.yml b/shared/applicability/x86_64_arch.yml
@@ -1,5 +1,5 @@
 name: cpe:/a:x86_64_arch
 title: System architecture is x86_64
 check_id: proc_sys_kernel_osrelease_arch_x86_64
-bash_conditional: 'grep -q x86_64 /proc/sys/kernel/{osrelease,arch}'
+bash_conditional: {{{ bash_arch_conditional("x86_64") }}}
 ansible_conditional: 'ansible_architecture == "x86_64"'
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
@@ -2668,3 +2668,14 @@ if the remediation is not performed during a build of a bootable container image
 {{%- macro bash_not_bootc_build() -%}}
 [[ "$OSCAP_BOOTC_BUILD" != "YES" ]]
 {{%- endmacro -%}}
+
+
+{{#
+This macro creates a Bash conditional which checks the system architecture in /proc/sys/kernel/{osrelease,arch}
+
+  :param arch: system architecture (x86_64, aarch64, s90x, ppc64le, ...)
+  :type arch: str
+#}}
+{{%- macro bash_arch_conditional(arch) -%}}
+( grep -sqE "^.*\.{{{ arch }}}$" /proc/sys/kernel/osrelease || grep -sqE "^{{{ arch }}}$" /proc/sys/kernel/arch; )
+{{%- endmacro -%}}
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja
@@ -1729,6 +1729,7 @@ The macros generates the OVAL test including the dependent OVAL object and OVAL
   Macro for checking the system architecture in /proc/sys/kernel/{osrelease,arch}
 
   :param arch: system architecture (x86_64, aarch64, s90x, ppc64le, ...)
+  :type arch: str
 #}}
 {{%- macro oval_check_proc_sys_kernel_osrelease_arch(arch) -%}}
 <def-group>