fix inputs

Author: pwong2021

controls/SV-238197.rb

@@ -63,10 +63,11 @@
   tag 'container'
 
   xorg_status = command('which Xorg').exit_status
+  gdm3_config_file = input('gdm3_config_file')
 
   if xorg_status == 0
     describe 'banner-message-enable must be set to true' do
-      subject { command('grep banner-message-enable /etc/gdm3/greeter.dconf-defaults').stdout.strip }
+      subject { command("grep banner-message-enable #{gdm3_config_file}").stdout.strip }
       it { should match(/banner-message-enable\s*=\s*true/) }
     end
   else

controls/SV-238236.rb

@@ -55,6 +55,7 @@
 
   file_integrity_tool = input('file_integrity_tool')
   expected_aide_sha1sum = input('expected_aide_sha1sum')
+  aide_conf_path = input('aide_conf_path')
 
   if file_integrity_tool == 'aide'
     cron_script_path = '/etc/cron.daily/dailyaidecheck'
@@ -73,7 +74,7 @@
       end
     end
     # Verify aide.conf matches expected vendor default SHA-1 (provided via input)
-    describe command("sha1sum /etc/aide/aide.conf | awk '{print $1}' | tr -d '\n'") do
+    describe command("sha1sum #{aide_conf_path} | awk '{print $1}' | tr -d '\n'") do
       its('exit_status') { should eq 0 }
       its('stdout') { should cmp expected_aide_sha1sum }
     end

controls/SV-238303.rb

@@ -50,17 +50,18 @@
   audit_tools = input('audit_tools')
   audit_rule_suffix = 'p+i+n+u+g+s+b+acl+xattrs+sha512'
   file_integrity_tool = input('file_integrity_tool')
+  aide_conf_path = input('aide_conf_path')
 
   if file_integrity_tool == 'aide'
-    describe file('/etc/aide/aide.conf') do
+    describe file(aide_conf_path) do
       it { should exist }
     end
 
     describe 'AIDE audit tools selection lines' do
       it 'must include exact lines for all audit tools' do
-        config = parse_config_file('/etc/aide/aide.conf', assignment_regex: %r{^\s*(/\S+)\s+(.*?)\s*$})
+        config = parse_config_file(aide_conf_path, assignment_regex: %r{^\s*(/\S+)\s+(.*?)\s*$})
         missing = audit_tools.reject { |tool| config[tool].to_s == audit_rule_suffix }
-        expect(missing).to be_empty, "Missing or incorrect lines in /etc/aide/aide.conf for: #{missing.join(', ')}"
+        expect(missing).to be_empty, "Missing or incorrect lines in #{aide_conf_path} for: #{missing.join(', ')}"
       end
     end
   else

controls/SV-238330.rb

@@ -32,9 +32,10 @@
   tag 'container'
 
   days_of_inactivity = input('days_of_inactivity')
+  useradd_config_file = input('useradd_config_file')
 
   describe 'Useradd configuration' do
-    useradd_config = parse_config_file('/etc/default/useradd')
+    useradd_config = parse_config_file(useradd_config_file)
 
     context 'when INACTIVE is set' do
       it 'should exist' do

controls/SV-238356.rb

@@ -56,7 +56,7 @@
 
     if chrony_conf_exists
       describe 'time sources' do
-        server_entries = command('grep "^server" /etc/chrony/chrony.conf').stdout.strip.split("\n").entries
+        server_entries = command("grep \"^server\" #{chrony_conf}").stdout.strip.split("\n").entries
 
         server_entries.each do |entry|
           describe entry do

controls/SV-238363.rb

@@ -30,7 +30,9 @@
     !%w[docker podman kubepods lxc].include?(virtualization.system)
   }
 
-  describe command('grep -i 1 /proc/sys/crypto/fips_enabled') do
+  fips_config_file = input('fips_config_file')
+
+  describe command("grep -i 1 #{fips_config_file}") do
     its('stdout') { should match('1') }
   end
 end

controls/SV-274855.rb

@@ -71,7 +71,7 @@
       skip 'This system is not using PKI for authentication so the controls is Not Applicable.'
     end
   else
-    config_file = '/etc/sssd/sssd.conf'
+    config_file = input('sssd_conf_path')
     config_file_exists = file(config_file).exist?
 
     if config_file_exists
@@ -89,7 +89,7 @@
         it { should be true }
       end
     else
-      describe '/etc/sssd/sssd.conf exists' do
+      describe "#{config_file} exists" do
         subject { config_file_exists }
         it { should be true }
       end

controls/SV-274856.rb

@@ -25,7 +25,8 @@
   tag nist: ['IA-5 (13)']
   tag 'host'
 
-  sssd_config = parse_config_file('/etc/sssd/sssd.conf')
+  sssd_conf_path = input('sssd_conf_path')
+  sssd_config = parse_config_file(sssd_conf_path)
 
   only_if('This control is Not Applicable to containers', impact: 0.0) {
     !%w[docker podman kubepods lxc].include?(virtualization.system)

controls/SV-274857.rb

@@ -23,7 +23,7 @@
     !%w[docker podman kubepods lxc].include?(virtualization.system)
   }
 
-  sssd_conf = '/etc/sssd/sssd.conf'
+  sssd_conf = input('sssd_conf_path')
 
   describe file(sssd_conf) do
     it { should exist }

inspec.yml

@@ -62,11 +62,6 @@ inputs:
       '/sbin/augenrules'
     ]
 
-  - name: standard_audit_log_size
-    description: Set audit log size in bytes (default:1073741824 per control specification)
-    type: Numeric
-    value: 8894028
-
   - name: aide_conf_path
     description: Path to aide.conf
     type: String
@@ -78,11 +73,6 @@ inputs:
     type: string
     value: root
 
-  - name: maxlogins
-    description: Maximum number of concurrent sessions
-    type: Numeric
-    value: 10
-
   # SV-238334
   - name: is_kdump_required
     description: Is kdump service required? (check with SA and documented with ISSO)
@@ -107,19 +97,6 @@ inputs:
     type: string
     value: (9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)
 
-  - name: allowed_network_interfaces
-    description: Array of allowed network interfaces (wired & wireless)
-    type: Array
-    value: [
-      'lo',
-      'eth0'
-    ]
-
-  - name: audit_sp_remote_server
-    description: Address of the remote server receiving the audit log
-    type: String
-    value: '192.0.0.1'
-
   # SV-252704
   - name: approved_wireless_interfaces
     description: List of approved wireless interfaces
@@ -154,16 +131,12 @@ inputs:
     type: String
     value: '/etc/rsyslog.d/50-default.conf'
 
-  - name: auditoffload_config_file
-    description: Location of audit offload config file
+  # SV-238321
+  - name: audit_offload_script
+    description: Location of audit offload script
     type: String
     value: '/etc/cron.weekly/audit-offload'
 
-  - name: audispremote_config_file
-    description: Location of audisp-remote plugin config file
-    type: String
-    value: '/etc/audisp/plugins.d/au-remote.conf'
-
   # SV-238198
   - name: gdm3_config_file
     description: Location of gdm3 config file