From c4378073f7f01508aec891d6acba29f2352d9adf Mon Sep 17 00:00:00 2001
From: Thomas H Jones II
Date: Thu, 7 Mar 2024 09:24:17 -0500
Subject: [PATCH 1/2] Ensure default fapolicyd rules are present

Running newer versions of `ocap` in remediation-mode will horribly break a system if one doesn't ensure that suitable fapolicyd rule-files are present when `oscap` enables "default-deny" mode. This modification necessary to do some questionable logical-assumptions in Red Hat's installation-routines for the fapolicyd RPM
---
.../files/fapolicyd_rules-helper.sh | 51 +++++++++++++++++++
ash-linux/el8/VendorSTIG/remediate.sls | 16 ++++++
2 files changed, 67 insertions(+)
create mode 100755 ash-linux/el8/VendorSTIG/files/fapolicyd_rules-helper.sh

diff --git a/ash-linux/el8/VendorSTIG/files/fapolicyd_rules-helper.sh b/ash-linux/el8/VendorSTIG/files/fapolicyd_rules-helper.sh
new file mode 100755
index 000000000..ba6e59271
--- /dev/null
+++ b/ash-linux/el8/VendorSTIG/files/fapolicyd_rules-helper.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+#
+set -euo pipefail
+#
+# Helper-script to handle conditional creation of fapolicyd default-rules so
+# that enabling fapolicyd in "deny-all" mode doesn't break the system
+#
+################################################################################
+
+DEF_RULE_FILE="/usr/share/fapolicyd/default-ruleset.known-libs"
+DEF_RULE_LIST=()
+NEW_RULES=0
+RULE_DEST_DIR="/etc/fapolicyd/rules.d"
+RULE_SORC_DIR="/usr/share/fapolicyd/sample-rules"
+
+# Bomb out if the fapolicyd RPM isn't installed
+if [[ $( rpm -q --quiet fapolicyd )$? -ne 0 ]]
+then
+ echo "Missing dependency: fapolicyd RPM" >&2
+ exit 1
+fi
+
+# Read contents of DEF_RULE_FILE into DEF_RULE_LIST array
+mapfile -t DEF_RULE_LIST < "${DEF_RULE_FILE}"
+
+# Create rules as necessary
+if [[ ${#DEF_RULE_LIST[*]} -gt 0 ]]
+then
+ echo "Creating necessary rule-files in ${RULE_DEST_DIR}"
+
+ for RULE_FILE in "${DEF_RULE_LIST[@]}"
+ do
+ if [[ ! -e ${RULE_DEST_DIR}/${RULE_FILE} ]]
+ then
+ printf "Creating %s/%s... " "${RULE_DEST_DIR}" "${RULE_FILE}"
+ install -bDm 0600 "${RULE_SORC_DIR}/${RULE_FILE}" \
+ "${RULE_DEST_DIR}/${RULE_FILE}" || \
+ ( echo FAILED ; exit 1 )
+ echo SUCCESS
+ NEW_RULES=$(( NEW_RULES += 1 ))
+ fi
+ done
+ if [[ ${NEW_RULES} -eq 0 ]]
+ then
+ echo # an empty line here so the next line will be the last.
+ echo "changed=no comment='No creation of rule-files necessary'"
+ else
+ echo # an empty line here so the next line will be the last.
+ echo "changed=yes comment='Created ${NEW_RULES} files'"
+ fi
+fi
diff --git a/ash-linux/el8/VendorSTIG/remediate.sls b/ash-linux/el8/VendorSTIG/remediate.sls
index 293005c2d..e1da83b8f 100644
--- a/ash-linux/el8/VendorSTIG/remediate.sls
+++ b/ash-linux/el8/VendorSTIG/remediate.sls
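Review bot: The `changed=…` summary at the end of the hunk is only reached inside `if [[ ${#DEF_RULE_LIST[*]} -gt 0 ]]`, so when default-ruleset.known-libs is empty the script exits 0 without printing a stateful line and Salt has nothing to parse; closing the outer `if` directly after `done` (moving the final `fi` up) makes the `NEW_RULES` summary run unconditionally. Each entry read by `mapfile` is used unchecked as a path component on both sides of `install`, so a blank, commented or slash-containing line would either fail the copy or land outside `${RULE_DEST_DIR}`; a guard such as `[[ -z ${RULE_FILE} || ${RULE_FILE} == '#'* || ${RULE_FILE} == */* ]] && continue` before the `-e` test keeps the loop to plain file names (the vendor file is root-owned, so this is defence in depth rather than an exposure). The `( echo FAILED ; exit 1 )` subshell only ends the subshell, and the script stops afterwards solely because `set -e` sees the failed `||` list; `{ echo FAILED >&2; exit 1; }` makes the abort explicit and keeps the diagnostic out of the stdout that `stateful: True` parses. `if [[ $( rpm -q --quiet fapolicyd )$? -ne 0 ]]` works but reads as a trick; `if ! rpm -q --quiet fapolicyd` says the same thing.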
@@ -22,10 +22,26 @@ {%- set pillProf = salt.pillar.get('ash-linux:lookup:scap-profile', 'common') %} {%- set scapProf = 'xccdf_org.ssgproject.content_profile_' ~ pillProf %} + +install fapolicyd: + pkg.installed: + - pkgs: + - fapolicyd + +script_fapolicyd_rule-files: + cmd.script: + - cwd: /root + - require: + - pkg: 'install fapolicyd' + - source: 'salt://{{ helperLoc }}/fapolicyd_rules-helper.sh' + - stateful: True + run_{{ stig_id }}-remediate: cmd.run: - name: 'oscap xccdf eval --remediate --profile {{ scapProf }} {{ dsfile }} > >(tee /var/log/oscap.log) 2>&1' - cwd: '/root' + - require: + - cmd: 'script_fapolicyd_rule-files' - shell: '/bin/bash' - success_retcodes: - 2 From 9df3e87b9939aaca7e49a1d988e1b58f31170213 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Thu, 7 Mar 2024 10:10:37 -0500 Subject: [PATCH 2/2] Fix path in helperLoc declaration --- ash-linux/el8/VendorSTIG/remediate.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ash-linux/el8/VendorSTIG/remediate.sls b/ash-linux/el8/VendorSTIG/remediate.sls index e1da83b8f..0b43fcbcf 100644 --- a/ash-linux/el8/VendorSTIG/remediate.sls +++ b/ash-linux/el8/VendorSTIG/remediate.sls @@ -4,7 +4,7 @@ # ################################################################# {%- set stig_id = 'VendorSTIG-top' %} -{%- set helperLoc = 'ash-linux-formula/ash-linux/el8/VendorSTIG/files' %} +{%- set helperLoc = tpldir ~ '/files' %} {%- set sudoerFiles = salt.file.find('/etc/sudoers.d', maxdepth=1, type='f') %} {%- if salt.grains.get('os')|lower == 'redhat' %} {%- set dsos = 'rhel' %}
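Review bot: `- cwd: /root` in the new `script_fapolicyd_rule-files` state is unquoted while the sibling `run_{{ stig_id }}-remediate` state a few lines below writes `- cwd: '/root'`; both parse identically, but `- cwd: '/root'` keeps the file uniform. The `require` on `pkg: 'install fapolicyd'` makes the helper's own `rpm -q` check a backstop only, which is fine to keep, but a one-line comment above the state saying that the helper must seed `/etc/fapolicyd/rules.d` before `oscap … --remediate` switches fapolicyd to default-deny (the reason given in the commit message) would spare the next reader a trip to the commit log.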