🧹 Revert the grub audit matchers (#191)

micheelengronne · web-flow · commit f8c52d6cdff5 · 2023-04-03T10:35:33.000+02:00
I would revert the GRUB audit matchers. The current one does not work.

---------

Signed-off-by: Michée lengronne &lt;michee.lengronne@limawi.io&gt;
diff --git a/core/mondoo-linux-security.mql.yaml b/core/mondoo-linux-security.mql.yaml
@@ -1105,16 +1105,16 @@ queries:
     impact: 80
     mql: |
       if( file("/boot/grub2/grub.cfg" ).exists) {
-        file("/boot/grub2/grub.cfg").content.lines.where( _ == /^[^#]/ ).contains("audit\=(\s+)?1")
+        file("/boot/grub2/grub.cfg").content.lines.where( _ == /^[^#]/ ).any(_ == /audit(\s+)?\=(\s+)?1/)
       }
       if( file("/boot/grub/grub.cfg").exists ) {
-        file("/boot/grub/grub.cfg").content.lines.where( _ == /^[^#]/ ).contains("audit\=(\s+)?1")
+        file("/boot/grub/grub.cfg").content.lines.where( _ == /^[^#]/ ).any(_ == /audit(\s+)?\=(\s+)?1/)
       }
       if( file("/boot/grub/grub.conf").exists ) {
-        file("/boot/grub/grub.conf").content.lines.where( _ == /^[^#]/ ).contains("audit\=(\s+)?1")
+        file("/boot/grub/grub.conf").content.lines.where( _ == /^[^#]/ ).any(_ == /audit(\s+)?\=(\s+)?1/)
       }
       if( file('/etc/secboot/config.json').exists ) {
-        parse.json('/etc/secboot/config.json').params['kernel-params'].contains('audit\=(\s+)?1')
+        parse.json('/etc/secboot/config.json').params['kernel-params'] == /audit(\s+)?\=(\s+)?1/
       }
     docs:
       desc: |-

Original file line number	Diff line number	Diff line change
`@@ -1105,16 +1105,16 @@ queries:`
`1105`	`1105`	`impact: 80`
`1106`	`1106`	`mql: \|`
`1107`	`1107`	`if( file("/boot/grub2/grub.cfg" ).exists) {`
`1108`		`- file("/boot/grub2/grub.cfg").content.lines.where( _ == /^[^#]/ ).contains("audit\=(\s+)?1")`
	`1108`	`+ file("/boot/grub2/grub.cfg").content.lines.where( _ == /^[^#]/ ).any(_ == /audit(\s+)?\=(\s+)?1/)`
`1109`	`1109`	`}`
`1110`	`1110`	`if( file("/boot/grub/grub.cfg").exists ) {`
`1111`		`- file("/boot/grub/grub.cfg").content.lines.where( _ == /^[^#]/ ).contains("audit\=(\s+)?1")`
	`1111`	`+ file("/boot/grub/grub.cfg").content.lines.where( _ == /^[^#]/ ).any(_ == /audit(\s+)?\=(\s+)?1/)`
`1112`	`1112`	`}`
`1113`	`1113`	`if( file("/boot/grub/grub.conf").exists ) {`
`1114`		`- file("/boot/grub/grub.conf").content.lines.where( _ == /^[^#]/ ).contains("audit\=(\s+)?1")`
	`1114`	`+ file("/boot/grub/grub.conf").content.lines.where( _ == /^[^#]/ ).any(_ == /audit(\s+)?\=(\s+)?1/)`
`1115`	`1115`	`}`
`1116`	`1116`	`if( file('/etc/secboot/config.json').exists ) {`
`1117`		`- parse.json('/etc/secboot/config.json').params['kernel-params'].contains('audit\=(\s+)?1')`
	`1117`	`+ parse.json('/etc/secboot/config.json').params['kernel-params'] == /audit(\s+)?\=(\s+)?1/`
`1118`	`1118`	`}`
`1119`	`1119`	`docs:`
`1120`	`1120`	`desc: \|-`