From 51a826878ade2ebb564405991937ba0e2b2b7717 Mon Sep 17 00:00:00 2001
|
||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||
|
Date: Wed, 2 Feb 2022 14:25:30 +0100
|
||
|
Subject: [PATCH 1/8] create two macros
|
||
|
|
||
|
one provides description for grub2_argument templated rules
|
||
|
the second provides ocil for those cases
|
||
|
---
|
||
|
shared/macros.jinja | 56 +++++++++++++++++++++++++++++++++++++++++++++
|
||
|
1 file changed, 56 insertions(+)
|
||
|
|
||
|
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
||
|
index 00358e2f67c..3d41c998b0c 100644
|
||
|
--- a/shared/macros.jinja
|
||
|
+++ b/shared/macros.jinja
|
||
|
@@ -1620,3 +1620,59 @@ The audit daemon must be restarted for the changes to take effect.
|
||
|
- no_ovirt
|
||
|
{{%- endif %}}
|
||
|
{{% endmacro %}}
|
||
|
+
|
||
|
+{{#
|
||
|
+ Describe how to configure Grub2 to add an argument to the default kernel command line.
|
||
|
+ The parameter should be in form `parameter=value`.
|
||
|
+#}}
|
||
|
+{{%- macro describe_grub2_argument(arg_name_value) -%}}
|
||
|
+{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
|
||
|
+To ensure that <tt>{{{ arg_name_value }}}</tt> is added as a kernel command line
|
||
|
+argument to newly installed kernels, ad <tt>{{{ arg_name_value }}}</tt> to the
|
||
|
+default Grub2 command line for Linux operating systems. Modify the line within
|
||
|
+<tt>/etc/default/grub</tt> as shown below:
|
||
|
+<pre>GRUB_CMDLINE_LINUX="... {{{ arg_name_value }}} ..."</pre>
|
||
|
+Run the following command to update command line for already installed kernels:
|
||
|
+{{%- if 'ubuntu' in product -%}}
|
||
|
+<pre># update-grub</pre>
|
||
|
+{{%- else -%}}
|
||
|
+<pre># grubby --update-kernel=ALL --args="{{{ arg_name_value }}}"</pre>
|
||
|
+{{%- endif -%}}
|
||
|
+{{%- else -%}}
|
||
|
+Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}} as follows:
|
||
|
+<pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ arg_name_value }}}"</pre>
|
||
|
+{{%- endif -%}}
|
||
|
+{{%- endmacro -%}}
|
||
|
+
|
||
|
+{{#
|
||
|
+ Provide OCIL for checking if an argument for kernel command line is configured with Grub2.
|
||
|
+ The parameter should have form `parameter=value`.
|
||
|
+#}}
|
||
|
+{{%- macro ocil_grub2_argument(arg_name_value) -%}}
|
||
|
+{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
|
||
|
+Inspect the form of default GRUB 2 command line for the Linux operating system
|
||
|
+in <tt>/etc/default/grub</tt>. If it includes <tt>{{{ arg_name_value }}}</tt>,
|
||
|
+then auditinng will be enabled for newly installed kernels.
|
||
|
+First check if the GRUB recovery is enabled:
|
||
|
+<pre>$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
|
||
|
+If this option is set to true, then check that a line is output by the following command:
|
||
|
+<pre>$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>
|
||
|
+If the recovery is disabled, check the line with
|
||
|
+<pre>$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>.
|
||
|
+{{%- if 'ubuntu' in product -%}}
|
||
|
+Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
|
||
|
+<pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'</pre>
|
||
|
+This command should not return any output.
|
||
|
+{{%- else -%}}
|
||
|
+Moreover, command line parameters for currently installed kernels should be checked as well.
|
||
|
+Run the following command:
|
||
|
+<pre># grubby --info=ALL | grep args | grep -v '{{{ arg_name_value }}}'</pre>
|
||
|
+The command should not return any output.
|
||
|
+{{%- endif -%}}
|
||
|
+{{%- else -%}}
|
||
|
+Inspect the form of default GRUB 2 command line for the Linux operating system
|
||
|
+in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then auditing
|
||
|
+is enabled at boot time.
|
||
|
+<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||
|
+{{%- endif -%}}
|
||
|
+{{%- endmacro -%}}
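Review bot: The product condition at the top of both macros, `{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}`, leaves out sle12 and sle15, while the ocil block that the next patch in this series removes from grub2_audit_argument listed `"sle12","sle15"` next to rhel7 and ol7 for the /etc/default/grub procedure; once that rule calls `ocil_grub2_argument`, SLE readers are sent to the grubenv/kernelopts instructions instead, which looks like an unintended regression unless those products really moved away from /etc/default/grub. There is also a typo in the description text: `argument to newly installed kernels, ad <tt>{{{ arg_name_value }}}</tt> to the` should read `add`. Because every tag uses `-` on both sides, the newline before a `<pre>` that directly follows a tag is stripped as well, so for example `kernels:` and `<pre># update-grub</pre>` render on one line; that is harmless in HTML but worth checking in any plain-text OCIL rendering.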
|
||
|
|
||
|
From c8cb579db19bd55eebcb0bdc4b1432368a5c1b77 Mon Sep 17 00:00:00 2001
|
||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||
|
Date: Wed, 2 Feb 2022 14:26:26 +0100
|
||
|
Subject: [PATCH 2/8] use new macros in grub2_audit_argument
|
||
|
|
||
|
---
|
||
|
.../auditing/grub2_audit_argument/rule.yml | 45 ++-----------------
|
||
|
1 file changed, 3 insertions(+), 42 deletions(-)
|
||
|
|
||
|
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||
|
index 96dbe67699e..aff0521ee73 100644
|
||
|
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||
|
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||
|
@@ -7,15 +7,8 @@ title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'
|
||
|
description: |-
|
||
|
To ensure all processes can be audited, even those which start
|
||
|
prior to the audit daemon, add the argument <tt>audit=1</tt> to the default
|
||
|
- GRUB 2 command line for the Linux operating system in
|
||
|
-{{% if product in ["rhel7", "ol7"] %}}
|
||
|
- <tt>/etc/default/grub</tt>, so that the line looks similar to
|
||
|
- <pre>GRUB_CMDLINE_LINUX="... audit=1 ..."</pre>
|
||
|
- In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
|
||
|
-{{% else %}}
|
||
|
- <tt>{{{ grub2_boot_path }}}/grubenv</tt>, in the manner below:
|
||
|
- <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"</pre>
|
||
|
-{{% endif %}}
|
||
|
+ GRUB 2 command line for the Linux operating system.
|
||
|
+ {{{ describe_grub2_argument("audit=1") | indent(4) }}}
|
||
|
|
||
|
rationale: |-
|
||
|
Each process on the system carries an "auditable" flag which indicates whether
|
||
|
@@ -59,39 +52,7 @@ references:
|
||
|
ocil_clause: 'auditing is not enabled at boot time'
|
||
|
|
||
|
ocil: |-
|
||
|
-{{% if product in ["rhel7", "ol7", "sle12","sle15"] %}}
|
||
|
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||
|
- in <tt>/etc/default/grub</tt>. If it includes <tt>audit=1</tt>, then auditing
|
||
|
- is enabled at boot time.
|
||
|
- First check if the GRUB recovery is enabled:
|
||
|
- <pre>$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
|
||
|
- If this option is set to true, then check that a line is output by the following command:
|
||
|
- <pre>$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub</pre>
|
||
|
- If the recovery is disabled, check the line with
|
||
|
- <pre>$ grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub</pre>.
|
||
|
- Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
|
||
|
- <pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v 'audit=1'</pre>
|
||
|
- This command should not return any output. If it does, update the configuration with
|
||
|
- <pre># grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
|
||
|
- <br /><br />
|
||
|
- Alternatively, to ensure <tt>audit=1</tt> is configured on all installed kernels, the
|
||
|
- following command may be used:
|
||
|
- <br />
|
||
|
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="audit=1"</pre>
|
||
|
- <br />
|
||
|
-{{% else %}}
|
||
|
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||
|
- in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>audit=1</tt>, then auditing
|
||
|
- is enabled at boot time.
|
||
|
- <pre># grep 'kernelopts.*audit=1.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||
|
- <br /><br />
|
||
|
- To ensure <tt>audit=1</tt> is configured on all installed kernels, the
|
||
|
- following command may be used:
|
||
|
- <br />
|
||
|
- <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"</pre>
|
||
|
- <br />
|
||
|
-{{% endif %}}
|
||
|
-
|
||
|
+ {{{ ocil_grub2_argument("audit=1") | indent(4) }}}
|
||
|
|
||
|
warnings:
|
||
|
- management: |-
|
||
|
|
||
|
From 3ff2c245408d3fe892222eee8171e2f84868f705 Mon Sep 17 00:00:00 2001
|
||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||
|
Date: Thu, 3 Feb 2022 14:25:34 +0100
|
||
|
Subject: [PATCH 3/8] fix omission in ocil jinja macro
|
||
|
|
||
|
---
|
||
|
shared/macros.jinja | 6 +++---
|
||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
||
|
index 3d41c998b0c..16a0404b668 100644
|
||
|
--- a/shared/macros.jinja
|
||
|
+++ b/shared/macros.jinja
|
||
|
@@ -1652,7 +1652,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}
|
||
|
{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
|
||
|
Inspect the form of default GRUB 2 command line for the Linux operating system
|
||
|
in <tt>/etc/default/grub</tt>. If it includes <tt>{{{ arg_name_value }}}</tt>,
|
||
|
-then auditinng will be enabled for newly installed kernels.
|
||
|
+then the parameter will be configured for newly installed kernels.
|
||
|
First check if the GRUB recovery is enabled:
|
||
|
<pre>$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
|
||
|
If this option is set to true, then check that a line is output by the following command:
|
||
|
@@ -1671,8 +1671,8 @@ The command should not return any output.
|
||
|
{{%- endif -%}}
|
||
|
{{%- else -%}}
|
||
|
Inspect the form of default GRUB 2 command line for the Linux operating system
|
||
|
-in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then auditing
|
||
|
-is enabled at boot time.
|
||
|
+in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
|
||
|
+is configured at boot time.
|
||
|
<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||
|
{{%- endif -%}}
|
||
|
{{%- endmacro -%}}
|
||
|
|
||
|
From 976da69681d03d9b9380fc57216c30c7b4891f50 Mon Sep 17 00:00:00 2001
|
||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||
|
Date: Thu, 3 Feb 2022 14:26:33 +0100
|
||
|
Subject: [PATCH 4/8] use new jinja macros in all grub2 related rules
|
||
|
|
||
|
---
|
||
|
.../rule.yml | 15 ++-----
|
||
|
.../grub2_enable_iommu_force/rule.yml | 9 +++-
|
||
|
.../grub2_init_on_alloc_argument/rule.yml | 18 ++------
|
||
|
.../grub2_kernel_trust_cpu_rng/rule.yml | 11 ++---
|
||
|
.../grub2_pti_argument/rule.yml | 15 ++-----
|
||
|
.../grub2_vsyscall_argument/rule.yml | 15 ++-----
|
||
|
.../grub2_ipv6_disable_argument/rule.yml | 45 ++-----------------
|
||
|
.../grub2_page_poison_argument/rule.yml | 15 ++-----
|
||
|
.../grub2_slub_debug_argument/rule.yml | 15 ++-----
|
||
|
9 files changed, 33 insertions(+), 125 deletions(-)
|
||
|
|
||
|
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||
|
index f94ddab2fe1..868d525014f 100644
|
||
|
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||
|
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
|
||
|
@@ -7,9 +7,8 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon'
|
||
|
description: |-
|
||
|
To improve the kernel capacity to queue all log events, even those which occurred
|
||
|
prior to the audit daemon, add the argument <tt>audit_backlog_limit=8192</tt> to the default
|
||
|
- GRUB 2 command line for the Linux operating system in
|
||
|
- <tt>/etc/default/grub</tt>, in the manner below:
|
||
|
- <pre>GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"</pre>
|
||
|
+ GRUB 2 command line for the Linux operating system.
|
||
|
+ {{{ describe_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
|
||
|
|
||
|
rationale: |-
|
||
|
audit_backlog_limit sets the queue length for audit events awaiting transfer
|
||
|
@@ -40,15 +39,7 @@ references:
|
||
|
ocil_clause: 'audit backlog limit is not configured'
|
||
|
|
||
|
ocil: |-
|
||
|
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||
|
- in <tt>/etc/default/grub</tt>. If they include <tt>audit=1</tt>, then auditing
|
||
|
- is enabled at boot time.
|
||
|
- <br /><br />
|
||
|
- To ensure <tt>audit_backlog_limit=8192</tt> is configured on all installed kernels, the
|
||
|
- following command may be used:
|
||
|
- <br />
|
||
|
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192"</pre>
|
||
|
- <br />
|
||
|
+ {{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
|
||
|
|
||
|
warnings:
|
||
|
- management: |-
|
||
|
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||
|
index 0a0d76aeb23..1ff5a4d5f26 100644
|
||
|
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||
|
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
|
||
|
@@ -5,9 +5,10 @@ title: 'IOMMU configuration directive'
|
||
|
description: |-
|
||
|
On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some
|
||
|
of the system critical units such as the memory.
|
||
|
+ {{{ describe_grub2_argument("iommu=force") | indent(4) }}}
|
||
|
|
||
|
rationale: |-
|
||
|
- On x86 architectures, activating the I/OMMU prevents the system from arbritrary accesses potentially made by
|
||
|
+ On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by
|
||
|
hardware devices.
|
||
|
|
||
|
severity: unknown
|
||
|
@@ -22,6 +23,12 @@ references:
|
||
|
|
||
|
platform: machine
|
||
|
|
||
|
+ocil_clause: 'I/OMMU is not activated'
|
||
|
+
|
||
|
+ocil: |-
|
||
|
+ {{{ ocil_grub2_argument("iommu=force") | indent(4) }}}
|
||
|
+
|
||
|
+
|
||
|
warnings:
|
||
|
- functionality:
|
||
|
Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities.
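Review bot: The added `ocil` block ends with two consecutive blank lines before `warnings:`; drop one so the file keeps the single blank line between keys that the other rules in this series use. The new `ocil_clause: 'I/OMMU is not activated'` also follows the rationale's `I/OMMU` spelling while the title and the functionality warning write `IOMMU`; picking one keeps the generated report consistent.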
|
||
|
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||
|
index a9253c74cc6..3bb645dadb7 100644
|
||
|
--- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||
|
+++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
|
||
|
@@ -6,12 +6,8 @@ title: 'Configure kernel to zero out memory before allocation'
|
||
|
|
||
|
description: |-
|
||
|
To configure the kernel to zero out memory before allocating it, add the
|
||
|
- <tt>init_on_alloc=1</tt> argument to the default GRUB 2 command line for
|
||
|
- the Linux operating system in <tt>/etc/default/grub</tt>, in the manner
|
||
|
- below:
|
||
|
- <pre>GRUB_CMDLINE_LINUX="crashkernel=auto quiet rd.shell=0 audit=1 audit_backlog_limit=8192 init_on_alloc=1"</pre>
|
||
|
- Update the boot parameter for existing kernels by running the following command:
|
||
|
- <pre># grubby --update-kernel=ALL --args="init_on_alloc=1"</pre>
|
||
|
+ <tt>init_on_alloc=1</tt> argument to the default GRUB 2 command line.
|
||
|
+ {{{ describe_grub2_argument("init_on_alloc=1") | indent(4) }}}
|
||
|
|
||
|
rationale: |-
|
||
|
When the kernel configuration option <tt>init_on_alloc</tt> is enabled,
|
||
|
@@ -27,15 +23,7 @@ identifiers:
|
||
|
ocil_clause: 'the kernel is not configured to zero out memory before allocation'
|
||
|
|
||
|
ocil: |-
|
||
|
- Make sure that the kernel is configured to zero out memory before
|
||
|
- allocation. Ensure that the parameter is configured in
|
||
|
- <tt>/etc/default/grub</tt>:
|
||
|
- <pre>grep GRUB_CMDLINE_LINUX /etc/default/grub</pre>
|
||
|
- The output should contain <tt>init_on_alloc=1</tt>.
|
||
|
- Run the following command to display command line parameters of all
|
||
|
- installed kernels:
|
||
|
- <pre># grubby --info=ALL | grep args</pre>
|
||
|
- Ensure that each line contains the <tt>init_on_alloc=1</tt> parameter.
|
||
|
+ {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}}
|
||
|
|
||
|
platform: machine
|
||
|
|
||
|
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||
|
index 308ae9cb735..d6bfc02f345 100644
|
||
|
--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||
|
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml
|
||
|
@@ -11,8 +11,8 @@ description: |-
|
||
|
<tt>Y</tt>, make sure that it is not overridden with the boot parameter.
|
||
|
There must not exist the boot parameter <tt>random.trust_cpu=off</tt>. If
|
||
|
the option is not compiled in, make sure that <tt>random.trust_cpu=on</tt>
|
||
|
- is configured as a boot parameter by running the following command:
|
||
|
- <pre>sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) random.trust_cpu=on"</pre>
|
||
|
+ is configured as a boot parameter.
|
||
|
+ {{{ describe_grub2_argument("random.trust_cpu=on") | indent(4) }}}
|
||
|
|
||
|
rationale: |-
|
||
|
The Linux kernel offers an option which signifies if the kernel should trust
|
||
|
@@ -44,11 +44,8 @@ ocil: |-
|
||
|
option is not overridden through a boot parameter:
|
||
|
<pre>sudo grep 'kernelopts.*random\.trust_cpu=off.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||
|
The command should not return any output. If the option is not compiled into
|
||
|
- the kernel, check that the option is configured through boot parameter with
|
||
|
- the following command:
|
||
|
- <pre>sudo grep 'kernelopts.*random\.trust_cpu=on.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||
|
- If the command does not return any output, then the boot parameter is
|
||
|
- missing.
|
||
|
+ the kernel, check that the option is configured through boot parameter.
|
||
|
+ {{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}}
|
||
|
|
||
|
platform: machine
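Review bot: The replacement `{{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}}` interpolates the value verbatim into grep patterns such as `'kernelopts.*random.trust_cpu=on.*'`, so the `.` now matches any character, whereas the removed line escaped it as `random\.trust_cpu=on` and the retained `=off` check just above the removed lines still does; the manual check becomes looser than before and inconsistent within the same ocil text. The same applies to `ipv6.disable=1` in the grub2_ipv6_disable_argument hunk of this patch, although that rule was already unescaped. Consider having the macro escape regex metacharacters in the value it places inside `grep` patterns while keeping the plain form for the `<tt>` display, or accept a separate pre-escaped pattern. The enclosing `ocil: |-` block starts outside the hunk.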
|
||
|
|
||
|
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||
|
index f4f3fa39510..51b0a284746 100644
|
||
|
--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||
|
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
|
||
|
@@ -7,9 +7,8 @@ title: 'Enable Kernel Page-Table Isolation (KPTI)'
|
||
|
description: |-
|
||
|
To enable Kernel page-table isolation,
|
||
|
add the argument <tt>pti=on</tt> to the default
|
||
|
- GRUB 2 command line for the Linux operating system in
|
||
|
- <tt>/etc/default/grub</tt>, in the manner below:
|
||
|
- <pre>GRUB_CMDLINE_LINUX="pti=on"</pre>
|
||
|
+ GRUB 2 command line for the Linux operating system.
|
||
|
+ {{{ describe_grub2_argument("pti=on") | indent(4) }}}
|
||
|
|
||
|
rationale: |-
|
||
|
Kernel page-table isolation is a kernel feature that mitigates
|
||
|
@@ -33,15 +32,7 @@ references:
|
||
|
ocil_clause: 'Kernel page-table isolation is not enabled'
|
||
|
|
||
|
ocil: |-
|
||
|
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||
|
- in <tt>/etc/default/grub</tt>. If they include <tt>pti=on</tt>,
|
||
|
- then Kernel page-table isolation is enabled at boot time.
|
||
|
- <br /><br />
|
||
|
- To ensure <tt>pti=on</tt> is configured on all installed kernels, the
|
||
|
- following command may be used:
|
||
|
- <br />
|
||
|
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="pti=on</pre>
|
||
|
- <br />
|
||
|
+ {{{ ocil_grub2_argument("pti=on") | indent(4) }}}
|
||
|
|
||
|
warnings:
|
||
|
- management: |-
|
||
|
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||
|
index 9f38a1c13b9..1b88d13bd3c 100644
|
||
|
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||
|
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
|
||
|
@@ -7,9 +7,8 @@ title: 'Disable vsyscalls'
|
||
|
description: |-
|
||
|
To disable use of virtual syscalls,
|
||
|
add the argument <tt>vsyscall=none</tt> to the default
|
||
|
- GRUB 2 command line for the Linux operating system in
|
||
|
- <tt>/etc/default/grub</tt>, in the manner below:
|
||
|
- <pre>GRUB_CMDLINE_LINUX="vsyscall=none"</pre>
|
||
|
+ GRUB 2 command line for the Linux operating system.
|
||
|
+ {{{ describe_grub2_argument("vsyscall=none") | indent(4) }}}
|
||
|
|
||
|
rationale: |-
|
||
|
Virtual Syscalls provide an opportunity of attack for a user who has control
|
||
|
@@ -33,15 +32,7 @@ references:
|
||
|
ocil_clause: 'vsyscalls are enabled'
|
||
|
|
||
|
ocil: |-
|
||
|
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||
|
- in <tt>/etc/default/grub</tt>. If they include <tt>vsyscall=none</tt>,
|
||
|
- then virtyal syscalls are not enabled at boot time.
|
||
|
- <br /><br />
|
||
|
- To ensure <tt>vsyscall=none</tt> is configured on all installed kernels, the
|
||
|
- following command may be used:
|
||
|
- <br />
|
||
|
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none</pre>
|
||
|
- <br />
|
||
|
+ {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}}
|
||
|
|
||
|
warnings:
|
||
|
- management: |-
|
||
|
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||
|
index b8ff66c7d6e..c0fda343a1a 100644
|
||
|
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||
|
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
||
|
@@ -7,20 +7,8 @@ title: 'Ensure IPv6 is disabled through kernel boot parameter'
|
||
|
description: |-
|
||
|
To disable IPv6 protocol support in the Linux kernel,
|
||
|
add the argument <tt>ipv6.disable=1</tt> to the default
|
||
|
- GRUB2 command line for the Linux operating system in
|
||
|
-{{% if product in ["rhel7", "ol7"] %}}
|
||
|
- <tt>/etc/default/grub</tt>, so that the line looks similar to
|
||
|
- <pre>GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."</pre>
|
||
|
- In case the <tt>GRUB_DISABLE_RECOVERY</tt> is set to true, then the parameter should be added to the <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> instead.
|
||
|
- Run one of following command to ensure that the configuration is applied when booting currently installed kernels:
|
||
|
- <pre>sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
|
||
|
- or
|
||
|
- <pre>sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
|
||
|
-{{% else %}}
|
||
|
- <tt>{{{ grub2_boot_path }}}/grubenv</tt>, in the manner below:
|
||
|
- <pre>sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
|
||
|
-{{% endif %}}
|
||
|
-
|
||
|
+ GRUB2 command line for the Linux operating system.
|
||
|
+ {{{ describe_grub2_argument("ipv6.disable=1") | indent(4) }}}
|
||
|
|
||
|
rationale: |-
|
||
|
Any unnecessary network stacks, including IPv6, should be disabled to reduce
|
||
|
@@ -40,34 +28,7 @@ references:
|
||
|
ocil_clause: 'IPv6 is not disabled'
|
||
|
|
||
|
ocil: |-
|
||
|
- {{% if product in ["rhel7", "ol7"] %}}
|
||
|
- Inspect the form of default GRUB2 command line for the Linux operating system
|
||
|
- in <tt>/etc/default/grub</tt>. Check if it includes <tt>ipv6.disable=1</tt>.
|
||
|
- First check if the GRUB recovery is enabled:
|
||
|
- <pre>grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>
|
||
|
- If this option is set to true, then check that the following line is output by the following command:
|
||
|
- <pre>grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub</pre>
|
||
|
- If the recovery is disabled, check the line with
|
||
|
- <pre>grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub</pre>.
|
||
|
- Moreover, current GRUB2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
|
||
|
- <pre>sudo grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v 'ipv6.disable=1'</pre>
|
||
|
- This command should not return any output. If it does, update the configuration with one of following commands:
|
||
|
- <pre>sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
|
||
|
- or
|
||
|
- <pre>sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"</pre>
|
||
|
- <br />
|
||
|
-{{% else %}}
|
||
|
- Inspect the form of default GRUB2 command line for the Linux operating system
|
||
|
- in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. Check if it includes <tt>ipv6.disable=1</tt>.
|
||
|
- <pre>sudo grep 'kernelopts.*ipv6.disable=1.*' {{{ grub2_boot_path }}}/grubenv</pre>
|
||
|
- <br /><br />
|
||
|
- To ensure <tt>ipv6.disable=1</tt> is configured on all installed kernels, the
|
||
|
- following command may be used:
|
||
|
- <br />
|
||
|
- <pre>sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</pre>
|
||
|
- <br />
|
||
|
-{{% endif %}}
|
||
|
-
|
||
|
+ {{{ ocil_grub2_argument("ipv6.disable=1") | indent(4) }}}
|
||
|
|
||
|
warnings:
|
||
|
- management: |-
|
||
|
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||
|
index 3bf592fb4d8..1f4e183d9e7 100644
|
||
|
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||
|
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
|
||
|
@@ -7,9 +7,8 @@ title: 'Enable page allocator poisoning'
|
||
|
description: |-
|
||
|
To enable poisoning of free pages,
|
||
|
add the argument <tt>page_poison=1</tt> to the default
|
||
|
- GRUB 2 command line for the Linux operating system in
|
||
|
- <tt>/etc/default/grub</tt>, in the manner below:
|
||
|
- <pre>GRUB_CMDLINE_LINUX="page_poison=1"</pre>
|
||
|
+ GRUB 2 command line for the Linux operating system.
|
||
|
+ {{{ describe_grub2_argument("page_poison=1") | indent(4) }}}
|
||
|
|
||
|
rationale: |-
|
||
|
Poisoning writes an arbitrary value to freed pages, so any modification or
|
||
|
@@ -35,15 +34,7 @@ references:
|
||
|
ocil_clause: 'page allocator poisoning is not enabled'
|
||
|
|
||
|
ocil: |-
|
||
|
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||
|
- in <tt>/etc/default/grub</tt>. If they include <tt>page_poison=1</tt>,
|
||
|
- then page poisoning is enabled at boot time.
|
||
|
- <br /><br />
|
||
|
- To ensure <tt>page_poison=1</tt> is configured on all installed kernels, the
|
||
|
- following command may be used:
|
||
|
- <br />
|
||
|
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1</pre>
|
||
|
- <br />
|
||
|
+ {{{ ocil_grub2_argument("page_poison=1") | indent(4) }}}
|
||
|
|
||
|
warnings:
|
||
|
- management: |-
|
||
|
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||
|
index 9964399650a..bb5dbc6c125 100644
|
||
|
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||
|
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
|
||
|
@@ -7,9 +7,8 @@ title: 'Enable SLUB/SLAB allocator poisoning'
|
||
|
description: |-
|
||
|
To enable poisoning of SLUB/SLAB objects,
|
||
|
add the argument <tt>slub_debug=P</tt> to the default
|
||
|
- GRUB 2 command line for the Linux operating system in
|
||
|
- <tt>/etc/default/grub</tt>, in the manner below:
|
||
|
- <pre>GRUB_CMDLINE_LINUX="slub_debug=P"</pre>
|
||
|
+ GRUB 2 command line for the Linux operating system.
|
||
|
+ {{{ describe_grub2_argument("slub_debug=P") | indent(4) }}}
|
||
|
|
||
|
rationale: |-
|
||
|
Poisoning writes an arbitrary value to freed objects, so any modification or
|
||
|
@@ -35,15 +34,7 @@ references:
|
||
|
ocil_clause: 'SLUB/SLAB poisoning is not enabled'
|
||
|
|
||
|
ocil: |-
|
||
|
- Inspect the form of default GRUB 2 command line for the Linux operating system
|
||
|
- in <tt>/etc/default/grub</tt>. If they include <tt>slub_debug=P</tt>,
|
||
|
- then SLUB/SLAB poisoning is enabled at boot time.
|
||
|
- <br /><br />
|
||
|
- To ensure <tt>slub_debug=P</tt> is configured on all installed kernels, the
|
||
|
- following command may be used:
|
||
|
- <br />
|
||
|
- <pre>$ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P</pre>
|
||
|
- <br />
|
||
|
+ {{{ ocil_grub2_argument("slub_debug=P") | indent(4) }}}
|
||
|
|
||
|
warnings:
|
||
|
- management: |-
|
||
|
|
||
|
From 5c39cf81d49f0eb5bb73337057fb95356784e5c6 Mon Sep 17 00:00:00 2001
|
||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||
|
Date: Wed, 9 Feb 2022 16:05:59 +0100
|
||
|
Subject: [PATCH 5/8] fix an error in ubuntu version of macro
|
||
|
|
||
|
---
|
||
|
shared/macros.jinja | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/shared/macros.jinja b/shared/macros.jinja
|
||
|
index 16a0404b668..54d2b299a47 100644
|
||
|
--- a/shared/macros.jinja
|
||
|
+++ b/shared/macros.jinja
|
||
|
@@ -1660,7 +1660,7 @@ If this option is set to true, then check that a line is output by the following
|
||
|
If the recovery is disabled, check the line with
|
||
|
<pre>$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>.
|
||
|
{{%- if 'ubuntu' in product -%}}
|
||
|
-Moreover, current Grub2 config file in <tt>/etc/grub2/grub.cfg</tt> must be checked.
|
||
|
+Moreover, current Grub2 config file in <tt>{{{ grub2_boot_path }}}/grub.cfg</tt> must be checked.
|
||
|
<pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'</pre>
|
||
|
This command should not return any output.
|
||
|
{{%- else -%}}
|
||
|
|
||
|
From f100d190833d168127715215e788347f806736f3 Mon Sep 17 00:00:00 2001
|
||
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
||
|
Date: Wed, 9 Feb 2022 16:16:21 +0100
|
||
|
Subject: [PATCH 6/8] remove warnings from rules
|
||
|
|
||
|
they are no longer relevant, we do not use grub2-mkconfig anymore
|
||
|
---
|
||
|
.../auditing/grub2_audit_argument/rule.yml | 18 ------------------
|
||
|
.../rule.yml | 18 ------------------
|
||
|
.../grub2_pti_argument/rule.yml | 18 ------------------
|
||
|
.../grub2_vsyscall_argument/rule.yml | 18 ------------------
|
||
|
.../grub2_ipv6_disable_argument/rule.yml | 18 ------------------
|
||
|
.../grub2_page_poison_argument/rule.yml | 18 ------------------
|
||
|
.../grub2_slub_debug_argument/rule.yml | 18 ------------------
|
||
|
7 files changed, 126 deletions(-)
|
||
|
|
||
|
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||
|
index aff0521ee73..00a4ded2738 100644
|
||
|
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||
|
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
|
||
|
@@ -54,24 +54,6 @@ ocil_clause: 'auditing is not enabled at boot time'
ocil: |-
{{{ ocil_grub2_argument("audit=1") | indent(4) }}}
-warnings:
- - management: |-
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
- is automatically updated each time a new kernel is installed. Note that any
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
- file. To update the GRUB 2 configuration file manually, use the
- <pre>grub2-mkconfig -o</pre> command as follows:
- <ul>
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
-{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
-{{% else %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
-{{% endif %}}
- </ul>
-
platform: grub2
template:
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
index 868d525014f..efbc3dae1c1 100644
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
@@ -41,24 +41,6 @@ ocil_clause: 'audit backlog limit is not configured'
ocil: |-
{{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}}
-warnings:
- - management: |-
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
- is automatically updated each time a new kernel is installed. Note that any
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
- file. To update the GRUB 2 configuration file manually, use the
- <pre>grub2-mkconfig -o</pre> command as follows:
- <ul>
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
-{{% else %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
-{{% endif %}}
- </ul>
-
platform: grub2
template:
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
index 51b0a284746..52a308e3247 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
@@ -34,24 +34,6 @@ ocil_clause: 'Kernel page-table isolation is not enabled'
ocil: |-
{{{ ocil_grub2_argument("pti=on") | indent(4) }}}
-warnings:
- - management: |-
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
- is automatically updated each time a new kernel is installed. Note that any
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
- file. To update the GRUB 2 configuration file manually, use the
- <pre>grub2-mkconfig -o</pre> command as follows:
- <ul>
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
-{{% if product in ["rhel8", "ol8"] %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
-{{% else %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
-{{% endif %}}
- </ul>
-
platform: machine
template:
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
index 1b88d13bd3c..93eb31dad7b 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
@@ -34,24 +34,6 @@ ocil_clause: 'vsyscalls are enabled'
ocil: |-
{{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}}
-warnings:
- - management: |-
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
- is automatically updated each time a new kernel is installed. Note that any
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
- file. To update the GRUB 2 configuration file manually, use the
- <pre>grub2-mkconfig -o</pre> command as follows:
- <ul>
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
-{{% else %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
-{{% endif %}}
- </ul>
-
platform: machine
template:
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
index c0fda343a1a..9e1ca48efe0 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
@@ -30,24 +30,6 @@ ocil_clause: 'IPv6 is not disabled'
ocil: |-
{{{ ocil_grub2_argument("ipv6.disable=1") | indent(4) }}}
-warnings:
- - management: |-
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
- is automatically updated each time a new kernel is installed. Note that any
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
- file. To update the GRUB 2 configuration file manually, use the
- <pre>grub2-mkconfig -o</pre> command as follows:
- <ul>
- <li>On BIOS-based machines, issue the following command:
- <pre>sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
- <li>On UEFI-based machines, issue the following command:
-{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}}
- <pre>sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
-{{% else %}}
- <pre>sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
-{{% endif %}}
- </ul>
-
platform: grub2
template:
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
index 1f4e183d9e7..1ad6c6b3c44 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
@@ -36,24 +36,6 @@ ocil_clause: 'page allocator poisoning is not enabled'
ocil: |-
{{{ ocil_grub2_argument("page_poison=1") | indent(4) }}}
-warnings:
- - management: |-
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
- is automatically updated each time a new kernel is installed. Note that any
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
- file. To update the GRUB 2 configuration file manually, use the
- <pre>grub2-mkconfig -o</pre> command as follows:
- <ul>
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
-{{% else %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
-{{% endif %}}
- </ul>
-
platform: grub2
template:
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
index bb5dbc6c125..e40f5377c61 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
@@ -36,24 +36,6 @@ ocil_clause: 'SLUB/SLAB poisoning is not enabled'
ocil: |-
{{{ ocil_grub2_argument("slub_debug=P") | indent(4) }}}
-warnings:
- - management: |-
- The GRUB 2 configuration file, <tt>grub.cfg</tt>,
- is automatically updated each time a new kernel is installed. Note that any
- changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
- file. To update the GRUB 2 configuration file manually, use the
- <pre>grub2-mkconfig -o</pre> command as follows:
- <ul>
- <li>On BIOS-based machines, issue the following command as <tt>root</tt>:
- <pre>~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre></li>
- <li>On UEFI-based machines, issue the following command as <tt>root</tt>:
-{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li>
-{{% else %}}
- <pre>~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg</pre></li>
-{{% endif %}}
- </ul>
-
platform: grub2
template:
From bbc3cc093004efd0457ccb33722a4fb14b0b2fb8 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Mon, 14 Feb 2022 14:29:15 +0100
Subject: [PATCH 7/8] Update shared/macros.jinja
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Matěj Týč <matej.tyc@gmail.com>
---
shared/macros.jinja | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 54d2b299a47..392181e2b24 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -1671,7 +1671,12 @@ The command should not return any output.
{{%- endif -%}}
{{%- else -%}}
Inspect the form of default GRUB 2 command line for the Linux operating system
-in <tt>{{{ grub2_boot_path }}}/grubenv</tt>. If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
+{{% if grub2_boot_path == grub2_uefi_boot_path or not grub2_uefi_boot_path -%}}
+in <tt>{{{ grub2_boot_path }}}/grubenv</tt>.
+{{%- else -%}}
+in <tt>grubenv</tt> that can be found either in <tt>{{{ grub2_boot_path }}}</tt> in case of legacy BIOS systems, or in <tt>{{{ grub2_uefi_boot_path }}}</tt> in case of UEFI systems.
+{{%- endif %}}
+If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
is configured at boot time.
<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
{{%- endif -%}}
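Review bot: The new condition `{{% if grub2_boot_path == grub2_uefi_boot_path or not grub2_uefi_boot_path -%}}` relies on an unset `grub2_uefi_boot_path` being falsy; if the build renders these macros with a strict undefined policy, a product that never defines the variable would fail at render time instead of taking the first branch. Spelling the intent out, `{{% if grub2_uefi_boot_path is not defined or grub2_boot_path == grub2_uefi_boot_path -%}}`, is independent of that policy and reads as what is meant. The opening tag also lacks the leading whitespace-control dash that every other tag in this macro carries, which looks intentional to keep the line break after "operating system", but a short Jinja comment saying so would spare the next reader the guess. The enclosing ocil_grub2_argument macro starts above the hunk.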
From 8121376668b43d21cf0f9700994bc011c3e313d7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 14 Feb 2022 15:17:33 +0100
Subject: [PATCH 8/8] more modifications to description and ocil
final touches
---
shared/macros.jinja | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 392181e2b24..a89bac12f53 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -1626,7 +1626,7 @@ The audit daemon must be restarted for the changes to take effect.
The parameter should be in form `parameter=value`.
#}}
{{%- macro describe_grub2_argument(arg_name_value) -%}}
-{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
+{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product -%}}
To ensure that <tt>{{{ arg_name_value }}}</tt> is added as a kernel command line
argument to newly installed kernels, ad <tt>{{{ arg_name_value }}}</tt> to the
default Grub2 command line for Linux operating systems. Modify the line within
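Review bot: The product list `product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product` is now maintained by hand in two places, here in describe_grub2_argument and again in ocil_grub2_argument in the hunk at -1649, and the two must stay identical or the description and the check will describe different mechanisms for the same product. If the way macros.jinja is pulled in leaves top-level variables visible to its macros, hoisting the list once above both, `{{%- set grub2_grubby_products = ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] -%}}`, and testing `product in grub2_grubby_products or 'ubuntu' in product` keeps them in step; otherwise a tiny helper macro returning the same boolean does the job. While this line is being touched, the context line `argument to newly installed kernels, ad <tt>{{{ arg_name_value }}}</tt> to the` still reads `ad` for `add`. The macro body continues past the hunk.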
@@ -1649,7 +1649,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}
The parameter should have form `parameter=value`.
#}}
{{%- macro ocil_grub2_argument(arg_name_value) -%}}
-{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
+{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product -%}}
Inspect the form of default GRUB 2 command line for the Linux operating system
in <tt>/etc/default/grub</tt>. If it includes <tt>{{{ arg_name_value }}}</tt>,
then the parameter will be configured for newly installed kernels.
@@ -1660,8 +1660,12 @@ If this option is set to true, then check that a line is output by the following
If the recovery is disabled, check the line with
<pre>$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub</pre>.
{{%- if 'ubuntu' in product -%}}
-Moreover, current Grub2 config file in <tt>{{{ grub2_boot_path }}}/grub.cfg</tt> must be checked.
-<pre># grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'</pre>
+Moreover, current Grub config file <tt>grub.cfg</tt> must be checked. The file can be found
+either in <tt>{{{ grub2_boot_path }}}</tt> in case of legacy BIOS systems, or in <tt>{{{ grub2_uefi_boot_path }}}</tt> in case of UEFI systems.
+If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
+is configured at boot time.
+<pre># grep vmlinuz GRUB_CFG_FILE_PATH | grep -v '{{{ arg_name_value }}}'</pre>
+Fill in <tt>GRUB_CFG_FILE_PATH</tt> based on information above.
This command should not return any output.
{{%- else -%}}
Moreover, command line parameters for currently installed kernels should be checked as well.
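Review bot: The new Ubuntu text sends the auditor to `<tt>{{{ grub2_uefi_boot_path }}}</tt> in case of UEFI systems`, but on Ubuntu the grub.cfg on the EFI system partition is, as far as I know, a small stub that chains to the full configuration under /boot/grub, so `grep vmlinuz` run against it finds no kernel lines and the check trivially passes; if that holds for the products reaching this branch, the text should point at `{{{ grub2_boot_path }}}/grub.cfg` only, or name the file that actually holds the kernel entries. Independently, `grep -v '{{{ arg_name_value }}}'` is a substring match, so a kernel line carrying a value that merely begins with the expected one is reported as compliant; anchoring it, `grep -v -E '(^|[[:space:]]){{{ arg_name_value }}}([[:space:]]|$)'`, closes that gap, and the same applies to the `kernelopts` grep in the hunk at -1678. Also, `If they include` refers to a single file, so `If it includes` reads correctly. The else branch and the rest of the macro continue past the hunk.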
@@ -1678,6 +1682,7 @@ in <tt>grubenv</tt> that can be found either in <tt>{{{ grub2_boot_path }}}</tt>
{{%- endif %}}
If they include <tt>{{{ arg_name_value }}}</tt>, then the parameter
is configured at boot time.
-<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv</pre>
+<pre># grep 'kernelopts.*{{{ arg_name_value }}}.*' GRUBENV_FILE_LOCATION</pre>
+Fill in <tt>GRUBENV_FILE_LOCATION</tt> based on information above.
{{%- endif -%}}
{{%- endmacro -%}}
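Review bot: `GRUBENV_FILE_LOCATION` is now a placeholder even in the branch where the location is unambiguous: the `if` that starts above this hunk renders a single path, `{{{ grub2_boot_path }}}/grubenv`, when `grub2_boot_path == grub2_uefi_boot_path or not grub2_uefi_boot_path`, yet the auditor is still told to fill the path in by hand. Setting a variable in each branch, `{{%- set grubenv_location = grub2_boot_path ~ "/grubenv" -%}}` in the first and `{{%- set grubenv_location = "GRUBENV_FILE_LOCATION" -%}}` in the second (an `if` block does not open a new scope, so the value is visible below the `{{%- endif %}}`), and rendering `{{{ grubenv_location }}}` in the `<pre>` line gives the concrete command where it is known and the placeholder only where it is not. The trailing "Fill in <tt>GRUBENV_FILE_LOCATION</tt> based on information above." sentence would then move into the second branch as well, since it is misleading when no placeholder was printed.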