scap-security-guide/SOURCES/scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch

From 3aae2f86f3d75b8bd931922152b9a6175ed18a6b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 22:27:47 +0200
Subject: [PATCH 1/5] Add check for zipl installed

Based and valid in RHEL, where zipl is part of s390utils-base.
---
 rhel8/cpe/rhel8-cpe-dictionary.xml            |  4 ++
 .../oval/installed_env_has_zipl_package.xml   | 37 +++++++++++++++++++
 ssg/constants.py                              |  1 +
 3 files changed, 42 insertions(+)
 create mode 100644 shared/checks/oval/installed_env_has_zipl_package.xml

diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
index 694cbb5a4e..cccb3c5791 100644
--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
@@ -67,4 +67,8 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:zipl">
+            <title xml:lang="en-us">System uses zipl</title>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+      </cpe-item>
 </cpe-list>
diff --git a/shared/checks/oval/installed_env_has_zipl_package.xml b/shared/checks/oval/installed_env_has_zipl_package.xml
new file mode 100644
index 0000000000..ab6545669d
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_zipl_package.xml
@@ -0,0 +1,37 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_env_has_zipl_package" version="1">
+    <metadata>
+      <title>System uses zIPL</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Checks if system uses zIPL bootloader.</description>
+      <reference ref_id="cpe:/a:zipl" source="CPE" />
+    </metadata>
+    <criteria>
+      <criterion comment="Package s390utils-base is installed" test_ref="test_env_has_zipl_installed" />
+    </criteria>
+  </definition>
+
+{{% if pkg_system == "rpm" %}}
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+  id="test_env_has_zipl_installed" version="1"
+  comment="system has package zipl installed">
+    <linux:object object_ref="obj_env_has_zipl_installed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_env_has_zipl_installed" version="1">
+    <linux:name>s390utils-base</linux:name>
+  </linux:rpminfo_object>
+{{% elif pkg_system == "dpkg" %}}
+  <linux:dpkginfo_test check="all" check_existence="all_exist"
+  id="test_env_has_zipl_installed" version="1"
+  comment="system has package zipl installed">
+    <linux:object object_ref="obj_env_has_zipl_installed" />
+  </linux:dpkginfo_test>
+  <linux:dpkginfo_object id="obj_env_has_zipl_installed" version="1">
+    <linux:name>s390utils-base</linux:name>
+  </linux:dpkginfo_object>
+{{% endif %}}
+
+</def-group>
diff --git a/ssg/constants.py b/ssg/constants.py
index fb20fe8107..f03aa87f09 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -506,6 +506,7 @@
     "sssd": "cpe:/a:sssd",
     "systemd": "cpe:/a:systemd",
     "yum": "cpe:/a:yum",
+    "zipl": "cpe:/a:zipl",
 }
 
 # _version_name_map = {

From c70bdc89bf193f2fdf59cb8c3f06672fc43a0505 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 22:33:07 +0200
Subject: [PATCH 2/5] Set zipl and machine platforms for zipl content

Add zipl platform to bootloader-zipl and machine platform to all zipl
rules.
Final applicability of zipl rules is equivalent to "machine and zipl"
CPE platform.
---
 linux_os/guide/system/bootloader-zipl/group.yml                 | 2 +-
 .../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml   | 2 ++
 .../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml  | 2 ++
 .../guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml   | 2 ++
 .../system/bootloader-zipl/zipl_page_poison_argument/rule.yml   | 2 ++
 .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml     | 2 ++
 .../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml    | 2 ++
 .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml      | 2 ++
 8 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
index 36da84530c..64c6c8dffb 100644
--- a/linux_os/guide/system/bootloader-zipl/group.yml
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
@@ -8,4 +8,4 @@ description: |-
     options to it.
     The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
 
-platform: machine
+platform: zipl
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 16c0b3f89a..2d31ef8ee7 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -38,3 +38,5 @@ ocil: |-
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 47a532d50f..40db232257 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -39,3 +39,5 @@ ocil: |-
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 5aa91c16aa..8d28d5495f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -35,3 +35,5 @@ ocil: |-
     and <tt>/etc/zipl.conf</tt>:
     <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
     No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 8546325752..0a8e9a41e2 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -39,3 +39,5 @@ ocil: |-
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index eaef25ce40..20c1448cc8 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -38,3 +38,5 @@ ocil: |-
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 68e91a92d6..54ac688ea0 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -39,3 +39,5 @@ ocil: |-
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 9624b43349..c5979a2016 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -36,3 +36,5 @@ ocil: |-
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
   No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine

From 02f961ecbe8bcafab72f544c2bc0f9141b9fa8fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 23:02:44 +0200
Subject: [PATCH 3/5] Add check for grub2 installed

Apply new CPE grub2 to bootloader-grub2 group.
---
 .../file_groupowner_efi_grub2_cfg/rule.yml    |  2 +
 .../file_groupowner_grub2_cfg/rule.yml        |  2 +
 .../file_owner_efi_grub2_cfg/rule.yml         |  2 +
 .../file_owner_grub2_cfg/rule.yml             |  2 +
 .../guide/system/bootloader-grub2/group.yml   |  2 +-
 .../grub2_admin_username/rule.yml             |  2 +
 .../grub2_enable_iommu_force/rule.yml         |  2 +
 .../grub2_no_removeable_media/rule.yml        |  2 +
 .../bootloader-grub2/grub2_password/rule.yml  |  2 +
 .../grub2_uefi_admin_username/rule.yml        |  2 +
 .../grub2_uefi_password/rule.yml              |  2 +
 .../uefi_no_removeable_media/rule.yml         |  2 +
 .../oval/installed_env_has_grub2_package.xml  | 37 +++++++++++++++++++
 ssg/constants.py                              |  1 +
 14 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 shared/checks/oval/installed_env_has_grub2_package.xml

diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
index b5b583bd28..a6ac6f7b6b 100644
--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
@@ -51,6 +51,8 @@ ocil: |-
     {{{ ocil_file_group_owner(file="/boot/efi/EFI/redhat/grub.cfg", group="root") }}}
 {{%- endif %}}
 
+platform: machine
+
 template:
     name: file_groupowner
     vars:
diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
index 9d89ff5755..93dbf5222d 100644
--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
@@ -39,6 +39,8 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file="/boot/grub2/grub.cfg", grou
 
 ocil: '{{{ ocil_file_group_owner(file="/boot/grub2/grub.cfg", group="root") }}}'
 
+platform: machine
+
 template:
     name: file_groupowner
     vars:
diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
index ed17987478..e2c118cf0a 100644
--- a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
@@ -49,6 +49,8 @@ ocil: |-
     {{{ ocil_file_owner(file="/boot/efi/EFI/redhat/grub.cfg", owner="root") }}}
 {{%- endif %}}
 
+platform: machine
+
 template:
     name: file_owner
     vars:
diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
index 9ce4c3d60b..5086553921 100644
--- a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
@@ -37,6 +37,8 @@ ocil_clause: '{{{ ocil_clause_file_owner(file="/boot/grub2/grub.cfg", owner="roo
 
 ocil: '{{{ ocil_file_owner(file="/boot/grub2/grub.cfg", owner="root") }}}'
 
+platform: machine
+
 template:
     name: file_owner
     vars:
diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml
index 69489bc0c2..4ffb40c0e8 100644
--- a/linux_os/guide/system/bootloader-grub2/group.yml
+++ b/linux_os/guide/system/bootloader-grub2/group.yml
@@ -15,4 +15,4 @@ description: |-
     with a password and ensure its configuration file's permissions
     are set properly.
 
-platform: machine
+platform: grub2
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
index 63a6a7a83c..15db01a75f 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
@@ -68,3 +68,5 @@ warnings:
 
         Also, do NOT manually add the superuser account and password to the
         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
index baade9c13e..d4f455e66a 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
@@ -17,3 +17,5 @@ identifiers:
 
 references:
     anssi: NT28(R11)
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
index 113726d34f..c8956c2f34 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
@@ -37,3 +37,5 @@ ocil: |-
     <tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
     media which should not exist in the line:
     <pre>set root='hd0,msdos1'</pre>
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
index 985b8727d7..b6e9774608 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
@@ -72,3 +72,5 @@ warnings:
 
         Also, do NOT manually add the superuser account and password to the
         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
index 1926837db7..5abd86b9d9 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
@@ -75,3 +75,5 @@ warnings:
 
         Also, do NOT manually add the superuser account and password to the
         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
index 3ce5a2df13..3114d2d27c 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
@@ -73,3 +73,5 @@ warnings:
 
         Also, do NOT manually add the superuser account and password to the
         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
index c94185f3f4..5de05c057a 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
@@ -35,3 +35,5 @@ ocil: |-
     <tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
     media which should not exist in the line:
     <pre>set root='hd0,msdos1'</pre>
+
+platform: machine
diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
new file mode 100644
index 0000000000..e83f45bc3b
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
@@ -0,0 +1,37 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_env_has_grub2_package" version="1">
+    <metadata>
+      <title>Package grub2 is installed</title>
+      <affected family="unix">
+        <platform>multi_platform_all</platform>
+      </affected>
+      <description>Checks if package grub2-pc is installed.</description>
+      <reference ref_id="cpe:/a:grub2" source="CPE" />
+    </metadata>
+    <criteria>
+      <criterion comment="Package grub2-pc is installed" test_ref="test_env_has_grub2_installed" />
+    </criteria>
+  </definition>
+
+{{% if pkg_system == "rpm" %}}
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+  id="test_env_has_grub2_installed" version="1"
+  comment="system has package grub2-pc installed">
+    <linux:object object_ref="obj_env_has_grub2_installed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_env_has_grub2_installed" version="1">
+    <linux:name>grub2-pc</linux:name>
+  </linux:rpminfo_object>
+{{% elif pkg_system == "dpkg" %}}
+  <linux:dpkginfo_test check="all" check_existence="all_exist"
+  id="test_env_has_grub2_installed" version="1"
+  comment="system has package grub2-pc installed">
+    <linux:object object_ref="obj_env_has_grub2_installed" />
+  </linux:dpkginfo_test>
+  <linux:dpkginfo_object id="obj_env_has_grub2_installed" version="1">
+    <linux:name>grub2-pc</linux:name>
+  </linux:dpkginfo_object>
+{{% endif %}}
+
+</def-group>
diff --git a/ssg/constants.py b/ssg/constants.py
index f03aa87f09..318763b219 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -498,6 +498,7 @@
     "container": "cpe:/a:container",
     "chrony": "cpe:/a:chrony",
     "gdm": "cpe:/a:gdm",
+    "grub2": "cpe:/a:grub2",
     "libuser": "cpe:/a:libuser",
     "nss-pam-ldapd": "cpe:/a:nss-pam-ldapd",
     "ntp": "cpe:/a:ntp",

From 8bb44ebe9c32b7916a7291b1fa5735b381494cfb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 16:58:14 +0200
Subject: [PATCH 4/5] Move grub2_disable_interactive_boot to grub2 platform

It should have both platforms machine and grub2.
But as the parent group is very broad, I cannot put parent group as
machine.

As a side effect this change makes this rules applicable in containers.
---
 .../accounts-physical/grub2_disable_interactive_boot/rule.yml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
index 3080470aa8..44ea1aa49a 100644
--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
@@ -48,4 +48,4 @@ ocil: |-
     Presence of a <tt>systemd.confirm_spawn=(1|yes|true|on)</tt> indicates
     that interactive boot is enabled at boot time.
 
-platform: machine
+platform: grub2

From 17ba5bc9ecc955911b7a3ab30bcd221283472b3f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 23:20:18 +0200
Subject: [PATCH 5/5] Update CPE Dictionaries

Again, whenever a package CPE is added, all CPE dictionaries need to be
updated.
Because the project doesn't share CPEs among the products.
---
 debian10/cpe/debian10-cpe-dictionary.xml       | 5 +++++
 debian8/cpe/debian8-cpe-dictionary.xml         | 5 +++++
 debian9/cpe/debian9-cpe-dictionary.xml         | 5 +++++
 fedora/cpe/fedora-cpe-dictionary.xml           | 5 +++++
 ol7/cpe/ol7-cpe-dictionary.xml                 | 5 +++++
 ol8/cpe/ol8-cpe-dictionary.xml                 | 5 +++++
 opensuse/cpe/opensuse-cpe-dictionary.xml       | 5 +++++
 rhel7/cpe/rhel7-cpe-dictionary.xml             | 5 +++++
 rhel8/cpe/rhel8-cpe-dictionary.xml             | 5 +++++
 rhv4/cpe/rhv4-cpe-dictionary.xml               | 5 +++++
 sle11/cpe/sle11-cpe-dictionary.xml             | 5 +++++
 sle12/cpe/sle12-cpe-dictionary.xml             | 5 +++++
 sle15/cpe/sle15-cpe-dictionary.xml             | 5 +++++
 ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml   | 5 +++++
 ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml   | 5 +++++
 ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml   | 5 +++++
 wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 5 +++++
 wrlinux8/cpe/wrlinux8-cpe-dictionary.xml       | 5 +++++
 18 files changed, 90 insertions(+)

diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
index 5cc27ceb79..f2dbd09cfc 100644
--- a/debian10/cpe/debian10-cpe-dictionary.xml
+++ b/debian10/cpe/debian10-cpe-dictionary.xml
@@ -27,6 +27,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml
index 38d490138a..f385709052 100644
--- a/debian8/cpe/debian8-cpe-dictionary.xml
+++ b/debian8/cpe/debian8-cpe-dictionary.xml
@@ -27,6 +27,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
index f01770b044..bc90a12bae 100644
--- a/debian9/cpe/debian9-cpe-dictionary.xml
+++ b/debian9/cpe/debian9-cpe-dictionary.xml
@@ -27,6 +27,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
index 2964e320c2..ff7cebc322 100644
--- a/fedora/cpe/fedora-cpe-dictionary.xml
+++ b/fedora/cpe/fedora-cpe-dictionary.xml
@@ -62,6 +62,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
index c153272121..613f853a6d 100644
--- a/ol7/cpe/ol7-cpe-dictionary.xml
+++ b/ol7/cpe/ol7-cpe-dictionary.xml
@@ -27,6 +27,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
index 3fd74e53ca..912fe01346 100644
--- a/ol8/cpe/ol8-cpe-dictionary.xml
+++ b/ol8/cpe/ol8-cpe-dictionary.xml
@@ -27,6 +27,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml
index 1ab4e85ea8..7f485b800e 100644
--- a/opensuse/cpe/opensuse-cpe-dictionary.xml
+++ b/opensuse/cpe/opensuse-cpe-dictionary.xml
@@ -42,6 +42,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
index a5214e36f0..f232b7ed29 100644
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
@@ -57,6 +57,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
index cccb3c5791..eab827291f 100644
--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
@@ -32,6 +32,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml
index ce9b06dcae..db1b4b239b 100644
--- a/rhv4/cpe/rhv4-cpe-dictionary.xml
+++ b/rhv4/cpe/rhv4-cpe-dictionary.xml
@@ -32,6 +32,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml
index c732ecb48a..1b6b3e2518 100644
--- a/sle11/cpe/sle11-cpe-dictionary.xml
+++ b/sle11/cpe/sle11-cpe-dictionary.xml
@@ -32,6 +32,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml
index 79daa31412..b1b66e1294 100644
--- a/sle12/cpe/sle12-cpe-dictionary.xml
+++ b/sle12/cpe/sle12-cpe-dictionary.xml
@@ -32,6 +32,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/sle15/cpe/sle15-cpe-dictionary.xml b/sle15/cpe/sle15-cpe-dictionary.xml
index 91d3d78b19..0ee5a1b817 100644
--- a/sle15/cpe/sle15-cpe-dictionary.xml
+++ b/sle15/cpe/sle15-cpe-dictionary.xml
@@ -32,6 +32,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
index df5abff723..7f3ce4271b 100644
--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
@@ -27,6 +27,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
index 6269344376..83f0c8c516 100644
--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
@@ -27,6 +27,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
index ccb285768e..77b78d74ec 100644
--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
@@ -27,6 +27,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
index 73e419c9ab..cc4e806a4d 100644
--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
@@ -26,6 +26,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
index 8449ea1416..824c575a6a 100644
--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
@@ -26,6 +26,11 @@
             <!-- the check references an OVAL file that contains an inventory definition -->
             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
       </cpe-item>
+      <cpe-item name="cpe:/a:grub2">
+            <title xml:lang="en-us">Package grub2 is installed</title>
+            <!-- the check references an OVAL file that contains an inventory definition -->
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+      </cpe-item>
       <cpe-item name="cpe:/a:libuser">
             <title xml:lang="en-us">Package libuser is installed</title>
             <!-- the check references an OVAL file that contains an inventory definition -->