import scap-security-guide-0.1.50-16.el8_3

This commit is contained in:
CentOS Sources 2020-11-03 19:59:14 -05:00 committed by Andrew Lukoshko
parent 156c539340
commit 61c0c12b34
17 changed files with 4635 additions and 1 deletions


@ -0,0 +1,737 @@
From 3aae2f86f3d75b8bd931922152b9a6175ed18a6b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 22:27:47 +0200
Subject: [PATCH 1/5] Add check for zipl installed
Based and valid in RHEL, where zipl is part of s390utils-base.
---
rhel8/cpe/rhel8-cpe-dictionary.xml | 4 ++
.../oval/installed_env_has_zipl_package.xml | 37 +++++++++++++++++++
ssg/constants.py | 1 +
3 files changed, 42 insertions(+)
create mode 100644 shared/checks/oval/installed_env_has_zipl_package.xml
diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
index 694cbb5a4e..cccb3c5791 100644
--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
@@ -67,4 +67,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
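Review bot: The new `cpe:/a:zipl` item in this hunk omits the `<!-- the check references an OVAL file that contains an inventory definition -->` comment that the sibling entries carry (see the yum item directly above it), and its title `System uses zipl` differs in case from the OVAL definition's own title `System uses zIPL`. Both are cosmetic, but these dictionaries get copied product by product, so the drift propagates. Suggest `<title xml:lang="en-us">System uses zIPL</title>` and the same comment line before the `<check ...>` element.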
diff --git a/shared/checks/oval/installed_env_has_zipl_package.xml b/shared/checks/oval/installed_env_has_zipl_package.xml
new file mode 100644
index 0000000000..ab6545669d
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_zipl_package.xml
@@ -0,0 +1,37 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_env_has_zipl_package" version="1">
+ <metadata>
+ <title>System uses zIPL</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Checks if system uses zIPL bootloader.</description>
+ <reference ref_id="cpe:/a:zipl" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package s390utils-base is installed" test_ref="test_env_has_zipl_installed" />
+ </criteria>
+ </definition>
+
+{{% if pkg_system == "rpm" %}}
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+ id="test_env_has_zipl_installed" version="1"
+ comment="system has package zipl installed">
+ <linux:object object_ref="obj_env_has_zipl_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_zipl_installed" version="1">
+ <linux:name>s390utils-base</linux:name>
+ </linux:rpminfo_object>
+{{% elif pkg_system == "dpkg" %}}
+ <linux:dpkginfo_test check="all" check_existence="all_exist"
+ id="test_env_has_zipl_installed" version="1"
+ comment="system has package zipl installed">
+ <linux:object object_ref="obj_env_has_zipl_installed" />
+ </linux:dpkginfo_test>
+ <linux:dpkginfo_object id="obj_env_has_zipl_installed" version="1">
+ <linux:name>s390utils-base</linux:name>
+ </linux:dpkginfo_object>
+{{% endif %}}
+
+</def-group>
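Review bot: The dpkg branch of this new file reuses the RHEL package name `s390utils-base` in `<linux:name>`, while the patch description itself says the check is only validated on RHEL; on Debian-based products the zipl tooling is packaged under a different name (I believe `s390-tools`, to be confirmed against the target distributions), so this branch would never match and the zipl CPE would silently evaluate as not applicable there. Either verify the dpkg package name or drop the branch with a comment stating the check is rpm-only. Separately, the criterion comment says `Package s390utils-base is installed` while both test comments say `system has package zipl installed`; using the real package name consistently, e.g. `comment="system has package s390utils-base installed"`, avoids confusion when the result shows up in a report.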
diff --git a/ssg/constants.py b/ssg/constants.py
index fb20fe8107..f03aa87f09 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -506,6 +506,7 @@
"sssd": "cpe:/a:sssd",
"systemd": "cpe:/a:systemd",
"yum": "cpe:/a:yum",
+ "zipl": "cpe:/a:zipl",
}
# _version_name_map = {
From c70bdc89bf193f2fdf59cb8c3f06672fc43a0505 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 22:33:07 +0200
Subject: [PATCH 2/5] Set zipl and machine platforms for zipl content
Add zipl platform to bootloader-zipl and machine platform to all zipl
rules.
Final applicability of zipl rules is equivalent to "machine and zipl"
CPE platform.
---
linux_os/guide/system/bootloader-zipl/group.yml | 2 +-
.../guide/system/bootloader-zipl/zipl_audit_argument/rule.yml | 2 ++
.../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 ++
.../guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml | 2 ++
.../system/bootloader-zipl/zipl_page_poison_argument/rule.yml | 2 ++
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 2 ++
.../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 ++
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 2 ++
8 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
index 36da84530c..64c6c8dffb 100644
--- a/linux_os/guide/system/bootloader-zipl/group.yml
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
@@ -8,4 +8,4 @@ description: |-
options to it.
The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
-platform: machine
+platform: zipl
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 16c0b3f89a..2d31ef8ee7 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -38,3 +38,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 47a532d50f..40db232257 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -39,3 +39,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 5aa91c16aa..8d28d5495f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -35,3 +35,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 8546325752..0a8e9a41e2 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -39,3 +39,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index eaef25ce40..20c1448cc8 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -38,3 +38,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 68e91a92d6..54ac688ea0 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -39,3 +39,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 9624b43349..c5979a2016 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -36,3 +36,5 @@ ocil: |-
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
+
+platform: machine
From 02f961ecbe8bcafab72f544c2bc0f9141b9fa8fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 23:02:44 +0200
Subject: [PATCH 3/5] Add check for grub2 installed
Apply new CPE grub2 to bootloader-grub2 group.
---
.../file_groupowner_efi_grub2_cfg/rule.yml | 2 +
.../file_groupowner_grub2_cfg/rule.yml | 2 +
.../file_owner_efi_grub2_cfg/rule.yml | 2 +
.../file_owner_grub2_cfg/rule.yml | 2 +
.../guide/system/bootloader-grub2/group.yml | 2 +-
.../grub2_admin_username/rule.yml | 2 +
.../grub2_enable_iommu_force/rule.yml | 2 +
.../grub2_no_removeable_media/rule.yml | 2 +
.../bootloader-grub2/grub2_password/rule.yml | 2 +
.../grub2_uefi_admin_username/rule.yml | 2 +
.../grub2_uefi_password/rule.yml | 2 +
.../uefi_no_removeable_media/rule.yml | 2 +
.../oval/installed_env_has_grub2_package.xml | 37 +++++++++++++++++++
ssg/constants.py | 1 +
14 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 shared/checks/oval/installed_env_has_grub2_package.xml
diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
index b5b583bd28..a6ac6f7b6b 100644
--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/rule.yml
@@ -51,6 +51,8 @@ ocil: |-
{{{ ocil_file_group_owner(file="/boot/efi/EFI/redhat/grub.cfg", group="root") }}}
{{%- endif %}}
+platform: machine
+
template:
name: file_groupowner
vars:
diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
index 9d89ff5755..93dbf5222d 100644
--- a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/rule.yml
@@ -39,6 +39,8 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file="/boot/grub2/grub.cfg", grou
ocil: '{{{ ocil_file_group_owner(file="/boot/grub2/grub.cfg", group="root") }}}'
+platform: machine
+
template:
name: file_groupowner
vars:
diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
index ed17987478..e2c118cf0a 100644
--- a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/rule.yml
@@ -49,6 +49,8 @@ ocil: |-
{{{ ocil_file_owner(file="/boot/efi/EFI/redhat/grub.cfg", owner="root") }}}
{{%- endif %}}
+platform: machine
+
template:
name: file_owner
vars:
diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
index 9ce4c3d60b..5086553921 100644
--- a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/rule.yml
@@ -37,6 +37,8 @@ ocil_clause: '{{{ ocil_clause_file_owner(file="/boot/grub2/grub.cfg", owner="roo
ocil: '{{{ ocil_file_owner(file="/boot/grub2/grub.cfg", owner="root") }}}'
+platform: machine
+
template:
name: file_owner
vars:
diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml
index 69489bc0c2..4ffb40c0e8 100644
--- a/linux_os/guide/system/bootloader-grub2/group.yml
+++ b/linux_os/guide/system/bootloader-grub2/group.yml
@@ -15,4 +15,4 @@ description: |-
with a password and ensure its configuration file's permissions
are set properly.
-platform: machine
+platform: grub2
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
index 63a6a7a83c..15db01a75f 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/rule.yml
@@ -68,3 +68,5 @@ warnings:
Also, do NOT manually add the superuser account and password to the
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
index baade9c13e..d4f455e66a 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml
@@ -17,3 +17,5 @@ identifiers:
references:
anssi: NT28(R11)
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
index 113726d34f..c8956c2f34 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_no_removeable_media/rule.yml
@@ -37,3 +37,5 @@ ocil: |-
<tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
media which should not exist in the line:
<pre>set root='hd0,msdos1'</pre>
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
index 985b8727d7..b6e9774608 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_password/rule.yml
@@ -72,3 +72,5 @@ warnings:
Also, do NOT manually add the superuser account and password to the
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
index 1926837db7..5abd86b9d9 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/rule.yml
@@ -75,3 +75,5 @@ warnings:
Also, do NOT manually add the superuser account and password to the
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
index 3ce5a2df13..3114d2d27c 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
@@ -73,3 +73,5 @@ warnings:
Also, do NOT manually add the superuser account and password to the
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
index c94185f3f4..5de05c057a 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/rule.yml
@@ -35,3 +35,5 @@ ocil: |-
<tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
media which should not exist in the line:
<pre>set root='hd0,msdos1'</pre>
+
+platform: machine
diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
new file mode 100644
index 0000000000..e83f45bc3b
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
@@ -0,0 +1,37 @@
+<def-group>
+ <definition class="inventory"
+ id="installed_env_has_grub2_package" version="1">
+ <metadata>
+ <title>Package grub2 is installed</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Checks if package grub2-pc is installed.</description>
+ <reference ref_id="cpe:/a:grub2" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Package grub2-pc is installed" test_ref="test_env_has_grub2_installed" />
+ </criteria>
+ </definition>
+
+{{% if pkg_system == "rpm" %}}
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+ id="test_env_has_grub2_installed" version="1"
+ comment="system has package grub2-pc installed">
+ <linux:object object_ref="obj_env_has_grub2_installed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_env_has_grub2_installed" version="1">
+ <linux:name>grub2-pc</linux:name>
+ </linux:rpminfo_object>
+{{% elif pkg_system == "dpkg" %}}
+ <linux:dpkginfo_test check="all" check_existence="all_exist"
+ id="test_env_has_grub2_installed" version="1"
+ comment="system has package grub2-pc installed">
+ <linux:object object_ref="obj_env_has_grub2_installed" />
+ </linux:dpkginfo_test>
+ <linux:dpkginfo_object id="obj_env_has_grub2_installed" version="1">
+ <linux:name>grub2-pc</linux:name>
+ </linux:dpkginfo_object>
+{{% endif %}}
+
+</def-group>
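Review bot: Keying the `grub2` CPE on the `grub2-pc` package in `<linux:name>` narrows the `bootloader-grub2` group, whose platform this series switches from `machine` to `grub2` in the group.yml hunk above, to BIOS installs: on UEFI systems the GRUB payload ships in an EFI-specific package rather than `grub2-pc` (on RHEL that is `grub2-efi-x64`, as far as I know), so `grub2_uefi_password`, `grub2_uefi_admin_username`, `file_owner_efi_grub2_cfg` and `uefi_no_removeable_media` would be evaluated as not applicable on exactly the systems they target. Consider matching a package common to both variants (`grub2-common`, to be confirmed) or an OR criteria over the BIOS and EFI package names. The dpkg branch also uses `grub2-pc`, while Debian/Ubuntu name that package `grub-pc` as far as I know, so it likely never matches either; the `<description>` text `Checks if package grub2-pc is installed` should follow whatever package set is chosen.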
diff --git a/ssg/constants.py b/ssg/constants.py
index f03aa87f09..318763b219 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -498,6 +498,7 @@
"container": "cpe:/a:container",
"chrony": "cpe:/a:chrony",
"gdm": "cpe:/a:gdm",
+ "grub2": "cpe:/a:grub2",
"libuser": "cpe:/a:libuser",
"nss-pam-ldapd": "cpe:/a:nss-pam-ldapd",
"ntp": "cpe:/a:ntp",
From 8bb44ebe9c32b7916a7291b1fa5735b381494cfb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 16:58:14 +0200
Subject: [PATCH 4/5] Move grub2_disable_interactive_boot to grub2 platform
It should have both platforms machine and grub2.
But as the parent group is very broad, I cannot put parent group as
machine.
As a side effect this change makes this rules applicable in containers.
---
.../accounts-physical/grub2_disable_interactive_boot/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
index 3080470aa8..44ea1aa49a 100644
--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/rule.yml
@@ -48,4 +48,4 @@ ocil: |-
Presence of a <tt>systemd.confirm_spawn=(1|yes|true|on)</tt> indicates
that interactive boot is enabled at boot time.
-platform: machine
+platform: grub2
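Review bot: Replacing `platform: machine` with `platform: grub2` widens this rule to any environment where the grub2 package check matches, containers included, and the only record of why (the parent group is too broad to carry `machine`, per the patch description) lives in the commit message rather than in the rule. A short comment next to the platform line keeps that intent visible to the next editor, e.g. `# Intended applicability is "machine and grub2"; only grub2 is set here because the parent group cannot be restricted to machine.` The rest of the rule body is outside the hunk.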
From 17ba5bc9ecc955911b7a3ab30bcd221283472b3f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 23 Jun 2020 23:20:18 +0200
Subject: [PATCH 5/5] Update CPE Dictionaries
Again, whenever a package CPE is added, all CPE dictionaries need to be
updated.
Because the project doesn't share CPEs among the products.
---
debian10/cpe/debian10-cpe-dictionary.xml | 5 +++++
debian8/cpe/debian8-cpe-dictionary.xml | 5 +++++
debian9/cpe/debian9-cpe-dictionary.xml | 5 +++++
fedora/cpe/fedora-cpe-dictionary.xml | 5 +++++
ol7/cpe/ol7-cpe-dictionary.xml | 5 +++++
ol8/cpe/ol8-cpe-dictionary.xml | 5 +++++
opensuse/cpe/opensuse-cpe-dictionary.xml | 5 +++++
rhel7/cpe/rhel7-cpe-dictionary.xml | 5 +++++
rhel8/cpe/rhel8-cpe-dictionary.xml | 5 +++++
rhv4/cpe/rhv4-cpe-dictionary.xml | 5 +++++
sle11/cpe/sle11-cpe-dictionary.xml | 5 +++++
sle12/cpe/sle12-cpe-dictionary.xml | 5 +++++
sle15/cpe/sle15-cpe-dictionary.xml | 5 +++++
ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 5 +++++
ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 5 +++++
ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 5 +++++
wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 5 +++++
wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 5 +++++
18 files changed, 90 insertions(+)
diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
index 5cc27ceb79..f2dbd09cfc 100644
--- a/debian10/cpe/debian10-cpe-dictionary.xml
+++ b/debian10/cpe/debian10-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
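Review bot: This hunk and the other seventeen dictionary hunks in this patch register only `cpe:/a:grub2`; the `zipl` CPE that the first patch added to the shared `ssg/constants.py` map has a dictionary entry only in `rhel8/cpe/rhel8-cpe-dictionary.xml`. If any other product includes the `bootloader-zipl` group, whose platform is now `zipl`, that product would reference a CPE its dictionary does not define; either add the zipl item to the remaining dictionaries or record in the group that the CPE is rhel8-only. I cannot tell from this page which products pull in that group, so treat this as something to verify rather than a confirmed break.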
diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml
index 38d490138a..f385709052 100644
--- a/debian8/cpe/debian8-cpe-dictionary.xml
+++ b/debian8/cpe/debian8-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
index f01770b044..bc90a12bae 100644
--- a/debian9/cpe/debian9-cpe-dictionary.xml
+++ b/debian9/cpe/debian9-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
index 2964e320c2..ff7cebc322 100644
--- a/fedora/cpe/fedora-cpe-dictionary.xml
+++ b/fedora/cpe/fedora-cpe-dictionary.xml
@@ -62,6 +62,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
index c153272121..613f853a6d 100644
--- a/ol7/cpe/ol7-cpe-dictionary.xml
+++ b/ol7/cpe/ol7-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
index 3fd74e53ca..912fe01346 100644
--- a/ol8/cpe/ol8-cpe-dictionary.xml
+++ b/ol8/cpe/ol8-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml
index 1ab4e85ea8..7f485b800e 100644
--- a/opensuse/cpe/opensuse-cpe-dictionary.xml
+++ b/opensuse/cpe/opensuse-cpe-dictionary.xml
@@ -42,6 +42,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
index a5214e36f0..f232b7ed29 100644
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
@@ -57,6 +57,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
index cccb3c5791..eab827291f 100644
--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
@@ -32,6 +32,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml
index ce9b06dcae..db1b4b239b 100644
--- a/rhv4/cpe/rhv4-cpe-dictionary.xml
+++ b/rhv4/cpe/rhv4-cpe-dictionary.xml
@@ -32,6 +32,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml
index c732ecb48a..1b6b3e2518 100644
--- a/sle11/cpe/sle11-cpe-dictionary.xml
+++ b/sle11/cpe/sle11-cpe-dictionary.xml
@@ -32,6 +32,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml
index 79daa31412..b1b66e1294 100644
--- a/sle12/cpe/sle12-cpe-dictionary.xml
+++ b/sle12/cpe/sle12-cpe-dictionary.xml
@@ -32,6 +32,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/sle15/cpe/sle15-cpe-dictionary.xml b/sle15/cpe/sle15-cpe-dictionary.xml
index 91d3d78b19..0ee5a1b817 100644
--- a/sle15/cpe/sle15-cpe-dictionary.xml
+++ b/sle15/cpe/sle15-cpe-dictionary.xml
@@ -32,6 +32,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
index df5abff723..7f3ce4271b 100644
--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
index 6269344376..83f0c8c516 100644
--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
index ccb285768e..77b78d74ec 100644
--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
@@ -27,6 +27,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
index 73e419c9ab..cc4e806a4d 100644
--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
@@ -26,6 +26,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
index 8449ea1416..824c575a6a 100644
--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
@@ -26,6 +26,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->


@ -0,0 +1,595 @@
From 2c354a6bfbcedee3f92fd8cbdd42ce0f0861fcaf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 25 May 2020 14:33:06 +0200
Subject: [PATCH 1/5] Add zIPL bootloader group
---
linux_os/guide/system/bootloader-zipl/group.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/group.yml
diff --git a/linux_os/guide/system/bootloader-zipl/group.yml b/linux_os/guide/system/bootloader-zipl/group.yml
new file mode 100644
index 0000000000..36da84530c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/group.yml
@@ -0,0 +1,11 @@
+documentation_complete: true
+
+title: 'zIPL bootloader configuration'
+
+description: |-
+ During the boot process, the bootloader is
+ responsible for starting the execution of the kernel and passing
+ options to it.
+ The default {{{ full_name }}} boot loader for s390x systems is called zIPL.
+
+platform: machine
From 13c11b539e5c8cc929a5ccbc4b117a98bb35d915 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 25 May 2020 15:26:19 +0200
Subject: [PATCH 2/5] Add zIPL rule for early audit capability
---
.../zipl_audit_argument/rule.yml | 40 +++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
new file mode 100644
index 0000000000..ce2bd60c59
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
+
+description: |-
+ To ensure all processes can be audited, even those which start prior to the audit daemon,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to enable audit,
+ add <pre>audit=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Each process on the system carries an "auditable" flag which indicates whether
+ its activities can be audited. Although <tt>auditd</tt> takes care of enabling
+ this for all processes which launch after it does, adding the kernel argument
+ ensures it is set for every process during boot.
+
+severity: medium
+
+ocil_clause: 'auditing is not enabled at boot time'
+
+ocil: |-
+ To check that audit is enabled at boot time, check all boot entries with following command:
+ <pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that doesn't enable audit.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
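Review bot: The OCIL command `sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf` is a basic regular expression, and GNU grep treats `+` as a literal character in BRE, so `\s+` only matches whitespace followed by a literal plus sign, a real `options root=...` line never matches, and every entry file is reported as non-compliant. Either escape the quantifier or use extended syntax: `sudo grep -L -E "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf`. The same `\s+` pattern is repeated in the OCIL of every other zIPL rule in this series and needs the same fix. Note also that for a repeated kernel parameter the last occurrence generally wins, so an entry carrying `audit=1 ... audit=0` still passes this check; any automated (OVAL) check added later should match on the final value.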
From 221979b3aebfe6dda39e1a446140454138e231bf Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 26 May 2020 15:06:12 +0200
Subject: [PATCH 3/5] Add few more zIPL kernel option rules
Add rules for following options:
- audit_backlog_limit
- selinux
- audit_backlog_limit
- enable_selinux
- page_poison
- pti
- slub_debug
- vsyscall
---
.../rule.yml | 41 +++++++++++++++++++
.../zipl_enable_selinux/rule.yml | 37 +++++++++++++++++
.../zipl_page_poison_argument/rule.yml | 41 +++++++++++++++++++
.../zipl_pti_argument/rule.yml | 40 ++++++++++++++++++
.../zipl_slub_debug_argument/rule.yml | 41 +++++++++++++++++++
.../zipl_vsyscall_argument/rule.yml | 41 +++++++++++++++++++
6 files changed, 241 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
new file mode 100644
index 0000000000..08c5b53207
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
+
+description: |-
+ To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to extend the audit log events queue,
+ add <pre>audit_backlog_limit=8192</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ audit_backlog_limit sets the queue length for audit events awaiting transfer
+ to the audit daemon. Until the audit daemon is up and running, all log messages
+ are stored in this queue. If the queue is overrun during boot process, the action
+ defined by audit failure flag is taken.
+
+severity: medium
+
+ocil_clause: 'audit backlog limit is not configured'
+
+ocil: |-
+ To check that all boot entries extend the backlog limit;
+ Check that all boot entries extend the log events queue:
+ <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that does not extend the log events queue.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
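Review bot: The OCIL pattern `\baudit_backlog_limit=0\b` tests for a backlog limit of 0, not the 8192 that the description and the `/etc/kernel/cmdline` instruction require, so an entry configured exactly as documented is listed as failing while an entry with `audit_backlog_limit=0` passes. The pattern should be `\baudit_backlog_limit=8192\b`, and the command needs `-E` (or `\s\+`) because `+` is literal in grep's default BRE syntax. If any sufficiently large value is meant to be acceptable, the description should state the minimum rather than a fixed 8192, and the check should be written accordingly.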
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
new file mode 100644
index 0000000000..e7a455b90c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -0,0 +1,37 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure SELinux Not Disabled in zIPL'
+
+description: |-
+ To ensure SELinux is not disabled at boot time,
+ check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+rationale: |-
+ Disabling a major host protection feature, such as SELinux, at boot time prevents
+ it from confining system services at boot time. Further, it increases
+ the chances that it will remain off during system operation.
+
+severity: medium
+
+ocil_clause: 'SELinux is disabled at boot time'
+
+ocil: |-
+ To check that selinux is not disabled at boot time;
+ Check that no boot entry disables selinux:
+ <pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that disables SELinux.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
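Review bot: The `-L` in `sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf` inverts this check: `-L` prints the files that do not match, so it lists the compliant entries while the text says each returned line is an entry that disables SELinux. Use `-l` here, and `-E` because `+` is literal in grep's default BRE: `sudo grep -l -E "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf`. `enforcing=0` also neutralises SELinux at boot and is worth matching in the same pattern, e.g. `\b(selinux|enforcing)=0\b`, with the description updated to name both parameters.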
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
new file mode 100644
index 0000000000..b8a2eecee6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable page allocator poisoning in zIPL'
+
+description: |-
+ To enable poisoning of free pages,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to enable page poisoning,
+ add <pre>page_poison=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Poisoning writes an arbitrary value to freed pages, so any modification or
+ reference to that page after being freed or before being initialized will be
+ detected and prevented.
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
+ Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'page allocator poisoning is not enabled'
+
+ocil: |-
+ To check that page poisoning is enabled at boot time, check all boot entries with following command:
+ <pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
new file mode 100644
index 0000000000..4757871a5f
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
+
+description: |-
+ To enable Kernel page-table isolation,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to enable page-table isolation,
+ add <pre>pti=on</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Kernel page-table isolation is a kernel feature that mitigates
+ the Meltdown security vulnerability and hardens the kernel
+ against attempts to bypass kernel address space layout
+ randomization (KASLR).
+
+severity: medium
+
+ocil_clause: 'Kernel page-table isolation is not enabled'
+
+ocil: |-
+ To check that page-table isolation is enabled at boot time, check all boot entries with following command:
+ <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
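Review bot: `pti=` is documented in the kernel's admin-guide/kernel-parameters.txt as an X86-64 option, while zIPL is used only on s390x, so this rule appears to require a parameter that the target architecture does not act on; please confirm whether `pti=on` has any effect on the RHEL 8 s390x kernel before shipping the rule, and drop it if not. If the rule is kept, the OCIL `grep` needs `-E` (or `\s\+`) because `+` is literal in grep's default BRE syntax, and the stray space in `doesn't enable page-table isolation .` should be removed.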
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
new file mode 100644
index 0000000000..166dd41afd
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
+
+description: |-
+ To enable poisoning of SLUB/SLAB objects,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to extend the audit log events queue,
+ add <pre>slub_debug=P</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Poisoning writes an arbitrary value to freed objects, so any modification or
+ reference to that object after being freed or before being initialized will be
+ detected and prevented.
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
+ Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'SLUB/SLAB poisoning is not enabled'
+
+ocil: |-
+ To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command;
+ <pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that does not enable poisoning.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
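Review bot: The description sentence `To ensure that new kernels and boot entries continue to extend the audit log events queue,` was carried over from the audit_backlog_limit rule and does not describe this option; it should read `To ensure that new kernels and boot entries continue to enable SLUB/SLAB poisoning,`. The rationale's last line, `Also prevents leak of data and detection of corrupted memory.`, reads as if poisoning prevents detection; suggest `It also helps detect corrupted memory and prevents freed objects from leaking data.`. The OCIL `grep` additionally needs `-E` because `+` is literal in grep's default BRE syntax.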
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
new file mode 100644
index 0000000000..6b95d16fb8
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Disable vsyscalls in zIPL'
+
+description: |-
+ To disable use of virtual syscalls,
+ check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
+ included in its options.
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
+ And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+
+ To ensure that new kernels and boot entries continue to disable virtual syscalls,
+ add <pre>vsyscall=none</pre> to <tt>/etc/kernel/cmdline</tt>.
+
+rationale: |-
+ Poisoning writes an arbitrary value to freed pages, so any modification or
+ reference to that page after being freed or before being initialized will be
+ detected and prevented.
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
+ Also prevents leak of data and detection of corrupted memory.
+
+severity: medium
+
+ocil_clause: 'vsyscalls are enabled'
+
+ocil: |-
+ To check that virtual syscalls are disabled at boot time, check all boot entries with following command:
+ <pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
+ No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
+
+ Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned zipl may load a different kernel than intended.
+
+ And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
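Review bot: The rationale block beginning `Poisoning writes an arbitrary value to freed pages` is copied from the page_poison rule and says nothing about vsyscalls; it should explain that the legacy vsyscall page is mapped at a fixed address in every process and offers ROP gadgets that bypass ASLR, which `vsyscall=none` removes. More importantly, `vsyscall=` is documented in kernel-parameters.txt as an X86-64-only parameter, while zIPL is used only on s390x, so this rule appears to mandate a no-op there; please confirm against the RHEL 8 s390x kernel before shipping, or drop the rule. The OCIL `grep` also needs `-E` because `+` is literal in grep's default BRE syntax.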
From a45ba0eaa12de63abb43449c6caee4776100005c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 2 Jun 2020 13:29:39 +0200
Subject: [PATCH 4/5] Fix formatting of zIPL rules
<pre> is renderend in a separate line, while <tt> is rendered inline.
Add line breaks for better readability.
---
.../bootloader-zipl/zipl_audit_argument/rule.yml | 10 +++++-----
.../zipl_audit_backlog_limit_argument/rule.yml | 10 +++++-----
.../bootloader-zipl/zipl_enable_selinux/rule.yml | 8 ++++----
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 10 +++++-----
.../system/bootloader-zipl/zipl_pti_argument/rule.yml | 10 +++++-----
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 10 +++++-----
.../bootloader-zipl/zipl_vsyscall_argument/rule.yml | 10 +++++-----
7 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index ce2bd60c59..16c0b3f89a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable Auditing to Start Prior to the Audit Daemon in zIPL'
description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable audit,
- add <pre>audit=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Each process on the system carries an "auditable" flag which indicates whether
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 08c5b53207..47a532d50f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon in zIPL'
description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
- add <pre>audit_backlog_limit=8192</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
audit_backlog_limit sets the queue length for audit events awaiting transfer
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index e7a455b90c..5aa91c16aa 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -7,10 +7,10 @@ title: 'Ensure SELinux Not Disabled in zIPL'
description: |-
To ensure SELinux is not disabled at boot time,
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
rationale: |-
Disabling a major host protection feature, such as SELinux, at boot time prevents
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index b8a2eecee6..8546325752 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable page allocator poisoning in zIPL'
description: |-
To enable poisoning of free pages,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
To ensure that new kernels and boot entries continue to enable page poisoning,
- add <pre>page_poison=1</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Poisoning writes an arbitrary value to freed pages, so any modification or
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 4757871a5f..eaef25ce40 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
description: |-
To enable Kernel page-table isolation,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable page-table isolation,
- add <pre>pti=on</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Kernel page-table isolation is a kernel feature that mitigates
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 166dd41afd..68e91a92d6 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Enable SLUB/SLAB allocator poisoning in zIPL'
description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
- add <pre>slub_debug=P</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Poisoning writes an arbitrary value to freed objects, so any modification or
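Review bot: The context line `To ensure that new kernels and boot entries continue to extend the audit log events queue,` in the `zipl_slub_debug_argument` description is a copy-paste leftover from the audit backlog rule and is left in place by this hunk, while the neighbouring pti and page-poison hunks carry rule-specific wording at the same spot. It should read `To ensure that new kernels and boot entries continue to poison SLUB/SLAB objects,` so the sentence matches the `slub_debug=P` instruction that follows it. The `description` block and the rest of the rule continue outside the hunk.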
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 6b95d16fb8..8d39337f9e 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -7,13 +7,13 @@ title: 'Disable vsyscalls in zIPL'
description: |-
To disable use of virtual syscalls,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
- included in its options.
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <pre>image = </pre> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
- And run <pre>zipl</pre> command so that <tt>/boot/bootmap</tt> is updated.
+ included in its options.<br />
+ Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
+ as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
+ And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to disable virtual syscalls,
- add <pre>vsyscall=none</pre> to <tt>/etc/kernel/cmdline</tt>.
+ add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
Poisoning writes an arbitrary value to freed pages, so any modification or
From ae8f9252c3c5c1d1ac1bed201e0981c0d50168aa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 3 Jun 2020 13:08:07 +0200
Subject: [PATCH 5/5] zipl_vsyscall_argument: Fix rationale
copy-pasta error
---
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 8d39337f9e..9624b43349 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -16,11 +16,8 @@ description: |-
add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
- Poisoning writes an arbitrary value to freed pages, so any modification or
- reference to that page after being freed or before being initialized will be
- detected and prevented.
- This prevents many types of use-after-free vulnerabilities at little performance cost.
- Also prevents leak of data and detection of corrupted memory.
+ Virtual Syscalls provide an opportunity of attack for a user who has control
+ of the return instruction pointer.
severity: medium


@ -0,0 +1,29 @@
From c7d49a79cffdbfb2e1231077f665cbb940b50a98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 13 Jul 2020 17:52:35 +0200
Subject: [PATCH] Fix SCAPVAL error SRC-15
The CPE `cpe:/a:grub2` is used in `xccdf-1.2:platform` element
in group `bootloader-grub2`, but this CPE isn't defined in the
RHEL 6 CPE dictionary. All used CPEs should be defined in the
dictionary.
---
rhel6/cpe/rhel6-cpe-dictionary.xml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
index bca8986f7a..1b696b88d3 100644
--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
+++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
@@ -47,6 +47,11 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_gdm_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:grub2">
+ <title xml:lang="en-us">Package grub2 is installed</title>
+ <!-- the check references an OVAL file that contains an inventory definition -->
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_grub2_package</check>
+ </cpe-item>
<cpe-item name="cpe:/a:libuser">
<title xml:lang="en-us">Package libuser is installed</title>
<!-- the check references an OVAL file that contains an inventory definition -->
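Review bot: The new `cpe:/a:grub2` item resolves the platform used by the `bootloader-grub2` group for SCAPVAL, but RHEL 6 ships legacy GRUB (0.97) rather than grub2, so as far as I can tell `installed_env_has_grub2_package` will never be true on a RHEL 6 host and the group will always evaluate as not applicable. That is probably the intended outcome, but it deserves a comment on the item so the next maintainer does not read it as a sign that grub2 rules are expected to fire on RHEL 6, e.g. `<!-- RHEL 6 uses legacy GRUB; this item only defines the platform referenced by the bootloader-grub2 group (SCAPVAL SRC-15) and is expected to evaluate false -->`. It is also worth confirming that the `installed_env_has_grub2_package` OVAL is included in the rhel6 product build, since a dangling href would merely move the validation error.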


@ -0,0 +1,250 @@
From d1b9040748605416220e09feb56fc5a6b6402f1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 7 Jul 2020 16:37:30 +0200
Subject: [PATCH] Add zipl to CPE dictionaries in all Linux products
The CPE platform `cpe:/a:zipl` has been set as a platform for XCCDF
group `bootloader-zipl` but the definition of the CPE was missing from
the CPE dictionary in some datastreams, for example fedora datastream.
This triggered error SRC-15 in NIST scapval tool.
---
debian10/cpe/debian10-cpe-dictionary.xml | 4 ++++
debian8/cpe/debian8-cpe-dictionary.xml | 4 ++++
debian9/cpe/debian9-cpe-dictionary.xml | 4 ++++
fedora/cpe/fedora-cpe-dictionary.xml | 4 ++++
ol7/cpe/ol7-cpe-dictionary.xml | 4 ++++
ol8/cpe/ol8-cpe-dictionary.xml | 4 ++++
opensuse/cpe/opensuse-cpe-dictionary.xml | 4 ++++
rhel6/cpe/rhel6-cpe-dictionary.xml | 4 ++++
rhel7/cpe/rhel7-cpe-dictionary.xml | 4 ++++
rhv4/cpe/rhv4-cpe-dictionary.xml | 4 ++++
sle11/cpe/sle11-cpe-dictionary.xml | 4 ++++
sle12/cpe/sle12-cpe-dictionary.xml | 4 ++++
ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 4 ++++
ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 4 ++++
ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 4 ++++
wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 4 ++++
wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 4 ++++
19 files changed, 76 insertions(+)
diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
index f2dbd09cfc..ddb68c34bd 100644
--- a/debian10/cpe/debian10-cpe-dictionary.xml
+++ b/debian10/cpe/debian10-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
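Review bot: Every dictionary in this patch (this debian10 hunk and the debian8, debian9, fedora, ol7, ol8, opensuse, rhel6, rhel7, rhv4, sle11, sle12, ubuntu1404/1604/1804, wrlinux1019 and wrlinux8 hunks below) points `cpe:/a:zipl` at the shared `installed_env_has_zipl_package` inventory, which the first patch in this series describes as based on RHEL, where zipl belongs to `s390utils-base`. On Debian, Ubuntu and SUSE the zIPL tooling is packaged under a different name (s390-tools, as far as I know), so if the OVAL tests for the RHEL package name the platform would evaluate false on those products and every `bootloader-zipl` rule would be silently skipped as not applicable rather than reported; confirm what the inventory actually tests, or provide a product-specific inventory for those families. The added items also omit the `<!-- the check references an OVAL file that contains an inventory definition -->` comment that every sibling item in these files carries; keep it for consistency.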
diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml
index f385709052..24bbca69cd 100644
--- a/debian8/cpe/debian8-cpe-dictionary.xml
+++ b/debian8/cpe/debian8-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
index bc90a12bae..d5595fd594 100644
--- a/debian9/cpe/debian9-cpe-dictionary.xml
+++ b/debian9/cpe/debian9-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
index ff7cebc322..bef1337fc9 100644
--- a/fedora/cpe/fedora-cpe-dictionary.xml
+++ b/fedora/cpe/fedora-cpe-dictionary.xml
@@ -107,4 +107,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
index 613f853a6d..5d4691aaf6 100644
--- a/ol7/cpe/ol7-cpe-dictionary.xml
+++ b/ol7/cpe/ol7-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
index 912fe01346..35167b1f70 100644
--- a/ol8/cpe/ol8-cpe-dictionary.xml
+++ b/ol8/cpe/ol8-cpe-dictionary.xml
@@ -67,4 +67,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml
index 7f485b800e..6b95e46d3f 100644
--- a/opensuse/cpe/opensuse-cpe-dictionary.xml
+++ b/opensuse/cpe/opensuse-cpe-dictionary.xml
@@ -87,4 +87,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
index 2c8a82ebc5..bca8986f7a 100644
--- a/rhel6/cpe/rhel6-cpe-dictionary.xml
+++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
@@ -87,4 +87,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
index f232b7ed29..bc2aa869e8 100644
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
@@ -102,4 +102,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml
index db1b4b239b..02450d6efc 100644
--- a/rhv4/cpe/rhv4-cpe-dictionary.xml
+++ b/rhv4/cpe/rhv4-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml
index 1b6b3e2518..b7cb4e1fd5 100644
--- a/sle11/cpe/sle11-cpe-dictionary.xml
+++ b/sle11/cpe/sle11-cpe-dictionary.xml
@@ -77,4 +77,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml
index b1b66e1294..73cddd7740 100644
--- a/sle12/cpe/sle12-cpe-dictionary.xml
+++ b/sle12/cpe/sle12-cpe-dictionary.xml
@@ -77,4 +77,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
index 7f3ce4271b..3f5447741b 100644
--- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
+++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
index 83f0c8c516..e3e842842b 100644
--- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
+++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
index 77b78d74ec..897673c6f5 100644
--- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
+++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml
@@ -72,4 +72,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
index cc4e806a4d..ef7e803505 100644
--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
@@ -71,4 +71,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>
diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
index 824c575a6a..7184ebfd0b 100644
--- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
+++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml
@@ -71,4 +71,8 @@
<!-- the check references an OVAL file that contains an inventory definition -->
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_yum_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:zipl">
+ <title xml:lang="en-us">System uses zipl</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
+ </cpe-item>
</cpe-list>


@ -0,0 +1,88 @@
From d455dc468ef51dd595ce6184f1d31ebf4c20ab9c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 22 Jul 2020 09:52:50 +0200
Subject: [PATCH] Add grub2 platform to grub2 kernel option rules
This will make sure these rules are applicable only when grub2
(grub2-pc) is installed.
---
linux_os/guide/system/auditing/grub2_audit_argument/rule.yml | 2 ++
.../system/auditing/grub2_audit_backlog_limit_argument/rule.yml | 2 +-
.../system/permissions/mounting/grub2_nousb_argument/rule.yml | 2 ++
.../guide/system/permissions/restrictions/poisoning/group.yml | 2 ++
.../restrictions/poisoning/grub2_page_poison_argument/rule.yml | 2 +-
.../restrictions/poisoning/grub2_slub_debug_argument/rule.yml | 2 +-
7 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
index 00cb7f9b6c..5f3a47a776 100644
--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
@@ -102,6 +102,8 @@ warnings:
{{% endif %}}
</ul>
+platform: grub2
+
template:
name: grub2_bootloader_argument
vars:
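Review bot: Binding these rules to `platform: grub2` (this hunk and the `grub2_audit_backlog_limit_argument`, `grub2_nousb_argument`, `grub2_page_poison_argument` and `grub2_slub_debug_argument` hunks below) is only safe if the inventory behind `cpe:/a:grub2` matches every grub2 packaging; the commit message says it is keyed on `grub2-pc`, and if so, UEFI-booted x86 systems (grub2-efi-x64) and ppc64le/aarch64 systems would be evaluated as not applicable and silently skip these kernel-argument hardening rules instead of failing them. Consider basing the inventory on a package present for all variants, such as grub2-common, and documenting that choice next to the CPE item. Separately, replacing `platform: machine` with `platform: grub2` in the three rules below drops the bare-metal/VM restriction unless an enclosing group supplies it; the poisoning group receives `platform: machine` in this patch, but I do not see the same for the auditing group that holds `grub2_audit_backlog_limit_argument`, so confirm whether the grub2 platform is meant to exclude containers on its own.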
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
index 6cab6f7bfe..aa95957b58 100644
--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
@@ -60,7 +60,7 @@ warnings:
{{% endif %}}
</ul>
-platform: machine
+platform: grub2
template:
name: grub2_bootloader_argument
diff --git a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
index a3c1f48231..407ba2c069 100644
--- a/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/grub2_nousb_argument/rule.yml
@@ -37,3 +37,5 @@ warnings:
Disabling all kernel support for USB will cause problems for systems
with USB-based keyboards, mice, or printers. This configuration is
infeasible for systems which require USB devices, which is common.
+
+platform: grub2
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
index 6a7a370f2b..030a3e9918 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
@@ -6,3 +6,5 @@ description: |-
Memory Poisoning consists of writing a special value to uninitialized or freed memory.
Poisoning can be used as a mechanism to prevent leak of information and detection of
corrupted memory.
+
+platform: machine
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
index e3047ef223..2d97ec75ea 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml
@@ -60,7 +60,7 @@ warnings:
{{% endif %}}
</ul>
-platform: machine
+platform: grub2
template:
name: grub2_bootloader_argument
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
index 024c93f18b..39ca33b77a 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
@@ -60,7 +60,7 @@ warnings:
{{% endif %}}
</ul>
-platform: machine
+platform: grub2
template:
name: grub2_bootloader_argument


@ -0,0 +1,954 @@
From f37e40e3de5ff493c60c61a054026dabf7b79032 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 1 Jul 2020 16:12:35 +0200
Subject: [PATCH 01/18] Kickstart zipl_bls_entries_option template
Create initial version of zIPL specific BLS entries
template by copying bls_entries_option template.
---
.../template_OVAL_zipl_bls_entries_option | 32 +++++++++++++++++++
ssg/templates.py | 5 +++
2 files changed, 37 insertions(+)
create mode 100644 shared/templates/template_OVAL_zipl_bls_entries_option
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
new file mode 100644
index 0000000000..a19bd5a89c
--- /dev/null
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
@@ -0,0 +1,32 @@
+<def-group>
+ <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
+ <metadata>
+ <title>Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
+ {{{- oval_affected(products) }}}
+ <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test id="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ comment="check for kernel option {{{ ARG_NAME_VALUE }}} for all snippets in /boot/loader/entries"
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_bls_{{{ SANITIZED_ARG_NAME }}}_options" />
+ <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ version="1">
+ <ind:filepath operation="pattern match">^/boot/loader/entries/.*\.conf$</ind:filepath>
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
+ version="1">
+ <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
diff --git a/ssg/templates.py b/ssg/templates.py
index 2795267abd..fc09416abe 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -340,6 +340,22 @@ def bls_entries_option(data, lang):
return data
+@template(["oval"])
+def bls_entries_option(data, lang):
+ data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
+ if lang == "oval":
+ # escape dot, this is used in oval regex
+ data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
+ # replace . with _, this is used in test / object / state ids
+ data["sanitized_arg_name"] = data["arg_name"].replace(".", "_")
+ return data
+
+
+@template(["oval"])
+def zipl_bls_entries_option(data, lang):
+ return bls_entries_option(data, lang)
+
+
class Builder(object):
"""
Class for building all templated content for a given product.
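Review bot: The hunk introduces a second `def bls_entries_option(data, lang)` right after the `return data` of the existing one (the hunk header names that function as the enclosing definition), so the module ends up with two definitions and the new `@template(["oval"])`-decorated one shadows the first. If `@template` registers by function name, this re-registration may also narrow the language list the original `bls_entries_option` was registered with, which would silently drop ansible/bash remediation generation for the grub2 BLS rules; please compare the decorator arguments with the original's. If the duplicate is a deliberate backport shim for 0.1.50 (the diffstat's `5 +++` suggests the upstream hunk did not carry it), a comment above it such as `# Backport shim: re-declared with the escaped/sanitized arg handling the zipl template needs` would make that explicit. The original definition and the rest of the module lie outside the hunk.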
From f54c3c974b6a3ce6d40533a51f867d2e8985b688 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 14:11:04 +0200
Subject: [PATCH 02/18] zipl_bls_entries_option: check opts after install
Extend zipl_bls_entries_option template to check that the kernel option
is also configured in /etc/kernel/cmdline.
The presence of the argument in /etc/kernel/cmdline ensures that newly
installed kernels will be configured with the option.
---
.../template_OVAL_zipl_bls_entries_option | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
index a19bd5a89c..9af1bcfbee 100644
--- a/shared/templates/template_OVAL_zipl_bls_entries_option
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
@@ -6,8 +6,10 @@
<description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
</metadata>
<criteria operator="AND">
- <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ <criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+ comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
</criteria>
</definition>
@@ -25,6 +27,19 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_test id="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+ comment="Check for option {{{ ARG_NAME_VALUE }}} in /etc/kernel/cmdline"
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option" />
+ <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+ version="1">
+ <ind:filepath>/etc/kernel/cmdline</ind:filepath>
+ <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
<ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
version="1">
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
From 5b66eff84794b99a4ba7a626c46f1970715b1bcd Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 14:12:32 +0200
Subject: [PATCH 03/18] zipl_bls_entries_option: Add Ansible and Bash
---
.../template_ANSIBLE_zipl_bls_entries_option | 48 +++++++++++++++++++
.../template_BASH_zipl_bls_entries_option | 12 +++++
ssg/templates.py | 2 +-
3 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 shared/templates/template_ANSIBLE_zipl_bls_entries_option
create mode 100644 shared/templates/template_BASH_zipl_bls_entries_option
diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
new file mode 100644
index 0000000000..c0cb131b82
--- /dev/null
+++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
@@ -0,0 +1,48 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = true
+# strategy = configure
+# complexity = medium
+# disruption = low
+
+- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
+ block:
+ - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
+ find:
+ paths: "/boot/loader/entries/"
+ contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
+ patterns: "*.conf"
+ register: entries_options
+
+ - name: "Update boot entries options"
+ command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+ when: entries_options is defined and entries_options.examined != entries_options.matched
+ # The conditional above assumes that only *.conf files are present in /boot/loader/entries
+ # Then, the number of conf files is the same as examined files
+
+ - name: "Check if /etc/kernel/cmdline exists"
+ stat:
+ path: /etc/kernel/cmdline
+ register: cmdline_stat
+
+ - name: "Check if /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+ find:
+ paths: "/etc/kernel/"
+ patterns: "cmdline"
+ contains: "^.*{{{ ARG_NAME_VALUE }}}.*$"
+ register: cmdline_find
+
+ - name: "Add /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+ lineinfile:
+ create: yes
+ path: "/etc/kernel/cmdline"
+ line: '{{{ ARG_NAME_VALUE }}}'
+ when: cmdline_stat is defined and not cmdline_stat.stat.exists
+
+ - name: "Append /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+ lineinfile:
+ path: "/etc/kernel/cmdline"
+ backrefs: yes
+ regexp: "^(.*)$"
+ line: '\1 {{{ ARG_NAME_VALUE }}}'
+ when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched == 0
+
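Review bot: The `find` task's `contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"` is looser than the OVAL state used by the same template (`^(?:.*\s)?ARG(?:\s.*)?$`): with no whitespace boundary, `audit_backlog_limit=8192` is satisfied by an entry carrying `audit_backlog_limit=81920`, so the grubby task is skipped while the check keeps failing. Tighten it to `contains: '^options (.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'` and do the same for the `/etc/kernel/cmdline` find at `contains: "^.*{{{ ARG_NAME_VALUE }}}.*$"`. The rule descriptions also tell the administrator to run `zipl` so `/boot/bootmap` is regenerated, but nothing in this block does that after the entries are rewritten; unless grubby on s390x already triggers it, the bootmap stays stale until the next manual zipl run.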
diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
new file mode 100644
index 0000000000..9fc8865486
--- /dev/null
+++ b/shared/templates/template_BASH_zipl_bls_entries_option
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8
+
+# Correct BLS option using grubby, which is a thin wrapper around BLS operations
+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+
+# Ensure new kernels and boot entries retain the boot option
+if [ ! -f /etc/kernel/cmdline ]; then
+ echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
+elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
+ echo " audit=1" >> /etc/kernel/cmdline
+ sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
+fi
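Review bot: The `elif` branch hardcodes `audit=1` in both `echo " audit=1" >> /etc/kernel/cmdline` and `sed -Ei 's/^(.*)$/\1 audit=1/'`, so every rule instantiated from this template other than the audit one (audit_backlog_limit, page_poison, pti, slub_debug, vsyscall) would write the audit option instead of its own `{{{ ARG_NAME_VALUE }}}` and remain non-compliant after remediation; the two statements also both append, producing an extra line and a duplicated value. The guard `grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'` is an ERE but grep runs in BRE mode, where `(` and `?` are literal, so the test never matches and the branch fires on every run. Replace the three lines with `elif ! grep -qE '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then` and `sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/' /etc/kernel/cmdline`, dropping the echo. Unless a later patch in this series corrects it, this is a functional regression for the remediation; a final `zipl` call would also match the rule text, which tells the administrator to regenerate `/boot/bootmap`.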
diff --git a/ssg/templates.py b/ssg/templates.py
index fc09416abe..a27fbb6cb6 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -340,7 +340,7 @@ def bls_entries_option(data, lang):
return data
-@template(["oval"])
+@template(["ansible", "bash", "oval"])
def zipl_bls_entries_option(data, lang):
return bls_entries_option(data, lang)
From fd2d807f60a4a36ad96f5ac37df9b4651fe3480e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 3 Jul 2020 15:50:56 +0200
Subject: [PATCH 04/18] Enable zIPL in argument rules
---
.../system/bootloader-zipl/zipl_audit_argument/rule.yml | 6 ++++++
.../zipl_audit_backlog_limit_argument/rule.yml | 6 ++++++
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 6 ++++++
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 6 ++++++
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 6 ++++++
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 6 ++++++
6 files changed, 36 insertions(+)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 624b4e7041..894bf7995f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't enable audit.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: audit
+ arg_value: '1'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index faf114591a..12334c9905 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: audit_backlog_limit
+ arg_value: '8192'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 866664c01b..f5a36ee1b3 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: page_poison
+ arg_value: '1'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 2f02d9668c..168dae46a1 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -27,3 +27,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: pti
+ arg_value: 'on'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 0cb10d3cd8..84a374e36f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that does not enable poisoning.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: slub_debug
+ arg_value: 'P'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index f79adeb083..c37e8bbefd 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -25,3 +25,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: vsyscall
+ arg_value: 'none'
From 08db1a1d4bb3362195c34e266feb9bac31ba4be8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sat, 4 Jul 2020 01:15:49 +0200
Subject: [PATCH 05/18] zipl_audit_backlog_limit_argument: Fix OCIL typo
Fix typo
---
.../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 12334c9905..15729dc6b6 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -24,7 +24,7 @@ ocil_clause: 'audit backlog limit is not configured'
ocil: |-
To check that all boot entries extend the backlog limit;
Check that all boot entries extend the log events queue:
- <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
+ <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
platform: machine
From 779506348675557e204e1d88f214833b313c0f20 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 12:00:10 +0200
Subject: [PATCH 06/18] zipl_slub_debug_argument: Fix description
The description of how to ensure that new boot entries remain compliant
was incorrect due to a copy-paste mistake.
---
.../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 84a374e36f..83e043179d 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,7 +8,7 @@ description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
included in its options.<br />
- To ensure that new kernels and boot entries continue to extend the audit log events queue,
+ To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,
add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
From 6a3f2f6bdc13188e780f0f3e4f829f6fa79351b2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 12:06:56 +0200
Subject: [PATCH 07/18] Add CCEs to zIPL argument rules
---
.../system/bootloader-zipl/zipl_audit_argument/rule.yml | 3 +++
.../zipl_audit_backlog_limit_argument/rule.yml | 3 +++
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 3 +++
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 3 +++
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 3 +++
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 3 +++
7 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 894bf7995f..b1307ef3f2 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -20,6 +20,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83321-0
+
ocil_clause: 'auditing is not enabled at boot time'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 15729dc6b6..18391bee6c 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -19,6 +19,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83341-8
+
ocil_clause: 'audit backlog limit is not configured'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index f5a36ee1b3..7ffea8ce6a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -20,6 +20,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83351-7
+
ocil_clause: 'page allocator poisoning is not enabled'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 168dae46a1..6fd1082292 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -19,6 +19,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83361-6
+
ocil_clause: 'Kernel page-table isolation is not enabled'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 83e043179d..c499140c35 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -20,6 +20,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83371-5
+
ocil_clause: 'SLUB/SLAB poisoning is not enabled'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index c37e8bbefd..7edd43074f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -17,6 +17,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83381-4
+
ocil_clause: 'vsyscalls are enabled'
ocil: |-
From a7c33132a8d5f8cdf9c0d5f38b4910376ff1330b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 14:36:28 +0200
Subject: [PATCH 08/18] Select zipl BLS option rules in OSPP Profile
These rules check and ensure configuration of BLS boot options used by
zIPL.
---
rhel8/profiles/ospp.profile | 8 ++++++++
rhel8/profiles/stig.profile | 6 ++++++
2 files changed, 14 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 80e4b71fff..d3732fa805 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -419,3 +419,11 @@ selections:
# zIPl specific rules
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
+ - zipl_audit_argument
+ - zipl_audit_backlog_limit_argument
+ - zipl_slub_debug_argument
+ - zipl_page_poison_argument
+ - zipl_vsyscall_argument
+ - zipl_vsyscall_argument.role=unscored
+ - zipl_vsyscall_argument.severity=info
+ - zipl_pti_argument
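Review bot: `zipl_pti_argument` is selected as a scored rule while `zipl_vsyscall_argument`, two lines above it, is refined to `role=unscored` and `severity=info`. As far as I can tell from the kernel parameter documentation, `pti=` is, like `vsyscall=`, an x86-64-only parameter, and zIPL is only used on s390x, where the kernel would simply ignore it; if that is confirmed the rule enforces a no-op and deserves the same refinement, `- zipl_pti_argument.role=unscored` and `- zipl_pti_argument.severity=info`. The matching `!` undo lines would then also belong in the STIG profile hunk below.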
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index cfc2160be1..69d5222a32 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -49,3 +49,9 @@ selections:
# Unselect zIPL rules from OSPP
- "!zipl_bls_entries_only"
- "!zipl_bootmap_is_up_to_date"
+ - "!zipl_audit_argument"
+ - "!zipl_audit_backlog_limit_argument"
+ - "!zipl_page_poison_argument"
+ - "!zipl_pti_argument"
+ - "!zipl_slub_debug_argument"
+ - "!zipl_vsyscall_argument"
From be070d56abed9efc9244b6c989d0a0df1f78b5ff Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 22:30:25 +0200
Subject: [PATCH 09/18] Extend Profile resolution to undo rule refinements
Just like rule selection, allows rule refinements to be unselected, or "undone".
---
build-scripts/compile_profiles.py | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/build-scripts/compile_profiles.py b/build-scripts/compile_profiles.py
index 0967252348..d1ce8984b2 100644
--- a/build-scripts/compile_profiles.py
+++ b/build-scripts/compile_profiles.py
@@ -3,6 +3,7 @@
import argparse
import sys
import os.path
+from copy import deepcopy
from glob import glob
import ssg.build_yaml
@@ -36,7 +37,8 @@ def resolve(self, all_profiles):
updated_variables.update(self.variables)
self.variables = updated_variables
- updated_refinements = dict(extended_profile.refine_rules)
+ extended_refinements = deepcopy(extended_profile.refine_rules)
+ updated_refinements = self._subtract_refinements(extended_refinements)
updated_refinements.update(self.refine_rules)
self.refine_rules = updated_refinements
@@ -50,6 +52,18 @@ def resolve(self, all_profiles):
self.resolved = True
+ def _subtract_refinements(self, extended_refinements):
+ """
+ Given a dict of rule refinements from the extended profile,
+ "undo" every refinement prefixed with '!' in this profile.
+ """
+ for rule, refinements in list(self.refine_rules.items()):
+ if rule.startswith("!"):
+ for prop, val in refinements:
+ extended_refinements[rule[1:]].remove((prop, val))
+ del self.refine_rules[rule]
+ return extended_refinements
+
def create_parser():
parser = argparse.ArgumentParser()
From 2ea270b1796139f42a1d56cbb31351b3f6ad3a6e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 22:32:32 +0200
Subject: [PATCH 10/18] Undo rule refinements done to zIPL rules
Remove the zIPL rule refinements from the STIG profile
---
rhel8/profiles/stig.profile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 69d5222a32..53647475aa 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -55,3 +55,5 @@ selections:
- "!zipl_pti_argument"
- "!zipl_slub_debug_argument"
- "!zipl_vsyscall_argument"
+ - "!zipl_vsyscall_argument.role=unscored"
+ - "!zipl_vsyscall_argument.severity=info"
From 90d62ba0cd088eb95aa151fe08a9c3c9fd959a00 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 09:38:57 +0200
Subject: [PATCH 11/18] Update stable test for OSPP Profile
I just copied the resolved profile to profile_stability directory.
---
tests/data/profile_stability/rhel8/ospp.profile | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 08dcccf24c..5aa3592496 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -168,6 +168,7 @@ selections:
- service_rngd_enabled
- service_systemd-coredump_disabled
- service_usbguard_enabled
+- ssh_client_rekey_limit
- sshd_disable_empty_passwords
- sshd_disable_gssapi_auth
- sshd_disable_kerb_auth
@@ -213,8 +214,14 @@ selections:
- sysctl_user_max_user_namespaces
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
+- zipl_audit_argument
+- zipl_audit_backlog_limit_argument
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
+- zipl_page_poison_argument
+- zipl_pti_argument
+- zipl_slub_debug_argument
+- zipl_vsyscall_argument
- var_sshd_set_keepalive=0
- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
@@ -238,11 +245,12 @@ selections:
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
- var_accounts_passwords_pam_faillock_unlock_time=never
+- var_ssh_client_rekey_limit_size=1G
+- var_ssh_client_rekey_limit_time=1hour
- grub2_vsyscall_argument.role=unscored
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
-- ssh_client_rekey_limit
-- var_ssh_client_rekey_limit_size=1G
-- var_ssh_client_rekey_limit_time=1hour
+- zipl_vsyscall_argument.role=unscored
+- zipl_vsyscall_argument.severity=info
title: Protection Profile for General Purpose Operating Systems
From b5d5b0f1d4319663aba9f051fc01f5209234da6f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 15:15:25 +0200
Subject: [PATCH 12/18] zipl_bls_entries_option: Add test scenarios
---
.../tests/correct_option.pass.sh | 16 ++++++++++++++++
.../tests/missing_in_cmdline.fail.sh | 14 ++++++++++++++
.../tests/missing_in_entry.fail.sh | 14 ++++++++++++++
3 files changed, 44 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
new file mode 100644
index 0000000000..a9bd49dd0b
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure boot loader entries contain audit=1
+for file in /boot/loader/entries/*.conf
+do
+ if ! grep -q '^options.*audit=1.*$' "$file" ; then
+ sed -i '/^options / s/$/audit=1/' "$file"
+ fi
+done
+
+# Make sure /etc/kernel/cmdline contains audit=1
+if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+ echo "audit=1" >> /etc/kernel/cmdline
+fi
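Review bot: The `grep -q '^(.*\s)?audit=1(\s.*)?$'` check runs grep in BRE mode, where `(`, `)` and `?` are literals, so it never matches and `audit=1` is appended to /etc/kernel/cmdline on every run regardless of its content; the scenario still passes, but only because the append path is effectively unconditional, and a duplicated line is what the check then sees. Use `if ! grep -qE '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then`. The same pattern is repeated in missing_in_entry.fail.sh below.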
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
new file mode 100644
index 0000000000..d4d1d978c8
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure boot loader entries contain audit=1
+for file in /boot/loader/entries/*.conf
+do
+ if ! grep -q '^options.*audit=1.*$' "$file" ; then
+ sed -i '/^options / s/$/audit=1/' "$file"
+ fi
+done
+
+# Make sure /etc/kernel/cmdline doesn't contain audit=1
+sed -Ei 's/(^.*)audit=1(.*?)$/\1\2/' /etc/kernel/cmdline || true
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
new file mode 100644
index 0000000000..3e412c0542
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Remove audit=1 from all boot entries
+sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
+# But make sure one boot loader entry contains audit=1
+sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+
+# Make sure /etc/kernel/cmdline contains audit=1
+if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+ echo "audit=1" >> /etc/kernel/cmdline
+fi
From 3b52ab44e043adb289ef0a96798cffaf3e1f35a1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 15:34:52 +0200
Subject: [PATCH 13/18] zipl_bls_entries_option: Remove hardcoded values
The template shouldn't have any hardcoded values.
---
shared/templates/template_BASH_zipl_bls_entries_option | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
index 9fc8865486..dde8c948f7 100644
--- a/shared/templates/template_BASH_zipl_bls_entries_option
+++ b/shared/templates/template_BASH_zipl_bls_entries_option
@@ -7,6 +7,5 @@ grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
if [ ! -f /etc/kernel/cmdline ]; then
echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
- echo " audit=1" >> /etc/kernel/cmdline
- sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
+ sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/' /etc/kernel/cmdline
fi
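Review bot: The `[ ! -f /etc/kernel/cmdline ]` test on the context line above leaves one gap: when the file exists but is empty, `sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/'` has no line to edit, so the option is silently not persisted and the next kernel install will not carry it. Testing with `if [ ! -s /etc/kernel/cmdline ]; then` routes the empty-file case through the `echo >>` branch, which creates or appends as needed. The grep on the `elif` line is also still run without `-E`, so its `(...)?` groups are matched literally and the `sed` branch executes on every pass.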
From 68bff71c7f60a7c68cf0bd9aa153f8a78ec02b7d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:08:26 +0200
Subject: [PATCH 14/18] Improve conditional check for the grubby command
Let's not trust that /boot/loader/entries/ only contains *.conf files.
Count the number of conf files and how many set the proper options.
---
.../template_ANSIBLE_zipl_bls_entries_option | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
index c0cb131b82..bccad2267c 100644
--- a/shared/templates/template_ANSIBLE_zipl_bls_entries_option
+++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
@@ -6,18 +6,22 @@
- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
block:
- - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
+ - name: "Check how many boot entries exist "
+ find:
+ paths: "/boot/loader/entries/"
+ patterns: "*.conf"
+ register: n_entries
+
+ - name: "Check how many boot entries set {{{ ARG_NAME_VALUE }}}"
find:
paths: "/boot/loader/entries/"
contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
patterns: "*.conf"
- register: entries_options
+ register: n_entries_options
- name: "Update boot entries options"
command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
- when: entries_options is defined and entries_options.examined != entries_options.matched
- # The conditional above assumes that only *.conf files are present in /boot/loader/entries
- # Then, the number of conf files is the same as examined files
+ when: n_entries is defined and n_entries_options is defined and n_entries.matched != n_entries_options.matched
- name: "Check if /etc/kernel/cmdline exists"
stat:
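Review bot: The new `n_entries.matched != n_entries_options.matched` comparison is only as strict as the unchanged `contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"` regex, which is a substring match: an entry carrying `audit_backlog_limit=81920` is counted as setting the option and grubby is never run, whereas the rule's OCIL (`\baudit_backlog_limit=8192\b`) rejects it. Anchoring the value with word boundaries keeps remediation and check in step: `contains: '^options\s.*\b{{{ ARG_NAME_VALUE }}}(\s.*)?$'`, single-quoted because YAML turns `\b` into a backspace inside double quotes. The `/etc/kernel/cmdline` find that follows the `stat` task, outside this hunk, has the same looseness.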
From 79c60bb40288c17381bf1e4a84e6cfd300bd8446 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:17:27 +0200
Subject: [PATCH 15/18] zipl_bls_entries_option: Fix sed in test scenario
Append "audit=1" space from last option.
---
.../zipl_audit_argument/tests/correct_option.pass.sh | 2 +-
.../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 2 +-
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
index a9bd49dd0b..5fcbcc5667 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -6,7 +6,7 @@
for file in /boot/loader/entries/*.conf
do
if ! grep -q '^options.*audit=1.*$' "$file" ; then
- sed -i '/^options / s/$/audit=1/' "$file"
+ sed -i '/^options / s/$/ audit=1/' "$file"
fi
done
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
index d4d1d978c8..b75165f904 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
@@ -6,7 +6,7 @@
for file in /boot/loader/entries/*.conf
do
if ! grep -q '^options.*audit=1.*$' "$file" ; then
- sed -i '/^options / s/$/audit=1/' "$file"
+ sed -i '/^options / s/$/ audit=1/' "$file"
fi
done
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
index 3e412c0542..e3d342d533 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -5,7 +5,7 @@
# Remove audit=1 from all boot entries
sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
# But make sure one boot loader entry contains audit=1
-sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
+sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
# Make sure /etc/kernel/cmdline contains audit=1
From d513177d2cea39db364a0ff39a599ded36a25395 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:29:06 +0200
Subject: [PATCH 16/18] Extend scenarios platform and allow remediation
These test scenarios can be run on any OS that supports BLS and provides
grubby.
But they will evaluate to not applicable if the OS does not use zIPL (i.e.
does not have s390utils-base installed).
---
.../zipl_audit_argument/tests/correct_option.pass.sh | 3 +--
.../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 3 +--
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 3 +--
3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
index 5fcbcc5667..73ed0eae0f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -1,6 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 8
-# remediation = none
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
# Make sure boot loader entries contain audit=1
for file in /boot/loader/entries/*.conf
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
index b75165f904..3af83d30d8 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
@@ -1,6 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 8
-# remediation = none
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
# Make sure boot loader entries contain audit=1
for file in /boot/loader/entries/*.conf
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
index e3d342d533..142f75ba60 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -1,6 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 8
-# remediation = none
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
# Remove audit=1 from all boot entries
sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
From 2e841722d30551c86f14558ff39bdaa5dda55711 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:35:55 +0200
Subject: [PATCH 17/18] Update comment in OVAL zipl_bls_entries_option
Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
shared/templates/template_OVAL_zipl_bls_entries_option | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
index 9af1bcfbee..502d5e7d9a 100644
--- a/shared/templates/template_OVAL_zipl_bls_entries_option
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
@@ -7,7 +7,7 @@
</metadata>
<criteria operator="AND">
<criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*.conf" />
<criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
</criteria>
From 9bd0afbde47ef368444ba1785da593980e6e00aa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 17:15:46 +0200
Subject: [PATCH 18/18] zipl_bls_entries_option: Supress grep error messages
/etc/kernel/cmdline is not always present. Let's suppress any error
message about the absent file in the test scenarios.
---
.../zipl_audit_argument/tests/correct_option.pass.sh | 2 +-
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
index 73ed0eae0f..7a828837fe 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -10,6 +10,6 @@ do
done
# Make sure /etc/kernel/cmdline contains audit=1
-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
echo "audit=1" >> /etc/kernel/cmdline
fi
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
index 142f75ba60..5650cc0a74 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -8,6 +8,6 @@ sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
# Make sure /etc/kernel/cmdline contains audit=1
-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
echo "audit=1" >> /etc/kernel/cmdline
fi


@ -0,0 +1,884 @@
From 8cbec60a51b54df386bad72cdd82b83fbf9482fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 25 Jun 2020 18:29:31 +0200
Subject: [PATCH 01/14] Add rule to check for zIPL conformance to BLS
Instead of having each zIPL argument rule check for BLS compliance,
let's split into its own rule.
---
.../zipl_audit_argument/rule.yml | 6 -----
.../rule.yml | 6 -----
.../zipl_bls_entries_only/rule.yml | 24 +++++++++++++++++++
.../zipl_enable_selinux/rule.yml | 6 -----
.../zipl_page_poison_argument/rule.yml | 6 -----
.../zipl_pti_argument/rule.yml | 6 -----
.../zipl_slub_debug_argument/rule.yml | 6 -----
.../zipl_vsyscall_argument/rule.yml | 6 -----
8 files changed, 24 insertions(+), 42 deletions(-)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 2d31ef8ee7..1211a53295 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable audit,
@@ -30,10 +28,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable audit.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 40db232257..7d88e38686 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
new file mode 100644
index 0000000000..b6ccbb5343
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure all zIPL boot entries are BLS compliant'
+
+description: |-
+ Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS)
+ by checking that <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt>.
+
+rationale: |-
+ {{{ full_name }}} adheres to Boot Loader Specification (BLS) and is the prefered method of
+ configuration.
+
+severity: medium
+
+ocil_clause: 'a non BLS boot entry is configured'
+
+ocil: |-
+ Check that no boot image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
+
+platform: machine
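Review bot: The rationale of the new rule loses the security reasoning the per-argument rules carried until now, namely that an `image =` entry in /etc/zipl.conf makes zipl boot a kernel and options that none of the checks on /boot/loader/entries/*.conf ever inspects (the text being removed from the other rule.yml files says exactly this). Suggest extending the rationale with `Boot entries configured directly in /etc/zipl.conf are not covered by the checks on /boot/loader/entries/*.conf, so zipl may load a kernel or kernel options other than the ones those rules verify.` Two wording fixes in the same hunk: `entries fully adheres` should read `entries fully adhere`, and `prefered` should read `preferred`.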
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 8d28d5495f..1c3bfeb246 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -8,8 +8,6 @@ description: |-
To ensure SELinux is not disabled at boot time,
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
rationale: |-
@@ -27,10 +25,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that disables SELinux.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 0a8e9a41e2..6dbfd501b7 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of free pages,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
To ensure that new kernels and boot entries continue to enable page poisoning,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 20c1448cc8..555fdf2b66 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable Kernel page-table isolation,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable page-table isolation,
@@ -30,10 +28,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 54ac688ea0..dd7865bf81 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not enable poisoning.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index c5979a2016..18b7ade460 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To disable use of virtual syscalls,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to disable virtual syscalls,
@@ -28,10 +26,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
From 5e3b19077d781d0441595019429c653efafede8e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 09:52:39 +0200
Subject: [PATCH 02/14] zipl_bls_entries_only: Add OVAL and tests
---
.../zipl_bls_entries_only/oval/shared.xml | 27 +++++++++++++++++++
.../tests/image_configured.fail.sh | 6 +++++
.../tests/no_image.pass.sh | 7 +++++
3 files changed, 40 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
new file mode 100644
index 0000000000..41e9773814
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -0,0 +1,27 @@
+<def-group>
+ <definition class="compliance" id="zipl_bls_entries_only" version="1">
+ <metadata>
+ <title>Ensure zIPL entries are BLS compliant</title>
+ {{{- oval_affected(products) }}}
+ <description>Check if /etc/zipl.conf configures any boot entry</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_zipl_bls_entries_only"
+ comment="Test presence of image configuration in /etc/zipl.conf" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test id="test_zipl_bls_entries_only"
+ comment="Test presence of image configuration in /etc/zipl.conf"
+ check="all" check_existence="none_exist" version="1">
+ <ind:object object_ref="object_zipl_bls_entries_only" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_zipl_bls_entries_only"
+ version="1">
+ <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
+ <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
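Review bot: The pattern `^image\s*=.*$` is anchored at column 0, so an `image` key written with leading whitespace inside a zipl.conf section would not be collected and the rule would pass; I have not verified whether zipl's parser accepts indented keys, but if it does, `^\s*image\s*=.*$` (and the same in the OCIL grep) closes the gap. Note also that with `check_existence="none_exist"` an absent /etc/zipl.conf satisfies the test; if that is intended, a short comment on the test saying so would spare the next reader the question, e.g. `<!-- A missing /etc/zipl.conf also passes: there are no non-BLS entries to find -->`.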
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
new file mode 100644
index 0000000000..e3adb99638
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure no image configured in zipl config file
+echo 'image = /boot/image' >> /etc/zipl.conf
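Review bot: The comment above the `echo` contradicts the line it describes: this is the fail scenario and the line adds an `image =` entry, it does not ensure that none is configured. Suggest `# Configure a non-BLS boot image in zipl config file so the rule fails`.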
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
new file mode 100644
index 0000000000..47626442f6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure no image configured in zipl config file
+sed -Ei '/^image\s*=/d' /etc/zipl.conf
+true
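Review bot: The trailing `true` masks a failure of `sed -i` when /etc/zipl.conf does not exist, so the scenario reports a successful setup that did nothing. If a missing file is meant to be tolerated, make that explicit instead of discarding the exit status: `if [ -f /etc/zipl.conf ]; then sed -Ei '/^image\s*=/d' /etc/zipl.conf; fi` and drop the `true`.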
From 05e5b05b41080b7fbfaf42469cbb366eeffe35ec Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 11:09:08 +0200
Subject: [PATCH 03/14] zipl_bls_entries_only: Add no-remediation warning
Automated remediation to remove non-BLS boot entries from /etc/zipl.conf
is tricky and can lead to broken entries or removal of all of them.
---
.../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index b6ccbb5343..f792c5257f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -22,3 +22,8 @@ ocil: |-
No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
platform: machine
+
+warnings:
+ - general: |-
+ To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf
+ automated remediation for this rule is not available.
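Review bot: Typo in the added warning text: `oconfigured` should be `configured`. The sentence also reads more naturally with the cause after the statement, e.g. `Automated remediation is not available for this rule, because removing non-BLS entries from /etc/zipl.conf can break or delete all configured boot entries.`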
From 53d811ed09cd63d4472a2133f3d9dc465dbd2962 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 25 Jun 2020 18:51:04 +0200
Subject: [PATCH 04/14] Add rule to check hotness of zIPL bootmap
Instead of having each zIPL argument rule check if zIPL bootmap is up to
date, let's split it into its own rule.
---
.../zipl_audit_argument/rule.yml | 6 -----
.../rule.yml | 7 -----
.../zipl_bootmap_is_up_to_date/rule.yml | 27 +++++++++++++++++++
.../zipl_enable_selinux/rule.yml | 6 -----
.../zipl_page_poison_argument/rule.yml | 7 -----
.../zipl_pti_argument/rule.yml | 7 -----
.../zipl_slub_debug_argument/rule.yml | 7 -----
.../zipl_vsyscall_argument/rule.yml | 7 -----
8 files changed, 27 insertions(+), 47 deletions(-)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 1211a53295..624b4e7041 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -8,7 +8,6 @@ description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable audit,
add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -28,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable audit.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 7d88e38686..faf114591a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to extend the audit log events queue,
add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -29,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
new file mode 100644
index 0000000000..082562d11e
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure zIPL bootmap is up to date'
+
+description: |-
+ Make sure that <tt>/boot/bootmap</tt> is up to date.<br />
+ Every time a boot entry or zIPL configuration is changed <tt>/boot/bootmap</tt> needs to
+ be updated to reflect the changes.<br />
+ Run <tt>zipl</tt> command to generate an updated <tt>/boot/bootmap</tt>.
+
+rationale: |-
+ The file <tt>/boot/bootmap</tt> contains all boot data, keeping it up to date is crucial to
+ boot correct kernel and options.
+
+severity: medium
+
+ocil_clause: 'the bootmap is outdated'
+
+ocil: |-
+ Make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> is outdated and needs to be regenerated.
+
+platform: machine
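Review bot: The rule text should say that freshness is judged by modification time alone, because that is what the OVAL added in the following patch compares and what the test scenarios rely on when they run `touch /boot/bootmap`: a bootmap whose mtime was bumped without running `zipl` passes, and the check cannot distinguish a regenerated bootmap from one that was merely touched. Suggest adding to the description: `This rule compares modification times only; it cannot verify that the content of /boot/bootmap matches the current boot entries.`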
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 1c3bfeb246..b0bc0fc374 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -8,7 +8,6 @@ description: |-
To ensure SELinux is not disabled at boot time,
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
rationale: |-
Disabling a major host protection feature, such as SELinux, at boot time prevents
@@ -25,9 +24,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that disables SELinux.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 6dbfd501b7..866664c01b 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of free pages,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
-
To ensure that new kernels and boot entries continue to enable page poisoning,
add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -29,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 555fdf2b66..2f02d9668c 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable Kernel page-table isolation,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to enable page-table isolation,
add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -28,9 +26,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index dd7865bf81..0cb10d3cd8 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to extend the audit log events queue,
add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -29,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not enable poisoning.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 18b7ade460..f79adeb083 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To disable use of virtual syscalls,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to disable virtual syscalls,
add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -26,9 +24,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
From b9f27383a09afbc6cef61bbbaad0f18f9ebec075 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 15:59:31 +0200
Subject: [PATCH 05/14] zipl_bootmap_is_up_to_date: Add OVAL check
---
.../oval/shared.xml | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
new file mode 100644
index 0000000000..6c446cbe59
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
@@ -0,0 +1,46 @@
+<def-group>
+ <definition class="compliance" id="zipl_bootmap_is_up_to_date" version="1">
+ <metadata>
+ <title>Ensure zIPL bootmap is up to date</title>
+ {{{- oval_affected(products) }}}
+ <description>Check if /boot/bootmap is up to date</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_zipl_bootmap_is_up_to_date"
+ comment="Compare mtime of /boot/bootmap against /etc/zipl.conf and /boot/loader/entries/*.conf" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="all_exist" id="test_zipl_bootmap_is_up_to_date" version="1" comment="Check /boot/bootmap timestamps">
+ <unix:object object_ref="object_zipl_boot_bootmap_file" />
+ <unix:state state_ref="state_zipl_bootmap_is_newer_than_zipl_conf" />
+ <unix:state state_ref="state_zipl_bootmap_is_newer_than_boot_entries" />
+ </unix:file_test>
+
+ <unix:file_object id="object_zipl_boot_bootmap_file" comment="current bootmap state" version="1">
+ <unix:filepath>/boot/bootmap</unix:filepath>
+ </unix:file_object>
+
+ <!-- Newer means modified more recently, which means more seconds since epoch -->
+ <unix:file_state id="state_zipl_bootmap_is_newer_than_zipl_conf" version="1">
+ <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
+ var_ref="variable_zipl_conf_file_age" />
+ </unix:file_state>
+ <local_variable id="variable_zipl_conf_file_age" version="1" comment="Age of /etc/zipl.conf" datatype="int">
+ <object_component object_ref="zipl_conf_file" item_field="m_time"/>
+ </local_variable>
+ <unix:file_object id="zipl_conf_file" comment="/etc/zipl.conf state" version="1">
+ <unix:filepath datatype="string">/etc/zipl.conf</unix:filepath>
+ </unix:file_object>
+
+ <unix:file_state id="state_zipl_bootmap_is_newer_than_boot_entries" version="1">
+ <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
+ var_ref="variable_boot_entry_files_age" />
+ </unix:file_state>
+ <local_variable id="variable_boot_entry_files_age" version="1" comment="Age of /boot/loader/entries/*.conf files" datatype="int">
+ <object_component object_ref="boot_entry_files" item_field="m_time"/>
+ </local_variable>
+ <unix:file_object id="boot_entry_files" comment="/boot/loader/entries/*.conf states" version="1">
+ <unix:filepath datatype="string" operation="pattern match">^/boot/loader/entries/.*\.conf$</unix:filepath>
+ </unix:file_object>
+</def-group>
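Review bot: When /etc/zipl.conf is absent, `zipl_conf_file` collects no items, so `variable_zipl_conf_file_age` has no values and the m_time comparison in `state_zipl_bootmap_is_newer_than_zipl_conf` cannot be evaluated; I believe the scanner then reports the test as an error rather than a pass, which may be acceptable on a zipl system but deserves a comment, e.g. `<!-- Without /etc/zipl.conf this variable has no value and the test cannot pass -->` above the local_variable. The `comment="Age of ..."` labels on both variables are misleading, since they hold mtimes where a larger value means newer, as the comment above the first state already explains; `comment="mtime of /etc/zipl.conf"` and `comment="mtime of /boot/loader/entries/*.conf files"` are clearer. As a point of style, `unix:filepath` carries `datatype="string"` on two of the three objects but not on the bootmap object.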
From 97aff87a403f9b319e87967561c43dc99e8a672e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 16:15:35 +0200
Subject: [PATCH 06/14] zipl_bootmap_is_up_to_date: Add mock tests
These tests mock existence of zIPL files.
---
.../tests/newer_boot_entry.fail.sh | 10 ++++++++++
.../tests/newer_zipl_conf.fail.sh | 10 ++++++++++
.../tests/up_to_date.pass.sh | 9 +++++++++
3 files changed, 29 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
new file mode 100644
index 0000000000..728c6b7bdb
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /etc/zipl.conf
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/bootmap
+sleep 2
+touch /boot/loader/entries/zipl-entry-2.conf
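Review bot: `touch /boot/loader/entries/*.conf` relies on the glob matching; when the directory holds no `.conf` file the glob stays literal and touch creates a file named `*.conf`, which the OVAL filepath pattern then treats as a boot entry. Either run `shopt -s nullglob` before the touch or drop the line, since the explicit `zipl-entry-*.conf` touches already provide entries. The same line appears in newer_zipl_conf.fail.sh and up_to_date.pass.sh in the two hunks that follow.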
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
new file mode 100644
index 0000000000..1ae4d631ee
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/loader/entries/zipl-entry-2.conf
+touch /boot/bootmap
+sleep 2
+touch /etc/zipl.conf
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
new file mode 100644
index 0000000000..7981ba8c5c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /etc/zipl.conf
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/loader/entries/zipl-entry-2.conf
+touch /boot/bootmap
From 180e57bd23154c1ed8dc2575fbf9660c2f83a803 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 3 Jul 2020 18:35:06 +0200
Subject: [PATCH 07/14] zipl_bootmap_is_up_to_date: Add remediations
---
.../ansible/shared.yml | 24 +++++++++++++++++++
.../zipl_bootmap_is_up_to_date/bash/shared.sh | 3 +++
2 files changed, 27 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
new file mode 100644
index 0000000000..e545eacc13
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
@@ -0,0 +1,24 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: "Ensure zIPL bootmap is up to date"
+ block:
+ - name: "Obtain stats of /boot/bootmap"
+ stat:
+ path: /boot/bootmap
+ register: boot_bootmap
+
+ - name: "Obtain stats of /etc/zipl.conf"
+ stat:
+ path: /etc/zipl.conf
+ register: zipl_conf
+
+ # TODO: handle /boot/loader/entries/*.conf
+
+ - name: "Update zIPL bootmap"
+ command: /usr/sbin/zipl
+ changed_when: True
+ when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
new file mode 100644
index 0000000000..2cf7e388f0
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = Red Hat Enterprise Linux 8
+
+/usr/bin/zipl
From 93703727b12a34edb26de25410bf23ff72fead2a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 1 Jul 2020 17:16:41 +0200
Subject: [PATCH 08/14] Select zIPL specific rules in OSPP profile
---
rhel8/profiles/ospp.profile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 07d32b814d..80e4b71fff 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -415,3 +415,7 @@ selections:
- ssh_client_rekey_limit
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
+
+ # zIPl specific rules
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
From 260891e9b2f38d50fadf9eaacd9ee9ca98c977ee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:03:21 +0200
Subject: [PATCH 09/14] Fix path to zipl binary in Bash remediation
---
.../bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
index 2cf7e388f0..2310ca060d 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -1,3 +1,3 @@
# platform = Red Hat Enterprise Linux 8
-/usr/bin/zipl
+/usr/sbin/zipl
From 46d2b1584cf769ae8dbaaa2657541bd0db056a9c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:06:22 +0200
Subject: [PATCH 10/14] zipl_bls_entries_only: there can be leading spaces
There can be leading spaces before 'image'.
---
.../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index 41e9773814..f68d91c128 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -20,7 +20,7 @@
<ind:textfilecontent54_object id="object_zipl_bls_entries_only"
version="1">
<ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
- <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
From 0a89ed181803c15e3b73cfb2e13f0ec1cb7689ad Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:10:22 +0200
Subject: [PATCH 11/14] zipl_bls_entries_only: check file /etc/zipl.conf
There is no need to perform pattern match, the check just needs to
examine /etc/zipl.conf file.
---
.../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index f68d91c128..1ebf03ee37 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -19,7 +19,7 @@
<ind:textfilecontent54_object id="object_zipl_bls_entries_only"
version="1">
- <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
+ <ind:filepath operation="equals">/etc/zipl.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
From 699d5f5bd3075e019387e6fb6b3af81182987c43 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:13:26 +0200
Subject: [PATCH 12/14] Add CCE identifiers to bootmap and bls only rules
Add RHEL-8 CCE identifiers for:
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
---
.../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 3 +++
.../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index f792c5257f..67cc061ce3 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -14,6 +14,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83485-3
+
ocil_clause: 'a non BLS boot entry is configured'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
index 082562d11e..da9411d00b 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -16,6 +16,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83486-1
+
ocil_clause: 'the bootmap is outdated'
ocil: |-
From 2ebc3d188e4c243d8e60a9e669d5b661b77f2301 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:16:58 +0200
Subject: [PATCH 13/14] Incorporate OSPP selection changes to profile test
Update the profile reference file.
---
tests/data/profile_stability/rhel8/ospp.profile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index b0d7672c36..08dcccf24c 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -213,6 +213,8 @@ selections:
- sysctl_user_max_user_namespaces
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
+- zipl_bls_entries_only
+- zipl_bootmap_is_up_to_date
- var_sshd_set_keepalive=0
- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
From 33bae25bd543880315433925214868917ec8e399 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 15:28:09 +0200
Subject: [PATCH 14/14] Unselect zIPL rules from STIG Profile
The zIPL rules are inherited from OSPP profile
---
rhel8/profiles/stig.profile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 8f12852e26..cfc2160be1 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,3 +45,7 @@ selections:
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
- "!ssh_client_rekey_limit"
+
+ # Unselect zIPL rules from OSPP
+ - "!zipl_bls_entries_only"
+ - "!zipl_bootmap_is_up_to_date"


@ -0,0 +1,280 @@
From 844be904d8de624abe9bbe620d7a06417dfff842 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 27 Aug 2020 13:19:01 +0200
Subject: [PATCH 1/5] Align Ansible task applicability with CPE platform
Adds a when clause to Ansible snippets of rules with Package CPE platform.
If the when clause is added, a fact_packages Task needs to added as
well.
---
ssg/build_remediations.py | 52 ++++++++++++++++++++++++++++++++++++---
1 file changed, 49 insertions(+), 3 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index a9ef3014ac..597aed5889 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -6,8 +6,7 @@
import os.path
import re
import codecs
-from collections import defaultdict, namedtuple
-
+from collections import defaultdict, namedtuple, OrderedDict
import ssg.yaml
from . import build_yaml
@@ -343,11 +342,46 @@ def _get_rule_reference(self, ref_class):
else:
return []
+ def inject_package_facts_task(self, parsed_snippet):
+ """ Injects a package_facts task only if
+ the snippet has a task with a when clause with ansible_facts.packages,
+ and the snippet doesn't already have an package_facts task
+ """
+ has_package_facts_task = False
+ has_ansible_facts_packages_clause = False
+
+ for p_task in parsed_snippet:
+ # We are only interested in the OrderedDicts, which represent Ansible tasks
+ if not isinstance(p_task, dict):
+ continue
+
+ if "package_facts" in p_task:
+ has_package_facts_task = True
+
+ if "ansible_facts.packages" in p_task.get("when", ""):
+ has_ansible_facts_packages_clause = True
+
+ if has_ansible_facts_packages_clause and not has_package_facts_task:
+ facts_task = OrderedDict({'name': 'Gather the package facts',
+ 'package_facts': {'manager': 'auto'}})
+ parsed_snippet.insert(0, facts_task)
+
def update_when_from_rule(self, to_update):
additional_when = ""
- if self.associated_rule.platform == "machine":
- additional_when = ('ansible_virtualization_role != "guest" '
- 'or ansible_virtualization_type != "docker"')
+ rule_platform = self.associated_rule.platform
+ if rule_platform == "machine":
+ additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
+ elif rule_platform is not None:
+ # Assume any other platform is a Package CPE
+
+ # It doesn't make sense to add a conditional on the task that
+ # gathers data for the conditional
+ if "package_facts" in to_update:
+ return
+
+ additional_when = '"' + rule_platform + '" in ansible_facts.packages'
+ # After adding the conditional, we need to make sure package_facts are collected.
+ # This is done via inject_package_facts_task()
to_update.setdefault("when", "")
new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
if not new_when:
@@ -355,10 +390,21 @@ def update_when_from_rule(self, to_update):
to_update["when"] = new_when
def update(self, parsed, config):
+ # We split the remediation update in three steps
+
+ # 1. Update the when clause
for p in parsed:
if not isinstance(p, dict):
continue
self.update_when_from_rule(p)
+
+ # 2. Inject any extra task necessary
+ self.inject_package_facts_task(parsed)
+
+ # 3. Add tags to all tasks, including the ones we have injected
+ for p in parsed:
+ if not isinstance(p, dict):
+ continue
self.update_tags_from_config(p, config)
self.update_tags_from_rule(p)
From 60e5723e0e35ec8d79bafdd113f04691e61738e7 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 27 Aug 2020 17:09:06 +0200
Subject: [PATCH 2/5] Add inherited_platform to Rule
This field is exported to the rule when it is resolved.
---
ssg/build_yaml.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
index 4ba114eee4..fe290ffc05 100644
--- a/ssg/build_yaml.py
+++ b/ssg/build_yaml.py
@@ -832,6 +832,7 @@ class Rule(object):
"conflicts": lambda: list(),
"requires": lambda: list(),
"platform": lambda: None,
+ "inherited_platforms": lambda: list(),
"template": lambda: None,
}
@@ -851,6 +852,7 @@ def __init__(self, id_):
self.requires = []
self.conflicts = []
self.platform = None
+ self.inherited_platforms = [] # platforms inherited from the group
self.template = None
@classmethod
@@ -1293,6 +1295,9 @@ def _process_rules(self):
continue
self.all_rules.add(rule)
self.loaded_group.add_rule(rule)
+
+ rule.inherited_platforms.append(self.loaded_group.platform)
+
if self.resolved_rules_dir:
output_for_rule = os.path.join(
self.resolved_rules_dir, "{id_}.yml".format(id_=rule.id_))
From 3a0bb0d2981670e90a8eaca53b28e1a6f7cc29d6 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 27 Aug 2020 17:21:35 +0200
Subject: [PATCH 3/5] Add when clauses for inherited platforms too
Consider the Rule's Group platform while including 'when' clauses to
Ansible snippets.
Some rules have two platforms, a machine platform and a package
platform. One of them is represented of the Rule, and the other is
represented in the Rule's Group.
The platforms are organized like this to due limiation in XCCDF,
multiple platforms in a Rule are ORed, not ANDed.
---
ssg/build_remediations.py | 44 ++++++++++++++++++++++++---------------
1 file changed, 27 insertions(+), 17 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 597aed5889..a2a996d0af 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -358,8 +358,13 @@ def inject_package_facts_task(self, parsed_snippet):
if "package_facts" in p_task:
has_package_facts_task = True
- if "ansible_facts.packages" in p_task.get("when", ""):
- has_ansible_facts_packages_clause = True
+ # When clause of the task can be string or a list, lets normalize to list
+ task_when = p_task.get("when", "")
+ if type(task_when) is str:
+ task_when = [ task_when ]
+ for when in task_when:
+ if "ansible_facts.packages" in when:
+ has_ansible_facts_packages_clause = True
if has_ansible_facts_packages_clause and not has_package_facts_task:
facts_task = OrderedDict({'name': 'Gather the package facts',
@@ -367,21 +372,26 @@ def inject_package_facts_task(self, parsed_snippet):
parsed_snippet.insert(0, facts_task)
def update_when_from_rule(self, to_update):
- additional_when = ""
- rule_platform = self.associated_rule.platform
- if rule_platform == "machine":
- additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
- elif rule_platform is not None:
- # Assume any other platform is a Package CPE
-
- # It doesn't make sense to add a conditional on the task that
- # gathers data for the conditional
- if "package_facts" in to_update:
- return
-
- additional_when = '"' + rule_platform + '" in ansible_facts.packages'
- # After adding the conditional, we need to make sure package_facts are collected.
- # This is done via inject_package_facts_task()
+ additional_when = []
+
+ rule_platforms = set([self.associated_rule.platform] +
+ self.associated_rule.inherited_platforms)
+
+ for platform in rule_platforms:
+ if platform == "machine":
+ additional_when.append('ansible_virtualization_type not in ["docker", "lxc", "openvz"]')
+ elif platform is not None:
+ # Assume any other platform is a Package CPE
+
+ # It doesn't make sense to add a conditional on the task that
+ # gathers data for the conditional
+ if "package_facts" in to_update:
+ continue
+
+ additional_when.append('"' + platform + '" in ansible_facts.packages')
+ # After adding the conditional, we need to make sure package_facts are collected.
+ # This is done via inject_package_facts_task()
+
to_update.setdefault("when", "")
new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
if not new_when:
From 99c92e39bccc3fcfadca41096e66ca146137b207 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 31 Aug 2020 16:06:14 +0200
Subject: [PATCH 4/5] Improve inherihted and rule's platforms handling
Add a quick comment too.
---
ssg/build_remediations.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index a2a996d0af..9e622ef740 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -374,8 +374,9 @@ def inject_package_facts_task(self, parsed_snippet):
def update_when_from_rule(self, to_update):
additional_when = []
- rule_platforms = set([self.associated_rule.platform] +
- self.associated_rule.inherited_platforms)
+ # There can be repeated inherited platforms and rule platforms
+ rule_platforms = set(self.associated_rule.inherited_platforms)
+ rule_platforms.add(self.associated_rule.platform)
for platform in rule_platforms:
if platform == "machine":
From 596da9993edfbd244cbaa6d797abbd68b2e82185 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 31 Aug 2020 16:10:53 +0200
Subject: [PATCH 5/5] Code style and grammar changes
---
ssg/build_remediations.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 9e622ef740..866450dd8c 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -345,7 +345,7 @@ def _get_rule_reference(self, ref_class):
def inject_package_facts_task(self, parsed_snippet):
""" Injects a package_facts task only if
the snippet has a task with a when clause with ansible_facts.packages,
- and the snippet doesn't already have an package_facts task
+ and the snippet doesn't already have a package_facts task
"""
has_package_facts_task = False
has_ansible_facts_packages_clause = False
@@ -361,7 +361,7 @@ def inject_package_facts_task(self, parsed_snippet):
# When clause of the task can be string or a list, lets normalize to list
task_when = p_task.get("when", "")
if type(task_when) is str:
- task_when = [ task_when ]
+ task_when = [task_when]
for when in task_when:
if "ansible_facts.packages" in when:
has_ansible_facts_packages_clause = True
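Review bot: The `when` clauses built in update_when_from_rule are emitted in set iteration order (`for platform in rule_platforms:` in the patch-3 hunk, unchanged by patch 4), and the commit message says some rules carry two platforms, so the order of the two conditions in the generated playbook depends on Python 3's per-process string hash seed and the output is not reproducible between builds. Iterating a sorted view fixes that without changing semantics, `for platform in sorted(rule_platforms, key=str):`, where key=str keeps the possible None entry sortable for the existing `elif platform is not None` branch. The Bash wrapper in the next patch file has the same `for platform in rule_platforms:` loop, so the `&&`-joined conditions there are ordered the same non-deterministic way. A separate fragility in inject_package_facts_task: `if type(task_when) is str:` misses the Python 2 `unicode` scalars PyYAML can return, in which case the loop iterates characters and no package_facts task is injected; `if not isinstance(task_when, list): task_when = [task_when]` covers both interpreters. Both method bodies continue outside these hunks.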


@ -0,0 +1,241 @@
From c05cce1a4a5eb95be857b07948fda0c95cdaa106 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Sep 2020 14:36:07 +0200
Subject: [PATCH 1/5] Align Bash applicability with CPE platform
Wraps the remediation of rules with Packager CPE Platform
with an if condition that checks for the respective
platforms's package.
---
ssg/build_remediations.py | 45 +++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index ccbdf9fc1f..2d4a805e78 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -27,6 +27,13 @@
'kubernetes': '.yml'
}
+PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
+ 'apt_get': 'dpkg-query -s {} &>/dev/null',
+ 'dnf': 'rpm --quiet -q {}',
+ 'yum': 'rpm --quiet -q {}',
+ 'zypper': 'rpm --quiet -q {}',
+}
+
FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
REMEDIATION_CONFIG_KEYS = ['complexity', 'disruption', 'platform', 'reboot',
@@ -262,6 +269,44 @@ class BashRemediation(Remediation):
def __init__(self, file_path):
super(BashRemediation, self).__init__(file_path, "bash")
+ def parse_from_file_with_jinja(self, env_yaml):
+ self.local_env_yaml.update(env_yaml)
+ result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
+
+ # There can be repeated inherited platforms and rule platforms
+ rule_platforms = set(self.associated_rule.inherited_platforms)
+ rule_platforms.add(self.associated_rule.platform)
+
+ platform_conditionals = []
+ for platform in rule_platforms:
+ if platform == "machine":
+ # Based on check installed_env_is_a_container
+ platform_conditionals.append('[ ! -f /.dockerenv -a ! -f /run/.containerenv ]')
+ elif platform is not None:
+ # Assume any other platform is a Package CPE
+
+ # Some package names are different from the platform names
+ if platform in self.local_env_yaml["platform_package_overrides"]:
+ platform = self.local_env_yaml["platform_package_overrides"].get(platform)
+
+ # Adjust package check command according to the pkg_manager
+ pkg_manager = self.local_env_yaml["pkg_manager"]
+ pkg_check_command = PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND[pkg_manager]
+ platform_conditionals.append(pkg_check_command.format(platform))
+
+ if platform_conditionals:
+ platform_fix_text = "# Remediation is applicable only in certain platforms\n"
+
+ cond = platform_conditionals.pop(0)
+ platform_fix_text += "if {}".format(cond)
+ for cond in platform_conditionals:
+ platform_fix_text += " && {}".format(cond)
+ platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
+
+ remediation = namedtuple('remediation', ['contents', 'config'])
+ result = remediation(contents=platform_fix_text, config=result.config)
+
+ return result
class AnsibleRemediation(Remediation):
def __init__(self, file_path):
From 19e0c3b709e091159655d37b8ce5d693750f0a81 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Sep 2020 14:41:01 +0200
Subject: [PATCH 2/5] Handle Bash platform wrapping in xccdf expansion
Adjust expansion of subs and variables not to remove the whole beginning
of the fix test. This was removing the package conditional wrapping.
---
ssg/build_remediations.py | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 2d4a805e78..49ec557000 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -736,14 +736,16 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
patcomp = re.compile(pattern, re.DOTALL)
fixparts = re.split(patcomp, fix.text)
if fixparts[0] is not None:
- # Split the portion of fix.text from fix start to first call of
- # remediation function, keeping only the third part:
- # * tail to hold part of the fix.text after inclusion,
- # but before first call of remediation function
+ # Split the portion of fix.text at the string remediation_functions,
+ # and remove preceeding comment whenever it is there.
+ # * head holds part of the fix.text before
+ # remediation_functions string
+ # * tail holds part of the fix.text after the
+ # remediation_functions string
try:
- rfpattern = '(.*remediation_functions)(.*)'
- rfpatcomp = re.compile(rfpattern, re.DOTALL)
- _, _, tail, _ = re.split(rfpatcomp, fixparts[0], maxsplit=2)
+ rfpattern = r'((?:# Include source function library\.\n)?.*remediation_functions)'
+ rfpatcomp = re.compile(rfpattern)
+ head, _, tail = re.split(rfpatcomp, fixparts[0], maxsplit=1)
except ValueError:
sys.stderr.write("Processing fix.text for: %s rule\n"
% fix.get('rule'))
@@ -751,9 +753,10 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
"after inclusion of remediation functions."
" Aborting..\n")
sys.exit(1)
- # If the 'tail' is not empty, make it new fix.text.
+ # If the 'head' is not empty, make it new fix.text.
# Otherwise use ''
- fix.text = tail if tail is not None else ''
+ fix.text = head if head is not None else ''
+ fix.text += tail if tail is not None else ''
# Drop the first element of 'fixparts' since it has been processed
fixparts.pop(0)
# Perform sanity check on new 'fixparts' list content (to continue
From 1292b93dc35a9a308464f1effb7f10f8de6db457 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Sep 2020 20:56:17 +0200
Subject: [PATCH 3/5] Check if remediation has associated rule before use
---
ssg/build_remediations.py | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 49ec557000..85f7139d8f 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -273,9 +273,11 @@ def parse_from_file_with_jinja(self, env_yaml):
self.local_env_yaml.update(env_yaml)
result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
- # There can be repeated inherited platforms and rule platforms
- rule_platforms = set(self.associated_rule.inherited_platforms)
- rule_platforms.add(self.associated_rule.platform)
+ rule_platforms = set()
+ if self.associated_rule:
+ # There can be repeated inherited platforms and rule platforms
+ rule_platforms.update(self.associated_rule.inherited_platforms)
+ rule_platforms.add(self.associated_rule.platform)
platform_conditionals = []
for platform in rule_platforms:
From 7953a02e61bb56b501c56f46972247751292dcbb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 10 Sep 2020 10:59:43 +0200
Subject: [PATCH 4/5] Fix python2 compat and improve code readability
---
ssg/build_remediations.py | 29 ++++++++++++++++++-----------
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 85f7139d8f..673d6d0cc6 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -28,10 +28,10 @@
}
PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
- 'apt_get': 'dpkg-query -s {} &>/dev/null',
- 'dnf': 'rpm --quiet -q {}',
- 'yum': 'rpm --quiet -q {}',
- 'zypper': 'rpm --quiet -q {}',
+ 'apt_get': 'dpkg-query -s {0} &>/dev/null',
+ 'dnf': 'rpm --quiet -q {0}',
+ 'yum': 'rpm --quiet -q {0}',
+ 'zypper': 'rpm --quiet -q {0}',
}
FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
@@ -297,16 +297,23 @@ def parse_from_file_with_jinja(self, env_yaml):
platform_conditionals.append(pkg_check_command.format(platform))
if platform_conditionals:
- platform_fix_text = "# Remediation is applicable only in certain platforms\n"
+ wrapped_fix_text = ["# Remediation is applicable only in certain platforms"]
- cond = platform_conditionals.pop(0)
- platform_fix_text += "if {}".format(cond)
- for cond in platform_conditionals:
- platform_fix_text += " && {}".format(cond)
- platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
+ all_conditions = " && ".join(platform_conditionals)
+ wrapped_fix_text.append("if {0}; then".format(all_conditions))
+
+ # Avoid adding extra blank line
+ if not result.contents.startswith("\n"):
+ wrapped_fix_text.append("")
+
+ wrapped_fix_text.append("{0}".format(result.contents))
+ wrapped_fix_text.append("")
+ wrapped_fix_text.append("else")
+ wrapped_fix_text.append(" >&2 echo 'Remediation is not applicable, nothing was done'")
+ wrapped_fix_text.append("fi")
remediation = namedtuple('remediation', ['contents', 'config'])
- result = remediation(contents=platform_fix_text, config=result.config)
+ result = remediation(contents="\n".join(wrapped_fix_text), config=result.config)
return result
From 0bd3912651367c64789bb3d67b44c3b8848708c0 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 10 Sep 2020 17:25:27 +0200
Subject: [PATCH 5/5] Document the perils of indenting wrapped Bash fixes
---
ssg/build_remediations.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 673d6d0cc6..f269d4d2d6 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -306,6 +306,9 @@ def parse_from_file_with_jinja(self, env_yaml):
if not result.contents.startswith("\n"):
wrapped_fix_text.append("")
+ # It is possible to indent the original body of the remediation with textwrap.indent(),
+ # however, it is not supported by python2, and there is a risk of breaking remediations
+ # For example, remediations with a here-doc block could be affected.
wrapped_fix_text.append("{0}".format(result.contents))
wrapped_fix_text.append("")
wrapped_fix_text.append("else")
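Review bot: The apt guard in PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND, `'dpkg-query -s {} &>/dev/null'` (rewritten with `{0}` in the patch-4 hunk), exits 0 for a package that was removed but not purged, because dpkg-query -s still reports the config-files state for it; the wrapped remediation would then run on a host where the package is absent, which is exactly what the wrapper is meant to prevent. Testing the status field is the reliable form: `'apt_get': "dpkg-query -W -f='${{Status}}' {0} 2>/dev/null | grep -q 'ok installed'",` (the doubled braces keep str.format from treating `${Status}` as a replacement field). A smaller point in the same method: the container test `[ ! -f /.dockerenv -a ! -f /run/.containerenv ]` relies on the `-a` operator of `[`, which POSIX marks obsolescent; `[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]` reads the same and composes cleanly with the `" && ".join` added in patch 4. parse_from_file_with_jinja's body continues outside the patch-4 and patch-5 hunks.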


@ -0,0 +1,203 @@
From 7c0b04c157374e9251360d1d5e12a9e00dd4375e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Sep 2020 09:50:54 +0200
Subject: [PATCH 1/3] Introduce platform_package_overrides
Introduce a mapping of CPE package platform name to a package name.
Each linux distro or version may have its specific name for a package,
this mapping allows a product to override the package name of a
platorm.
By default, it assumes that the package name will be the same as the
platform name.
---
rhel8/product.yml | 7 +++++++
ssg/build_remediations.py | 3 +++
2 files changed, 10 insertions(+)
diff --git a/rhel8/product.yml b/rhel8/product.yml
index 6cdc51919e..6b5b4e2748 100644
--- a/rhel8/product.yml
+++ b/rhel8/product.yml
@@ -18,3 +18,10 @@ aux_pkg_version: "d4082792"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ grub2: "grub2-pc"
+ login_defs: "shadow-utils"
+ sssd: "sssd-common"
+ zipl: "s390x-utils"
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index 866450dd8c..ccbdf9fc1f 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -389,6 +389,9 @@ def update_when_from_rule(self, to_update):
if "package_facts" in to_update:
continue
+ if platform in self.local_env_yaml["platform_package_overrides"]:
+ platform = self.local_env_yaml["platform_package_overrides"].get(platform)
+
additional_when.append('"' + platform + '" in ansible_facts.packages')
# After adding the conditional, we need to make sure package_facts are collected.
# This is done via inject_package_facts_task()
From 10dc62084cf8e38be9189b527c3b99b545826091 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Sep 2020 14:42:57 +0200
Subject: [PATCH 2/3] Move platform to cpe mappings to ssg/constants
---
rhel8/product.yml | 6 ------
ssg/constants.py | 8 ++++++++
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/rhel8/product.yml b/rhel8/product.yml
index 6b5b4e2748..d839b23231 100644
--- a/rhel8/product.yml
+++ b/rhel8/product.yml
@@ -19,9 +19,3 @@ aux_pkg_version: "d4082792"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
-# Mapping of CPE platform to package
-platform_package_overrides:
- grub2: "grub2-pc"
- login_defs: "shadow-utils"
- sssd: "sssd-common"
- zipl: "s390x-utils"
diff --git a/ssg/constants.py b/ssg/constants.py
index 3f9d7d37ce..7e9678241c 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -501,6 +501,14 @@
"zipl": "cpe:/a:zipl",
}
+# Default platform to package mapping
+XCCDF_PLATFORM_TO_PACKAGE = {
+ "grub2": "grub2-pc",
+ "login_defs": "login",
+ "sssd": "sssd-common",
+ "zipl": "s390x-utils",
+}
+
# _version_name_map = {
MAKEFILE_ID_TO_PRODUCT_MAP = {
'chromium': 'Google Chromium Browser',
From feb012f06adae989138be15431020f2c174becc4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 4 Sep 2020 14:47:29 +0200
Subject: [PATCH 3/3] Allow override of default platform package mapping
With default platform to package mappings defined, we need to allow a
product to override it if needed.
---
rhel6/product.yml | 4 ++++
rhel7/product.yml | 4 ++++
rhel8/product.yml | 3 +++
rhosp10/product.yml | 3 +++
rhosp13/product.yml | 4 ++++
rhv4/product.yml | 4 ++++
ssg/yaml.py | 6 +++++-
8 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/rhel6/product.yml b/rhel6/product.yml
index cc8fa4f8ed..eab9b80c47 100644
--- a/rhel6/product.yml
+++ b/rhel6/product.yml
@@ -20,3 +20,7 @@ aux_pkg_version: "2fa658e0"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/rhel7/product.yml b/rhel7/product.yml
index f03c928b8f..3ff996b8cc 100644
--- a/rhel7/product.yml
+++ b/rhel7/product.yml
@@ -18,3 +18,7 @@ aux_pkg_version: "2fa658e0"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/rhel8/product.yml b/rhel8/product.yml
index d839b23231..f3aa59faec 100644
--- a/rhel8/product.yml
+++ b/rhel8/product.yml
@@ -19,3 +19,6 @@ aux_pkg_version: "d4082792"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/rhosp10/product.yml b/rhosp10/product.yml
index 51d0a932a5..af42ca998d 100644
--- a/rhosp10/product.yml
+++ b/rhosp10/product.yml
@@ -10,3 +10,6 @@ pkg_manager: "yum"
init_system: "systemd"
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/rhosp13/product.yml b/rhosp13/product.yml
index 5e849ff609..ba42a31cd7 100644
--- a/rhosp13/product.yml
+++ b/rhosp13/product.yml
@@ -9,3 +9,7 @@ profiles_root: "./profiles"
pkg_manager: "yum"
init_system: "systemd"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/rhv4/product.yml b/rhv4/product.yml
index 10a2eda079..a61bf1588d 100644
--- a/rhv4/product.yml
+++ b/rhv4/product.yml
@@ -18,3 +18,7 @@ aux_pkg_version: "d4082792"
release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
+
+# Mapping of CPE platform to package
+platform_package_overrides:
+ login_defs: "shadow-utils"
diff --git a/ssg/yaml.py b/ssg/yaml.py
index cefbba374c..22cf5bad66 100644
--- a/ssg/yaml.py
+++ b/ssg/yaml.py
@@ -10,7 +10,8 @@
from .jinja import load_macros, process_file
from .constants import (PKG_MANAGER_TO_SYSTEM,
- PKG_MANAGER_TO_CONFIG_FILE)
+ PKG_MANAGER_TO_CONFIG_FILE,
+ XCCDF_PLATFORM_TO_PACKAGE)
from .constants import DEFAULT_UID_MIN
try:
@@ -138,6 +139,9 @@ def open_raw(yaml_file):
def open_environment(build_config_yaml, product_yaml):
contents = open_raw(build_config_yaml)
+ # Load common platform package mappings,
+ # any specific mapping in product_yaml will override the default
+ contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
contents.update(open_raw(product_yaml))
contents.update(_get_implied_properties(contents))
return contents


@ -0,0 +1,92 @@
From fbcd3e42106b95efd8a63914a558c04c76487783 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 21 Sep 2020 10:26:53 +0200
Subject: [PATCH] Remove zIPL rule for PTI bootloader option
This setting is to mitigate a problem specific for intel archs.
Also returns the CCE to the pool.
---
.../zipl_pti_argument/rule.yml | 38 -------------------
rhel8/profiles/ospp.profile | 1 -
rhel8/profiles/stig.profile | 1 -
.../data/profile_stability/rhel8/ospp.profile | 1 -
4 files changed, 41 deletions(-)
delete mode 100644 linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
deleted file mode 100644
index 96170e6d85..0000000000
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-documentation_complete: true
-
-prodtype: rhel8
-
-title: 'Enable Kernel Page-Table Isolation (KPTI) in zIPL'
-
-description: |-
- To enable Kernel page-table isolation,
- check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
- included in its options.<br />
- To ensure that new kernels and boot entries continue to enable page-table isolation,
- add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
-
-rationale: |-
- Kernel page-table isolation is a kernel feature that mitigates
- the Meltdown security vulnerability and hardens the kernel
- against attempts to bypass kernel address space layout
- randomization (KASLR).
-
-severity: medium
-
-identifiers:
- cce@rhel8: 83361-6
-
-ocil_clause: 'Kernel page-table isolation is not enabled'
-
-ocil: |-
- To check that page-table isolation is enabled at boot time, check all boot entries with following command:
- <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
- No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
-
-platform: machine
-
-template:
- name: zipl_bls_entries_option
- vars:
- arg_name: pti
- arg_value: 'on'
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 5e81e4a92a..46f00c89f1 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -426,4 +426,3 @@ selections:
- zipl_vsyscall_argument
- zipl_vsyscall_argument.role=unscored
- zipl_vsyscall_argument.severity=info
- - zipl_pti_argument
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 53647475aa..817d5dbadd 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -52,7 +52,6 @@ selections:
- "!zipl_audit_argument"
- "!zipl_audit_backlog_limit_argument"
- "!zipl_page_poison_argument"
- - "!zipl_pti_argument"
- "!zipl_slub_debug_argument"
- "!zipl_vsyscall_argument"
- "!zipl_vsyscall_argument.role=unscored"
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 7b7307cba8..223b1423cd 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -219,7 +219,6 @@ selections:
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
- zipl_page_poison_argument
-- zipl_pti_argument
- zipl_slub_debug_argument
- zipl_vsyscall_argument
- var_sshd_set_keepalive=0


@ -0,0 +1,49 @@
From 08d5fb8355020856282eecfcdd09e96d9850cd62 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 9 Oct 2020 09:30:35 +0200
Subject: [PATCH] Do not platform wrap empty Bash remediation
The fix text for a rule can end up empty if a Jinja macro or conditional
doesn't render any text.
In these cases, avoid wrapping empty lines in an if-else, as this causes
syntax error.
---
ssg/build_remediations.py | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
index f269d4d2d6..572db61701 100644
--- a/ssg/build_remediations.py
+++ b/ssg/build_remediations.py
@@ -273,6 +273,13 @@ def parse_from_file_with_jinja(self, env_yaml):
self.local_env_yaml.update(env_yaml)
result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
+ # Avoid platform wrapping empty fix text
+ # Remediations can be empty when a Jinja macro or conditional
+ # renders no fix text for a product
+ stripped_fix_text = result.contents.strip()
+ if stripped_fix_text == "":
+ return result
+
rule_platforms = set()
if self.associated_rule:
# There can be repeated inherited platforms and rule platforms
@@ -301,15 +308,11 @@ def parse_from_file_with_jinja(self, env_yaml):
all_conditions = " && ".join(platform_conditionals)
wrapped_fix_text.append("if {0}; then".format(all_conditions))
-
- # Avoid adding extra blank line
- if not result.contents.startswith("\n"):
- wrapped_fix_text.append("")
-
+ wrapped_fix_text.append("")
# It is possible to indent the original body of the remediation with textwrap.indent(),
# however, it is not supported by python2, and there is a risk of breaking remediations
# For example, remediations with a here-doc block could be affected.
- wrapped_fix_text.append("{0}".format(result.contents))
+ wrapped_fix_text.append("{0}".format(stripped_fix_text))
wrapped_fix_text.append("")
wrapped_fix_text.append("else")
wrapped_fix_text.append(" >&2 echo 'Remediation is not applicable, nothing was done'")
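Review bot: The early return at the top of the first hunk hands back `result` with its whitespace-only `contents` untouched, so a caller that tests for an empty remediation still sees the raw whitespace rather than the stripped text; if downstream code keys on emptiness, set `result.contents = stripped_fix_text` before `return result`. The equality test reads more idiomatically as `if not stripped_fix_text:`. In the second hunk the wrapped body now uses `stripped_fix_text`, which also trims leading whitespace from the first line of every non-empty remediation — presumably harmless for Bash, but it goes beyond the empty-text case the commit describes and is worth a comment such as `# contents are stripped, so a leading blank line is always re-added above`. parse_from_file_with_jinja begins and ends outside both hunks.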


@ -0,0 +1,116 @@
From cf1d85924b5945506e57f8701be066c83a894378 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 5 Oct 2020 16:40:39 +0200
Subject: [PATCH 1/2] Check for grub2-common instead of grub2-pc
Check for grub2 intallation based on grub2-common.
grub2-pc is a x86_64 package, but other arches use grub2 as well.
---
.../checks/oval/installed_env_has_grub2_package.xml | 12 ++++++------
ssg/constants.py | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
index e83f45bc3b..2a170d668e 100644
--- a/shared/checks/oval/installed_env_has_grub2_package.xml
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
@@ -6,31 +6,31 @@
<affected family="unix">
<platform>multi_platform_all</platform>
</affected>
- <description>Checks if package grub2-pc is installed.</description>
+ <description>Checks if package grub2-common is installed.</description>
<reference ref_id="cpe:/a:grub2" source="CPE" />
</metadata>
<criteria>
- <criterion comment="Package grub2-pc is installed" test_ref="test_env_has_grub2_installed" />
+ <criterion comment="Package grub2-common is installed" test_ref="test_env_has_grub2_installed" />
</criteria>
</definition>
{{% if pkg_system == "rpm" %}}
<linux:rpminfo_test check="all" check_existence="at_least_one_exists"
id="test_env_has_grub2_installed" version="1"
- comment="system has package grub2-pc installed">
+ comment="system has package grub2-common installed">
<linux:object object_ref="obj_env_has_grub2_installed" />
</linux:rpminfo_test>
<linux:rpminfo_object id="obj_env_has_grub2_installed" version="1">
- <linux:name>grub2-pc</linux:name>
+ <linux:name>grub2-common</linux:name>
</linux:rpminfo_object>
{{% elif pkg_system == "dpkg" %}}
<linux:dpkginfo_test check="all" check_existence="all_exist"
id="test_env_has_grub2_installed" version="1"
- comment="system has package grub2-pc installed">
+ comment="system has package grub2-common installed">
<linux:object object_ref="obj_env_has_grub2_installed" />
</linux:dpkginfo_test>
<linux:dpkginfo_object id="obj_env_has_grub2_installed" version="1">
- <linux:name>grub2-pc</linux:name>
+ <linux:name>grub2-common</linux:name>
</linux:dpkginfo_object>
{{% endif %}}
diff --git a/ssg/constants.py b/ssg/constants.py
index b07fe5f0fe..88316374b5 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -468,7 +468,7 @@
# Default platform to package mapping
XCCDF_PLATFORM_TO_PACKAGE = {
- "grub2": "grub2-pc",
+ "grub2": "grub2-common",
"login_defs": "login",
"sssd": "sssd-common",
"zipl": "s390utils-base",
From fba876cfc7f85f5b9a696d0f5fa1177299b7c6bb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 5 Oct 2020 16:49:15 +0200
Subject: [PATCH 2/2] Handle exception of grub2-coomon in ppc64le
ppc64le systems can use Grub2 or OPAL and the package set will be the
same in both cases.
Add a few more checks to make sure ppc64le arch is handled correctly.
---
.../oval/installed_env_has_grub2_package.xml | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
index 2a170d668e..fb2c9cc784 100644
--- a/shared/checks/oval/installed_env_has_grub2_package.xml
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
@@ -9,8 +9,18 @@
<description>Checks if package grub2-common is installed.</description>
<reference ref_id="cpe:/a:grub2" source="CPE" />
</metadata>
- <criteria>
+ <criteria operator="AND">
<criterion comment="Package grub2-common is installed" test_ref="test_env_has_grub2_installed" />
+ <criteria operator="OR">
+ <!-- On ppc64le systems, OF (Grub2) or OPAL (petitboot) can be used,
+ and unfortunately the package set installed is the same in both cases.
+ But when OPAL is used, /sys/firmware/opal exists.
+ So the system uses grub when: -->
+ <!-- grub2-common is installed and arch is not a ppc64le -->
+ <criterion comment="Test for ppcle64 architecture" test_ref="test_system_info_architecture_ppcle_64" negate="true" />
+ <!-- or when grub2-common is installed, arch is a ppc64le but OPAL is not used -->
+ <criterion comment="Test if OPAL is not used" test_ref="test_system_using_opal" negate="true" />
+ </criteria>
</criteria>
</definition>
@@ -34,4 +44,11 @@
</linux:dpkginfo_object>
{{% endif %}}
+ <unix:file_test check="all" check_existence="all_exist" comment="Check if /sys/firware/opal exists" id="test_system_using_opal" version="1">
+ <unix:object object_ref="object_system_using_opal" />
+ </unix:file_test>
+ <unix:file_object id="object_system_using_opal" version="1">
+ <unix:filepath>/sys/firmware/opal</unix:filepath>
+ </unix:file_object>
+
</def-group>
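Review bot: The `comment` attribute on the new `unix:file_test` in the second patch misspells the path (`Check if /sys/firware/opal exists`); the `filepath` element that is actually evaluated is correct, so only the comment needs changing to `comment="Check if /sys/firmware/opal exists"`. The added criterion references `test_system_info_architecture_ppcle_64`, which is not defined anywhere in this file; presumably it comes from a shared OVAL check, but the id (`ppcle_64`) and its comment (`ppcle64`) spell the architecture differently from the `ppc64le` used in the explanatory comment, so the reference is worth verifying against the definition it points at. The combined criteria read correctly as "grub2-common installed AND (not ppc64le OR no OPAL)". The subject line of the second patch also has a typo (`grub2-coomon`).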


@ -0,0 +1,38 @@
From 7dfeb5ec0513a58502eb83aa2900e7c5fb0d478e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 8 Sep 2020 11:29:57 +0200
Subject: [PATCH] Fix load of product platform mapping
The product specific mappings were overriding the common mappings,
instead of being merged with them.
---
ssg/yaml.py | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ssg/yaml.py b/ssg/yaml.py
index 22cf5bad66..d8856e52c9 100644
--- a/ssg/yaml.py
+++ b/ssg/yaml.py
@@ -13,6 +13,7 @@
PKG_MANAGER_TO_CONFIG_FILE,
XCCDF_PLATFORM_TO_PACKAGE)
from .constants import DEFAULT_UID_MIN
+from .utils import merge_dicts
try:
from yaml import CSafeLoader as yaml_SafeLoader
@@ -139,10 +140,11 @@ def open_raw(yaml_file):
def open_environment(build_config_yaml, product_yaml):
contents = open_raw(build_config_yaml)
- # Load common platform package mappings,
- # any specific mapping in product_yaml will override the default
- contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
contents.update(open_raw(product_yaml))
+ platform_package_overrides = contents.get("platform_package_overrides", {})
+ # Merge common platform package mappings, while keeping product specific mappings
+ contents["platform_package_overrides"] = merge_dicts(XCCDF_PLATFORM_TO_PACKAGE,
+ platform_package_overrides)
contents.update(_get_implied_properties(contents))
return contents
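Review bot: `merge_dicts(XCCDF_PLATFORM_TO_PACKAGE, platform_package_overrides)` passes the module-level default mapping as the first argument; if `merge_dicts` updates its first argument in place instead of returning a fresh dict, the shared constant absorbs one product's overrides and leaks them into every product built later in the same process, so the package-name conditions emitted for remediations would silently be wrong for those products. The helper is not visible here, so confirm it copies; otherwise pass a copy explicitly, `merge_dicts(dict(XCCDF_PLATFORM_TO_PACKAGE), platform_package_overrides)`. open_environment is shown in full in this hunk.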


@ -0,0 +1,22 @@
From 570dc073739e9044b54e872c8368125bccadb704 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 29 Sep 2020 15:28:02 +0200
Subject: [PATCH] Fix zIPL package mapping
---
ssg/constants.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssg/constants.py b/ssg/constants.py
index 0eca2f4f95..fa6c756ff6 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -470,7 +470,7 @@
"grub2": "grub2-pc",
"login_defs": "login",
"sssd": "sssd-common",
- "zipl": "s390x-utils",
+ "zipl": "s390utils-base",
}
# _version_name_map = {


@ -0,0 +1,16 @@
From 7a069a2deb4d1ce69b02b7615523424f2ecf281f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 29 Sep 2020 15:04:39 +0200
Subject: [PATCH] Move grub2_vsyscall_argument to grub2 group
This will put the rule under grub2 platform, so the rule is only
applicable on a machine system with grub2.
---
.../grub2_vsyscall_argument/rule.yml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename linux_os/guide/system/{permissions/restrictions => bootloader-grub2}/grub2_vsyscall_argument/rule.yml (100%)
diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
similarity index 100%
rename from linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument/rule.yml
rename to linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml


@ -1,6 +1,6 @@
Name: scap-security-guide
Version: 0.1.50
Release: 14%{?dist}
Release: 16%{?dist}
Summary: Security guidance and baselines in SCAP formats
Group: Applications/System
License: BSD
@ -35,6 +35,23 @@ Patch23: scap-security-guide-0.1.51-no_shelllogin_for_systemaccounts_ubi8-PR_58
Patch24: scap-security-guide-0.1.51-grub2_doc_fix-PR_5890.patch
Patch25: scap-security-guide-0.1.51-remove_grub_doc_links-PR_5851.patch
Patch26: scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch
Patch27: scap-security-guide-0.1.51-add-zipl-rules_PR_5784.patch
Patch28: scap-security-guide-0.1.51-add-zipl-and-grub2-cpes_PR_5905.patch
Patch29: scap-security-guide-0.1.51-fix-zipl-cpe-dictionary_PR_5912.patch
Patch30: scap-security-guide-0.1.51-fix-rhel6-cpe-dictionary_PR_5928.patch
Patch31: scap-security-guide-0.1.52-reorganize-zipl-rules_PR_5888.patch
Patch32: scap-security-guide-0.1.52-add-zipl-boot-options-template_PR_5908.patch
Patch33: scap-security-guide-0.1.52-add-grub2-platform-to-more-rules_PR_5952.patch
# To ease backport, patch 33 also includes changes from #5995
Patch34: scap-security-guide-0.1.53-add-ansible-platform_PR_6025.patch
Patch35: scap-security-guide-0.1.53-add-platform-to-package-mapping_PR_6047.patch
Patch36: scap-security-guide-0.1.53-fix-platform-to-package-mapping_PR_6059.patch
Patch37: scap-security-guide-0.1.53-add-bash-platform_PR_6061.patch
Patch38: scap-security-guide-0.1.53-drop-zipl-pti-rule_PR_6065.patch
Patch39: scap-security-guide-0.1.53-move-grub2-vsyscall-rule_PR_6129.patch
Patch40: scap-security-guide-0.1.53-fix-zipl-package-mapping_PR_6130.patch
Patch41: scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch
Patch42: scap-security-guide-0.1.53-fix-empty-bash-wrapping-PR_6173.patch
BuildArch: noarch
@ -96,6 +113,22 @@ present in %{name} package.
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
mkdir build
%build
@ -130,6 +163,13 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html
%changelog
* Fri Oct 09 2020 Watson Sato <wsato@redhat.com> - 0.1.50-16
- Fix Bash platform in empty remediations (rhbz#1886318)
* Tue Oct 06 2020 Watson Sato <wsato@redhat.com> - 0.1.50-15
- Add and select zIPL bootloader rules in OSPP (rhbz#1886318)
- Add support for remediation platforms
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)