From 8cbec60a51b54df386bad72cdd82b83fbf9482fa Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 25 Jun 2020 18:29:31 +0200 Subject: [PATCH 01/14] Add rule to check for zIPL conformance to BLS Instead of having each zIPL argument rule check for BLS compliance, let's split into its own rule. --- .../zipl_audit_argument/rule.yml | 6 ----- .../rule.yml | 6 ----- .../zipl_bls_entries_only/rule.yml | 24 +++++++++++++++++++ .../zipl_enable_selinux/rule.yml | 6 ----- .../zipl_page_poison_argument/rule.yml | 6 ----- .../zipl_pti_argument/rule.yml | 6 ----- .../zipl_slub_debug_argument/rule.yml | 6 ----- .../zipl_vsyscall_argument/rule.yml | 6 ----- 8 files changed, 24 insertions(+), 42 deletions(-) create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml index 2d31ef8ee7..1211a53295 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml @@ -8,8 +8,6 @@ description: |- To ensure all processes can be audited, even those which start prior to the audit daemon, check that all boot entries in /boot/loader/entries/*.conf have audit=1 included in its options.
- Make sure /etc/zipl.conf doesn't contain image = setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
And run zipl command so that /boot/bootmap is updated.

To ensure that new kernels and boot entries continue to enable audit, @@ -30,10 +28,6 @@ ocil: |-
sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that doesn't enable audit. - Check that no image file is specified in /etc/zipl.conf: -
grep -R "^image\s*=" /etc/zipl.conf
- No line should be returned, if a line is returned zipl may load a different kernel than intended. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf and /etc/zipl.conf:
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml index 40db232257..7d88e38686 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml @@ -8,8 +8,6 @@ description: |- To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192 included in its options.
- Make sure /etc/zipl.conf doesn't contain image = setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
And run zipl command so that /boot/bootmap is updated.

To ensure that new kernels and boot entries continue to extend the audit log events queue, @@ -31,10 +29,6 @@ ocil: |-
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that does not extend the log events queue. - Check that no image file is specified in /etc/zipl.conf: -
grep -R "^image\s*=" /etc/zipl.conf
- No line should be returned, if a line is returned zipl may load a different kernel than intended. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf and /etc/zipl.conf:
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml new file mode 100644 index 0000000000..b6ccbb5343 --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Ensure all zIPL boot entries are BLS compliant' + +description: |- + Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS) + by checking that /etc/zipl.conf doesn't contain image = . + +rationale: |- + {{{ full_name }}} adheres to Boot Loader Specification (BLS) and is the prefered method of + configuration. + +severity: medium + +ocil_clause: 'a non BLS boot entry is configured' + +ocil: |- + Check that no boot image file is specified in /etc/zipl.conf: +
grep -R "^image\s*=" /etc/zipl.conf
+ No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL. + +platform: machine diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml index 8d28d5495f..1c3bfeb246 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml @@ -8,8 +8,6 @@ description: |- To ensure SELinux is not disabled at boot time, check that no boot entry in /boot/loader/entries/*.conf has selinux=0 included in its options.
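Review bot: The OCIL command in the new zipl_bls_entries_only/rule.yml, `grep -R "^image\s*=" /etc/zipl.conf`, anchors `image` to the first column, so an indented `image =` line is not reported even though the title promises to catch every non-BLS entry; `grep -E "^\s*image\s*=" /etc/zipl.conf` covers that form, and `-R` does nothing useful on a single file. Whatever pattern is chosen here should be kept identical to the one the OVAL check uses, otherwise a manual check and the automated scan can disagree on the same host. Two wording slips in the same file: `Ensure that zIPL boot entries fully adheres` should read `fully adhere`, and `prefered` in the rationale should be `preferred`.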
- Make sure /etc/zipl.conf doesn't contain image = setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
And run zipl command so that /boot/bootmap is updated.

rationale: |- @@ -27,10 +25,6 @@ ocil: |-
sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that disables SELinux. - Check that no image file is specified in /etc/zipl.conf: -
grep -R "^image\s*=" /etc/zipl.conf
- No line should be returned, if a line is returned zipl may load a different kernel than intended. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf and /etc/zipl.conf:
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml index 0a8e9a41e2..6dbfd501b7 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml @@ -8,8 +8,6 @@ description: |- To enable poisoning of free pages, check that all boot entries in /boot/loader/entries/*.conf have page_poison=1 included in its options.
- Make sure /etc/zipl.conf doesn't contain image = setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
And run zipl command so that /boot/bootmap is updated.
To ensure that new kernels and boot entries continue to enable page poisoning, @@ -31,10 +29,6 @@ ocil: |-
sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning. - Check that no image file is specified in /etc/zipl.conf: -
grep -R "^image\s*=" /etc/zipl.conf
- No line should be returned, if a line is returned zipl may load a different kernel than intended. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf and /etc/zipl.conf:
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml index 20c1448cc8..555fdf2b66 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml @@ -8,8 +8,6 @@ description: |- To enable Kernel page-table isolation, check that all boot entries in /boot/loader/entries/*.conf have pti=on included in its options.
- Make sure /etc/zipl.conf doesn't contain image = setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
And run zipl command so that /boot/bootmap is updated.

To ensure that new kernels and boot entries continue to enable page-table isolation, @@ -30,10 +28,6 @@ ocil: |-
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation . - Check that no image file is specified in /etc/zipl.conf: -
grep -R "^image\s*=" /etc/zipl.conf
- No line should be returned, if a line is returned zipl may load a different kernel than intended. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf and /etc/zipl.conf:
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml index 54ac688ea0..dd7865bf81 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml @@ -8,8 +8,6 @@ description: |- To enable poisoning of SLUB/SLAB objects, check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P included in its options.
- Make sure /etc/zipl.conf doesn't contain image = setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
And run zipl command so that /boot/bootmap is updated.

To ensure that new kernels and boot entries continue to extend the audit log events queue, @@ -31,10 +29,6 @@ ocil: |-
sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that does not enable poisoning. - Check that no image file is specified in /etc/zipl.conf: -
grep -R "^image\s*=" /etc/zipl.conf
- No line should be returned, if a line is returned zipl may load a different kernel than intended. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf and /etc/zipl.conf:
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml index c5979a2016..18b7ade460 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml @@ -8,8 +8,6 @@ description: |- To disable use of virtual syscalls, check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none included in its options.
- Make sure /etc/zipl.conf doesn't contain image = setting, - as {{{ full_name }}} adheres to Boot Loader Specification (BLS).
And run zipl command so that /boot/bootmap is updated.

To ensure that new kernels and boot entries continue to disable virtual syscalls, @@ -28,10 +26,6 @@ ocil: |-
sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls. - Check that no image file is specified in /etc/zipl.conf: -
grep -R "^image\s*=" /etc/zipl.conf
- No line should be returned, if a line is returned zipl may load a different kernel than intended. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf and /etc/zipl.conf:
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
From 5e3b19077d781d0441595019429c653efafede8e Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 2 Jul 2020 09:52:39 +0200 Subject: [PATCH 02/14] zipl_bls_entries_only: Add OVAL and tests --- .../zipl_bls_entries_only/oval/shared.xml | 27 +++++++++++++++++++ .../tests/image_configured.fail.sh | 6 +++++ .../tests/no_image.pass.sh | 7 +++++ 3 files changed, 40 insertions(+) create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml new file mode 100644 index 0000000000..41e9773814 --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml @@ -0,0 +1,27 @@ + + + + Ensure zIPL entries are BLS compliant + {{{- oval_affected(products) }}} + Check if /etc/zipl.conf configures any boot entry + + + + + + + + + + + + ^/etc/zipl.conf$ + ^image\s*=.*$ + 1 + + + diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh new file mode 100644 index 0000000000..e3adb99638 --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# remediation = none + +# Make sure no image configured in zipl config file +echo 'image = /boot/image' >> /etc/zipl.conf diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh new file mode 100644 index 0000000000..47626442f6 
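Review bot: The comment in image_configured.fail.sh, `# Make sure no image configured in zipl config file`, states the opposite of what the script does: the only command, `echo 'image = /boot/image' >> /etc/zipl.conf`, adds a non-BLS image entry so that the rule must fail. Replace it with `# Configure a non-BLS image entry so the rule fails`, so the fixture is self-describing. The same sentence is correct in no_image.pass.sh, which is where it appears to have been copied from.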
--- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh @@ -0,0 +1,7 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# remediation = none + +# Make sure no image configured in zipl config file +sed -Ei '/^image\s*=/d' /etc/zipl.conf +true From 05e5b05b41080b7fbfaf42469cbb366eeffe35ec Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 2 Jul 2020 11:09:08 +0200 Subject: [PATCH 03/14] zipl_bls_entries_only: Add no-remediation warning Automated remediation to remove non-BLS boot entries from /etc/zipl.conf is tricky and can lead to broken entries or removal of all of them. --- .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml index b6ccbb5343..f792c5257f 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml @@ -22,3 +22,8 @@ ocil: |- No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL. platform: machine + +warnings: + - general: |- + To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf + automated remediation for this rule is not available. From 53d811ed09cd63d4472a2133f3d9dc465dbd2962 Mon Sep 17 00:00:00 2001 
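Review bot: The cleanup in no_image.pass.sh, `sed -Ei '/^image\s*=/d' /etc/zipl.conf`, deletes only `image` keys at the first column, so an indented `image =` line survives and this pass scenario can fail against any check that tolerates leading whitespace; `sed -Ei '/^\s*image\s*=/d' /etc/zipl.conf` removes both forms. The trailing `true` appears to be there to keep the script's exit status at zero, but it also masks a sed failure such as a missing /etc/zipl.conf, so `touch /etc/zipl.conf` before the sed (or an `[ -f /etc/zipl.conf ] &&` guard) would state the intent more honestly.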
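Review bot: The new warning text has a typo, `oconfigured`, in `To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf`; it should read `configured`. A comma before `automated remediation for this rule is not available` would also make clear that the first clause is the reason rather than a condition.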
From: Watson Sato Date: Thu, 25 Jun 2020 18:51:04 +0200 Subject: [PATCH 04/14] Add rule to check hotness of zIPL bootmap Instead of having each zIPL argument rule check if zIPL bootmap is up to date, let's split it into its own rule. --- .../zipl_audit_argument/rule.yml | 6 ----- .../rule.yml | 7 ----- .../zipl_bootmap_is_up_to_date/rule.yml | 27 +++++++++++++++++++ .../zipl_enable_selinux/rule.yml | 6 ----- .../zipl_page_poison_argument/rule.yml | 7 ----- .../zipl_pti_argument/rule.yml | 7 ----- .../zipl_slub_debug_argument/rule.yml | 7 ----- .../zipl_vsyscall_argument/rule.yml | 7 ----- 8 files changed, 27 insertions(+), 47 deletions(-) create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml index 1211a53295..624b4e7041 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml @@ -8,7 +8,6 @@ description: |- To ensure all processes can be audited, even those which start prior to the audit daemon, check that all boot entries in /boot/loader/entries/*.conf have audit=1 included in its options.
- And run zipl command so that /boot/bootmap is updated.

To ensure that new kernels and boot entries continue to enable audit, add audit=1 to /etc/kernel/cmdline. @@ -28,9 +27,4 @@ ocil: |-
sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that doesn't enable audit. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf - and /etc/zipl.conf: -
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. - platform: machine diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml index 7d88e38686..faf114591a 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml @@ -8,8 +8,6 @@ description: |- To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon, check that all boot entries in /boot/loader/entries/*.conf have audit_backlog_limit=8192 included in its options.
- And run zipl command so that /boot/bootmap is updated.

- To ensure that new kernels and boot entries continue to extend the audit log events queue, add audit_backlog_limit=8192 to /etc/kernel/cmdline. @@ -29,9 +27,4 @@ ocil: |-
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that does not extend the log events queue. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf - and /etc/zipl.conf: -
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. - platform: machine diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml new file mode 100644 index 0000000000..082562d11e --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml @@ -0,0 +1,27 @@ +documentation_complete: true + +prodtype: rhel8 + +title: 'Ensure zIPL bootmap is up to date' + +description: |- + Make sure that /boot/bootmap is up to date.
+ Every time a boot entry or zIPL configuration is changed /boot/bootmap needs to + be updated to reflect the changes.
+ Run zipl command to generate an updated /boot/bootmap. + +rationale: |- + The file /boot/bootmap contains all boot data, keeping it up to date is crucial to + boot correct kernel and options. + +severity: medium + +ocil_clause: 'the bootmap is outdated' + +ocil: |- + Make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf + and /etc/zipl.conf: +
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
+ No line should be returned, if a line is returned /boot/bootmap is outdated and needs to be regenerated. + +platform: machine diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml index 1c3bfeb246..b0bc0fc374 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml @@ -8,7 +8,6 @@ description: |- To ensure SELinux is not disabled at boot time, check that no boot entry in /boot/loader/entries/*.conf has selinux=0 included in its options.
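Review bot: The rationale in the new zipl_bootmap_is_up_to_date/rule.yml, `keeping it up to date is crucial to boot correct kernel and options`, does not say why this matters for the other zIPL rules: as the description states, zIPL boots from /boot/bootmap, so a stale bootmap means the kernel arguments verified by the zipl_*_argument rules (audit=1, pti=on and so on) are not necessarily what the system actually boots with. Suggest adding a sentence such as `Hardening options present in /boot/loader/entries/*.conf only take effect once zipl has written them into /boot/bootmap.` The description could also name the binary, `/usr/sbin/zipl`, as the remediations do, instead of the bare `zipl command`, and `crucial to boot correct kernel` reads better as `crucial to booting the correct kernel`.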
- And run zipl command so that /boot/bootmap is updated.

rationale: |- Disabling a major host protection feature, such as SELinux, at boot time prevents @@ -25,9 +24,4 @@ ocil: |-
sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that disables SELinux. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf - and /etc/zipl.conf: -
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. - platform: machine diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml index 6dbfd501b7..866664c01b 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml @@ -8,8 +8,6 @@ description: |- To enable poisoning of free pages, check that all boot entries in /boot/loader/entries/*.conf have page_poison=1 included in its options.
- And run zipl command so that /boot/bootmap is updated.
- To ensure that new kernels and boot entries continue to enable page poisoning, add page_poison=1 to /etc/kernel/cmdline. @@ -29,9 +27,4 @@ ocil: |-
sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf - and /etc/zipl.conf: -
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. - platform: machine diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml index 555fdf2b66..2f02d9668c 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml @@ -8,8 +8,6 @@ description: |- To enable Kernel page-table isolation, check that all boot entries in /boot/loader/entries/*.conf have pti=on included in its options.
- And run zipl command so that /boot/bootmap is updated.

- To ensure that new kernels and boot entries continue to enable page-table isolation, add pti=on to /etc/kernel/cmdline. @@ -28,9 +26,4 @@ ocil: |-
sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation . - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf - and /etc/zipl.conf: -
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. - platform: machine diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml index dd7865bf81..0cb10d3cd8 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml @@ -8,8 +8,6 @@ description: |- To enable poisoning of SLUB/SLAB objects, check that all boot entries in /boot/loader/entries/*.conf have slub_debug=P included in its options.
- And run zipl command so that /boot/bootmap is updated.

- To ensure that new kernels and boot entries continue to extend the audit log events queue, add slub_debug=P to /etc/kernel/cmdline. @@ -29,9 +27,4 @@ ocil: |-
sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that does not enable poisoning. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf - and /etc/zipl.conf: -
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. - platform: machine diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml index 18b7ade460..f79adeb083 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml @@ -8,8 +8,6 @@ description: |- To disable use of virtual syscalls, check that all boot entries in /boot/loader/entries/*.conf have vsyscall=none included in its options.
- And run zipl command so that /boot/bootmap is updated.

- To ensure that new kernels and boot entries continue to disable virtual syscalls, add vsyscall=none to /etc/kernel/cmdline. @@ -26,9 +24,4 @@ ocil: |-
sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls. - And make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf - and /etc/zipl.conf: -
find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
- No line should be returned, if a line is returned /boot/bootmap needs to be regenerated. - platform: machine From b9f27383a09afbc6cef61bbbaad0f18f9ebec075 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 2 Jul 2020 15:59:31 +0200 Subject: [PATCH 05/14] zipl_bootmap_is_up_to_date: Add OVAL check --- .../oval/shared.xml | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml new file mode 100644 index 0000000000..6c446cbe59 --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml @@ -0,0 +1,46 @@ + + + + Ensure zIPL bootmap is up to date + {{{- oval_affected(products) }}} + Check if /boot/bootmap is up to date + + + + + + + + + + + + + + /boot/bootmap + + + + + + + + + + + /etc/zipl.conf + + + + + + + + + + ^/boot/loader/entries/.*\.conf$ + + From 97aff87a403f9b319e87967561c43dc99e8a672e Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 2 Jul 2020 16:15:35 +0200 Subject: [PATCH 06/14] zipl_bootmap_is_up_to_date: Add mock tests These tests mock existence of zIPL files. --- .../tests/newer_boot_entry.fail.sh | 10 ++++++++++ .../tests/newer_zipl_conf.fail.sh | 10 ++++++++++ .../tests/up_to_date.pass.sh | 9 +++++++++ 3 files changed, 29 insertions(+) create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh 
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh new file mode 100644 index 0000000000..728c6b7bdb --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# remediation = none + +touch /etc/zipl.conf +touch /boot/loader/entries/*.conf # Update current existing entries +touch /boot/loader/entries/zipl-entry-1.conf +touch /boot/bootmap +sleep 2 +touch /boot/loader/entries/zipl-entry-2.conf diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh new file mode 100644 index 0000000000..1ae4d631ee --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# platform = Red Hat Enterprise Linux 8 +# remediation = none + +touch /boot/loader/entries/*.conf # Update current existing entries +touch /boot/loader/entries/zipl-entry-1.conf +touch /boot/loader/entries/zipl-entry-2.conf +touch /boot/bootmap +sleep 2 +touch /etc/zipl.conf diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh new file mode 100644 index 0000000000..7981ba8c5c --- /dev/null +++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh 
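Review bot: The fixtures in newer_boot_entry.fail.sh, newer_zipl_conf.fail.sh and up_to_date.pass.sh assume /boot/loader/entries already exists; on a test machine without it, `touch /boot/loader/entries/zipl-entry-1.conf` fails and the scenario no longer sets up the mtime ordering it is meant to exercise. Adding `mkdir -p /boot/loader/entries` before the first touch makes each mock self-contained. The line `touch /boot/loader/entries/*.conf` also misbehaves when there are no existing entries: bash passes the unmatched glob through literally and touch creates a file named `*.conf`, which then matches the entry pattern on later runs; `shopt -s nullglob` at the top of each script avoids that.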
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /etc/zipl.conf
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/loader/entries/zipl-entry-2.conf
+touch /boot/bootmap
From 180e57bd23154c1ed8dc2575fbf9660c2f83a803 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Fri, 3 Jul 2020 18:35:06 +0200
Subject: [PATCH 07/14] zipl_bootmap_is_up_to_date: Add remediations
---
 .../ansible/shared.yml | 24 +++++++++++++++++++
 .../zipl_bootmap_is_up_to_date/bash/shared.sh | 3 +++
 2 files changed, 27 insertions(+)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
new file mode 100644
index 0000000000..e545eacc13
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
@@ -0,0 +1,24 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: "Ensure zIPL bootmap is up to date"
+ block:
+ - name: "Obtain stats of /boot/bootmap"
+ stat:
+ path: /boot/bootmap
+ register: boot_bootmap
+
+ - name: "Obtain stats of /etc/zipl.conf"
+ stat:
+ path: /etc/zipl.conf
+ register: zipl_conf
+
+ # TODO: handle /boot/loader/entries/*.conf
+
+ - name: "Update zIPL bootmap"
+ command: /usr/sbin/zipl
+ changed_when: True
+ when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
new file mode 100644
index 0000000000..2cf7e388f0
--- /dev/null
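Review bot: The `when:` on the "Update zIPL bootmap" task only compares /boot/bootmap against /etc/zipl.conf, while the rule's OVAL check also covers `/boot/loader/entries/*.conf` (the `# TODO` line acknowledges this), so an edited BLS entry — the file that carries the hardened kernel arguments — leaves the rule failing after remediation and a stale bootmap in place at boot. `boot_bootmap.stat.mtime` and `zipl_conf.stat.mtime` are also undefined when either file is missing, which makes the conditional error out instead of regenerating the bootmap. `changed_when: True` should be lowercase `true`, matching the booleans used elsewhere in the series. A version that also considers the BLS entries and the missing-file cases follows; the header comments, the block and the two existing stat tasks are unchanged.
```yaml
    # … unchanged: header comments, block header and the two stat tasks …

    - name: "Find zIPL BLS boot entries"
      find:
        paths: /boot/loader/entries
        patterns: "*.conf"
      register: zipl_entries

    - name: "Update zIPL bootmap"
      command: /usr/sbin/zipl
      changed_when: true
      when: >-
        not boot_bootmap.stat.exists
        or (zipl_conf.stat.exists and zipl_conf.stat.mtime > boot_bootmap.stat.mtime)
        or (zipl_entries.files | map(attribute='mtime') | select('>', boot_bootmap.stat.mtime) | list | length > 0)
```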
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = Red Hat Enterprise Linux 8
+
+/usr/bin/zipl
From 93703727b12a34edb26de25410bf23ff72fead2a Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 1 Jul 2020 17:16:41 +0200
Subject: [PATCH 08/14] Select zIPL specific rules in OSPP profile
---
 rhel8/profiles/ospp.profile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 07d32b814d..80e4b71fff 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -415,3 +415,7 @@ selections:
 - ssh_client_rekey_limit
 - var_ssh_client_rekey_limit_size=1G
 - var_ssh_client_rekey_limit_time=1hour
+
+ # zIPl specific rules
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
From 260891e9b2f38d50fadf9eaacd9ee9ca98c977ee Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 8 Jul 2020 14:03:21 +0200
Subject: [PATCH 09/14] Fix path to zipl binary in Bash remediation
---
 .../bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
index 2cf7e388f0..2310ca060d 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -1,3 +1,3 @@
 # platform = Red Hat Enterprise Linux 8
-/usr/bin/zipl
+/usr/sbin/zipl
From 46d2b1584cf769ae8dbaaa2657541bd0db056a9c Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 8 Jul 2020 14:06:22 +0200
Subject: [PATCH 10/14] zipl_bls_entries_only: there can be leading spaces
There can be leading spaces before 'image'.
---
 .../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
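Review bot: The Bash remediation carries only the `# platform` header, whereas the Ansible remediation added in the same commit also declares `# reboot = false`, `# strategy = configure`, `# complexity = low` and `# disruption = low`; if the build tooling reads these from Bash fixes as well (it appears to elsewhere in the tree, but confirm), the two remediations of one rule should describe themselves the same way. A short comment above the command, such as `# Regenerate /boot/bootmap so the current zipl.conf and BLS entries take effect`, would also make the intent of the unconditional call obvious.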
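Review bot: The added comment `# zIPl specific rules` misspells the bootloader name; the rest of the series and the rule titles write it `zIPL`, so the line should read `# zIPL specific rules`.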
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index 41e9773814..f68d91c128 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -20,7 +20,7 @@ ^/etc/zipl.conf$ - ^image\s*=.*$ + ^\s*image\s*=.*$ 1
From 0a89ed181803c15e3b73cfb2e13f0ec1cb7689ad Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 8 Jul 2020 14:10:22 +0200
Subject: [PATCH 11/14] zipl_bls_entries_only: check file /etc/zipl.conf
There is no need to perform pattern match, the check just needs to examine /etc/zipl.conf file.
---
 .../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index f68d91c128..1ebf03ee37 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -19,7 +19,7 @@ - ^/etc/zipl.conf$ + /etc/zipl.conf ^\s*image\s*=.*$ 1
From 699d5f5bd3075e019387e6fb6b3af81182987c43 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 8 Jul 2020 14:13:26 +0200
Subject: [PATCH 12/14] Add CCE identifiers to bootmap and bls only rules
Add RHEL-8 CCE identifiers for:
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
---
 .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 3 +++
 .../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index f792c5257f..67cc061ce3 100644
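Review bot: The relaxed pattern `^\s*image\s*=.*$` correctly tolerates an indented `image =` line, but the human-readable check for the same rule should be kept in step: the OCIL text that was moved out of the argument rules earlier in this series uses `grep -R "^image\s*=" /etc/zipl.conf`, which would still miss an indented entry if it was carried over unchanged into zipl_bls_entries_only/rule.yml. Worth confirming that file and changing the grep to `grep -R "^\s*image\s*=" /etc/zipl.conf` so the manual check and the OVAL check agree. The surrounding XML elements of this hunk are not visible in this rendering, so the enclosing object is assumed to be unchanged.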
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -14,6 +14,9 @@ rationale: |-
 severity: medium
+identifiers:
+ cce@rhel8: 83485-3
+
 ocil_clause: 'a non BLS boot entry is configured'
 ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
index 082562d11e..da9411d00b 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -16,6 +16,9 @@ rationale: |-
 severity: medium
+identifiers:
+ cce@rhel8: 83486-1
+
 ocil_clause: 'the bootmap is outdated'
 ocil: |-
From 2ebc3d188e4c243d8e60a9e669d5b661b77f2301 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 8 Jul 2020 14:16:58 +0200
Subject: [PATCH 13/14] Incorporate OSPP selection changes to profile test
Update the profile reference file.
---
 tests/data/profile_stability/rhel8/ospp.profile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index b0d7672c36..08dcccf24c 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -213,6 +213,8 @@ selections:
 - sysctl_user_max_user_namespaces
 - timer_dnf-automatic_enabled
 - usbguard_allow_hid_and_hub
+- zipl_bls_entries_only
+- zipl_bootmap_is_up_to_date
 - var_sshd_set_keepalive=0
 - var_rekey_limit_size=1G
 - var_rekey_limit_time=1hour
From 33bae25bd543880315433925214868917ec8e399 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Wed, 8 Jul 2020 15:28:09 +0200
Subject: [PATCH 14/14] Unselect zIPL rules from STIG Profile
The zIPL rules are inherited from OSPP profile
---
 rhel8/profiles/stig.profile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 8f12852e26..cfc2160be1 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,3 +45,7 @@ selections:
 - rsyslog_remote_tls
 - rsyslog_remote_tls_cacert
 - "!ssh_client_rekey_limit"
+
+ # Unselect zIPL rules from OSPP
+ - "!zipl_bls_entries_only"
+ - "!zipl_bootmap_is_up_to_date"