commit 2e1eeff365be8fde302620fae6691ccc523f6f9e
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Thu Feb 24 18:19:45 2022 +0100
Manually edited patch scap-security-guide-0.1.60-rhel9_stig_grub-PR_7931.patch.
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
index c95f1d4..9035eee 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/oval/shared.xml
@@ -29,11 +29,34 @@
<ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
-<ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_off"
- comment="check forkernel command line parameters random.trust_cpu=off in {{{ grub2_boot_path }}}/grubenv for all kernels"
- check="all" check_existence="all_exist" version="1">
- <ind:object object_ref="object_trust_cpu_rng_boot_param" />
- <ind:state state_ref="state_trust_cpu_rng_boot_param_off" />
+ {{% if product in ['rhel9'] %}}
+ <ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_off"
+ comment="check kernel command line parameters for the argument for all boot entries."
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="obj_grub2_kernel_trust_cpu_rng_entries"/>
+ <ind:state state_ref="state_trust_cpu_rng_boot_param_off"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_on"
+ comment="check kernel command line parameters for the argument for all boot entries."
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="obj_grub2_kernel_trust_cpu_rng_entries"/>
+ <ind:state state_ref="state_trust_cpu_rng_boot_param_on"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_grub2_kernel_trust_cpu_rng_entries" version="1">
+ <ind:path>/boot/loader/entries/</ind:path>
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ {{% else %}}
+
+ <ind:textfilecontent54_test id="test_trust_cpu_rng_boot_param_off"
+ comment="check for kernel command line parameters random.trust_cpu=off in {{{ grub2_boot_path }}}/grubenv for all kernels"
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_trust_cpu_rng_boot_param"/>
+ <ind:state state_ref="state_trust_cpu_rng_boot_param_off"/>
</ind:textfilecontent54_test>
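Review bot: The new `obj_grub2_kernel_trust_cpu_rng_entries` object in the `{{% if product in ['rhel9'] %}}` branch pins `<ind:instance datatype="int">1</ind:instance>`, while the equivalent `obj_grub2_{{{ SANITIZED_ARG_NAME }}}_entries` object this commit adds to shared/templates/grub2_bootloader_argument/oval.template uses `<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>`; the two copies should agree, and the template form is the more tolerant one. The `comment` attributes of both new tests read `check kernel command line parameters for the argument for all boot entries.` and no longer name the argument; `check for random.trust_cpu=off in /boot/loader/entries/*.conf for all boot entries` (and `=on` for the second test) keeps the scan report readable. The `{{% if %}}` opened here is closed by the `{{% endif %}}` in the next hunk, after the grubenv object, so the pre-existing `state_trust_cpu_rng_boot_param_*` definitions stay shared by both branches.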
@@ -50,6 +73,7 @@
<ind:pattern operation="pattern match">^kernelopts=(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+ {{% endif %}}
<ind:textfilecontent54_state id="state_trust_cpu_rng_boot_param_on"
version="1">
@@ -61,5 +85,4 @@
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?random\.trust_cpu=off(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
-
</def-group>
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
index dae640f..b8ff66c 100644
--- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhel9,rhv4,sle15
title: 'Ensure IPv6 is disabled through kernel boot parameter'
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh
new file mode 100644
index 0000000..fc649d7
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel9.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Removes ipv6.disable argument from kernel command line in //boot/loader/entries/*.conf
+
+for file in /boot/loader/entries/*.conf ; do
+ if grep -q '^.*ipv6\.disable=.*' "$file" ; then
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file"
+ fi
+done
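Review bot: The header comment has a doubled slash in the path, `//boot/loader/entries/*.conf`; it should read `# Removes ipv6.disable argument from kernel command line in /boot/loader/entries/*.conf`. This scenario is the per-rule twin of the generic wrong_value_entries.fail.sh that the same commit adds to the grub2_bootloader_argument template, so if this rule is rendered from that template the `{{{ ARG_NAME }}}` form would avoid maintaining two copies; the rule.yml hunk in this diff does not show a `template:` key, so I cannot confirm that from here.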
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh
new file mode 100644
index 0000000..3c1cde1
--- /dev/null
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel9.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Break the ipv6.disable argument in kernel command line in /boot/loader/entries/*.conf
+
+for file in /boot/loader/entries/*.conf ; do
+ if grep -q '^.*ipv6\.disable=.*' "$file" ; then
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file"
+ else
+ # no ipv6.disable=arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts|options\).*\)/\1 ipv6\.disable=0/' "$file"
+ fi
+done
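Review bot: The fallback `sed` in the `else` branch never reaches the `options` line: in a GNU basic regex `\|` is alternation but the bare `|` inside `\(vmlinuz\|kernelopts|options\)` is a literal character, so the group matches only `vmlinuz` or the literal text `kernelopts|options`. In a BLS entry the `vmlinuz` match is the `linux` line naming the kernel image, so `ipv6.disable=0` is appended to the image path rather than to the `options` line that the OVAL object's `^options (.*)$` pattern reads, and the scan then fails because the argument is absent rather than because its value is wrong. Since these files are BLS entries, match the options line directly: `sed -i 's/\(^options .*\)/\1 ipv6.disable=0/' "$file"`. The append `sed` in the new template scenario wrong_value_entries.fail.sh has the same shape (its group lacks `options` altogether) and wants the same fix.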
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
index b5f55ae..3eebbd9 100644
--- a/shared/macros-bash.jinja
+++ b/shared/macros-bash.jinja
@@ -684,3 +684,43 @@ dpkg-query --show --showformat='${db:Status-Status}\n' "{{{ pkgname }}}" 2>/dev/
rpm --quiet -q "{{{ pkgname }}}"
{{%- endif -%}}
{{%- endmacro -%}}
+
+{{#
+
+ Remediation for grub2 bootloader arguments
+#}}
+{{% macro grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) %}}
+{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
+{{% if '/' in ARG_NAME %}}
+{{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) }}}
+{{% elif '/' in ARG_NAME_VALUE %}}
+{{{ raise("ARG_NAME_VALUE (" + ARG_NAME_VALUE + ") uses sed path separator (/) in " + rule_id) }}}
+{{% endif %}}
+# Correct the form of default kernel command line in GRUB
+if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/' '/etc/default/grub'
+else
+ # no {{{ ARG_NAME }}}=arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub'
+fi
+
+{{% if 'ubuntu' in product %}}
+update-grub
+{{% else %}}
+# Correct the form of kernel command line for each installed kernel in the bootloader
+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+{{% endif %}}
+{{% else %}}
+# Correct grub2 kernelopts value using grub2-editenv
+existing_kernelopts="$(grub2-editenv - list | grep kernelopts)"
+if ! printf '%s' "$existing_kernelopts" | grep -qE '^kernelopts=(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'; then
+ if test -n "$existing_kernelopts"; then
+ grub2-editenv - set "$existing_kernelopts {{{ ARG_NAME_VALUE }}}"
+ else
+ grub2-editenv - set "kernelopts={{{ ARG_NAME_VALUE }}}"
+ fi
+fi
+{{% endif %}}
+
+{{% endmacro %}}
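Review bot: The macro body duplicates shared/templates/grub2_bootloader_argument/bash.template almost line for line (the two `raise(...)` guards, the `/etc/default/grub` grep/sed pair, the grubby/update-grub split and the grub2-editenv fallback), and both copies are edited in this commit; the template could now render `{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}` exactly as the new correct_value.pass.sh does, so the two cannot drift apart. The guards reject a `/` in either argument, but `ARG_NAME` is then interpolated unescaped into the `grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"'` regex and the following `sed` address, so a dot in a name such as `random.trust_cpu` matches any character; the `escaped_arg_name` this commit adds in template.py is computed only for the OVAL language, so the bash side stays unescaped. The leading `{{# ... #}}` block should also state the contract: the two parameters, and that rhel7/ol7/rhel9/ubuntu edit `/etc/default/grub` and then call grubby or update-grub, while every other product edits `kernelopts` through grub2-editenv.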
diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template
index cecd1f9..fd75db4 100644
--- a/shared/templates/grub2_bootloader_argument/bash.template
+++ b/shared/templates/grub2_bootloader_argument/bash.template
@@ -1,6 +1,6 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
+{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
{{% if '/' in ARG_NAME %}}
{{{ raise("ARG_NAME (" + ARG_NAME + ") uses sed path separator (/) in " + rule_id) }}}
{{% elif '/' in ARG_NAME_VALUE %}}
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
index e8da1fe..3ea8acb 100644
--- a/shared/templates/grub2_bootloader_argument/oval.template
+++ b/shared/templates/grub2_bootloader_argument/oval.template
@@ -2,9 +2,14 @@
<definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
{{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}}
<criteria operator="AND">
- {{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
- <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_boot_path }}}/grub.cfg for all kernels" />
+ {{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
+ {{% if product in ['rhel9'] %}}
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_entries"
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the /boot/loader/entries/*.conf" />
+ {{% else %}}
+ <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the {{{ grub2_boot_path }}}/grub.cfg for all kernels" />
+ {{% endif %}}
<criteria operator="OR">
<criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX" />
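Review bot: The nested product check is written `{{% if product in ['rhel9'] %}}` here but `{{% if product in ["rhel9"] %}}` ahead of the `_entries` test later in this file, while the enclosing checks use `["rhel7", "ol7", "rhel9"]`; settle on one quoting form, for example `{{% if product in ["rhel9"] %}}` in both places. A one-line comment at the nested check would save the next reader a question: rhel9 stays inside the rhel7/ol7 branch on purpose, because the `AND` criteria still requires the `/etc/default/grub` test from the `OR` block below, so on rhel9 both the BLS entries and the default file are verified, matching the remediation macro that edits `/etc/default/grub` and then calls grubby. The `{{% if %}}`/`{{% else %}}` that emits the `_entries` test paired with this criterion is opened in a later hunk and closed in the one after it.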
@@ -22,7 +27,7 @@
</criteria>
</definition>
-{{% if product in ["rhel7", "ol7"] or 'ubuntu' in product %}}
+{{% if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product %}}
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument"
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX"
check="all" check_existence="all_exist" version="1">
@@ -50,6 +55,21 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+ {{% if product in ["rhel9"] %}}
+ <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_entries"
+ comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} for all boot entries."
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="obj_grub2_{{{ SANITIZED_ARG_NAME }}}_entries" />
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_grub2_{{{ SANITIZED_ARG_NAME }}}_entries" version="1">
+ <ind:path>/boot/loader/entries/</ind:path>
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+ {{% else %}}
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} in {{{ grub2_boot_path }}}/grub.cfg for all kernels"
check="all" check_existence="all_exist" version="1">
@@ -68,6 +88,8 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+ {{% endif %}}
+
{{% else %}}
<ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env"
diff --git a/shared/templates/grub2_bootloader_argument/template.py b/shared/templates/grub2_bootloader_argument/template.py
index 7c32daa..60951cf 100644
--- a/shared/templates/grub2_bootloader_argument/template.py
+++ b/shared/templates/grub2_bootloader_argument/template.py
@@ -6,6 +6,7 @@ def preprocess(data, lang):
if lang == "oval":
# escape dot, this is used in oval regex
data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
+ data["escaped_arg_name"] = data["arg_name"].replace(".", "\\.")
# replace . with _, this is used in test / object / state ids
data["sanitized_arg_name"] = ssg.utils.escape_id(data["arg_name"])
return data
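Review bot: `escaped_arg_name` is assigned only inside `if lang == "oval":`, yet the new bash test scenario wrong_value_entries.fail.sh added in this commit references `{{{ ESCAPED_ARG_NAME }}}` in its `grep` pattern; unless test scenarios are rendered through the oval preprocessing, that name is undefined there. Either hoist the assignment out of the `lang` check (next to `sanitized_arg_name`, if that one is computed for every language; the rendered diff does not show the indentation) or have the test use `{{{ ARG_NAME }}}` as its neighbouring `sed` line already does. The escaping covers only the dot; if argument names with other regex metacharacters are ever expected, `re.escape` would handle them, but that needs an `import re` not visible in this hunk and is cosmetic for the current grub argument names. `preprocess` starts before this hunk.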
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh
new file mode 100644
index 0000000..fdf2a5d
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_there.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# platform = Red Hat Enterprise Linux 8
+
+# Removes audit argument from kernel command line in /boot/grub2/grubenv
+file="/boot/grub2/grubenv"
+if grep -q '^.*{{{ARG_NAME}}}=.*' "$file" ; then
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 \2/' "$file"
+fi
+
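Review bot: The description comment says `# Removes audit argument from kernel command line in /boot/grub2/grubenv` although the scenario is templated on `{{{ARG_NAME}}}` and serves every rule built from grub2_bootloader_argument; it should read `# Removes {{{ ARG_NAME }}} argument from kernel command line in /boot/grub2/grubenv`, and the same copied `audit` wording sits in the two inline comments of the new wrong_value_entries.fail.sh. `{{{ARG_NAME}}}` is interpolated unescaped into both the `grep -q` and the `sed` regexes, so a dotted name such as `random.trust_cpu` matches any character in that position; harmless for a fail scenario, but the commit introduces an escaped form for OVAL and could reuse it here once it is available to bash renders. The file also ends with a stray empty line.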
diff --git a/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
new file mode 100644
index 0000000..a56e6d0
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 9
+
+# Removes argument from kernel command line in /etc/default/grub
+if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ARG_NAME}}}=.*"' '/etc/default/grub' ; then
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ARG_NAME}}}=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
+fi
+
diff --git a/shared/templates/grub2_bootloader_argument/tests/correct_value.pass.sh b/shared/templates/grub2_bootloader_argument/tests/correct_value.pass.sh
new file mode 100644
index 0000000..b6454a9
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/correct_value.pass.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}}
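Review bot: `# platform = multi_platform_all` is wider than the `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu` line of the bash.template this scenario mirrors, and the rule.yml hunk in this commit lists `sle15` in `prodtype`, so on such a product the pass scenario would run the macro's grub2-editenv branch for a platform the remediation itself is not offered on. Align the platform line with the template's, e.g. `# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu`. The other new scenarios start with `#!/bin/bash`; this one should too for consistency.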
diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh
new file mode 100644
index 0000000..5a97ec2
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+# Break the argument in kernel command line in /boot/grub2/grubenv
+file="/boot/grub2/grubenv"
+if grep -q '^.*{{{ARG_NAME}}}=.*' "$file" ; then
+ # modify the GRUB command-line if the arg already exists
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 {{{ARG_NAME}}}=wrong \2/' "$file"
+else
+ # no arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 {{{ARG_NAME}}}=wrong/' "$file"
+fi
diff --git a/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
new file mode 100644
index 0000000..09861aa
--- /dev/null
+++ b/shared/templates/grub2_bootloader_argument/tests/wrong_value_entries.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+
+# Removes argument from kernel command line in /boot/loader/entries/*.conf
+
+for file in /boot/loader/entries/*.conf ; do
+ if grep -q '^.*{{{ ESCAPED_ARG_NAME }}}=.*' "$file" ; then
+ # modify the GRUB command-line if an audit= arg already exists
+ sed -i 's/\(^.*\){{{ARG_NAME}}}=[^[:space:]]*\(.*\)/\1 {{{ARG_NAME}}}=wrong \2/' "$file"
+ else
+ # no audit=arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 {{{ARG_NAME}}}=wrong/' "$file"
+ fi
+done
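Review bot: The `grep -q` test uses `{{{ ESCAPED_ARG_NAME }}}` while the `sed` two lines below uses `{{{ARG_NAME}}}`, so the match and the rewrite are driven by different names; use one form in both places (`{{{ ARG_NAME }}}` is what every sibling scenario uses, and the escaped variant is only defined for the OVAL language in this commit's template.py). The header says `# Removes argument from kernel command line in /boot/loader/entries/*.conf` but the scenario sets a wrong value, and the two inline comments still say `audit=` from the rule they were copied from; `# Break the {{{ ARG_NAME }}} argument in kernel command line in /boot/loader/entries/*.conf` and `{{{ ARG_NAME }}}=` in the inline comments describe it. The append `sed` in the `else` branch has the same problem as the one in wrong_value_rhel9.fail.sh earlier in this diff: its group `\(vmlinuz\|kernelopts\)` does not name the `options` line that the new OVAL object reads.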