From f37e40e3de5ff493c60c61a054026dabf7b79032 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Wed, 1 Jul 2020 16:12:35 +0200
|
|
Subject: [PATCH 01/18] Kickstart zipl_bls_entries_option template
|
|
|
|
Create initial version of zIPL specific BLS entries
|
|
template by copying bls_entries_option template.
|
|
---
|
|
.../template_OVAL_zipl_bls_entries_option | 32 +++++++++++++++++++
|
|
ssg/templates.py | 5 +++
|
|
2 files changed, 37 insertions(+)
|
|
create mode 100644 shared/templates/template_OVAL_zipl_bls_entries_option
|
|
|
|
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
|
|
new file mode 100644
|
|
index 0000000000..a19bd5a89c
|
|
--- /dev/null
|
|
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
|
|
@@ -0,0 +1,32 @@
|
|
+<def-group>
|
|
+ <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
|
|
+ <metadata>
|
|
+ <title>Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
|
|
+ {{{- oval_affected(products) }}}
|
|
+ <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
|
|
+ </metadata>
|
|
+ <criteria operator="AND">
|
|
+ <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
|
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
|
|
+ </criteria>
|
|
+ </definition>
|
|
+
|
|
+ <ind:textfilecontent54_test id="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
|
+ comment="check for kernel option {{{ ARG_NAME_VALUE }}} for all snippets in /boot/loader/entries"
|
|
+ check="all" check_existence="all_exist" version="1">
|
|
+ <ind:object object_ref="object_bls_{{{ SANITIZED_ARG_NAME }}}_options" />
|
|
+ <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
|
|
+ </ind:textfilecontent54_test>
|
|
+
|
|
+ <ind:textfilecontent54_object id="object_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
|
+ version="1">
|
|
+ <ind:filepath operation="pattern match">^/boot/loader/entries/.*\.conf$</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
|
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
+ <ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
|
|
+ version="1">
|
|
+ <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
|
|
+ </ind:textfilecontent54_state>
|
|
+</def-group>
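Review bot: The state's subexpression pattern inserts `{{{ ESCAPED_ARG_NAME_VALUE }}}`, which the templates.py hunk of this patch builds by escaping only `.`; an argument value that contains another regex metacharacter (`+`, `*`, `[`, `$`) would be interpreted as a pattern rather than matched literally. If the template is meant to stay generic, escape the whole value before substitution, e.g. `data["escaped_arg_name_value"] = re.escape(data["arg_name_value"])` on the Python side. Separately, the object matches the literal text of every `options` line, so an entry whose options come in through a `$kernelopts` reference would presumably be reported as failing even when the argument is effective at boot; if that is the intended strictness, a sentence in `<description>` saying the argument must appear literally in each entry would help readers of the report.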
|
|
diff --git a/ssg/templates.py b/ssg/templates.py
|
|
index 2795267abd..fc09416abe 100644
|
|
--- a/ssg/templates.py
|
|
+++ b/ssg/templates.py
|
|
@@ -340,6 +340,22 @@ def bls_entries_option(data, lang):
|
|
return data
|
|
|
|
|
|
+@template(["oval"])
|
|
+def bls_entries_option(data, lang):
|
|
+ data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
|
|
+ if lang == "oval":
|
|
+ # escape dot, this is used in oval regex
|
|
+ data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
|
|
+ # replace . with _, this is used in test / object / state ids
|
|
+ data["sanitized_arg_name"] = data["arg_name"].replace(".", "_")
|
|
+ return data
|
|
+
|
|
+
|
|
+@template(["oval"])
|
|
+def zipl_bls_entries_option(data, lang):
|
|
+ return bls_entries_option(data, lang)
|
|
+
|
|
+
|
|
class Builder(object):
|
|
"""
|
|
Class for building all templated content for a given product.
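Review bot: The hunk introduces a second module-level `bls_entries_option` directly after the existing one (the hunk header shows the original `def bls_entries_option(data, lang)` ending at `return data`), so the new definition silently replaces the first and re-registers the name through `@template(["oval"])`; this looks like a leftover from cloning the template rather than an intended change. Drop the duplicated `@template(["oval"])` / `def bls_entries_option(data, lang):` block and keep only `zipl_bls_entries_option`. A one-line docstring on the new function would also help, e.g. `"""Preprocess vars for the zIPL BLS-entry templates; reuses bls_entries_option's escaping and id sanitizing."""`. `class Builder` continues outside the hunk.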
|
|
|
|
From f54c3c974b6a3ce6d40533a51f867d2e8985b688 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Thu, 9 Jul 2020 14:11:04 +0200
|
|
Subject: [PATCH 02/18] zipl_bls_entries_option: check opts after install
|
|
|
|
Extend zipl_bls_entries_option template to check that the kernel option
|
|
is also configured in /etc/kernel/cmdline.
|
|
The presence of the argument in /etc/kernel/cmdline ensures that newly
|
|
installed kernels will be configured with the option.
|
|
---
|
|
.../template_OVAL_zipl_bls_entries_option | 19 +++++++++++++++++--
|
|
1 file changed, 17 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
|
|
index a19bd5a89c..9af1bcfbee 100644
|
|
--- a/shared/templates/template_OVAL_zipl_bls_entries_option
|
|
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
|
|
@@ -6,8 +6,10 @@
|
|
<description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
|
|
</metadata>
|
|
<criteria operator="AND">
|
|
- <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
|
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
|
|
+ <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
|
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
|
|
+ <criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
|
|
+ comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
|
|
</criteria>
|
|
</definition>
|
|
|
|
@@ -25,6 +27,19 @@
|
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
</ind:textfilecontent54_object>
|
|
|
|
+ <ind:textfilecontent54_test id="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
|
|
+ comment="Check for option {{{ ARG_NAME_VALUE }}} in /etc/kernel/cmdline"
|
|
+ check="all" check_existence="all_exist" version="1">
|
|
+ <ind:object object_ref="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option" />
|
|
+ <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
|
|
+ </ind:textfilecontent54_test>
|
|
+ <ind:textfilecontent54_object id="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
|
|
+ version="1">
|
|
+ <ind:filepath>/etc/kernel/cmdline</ind:filepath>
|
|
+ <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
|
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+
|
|
<ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
|
|
version="1">
|
|
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
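Review bot: `object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option` collects every line of /etc/kernel/cmdline (`^(.*)$` with instance ≥ 1) and the test uses `check="all"`, so a file that holds the option on one line plus any other line — a comment line, say — fails the check even though the option is set. Either restrict the object to the first line with `<ind:instance datatype="int">1</ind:instance>` or state the single-line assumption in the test's `comment`. The definition's `<description>` (context of the first hunk) still only mentions /boot/loader/entries/*.conf; extend it with `and in /etc/kernel/cmdline` so the report explains the second criterion.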
|
|
|
|
From 5b66eff84794b99a4ba7a626c46f1970715b1bcd Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Thu, 9 Jul 2020 14:12:32 +0200
|
|
Subject: [PATCH 03/18] zipl_bls_entries_option: Add Ansible and Bash
|
|
|
|
---
|
|
.../template_ANSIBLE_zipl_bls_entries_option | 48 +++++++++++++++++++
|
|
.../template_BASH_zipl_bls_entries_option | 12 +++++
|
|
ssg/templates.py | 2 +-
|
|
3 files changed, 61 insertions(+), 1 deletion(-)
|
|
create mode 100644 shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
|
create mode 100644 shared/templates/template_BASH_zipl_bls_entries_option
|
|
|
|
diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
|
new file mode 100644
|
|
index 0000000000..c0cb131b82
|
|
--- /dev/null
|
|
+++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
|
@@ -0,0 +1,48 @@
|
|
+# platform = Red Hat Enterprise Linux 8
|
|
+# reboot = true
|
|
+# strategy = configure
|
|
+# complexity = medium
|
|
+# disruption = low
|
|
+
|
|
+- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
|
|
+ block:
|
|
+ - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
|
|
+ find:
|
|
+ paths: "/boot/loader/entries/"
|
|
+ contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
|
|
+ patterns: "*.conf"
|
|
+ register: entries_options
|
|
+
|
|
+ - name: "Update boot entries options"
|
|
+ command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
|
+ when: entries_options is defined and entries_options.examined != entries_options.matched
|
|
+ # The conditional above assumes that only *.conf files are present in /boot/loader/entries
|
|
+ # Then, the number of conf files is the same as examined files
|
|
+
|
|
+ - name: "Check if /etc/kernel/cmdline exists"
|
|
+ stat:
|
|
+ path: /etc/kernel/cmdline
|
|
+ register: cmdline_stat
|
|
+
|
|
+ - name: "Check if /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
|
|
+ find:
|
|
+ paths: "/etc/kernel/"
|
|
+ patterns: "cmdline"
|
|
+ contains: "^.*{{{ ARG_NAME_VALUE }}}.*$"
|
|
+ register: cmdline_find
|
|
+
|
|
+ - name: "Add /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
|
|
+ lineinfile:
|
|
+ create: yes
|
|
+ path: "/etc/kernel/cmdline"
|
|
+ line: '{{{ ARG_NAME_VALUE }}}'
|
|
+ when: cmdline_stat is defined and not cmdline_stat.stat.exists
|
|
+
|
|
+ - name: "Append /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
|
|
+ lineinfile:
|
|
+ path: "/etc/kernel/cmdline"
|
|
+ backrefs: yes
|
|
+ regexp: "^(.*)$"
|
|
+ line: '\1 {{{ ARG_NAME_VALUE }}}'
|
|
+ when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched == 0
|
|
+
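Review bot: The `contains` patterns `^options .*{{{ ARG_NAME_VALUE }}}.*$` and `^.*{{{ ARG_NAME_VALUE }}}.*$` have no token boundary, so a value such as `audit=10` (constructed example) satisfies them, while the OVAL state in this series requires whitespace on both sides of the value; the playbook can therefore consider an entry already compliant that the scan then reports as failing, and skip the `grubby` and `lineinfile` steps. Use the same shape on both sides, e.g. `contains: "^options (.*\\s)?{{{ ARG_NAME_VALUE }}}(\\s.*)?$"` for the entries and `contains: "^(.*\\s)?{{{ ARG_NAME_VALUE }}}(\\s.*)?$"` for the cmdline find. Note also that `ARG_NAME_VALUE` is inserted unescaped here, unlike the OVAL template, so a dot in the value matches any character.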
|
|
diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
|
|
new file mode 100644
|
|
index 0000000000..9fc8865486
|
|
--- /dev/null
|
|
+++ b/shared/templates/template_BASH_zipl_bls_entries_option
|
|
@@ -0,0 +1,12 @@
|
|
+# platform = Red Hat Enterprise Linux 8
|
|
+
|
|
+# Correct BLS option using grubby, which is a thin wrapper around BLS operations
|
|
+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
|
+
|
|
+# Ensure new kernels and boot entries retain the boot option
|
|
+if [ ! -f /etc/kernel/cmdline ]; then
|
|
+ echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
|
|
+elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
|
|
+ echo " audit=1" >> /etc/kernel/cmdline
|
|
+ sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
|
|
+fi
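Review bot: `grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'` runs in basic-regex mode, where `(`, `)` and `?` are literal characters, so the pattern never matches a real cmdline and the `elif` branch appends the option on every run, which makes the remediation non-idempotent; `grep -qE '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline` is what was intended. The same BRE pattern is kept as context in patch 13 of this series and repeated in the `correct_option.pass.sh` and `missing_in_entry.fail.sh` scenarios of patch 12. The value is also inserted into the pattern unescaped, so a dot in it matches any character; if values with metacharacters are expected, escape them the way the OVAL template does.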
|
|
diff --git a/ssg/templates.py b/ssg/templates.py
|
|
index fc09416abe..a27fbb6cb6 100644
|
|
--- a/ssg/templates.py
|
|
+++ b/ssg/templates.py
|
|
@@ -340,7 +340,7 @@ def bls_entries_option(data, lang):
|
|
return data
|
|
|
|
|
|
-@template(["oval"])
|
|
+@template(["ansible", "bash", "oval"])
|
|
def zipl_bls_entries_option(data, lang):
|
|
return bls_entries_option(data, lang)
|
|
|
|
|
|
From fd2d807f60a4a36ad96f5ac37df9b4651fe3480e Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Fri, 3 Jul 2020 15:50:56 +0200
|
|
Subject: [PATCH 04/18] Enable zIPL in argument rules
|
|
|
|
---
|
|
.../system/bootloader-zipl/zipl_audit_argument/rule.yml | 6 ++++++
|
|
.../zipl_audit_backlog_limit_argument/rule.yml | 6 ++++++
|
|
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 6 ++++++
|
|
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 6 ++++++
|
|
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 6 ++++++
|
|
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 6 ++++++
|
|
6 files changed, 36 insertions(+)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
index 624b4e7041..894bf7995f 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
@@ -28,3 +28,9 @@ ocil: |-
|
|
No line should be returned, each line returned is a boot entry that doesn't enable audit.
|
|
|
|
platform: machine
|
|
+
|
|
+template:
|
|
+ name: zipl_bls_entries_option
|
|
+ vars:
|
|
+ arg_name: audit
|
|
+ arg_value: '1'
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
index faf114591a..12334c9905 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
@@ -28,3 +28,9 @@ ocil: |-
|
|
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
|
|
|
|
platform: machine
|
|
+
|
|
+template:
|
|
+ name: zipl_bls_entries_option
|
|
+ vars:
|
|
+ arg_name: audit_backlog_limit
|
|
+ arg_value: '8192'
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
index 866664c01b..f5a36ee1b3 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
@@ -28,3 +28,9 @@ ocil: |-
|
|
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
|
|
|
|
platform: machine
|
|
+
|
|
+template:
|
|
+ name: zipl_bls_entries_option
|
|
+ vars:
|
|
+ arg_name: page_poison
|
|
+ arg_value: '1'
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
index 2f02d9668c..168dae46a1 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
@@ -27,3 +27,9 @@ ocil: |-
|
|
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
|
|
|
|
platform: machine
|
|
+
|
|
+template:
|
|
+ name: zipl_bls_entries_option
|
|
+ vars:
|
|
+ arg_name: pti
|
|
+ arg_value: 'on'
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
index 0cb10d3cd8..84a374e36f 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
@@ -28,3 +28,9 @@ ocil: |-
|
|
No line should be returned, each line returned is a boot entry that does not enable poisoning.
|
|
|
|
platform: machine
|
|
+
|
|
+template:
|
|
+ name: zipl_bls_entries_option
|
|
+ vars:
|
|
+ arg_name: slub_debug
|
|
+ arg_value: 'P'
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
index f79adeb083..c37e8bbefd 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
@@ -25,3 +25,9 @@ ocil: |-
|
|
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
|
|
|
|
platform: machine
|
|
+
|
|
+template:
|
|
+ name: zipl_bls_entries_option
|
|
+ vars:
|
|
+ arg_name: vsyscall
|
|
+ arg_value: 'none'
|
|
|
|
From 08db1a1d4bb3362195c34e266feb9bac31ba4be8 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Sat, 4 Jul 2020 01:15:49 +0200
|
|
Subject: [PATCH 05/18] zipl_audit_backlog_limit_argument: Fix OCIL typo
|
|
|
|
Fix typo
|
|
---
|
|
.../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
index 12334c9905..15729dc6b6 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
@@ -24,7 +24,7 @@ ocil_clause: 'audit backlog limit is not configured'
|
|
ocil: |-
|
|
To check that all boot entries extend the backlog limit;
|
|
Check that all boot entries extend the log events queue:
|
|
- <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
|
|
+ <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf</pre>
|
|
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
|
|
|
|
platform: machine
|
|
|
|
From 779506348675557e204e1d88f214833b313c0f20 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Thu, 9 Jul 2020 12:00:10 +0200
|
|
Subject: [PATCH 06/18] zipl_slub_debug_argument: Fix description
|
|
|
|
Description about how to ensure that new boot entries remain compliant
|
|
was incorrect due to copy-pasta mistake.
|
|
---
|
|
.../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
index 84a374e36f..83e043179d 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
@@ -8,7 +8,7 @@ description: |-
|
|
To enable poisoning of SLUB/SLAB objects,
|
|
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
|
|
included in its options.<br />
|
|
- To ensure that new kernels and boot entries continue to extend the audit log events queue,
|
|
+ To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,
|
|
add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
|
rationale: |-
|
|
|
|
From 6a3f2f6bdc13188e780f0f3e4f829f6fa79351b2 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Thu, 9 Jul 2020 12:06:56 +0200
|
|
Subject: [PATCH 07/18] Add CCEs to zIPL argument rules
|
|
|
|
---
|
|
.../system/bootloader-zipl/zipl_audit_argument/rule.yml | 3 +++
|
|
.../zipl_audit_backlog_limit_argument/rule.yml | 3 +++
|
|
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 3 +++
|
|
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 3 +++
|
|
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 3 +++
|
|
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 3 +++
|
|
7 files changed, 18 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
index 894bf7995f..b1307ef3f2 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
|
|
@@ -20,6 +20,9 @@ rationale: |-
|
|
|
|
severity: medium
|
|
|
|
+identifiers:
|
|
+ cce@rhel8: 83321-0
|
|
+
|
|
ocil_clause: 'auditing is not enabled at boot time'
|
|
|
|
ocil: |-
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
index 15729dc6b6..18391bee6c 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
|
|
@@ -19,6 +19,9 @@ rationale: |-
|
|
|
|
severity: medium
|
|
|
|
+identifiers:
|
|
+ cce@rhel8: 83341-8
|
|
+
|
|
ocil_clause: 'audit backlog limit is not configured'
|
|
|
|
ocil: |-
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
index f5a36ee1b3..7ffea8ce6a 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
@@ -20,6 +20,9 @@ rationale: |-
|
|
|
|
severity: medium
|
|
|
|
+identifiers:
|
|
+ cce@rhel8: 83351-7
|
|
+
|
|
ocil_clause: 'page allocator poisoning is not enabled'
|
|
|
|
ocil: |-
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
index 168dae46a1..6fd1082292 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
@@ -19,6 +19,9 @@ rationale: |-
|
|
|
|
severity: medium
|
|
|
|
+identifiers:
|
|
+ cce@rhel8: 83361-6
|
|
+
|
|
ocil_clause: 'Kernel page-table isolation is not enabled'
|
|
|
|
ocil: |-
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
index 83e043179d..c499140c35 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
@@ -20,6 +20,9 @@ rationale: |-
|
|
|
|
severity: medium
|
|
|
|
+identifiers:
|
|
+ cce@rhel8: 83371-5
|
|
+
|
|
ocil_clause: 'SLUB/SLAB poisoning is not enabled'
|
|
|
|
ocil: |-
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
index c37e8bbefd..7edd43074f 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
@@ -17,6 +17,9 @@ rationale: |-
|
|
|
|
severity: medium
|
|
|
|
+identifiers:
|
|
+ cce@rhel8: 83381-4
|
|
+
|
|
ocil_clause: 'vsyscalls are enabled'
|
|
|
|
ocil: |-
|
|
|
|
From a7c33132a8d5f8cdf9c0d5f38b4910376ff1330b Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Thu, 9 Jul 2020 14:36:28 +0200
|
|
Subject: [PATCH 08/18] Select zipl BLS option rules in OSPP Profile
|
|
|
|
These rules check and ensure configuration of BLS boot options used by
|
|
zIPL.
|
|
---
|
|
rhel8/profiles/ospp.profile | 8 ++++++++
|
|
rhel8/profiles/stig.profile | 6 ++++++
|
|
2 files changed, 14 insertions(+)
|
|
|
|
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
|
index 80e4b71fff..d3732fa805 100644
|
|
--- a/rhel8/profiles/ospp.profile
|
|
+++ b/rhel8/profiles/ospp.profile
|
|
@@ -419,3 +419,11 @@ selections:
|
|
# zIPl specific rules
|
|
- zipl_bls_entries_only
|
|
- zipl_bootmap_is_up_to_date
|
|
+ - zipl_audit_argument
|
|
+ - zipl_audit_backlog_limit_argument
|
|
+ - zipl_slub_debug_argument
|
|
+ - zipl_page_poison_argument
|
|
+ - zipl_vsyscall_argument
|
|
+ - zipl_vsyscall_argument.role=unscored
|
|
+ - zipl_vsyscall_argument.severity=info
|
|
+ - zipl_pti_argument
|
|
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
|
index cfc2160be1..69d5222a32 100644
|
|
--- a/rhel8/profiles/stig.profile
|
|
+++ b/rhel8/profiles/stig.profile
|
|
@@ -49,3 +49,9 @@ selections:
|
|
# Unselect zIPL rules from OSPP
|
|
- "!zipl_bls_entries_only"
|
|
- "!zipl_bootmap_is_up_to_date"
|
|
+ - "!zipl_audit_argument"
|
|
+ - "!zipl_audit_backlog_limit_argument"
|
|
+ - "!zipl_page_poison_argument"
|
|
+ - "!zipl_pti_argument"
|
|
+ - "!zipl_slub_debug_argument"
|
|
+ - "!zipl_vsyscall_argument"
|
|
|
|
From be070d56abed9efc9244b6c989d0a0df1f78b5ff Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Thu, 9 Jul 2020 22:30:25 +0200
|
|
Subject: [PATCH 09/18] Extend Profile resolution to undo rule refinements
|
|
|
|
Just like rule selection, allows rule refinements to be unselected, or "undone".
|
|
---
|
|
build-scripts/compile_profiles.py | 16 +++++++++++++++-
|
|
1 file changed, 15 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/build-scripts/compile_profiles.py b/build-scripts/compile_profiles.py
|
|
index 0967252348..d1ce8984b2 100644
|
|
--- a/build-scripts/compile_profiles.py
|
|
+++ b/build-scripts/compile_profiles.py
|
|
@@ -3,6 +3,7 @@
|
|
import argparse
|
|
import sys
|
|
import os.path
|
|
+from copy import deepcopy
|
|
from glob import glob
|
|
|
|
import ssg.build_yaml
|
|
@@ -36,7 +37,8 @@ def resolve(self, all_profiles):
|
|
updated_variables.update(self.variables)
|
|
self.variables = updated_variables
|
|
|
|
- updated_refinements = dict(extended_profile.refine_rules)
|
|
+ extended_refinements = deepcopy(extended_profile.refine_rules)
|
|
+ updated_refinements = self._subtract_refinements(extended_refinements)
|
|
updated_refinements.update(self.refine_rules)
|
|
self.refine_rules = updated_refinements
|
|
|
|
@@ -50,6 +52,18 @@ def resolve(self, all_profiles):
|
|
|
|
self.resolved = True
|
|
|
|
+ def _subtract_refinements(self, extended_refinements):
|
|
+ """
|
|
+ Given a dict of rule refinements from the extended profile,
|
|
+ "undo" every refinement prefixed with '!' in this profile.
|
|
+ """
|
|
+ for rule, refinements in list(self.refine_rules.items()):
|
|
+ if rule.startswith("!"):
|
|
+ for prop, val in refinements:
|
|
+ extended_refinements[rule[1:]].remove((prop, val))
|
|
+ del self.refine_rules[rule]
|
|
+ return extended_refinements
|
|
+
|
|
|
|
def create_parser():
|
|
parser = argparse.ArgumentParser()
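Review bot: `_subtract_refinements` indexes `extended_refinements[rule[1:]]` and then calls `.remove((prop, val))` without checking either, so a profile that tries to undo a refinement the extended profile never set, or set with a different value, aborts the build with a bare `KeyError`/`ValueError` that names neither the rule nor the refinement; it also leaves an empty list behind once every refinement of a rule has been removed. Guard both cases and raise a message that says what was expected, as below. The loop assumes each value in `refine_rules` is a list of `(prop, val)` pairs — presumably how the loader builds them, but worth confirming against the data structure. The enclosing class starts outside the hunk.
```python
    def _subtract_refinements(self, extended_refinements):
        """
        Given a dict of rule refinements from the extended profile,
        "undo" every refinement prefixed with '!' in this profile.
        Raises ValueError if a refinement to undo is not present.
        """
        for rule, refinements in list(self.refine_rules.items()):
            if not rule.startswith("!"):
                continue
            target = rule[1:]
            present = extended_refinements.get(target, [])
            for prop, val in refinements:
                if (prop, val) not in present:
                    raise ValueError(
                        "Cannot undo refinement %s=%s of rule %s: "
                        "the extended profile does not set it" % (prop, val, target))
                present.remove((prop, val))
            # drop the key once nothing is left, so callers don't see an empty entry
            if target in extended_refinements and not extended_refinements[target]:
                del extended_refinements[target]
            del self.refine_rules[rule]
        return extended_refinements
```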
|
|
|
|
From 2ea270b1796139f42a1d56cbb31351b3f6ad3a6e Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Thu, 9 Jul 2020 22:32:32 +0200
|
|
Subject: [PATCH 10/18] Undo rule refinements done to zIPL rules
|
|
|
|
Remove the zIPL rule refinements from the STIG profile
|
|
---
|
|
rhel8/profiles/stig.profile | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
|
|
index 69d5222a32..53647475aa 100644
|
|
--- a/rhel8/profiles/stig.profile
|
|
+++ b/rhel8/profiles/stig.profile
|
|
@@ -55,3 +55,5 @@ selections:
|
|
- "!zipl_pti_argument"
|
|
- "!zipl_slub_debug_argument"
|
|
- "!zipl_vsyscall_argument"
|
|
+ - "!zipl_vsyscall_argument.role=unscored"
|
|
+ - "!zipl_vsyscall_argument.severity=info"
|
|
|
|
From 90d62ba0cd088eb95aa151fe08a9c3c9fd959a00 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Fri, 10 Jul 2020 09:38:57 +0200
|
|
Subject: [PATCH 11/18] Update stable test for OSPP Profile
|
|
|
|
I just copied the resolved profile to profile_stability directory.
|
|
---
|
|
tests/data/profile_stability/rhel8/ospp.profile | 14 +++++++++++---
|
|
1 file changed, 11 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
|
index 08dcccf24c..5aa3592496 100644
|
|
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
|
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
|
@@ -168,6 +168,7 @@ selections:
|
|
- service_rngd_enabled
|
|
- service_systemd-coredump_disabled
|
|
- service_usbguard_enabled
|
|
+- ssh_client_rekey_limit
|
|
- sshd_disable_empty_passwords
|
|
- sshd_disable_gssapi_auth
|
|
- sshd_disable_kerb_auth
|
|
@@ -213,8 +214,14 @@ selections:
|
|
- sysctl_user_max_user_namespaces
|
|
- timer_dnf-automatic_enabled
|
|
- usbguard_allow_hid_and_hub
|
|
+- zipl_audit_argument
|
|
+- zipl_audit_backlog_limit_argument
|
|
- zipl_bls_entries_only
|
|
- zipl_bootmap_is_up_to_date
|
|
+- zipl_page_poison_argument
|
|
+- zipl_pti_argument
|
|
+- zipl_slub_debug_argument
|
|
+- zipl_vsyscall_argument
|
|
- var_sshd_set_keepalive=0
|
|
- var_rekey_limit_size=1G
|
|
- var_rekey_limit_time=1hour
|
|
@@ -238,11 +245,12 @@ selections:
|
|
- var_accounts_passwords_pam_faillock_deny=3
|
|
- var_accounts_passwords_pam_faillock_fail_interval=900
|
|
- var_accounts_passwords_pam_faillock_unlock_time=never
|
|
+- var_ssh_client_rekey_limit_size=1G
|
|
+- var_ssh_client_rekey_limit_time=1hour
|
|
- grub2_vsyscall_argument.role=unscored
|
|
- grub2_vsyscall_argument.severity=info
|
|
- sysctl_user_max_user_namespaces.role=unscored
|
|
- sysctl_user_max_user_namespaces.severity=info
|
|
-- ssh_client_rekey_limit
|
|
-- var_ssh_client_rekey_limit_size=1G
|
|
-- var_ssh_client_rekey_limit_time=1hour
|
|
+- zipl_vsyscall_argument.role=unscored
|
|
+- zipl_vsyscall_argument.severity=info
|
|
title: Protection Profile for General Purpose Operating Systems
|
|
|
|
From b5d5b0f1d4319663aba9f051fc01f5209234da6f Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Fri, 10 Jul 2020 15:15:25 +0200
|
|
Subject: [PATCH 12/18] zipl_bls_entries_option: Add test scenarios
|
|
|
|
---
|
|
.../tests/correct_option.pass.sh | 16 ++++++++++++++++
|
|
.../tests/missing_in_cmdline.fail.sh | 14 ++++++++++++++
|
|
.../tests/missing_in_entry.fail.sh | 14 ++++++++++++++
|
|
3 files changed, 44 insertions(+)
|
|
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
|
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
new file mode 100644
|
|
index 0000000000..a9bd49dd0b
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
@@ -0,0 +1,16 @@
|
|
+#!/bin/bash
|
|
+# platform = Red Hat Enterprise Linux 8
|
|
+# remediation = none
|
|
+
|
|
+# Make sure boot loader entries contain audit=1
|
|
+for file in /boot/loader/entries/*.conf
|
|
+do
|
|
+ if ! grep -q '^options.*audit=1.*$' "$file" ; then
|
|
+ sed -i '/^options / s/$/audit=1/' "$file"
|
|
+ fi
|
|
+done
|
|
+
|
|
+# Make sure /etc/kernel/cmdline contains audit=1
|
|
+if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
|
+ echo "audit=1" >> /etc/kernel/cmdline
|
|
+fi
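Review bot: `sed -i '/^options / s/$/audit=1/' "$file"` appends the argument with no separating whitespace, so an entry whose options line does not end in a space becomes `... quietaudit=1` (constructed example), which the OVAL state `(?:.*\s)?audit=1` rejects — this pass scenario would then fail for the wrong reason; use `sed -i '/^options / s/$/ audit=1/' "$file"` (the same substitution is in `missing_in_cmdline.fail.sh`, and in `missing_in_entry.fail.sh` for the rescue entry). The `grep -q '^(.*\s)?audit=1(\s.*)?$'` guard is a basic regex in which `(`, `)` and `?` are literal, so it never matches and `audit=1` is appended to /etc/kernel/cmdline on every run; `grep -qE` fixes it here and in `missing_in_entry.fail.sh`.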
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
|
new file mode 100644
|
|
index 0000000000..d4d1d978c8
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
|
@@ -0,0 +1,14 @@
|
|
+#!/bin/bash
|
|
+# platform = Red Hat Enterprise Linux 8
|
|
+# remediation = none
|
|
+
|
|
+# Make sure boot loader entries contain audit=1
|
|
+for file in /boot/loader/entries/*.conf
|
|
+do
|
|
+ if ! grep -q '^options.*audit=1.*$' "$file" ; then
|
|
+ sed -i '/^options / s/$/audit=1/' "$file"
|
|
+ fi
|
|
+done
|
|
+
|
|
+# Make sure /etc/kernel/cmdline doesn't contain audit=1
|
|
+sed -Ei 's/(^.*)audit=1(.*?)$/\1\2/' /etc/kernel/cmdline || true
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
new file mode 100644
|
|
index 0000000000..3e412c0542
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
@@ -0,0 +1,14 @@
|
|
+#!/bin/bash
|
|
+# platform = Red Hat Enterprise Linux 8
|
|
+# remediation = none
|
|
+
|
|
+# Remove audit=1 from all boot entries
|
|
+sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
|
|
+# But make sure one boot loader entry contains audit=1
|
|
+sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
|
|
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
|
|
+
|
|
+# Make sure /etc/kernel/cmdline contains audit=1
|
|
+if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
|
+ echo "audit=1" >> /etc/kernel/cmdline
|
|
+fi
|
|
|
|
From 3b52ab44e043adb289ef0a96798cffaf3e1f35a1 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Fri, 10 Jul 2020 15:34:52 +0200
|
|
Subject: [PATCH 13/18] zipl_bls_entries_option: Remove hardcoded values
|
|
|
|
The template shouldn't have any hardcoded values.
|
|
---
|
|
shared/templates/template_BASH_zipl_bls_entries_option | 3 +--
|
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
|
|
|
diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
|
|
index 9fc8865486..dde8c948f7 100644
|
|
--- a/shared/templates/template_BASH_zipl_bls_entries_option
|
|
+++ b/shared/templates/template_BASH_zipl_bls_entries_option
|
|
@@ -7,6 +7,5 @@ grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
|
if [ ! -f /etc/kernel/cmdline ]; then
|
|
echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
|
|
elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
|
|
- echo " audit=1" >> /etc/kernel/cmdline
|
|
- sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
|
|
+ sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/' /etc/kernel/cmdline
|
|
fi
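Review bot: The `elif` branch's `sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/'` only rewrites lines that already exist, so when /etc/kernel/cmdline is present but empty (0 bytes) nothing is written and the option is silently dropped; the removed `echo` line previously covered that case. Testing for a non-empty file instead of mere existence closes the gap: `if [ ! -s /etc/kernel/cmdline ]; then`. The sed also appends to every line of the file, which is only correct while the file has the single-line form it is expected to have — a comment such as `# /etc/kernel/cmdline is expected to hold a single line of kernel arguments` would make that assumption explicit. The script's earlier lines (the grubby call) are outside this hunk.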
|
|
|
|
From 68bff71c7f60a7c68cf0bd9aa153f8a78ec02b7d Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Fri, 10 Jul 2020 16:08:26 +0200
|
|
Subject: [PATCH 14/18] Improve conditional check for the grubby command
|
|
|
|
Let's not trust that /boot/loader/entries/ only contains *.conf files.
|
|
Count the number of conf files and how many set the proper options.
|
|
---
|
|
.../template_ANSIBLE_zipl_bls_entries_option | 14 +++++++++-----
|
|
1 file changed, 9 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
|
index c0cb131b82..bccad2267c 100644
|
|
--- a/shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
|
+++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
|
|
@@ -6,18 +6,22 @@
|
|
|
|
- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
|
|
block:
|
|
- - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
|
|
+ - name: "Check how many boot entries exist "
|
|
+ find:
|
|
+ paths: "/boot/loader/entries/"
|
|
+ patterns: "*.conf"
|
|
+ register: n_entries
|
|
+
|
|
+ - name: "Check how many boot entries set {{{ ARG_NAME_VALUE }}}"
|
|
find:
|
|
paths: "/boot/loader/entries/"
|
|
contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
|
|
patterns: "*.conf"
|
|
- register: entries_options
|
|
+ register: n_entries_options
|
|
|
|
- name: "Update boot entries options"
|
|
command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
|
- when: entries_options is defined and entries_options.examined != entries_options.matched
|
|
- # The conditional above assumes that only *.conf files are present in /boot/loader/entries
|
|
- # Then, the number of conf files is the same as examined files
|
|
+ when: n_entries is defined and n_entries_options is defined and n_entries.matched != n_entries_options.matched
|
|
|
|
- name: "Check if /etc/kernel/cmdline exists"
|
|
stat:
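Review bot: The `contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"` pattern matches the argument as a bare substring, so an entry carrying a longer value with the same prefix (for `audit=1`, an `audit=10`) is counted as already set and grubby is never run for it. Anchoring on whitespace, as the BASH template does, avoids that: `contains: "^options (.*\\s)?{{{ ARG_NAME_VALUE }}}(\\s.*)?$"` (double backslash because the value is a YAML double-quoted string — confirm against how the rest of the template quotes regexes). The argument value is also inserted into the regex unescaped, so a value with regex metacharacters would change the match; that is probably acceptable for the kernel options this template targets, but deserves a short comment above the `find` task. Minor: the task name `"Check how many boot entries exist "` carries a trailing space.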
|
|
|
|
From 79c60bb40288c17381bf1e4a84e6cfd300bd8446 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Fri, 10 Jul 2020 16:17:27 +0200
|
|
Subject: [PATCH 15/18] zipl_bls_entries_option: Fix sed in test scenario
|
|
|
|
Append "audit=1" separated by a space from the last option.
|
|
---
|
|
.../zipl_audit_argument/tests/correct_option.pass.sh | 2 +-
|
|
.../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 2 +-
|
|
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +-
|
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
index a9bd49dd0b..5fcbcc5667 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
@@ -6,7 +6,7 @@
|
|
for file in /boot/loader/entries/*.conf
|
|
do
|
|
if ! grep -q '^options.*audit=1.*$' "$file" ; then
|
|
- sed -i '/^options / s/$/audit=1/' "$file"
|
|
+ sed -i '/^options / s/$/ audit=1/' "$file"
|
|
fi
|
|
done
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
|
index d4d1d978c8..b75165f904 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
|
@@ -6,7 +6,7 @@
|
|
for file in /boot/loader/entries/*.conf
|
|
do
|
|
if ! grep -q '^options.*audit=1.*$' "$file" ; then
|
|
- sed -i '/^options / s/$/audit=1/' "$file"
|
|
+ sed -i '/^options / s/$/ audit=1/' "$file"
|
|
fi
|
|
done
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
index 3e412c0542..e3d342d533 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
@@ -5,7 +5,7 @@
|
|
# Remove audit=1 from all boot entries
|
|
sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
|
|
# But make sure one boot loader entry contains audit=1
|
|
-sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
|
|
+sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
|
|
sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
|
|
|
|
# Make sure /etc/kernel/cmdline contains audit=1
|
|
|
|
From d513177d2cea39db364a0ff39a599ded36a25395 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Fri, 10 Jul 2020 16:29:06 +0200
|
|
Subject: [PATCH 16/18] Extend scenarios platform and allow remediation
|
|
|
|
These test scenarios can be run on any OS that supports BLS and provides
|
|
grubby.
|
|
But it will evaluate to not applicable if the OS doesn't use zIPL (i.e.:
|
|
has s390utils-base installed).
|
|
---
|
|
.../zipl_audit_argument/tests/correct_option.pass.sh | 3 +--
|
|
.../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 3 +--
|
|
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 3 +--
|
|
3 files changed, 3 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
index 5fcbcc5667..73ed0eae0f 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
@@ -1,6 +1,5 @@
|
|
#!/bin/bash
|
|
-# platform = Red Hat Enterprise Linux 8
|
|
-# remediation = none
|
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
|
# Make sure boot loader entries contain audit=1
|
|
for file in /boot/loader/entries/*.conf
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
|
index b75165f904..3af83d30d8 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
|
|
@@ -1,6 +1,5 @@
|
|
#!/bin/bash
|
|
-# platform = Red Hat Enterprise Linux 8
|
|
-# remediation = none
|
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
|
# Make sure boot loader entries contain audit=1
|
|
for file in /boot/loader/entries/*.conf
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
index e3d342d533..142f75ba60 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
@@ -1,6 +1,5 @@
|
|
#!/bin/bash
|
|
-# platform = Red Hat Enterprise Linux 8
|
|
-# remediation = none
|
|
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
|
|
|
|
# Remove audit=1 from all boot entries
|
|
sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
|
|
|
|
From 2e841722d30551c86f14558ff39bdaa5dda55711 Mon Sep 17 00:00:00 2001
|
|
From: Watson Yuuma Sato <wsato@redhat.com>
|
|
Date: Fri, 10 Jul 2020 16:35:55 +0200
|
|
Subject: [PATCH 17/18] Update comment in OVAL zipl_bls_entries_option
|
|
|
|
Co-authored-by: vojtapolasek <krecoun@gmail.com>
|
|
---
|
|
shared/templates/template_OVAL_zipl_bls_entries_option | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
|
|
index 9af1bcfbee..502d5e7d9a 100644
|
|
--- a/shared/templates/template_OVAL_zipl_bls_entries_option
|
|
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
|
|
@@ -7,7 +7,7 @@
|
|
</metadata>
|
|
<criteria operator="AND">
|
|
<criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
|
|
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
|
|
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*.conf" />
|
|
<criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
|
|
comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
|
|
</criteria>
|
|
|
|
From 9bd0afbde47ef368444ba1785da593980e6e00aa Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Fri, 10 Jul 2020 17:15:46 +0200
|
|
Subject: [PATCH 18/18] zipl_bls_entries_option: Supress grep error messages
|
|
|
|
/etc/kernel/cmdline is not always present. Let's suppress any error
|
|
message about absent file in the test scenarios.
|
|
---
|
|
.../zipl_audit_argument/tests/correct_option.pass.sh | 2 +-
|
|
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +-
|
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
index 73ed0eae0f..7a828837fe 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
|
|
@@ -10,6 +10,6 @@ do
|
|
done
|
|
|
|
# Make sure /etc/kernel/cmdline contains audit=1
|
|
-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
|
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
|
echo "audit=1" >> /etc/kernel/cmdline
|
|
fi
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
index 142f75ba60..5650cc0a74 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
|
|
@@ -8,6 +8,6 @@ sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
|
|
sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
|
|
|
|
# Make sure /etc/kernel/cmdline contains audit=1
|
|
-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
|
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
|
|
echo "audit=1" >> /etc/kernel/cmdline
|
|
fi
|