885 lines
43 KiB
Diff
From 8cbec60a51b54df386bad72cdd82b83fbf9482fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 25 Jun 2020 18:29:31 +0200
Subject: [PATCH 01/14] Add rule to check for zIPL conformance to BLS

Instead of having each zIPL argument rule check for BLS compliance,
let's split into its own rule.
---
.../zipl_audit_argument/rule.yml | 6 -----
.../rule.yml | 6 -----
.../zipl_bls_entries_only/rule.yml | 24 +++++++++++++++++++
.../zipl_enable_selinux/rule.yml | 6 -----
.../zipl_page_poison_argument/rule.yml | 6 -----
.../zipl_pti_argument/rule.yml | 6 -----
.../zipl_slub_debug_argument/rule.yml | 6 -----
.../zipl_vsyscall_argument/rule.yml | 6 -----
8 files changed, 24 insertions(+), 42 deletions(-)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 2d31ef8ee7..1211a53295 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />

To ensure that new kernels and boot entries continue to enable audit,
@@ -30,10 +28,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable audit.

- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
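Review bot: with the zipl.conf image check removed from this OCIL block, the surviving sentence "And make sure that <tt>/boot/bootmap</tt> is newer than ..." no longer has anything to follow on from; drop the leading "And" so the remaining text stands on its own. Keeping <tt>/etc/zipl.conf</tt> in the <tt>find</tt> command is still correct, since the bootmap must be newer than it regardless of whether the entries are BLS or not.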
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 40db232257..7d88e38686 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />

To ensure that new kernels and boot entries continue to extend the audit log events queue,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.

- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
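Review bot: the unchanged context line `<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>` greps for `audit_backlog_limit=0`, while the description in the first hunk of this file requires `audit_backlog_limit=8192`; since `grep -L` lists the files that do not match, an entry that correctly sets 8192 would be reported as failing. Not introduced by this change, but since the series is already rewriting this OCIL block, the pattern should be corrected to `\baudit_backlog_limit=8192\b` here.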
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
new file mode 100644
index 0000000000..b6ccbb5343
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure all zIPL boot entries are BLS compliant'
+
+description: |-
+ Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS)
+ by checking that <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt>.
+
+rationale: |-
+ {{{ full_name }}} adheres to Boot Loader Specification (BLS) and is the prefered method of
+ configuration.
+
+severity: medium
+
+ocil_clause: 'a non BLS boot entry is configured'
+
+ocil: |-
+ Check that no boot image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
+
+platform: machine
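Review bot: the `rationale:` of this new rule only says BLS is the preferred configuration method, whereas the text being removed from the argument rules carried the actual security reason ("zipl may load a different kernel than intended"); carry that sentence into the rationale so the rule states the risk of a stray `image =` entry rather than a style preference. Smaller points in the same file: "fully adheres" should be "fully adhere" (plural subject), "prefered" should be "preferred", and `grep -R` does nothing useful on a single file path, so `grep "^image\s*=" /etc/zipl.conf` in the OCIL reads cleaner.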
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 8d28d5495f..1c3bfeb246 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -8,8 +8,6 @@ description: |-
To ensure SELinux is not disabled at boot time,
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />

rationale: |-
@@ -27,10 +25,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that disables SELinux.

- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 0a8e9a41e2..6dbfd501b7 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of free pages,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />

To ensure that new kernels and boot entries continue to enable page poisoning,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.

- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 20c1448cc8..555fdf2b66 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable Kernel page-table isolation,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />

To ensure that new kernels and boot entries continue to enable page-table isolation,
@@ -30,10 +28,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .

- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
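Review bot: the unchanged context line "doesn't enable page-table isolation ." has a stray space before the period; as this hunk already edits the OCIL block of zipl_pti_argument, folding that one-character cleanup in here avoids a separate follow-up commit.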
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 54ac688ea0..dd7865bf81 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />

To ensure that new kernels and boot entries continue to extend the audit log events queue,
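Review bot: the trailing context line "To ensure that new kernels and boot entries continue to extend the audit log events queue," is a copy-paste leftover from the audit_backlog_limit rule; in zipl_slub_debug_argument it should read "continue to enable SLUB/SLAB poisoning," to match the `slub_debug=P` option the rule checks. It is pre-existing, but this hunk touches the same description block, so it is the natural place to fix it.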
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not enable poisoning.

- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index c5979a2016..18b7ade460 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To disable use of virtual syscalls,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />

To ensure that new kernels and boot entries continue to disable virtual syscalls,
@@ -28,10 +26,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.

- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>

From 5e3b19077d781d0441595019429c653efafede8e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 09:52:39 +0200
Subject: [PATCH 02/14] zipl_bls_entries_only: Add OVAL and tests

---
.../zipl_bls_entries_only/oval/shared.xml | 27 +++++++++++++++++++
.../tests/image_configured.fail.sh | 6 +++++
.../tests/no_image.pass.sh | 7 +++++
3 files changed, 40 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
new file mode 100644
index 0000000000..41e9773814
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -0,0 +1,27 @@
+<def-group>
+ <definition class="compliance" id="zipl_bls_entries_only" version="1">
+ <metadata>
+ <title>Ensure zIPL entries are BLS compliant</title>
+ {{{- oval_affected(products) }}}
+ <description>Check if /etc/zipl.conf configures any boot entry</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_zipl_bls_entries_only"
+ comment="Test presence of image configuration in /etc/zipl.conf" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test id="test_zipl_bls_entries_only"
+ comment="Test presence of image configuration in /etc/zipl.conf"
+ check="all" check_existence="none_exist" version="1">
+ <ind:object object_ref="object_zipl_bls_entries_only" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_zipl_bls_entries_only"
+ version="1">
+ <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
+ <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
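Review bot: `<ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>` uses a regex for a fixed path and leaves the `.` unescaped; the default `equals` operation (`<ind:filepath>/etc/zipl.conf</ind:filepath>`) is exact and avoids the regex altogether. The `check_existence="none_exist"` test with `^image\s*=.*$` does match the OCIL in rule.yml, which is good; the `<description>` could say "Check if /etc/zipl.conf configures a boot image" so it agrees with the criterion comment.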
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
new file mode 100644
index 0000000000..e3adb99638
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure no image configured in zipl config file
+echo 'image = /boot/image' >> /etc/zipl.conf
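Review bot: the comment `# Make sure no image configured in zipl config file` says the opposite of what the script does, which is to append `image = /boot/image` so that the rule fails; reword it to something like `# Configure a non-BLS image entry so the rule fails`. Note that `>>` creates /etc/zipl.conf if it is absent, so the scenario also works on a test host that has no zipl.conf yet; a short comment saying that is intended would help the next reader.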
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
new file mode 100644
index 0000000000..47626442f6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure no image configured in zipl config file
+sed -Ei '/^image\s*=/d' /etc/zipl.conf
+true
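Review bot: `sed -Ei '/^image\s*=/d' /etc/zipl.conf` exits non-zero when /etc/zipl.conf does not exist, and the trailing `true` only hides that exit status; if the intent is to tolerate a missing file, make it explicit with `[ -f /etc/zipl.conf ] && sed -Ei '/^image\s*=/d' /etc/zipl.conf` or create the file with `touch` first, and drop the bare `true`. Either way, a comment explaining why the scenario must succeed on a host without zipl.conf would make the test self-describing.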

From 05e5b05b41080b7fbfaf42469cbb366eeffe35ec Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 11:09:08 +0200
Subject: [PATCH 03/14] zipl_bls_entries_only: Add no-remediation warning

Automated remediation to remove non-BLS boot entries from /etc/zipl.conf
is tricky and can lead to broken entries or removal of all of them.
---
.../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index b6ccbb5343..f792c5257f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -22,3 +22,8 @@ ocil: |-
No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.

platform: machine
+
+warnings:
+ - general: |-
+ To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf
+ automated remediation for this rule is not available.
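Review bot: typo in the added warning text, "oconfigured" should be "configured"; a comma after "/etc/zipl.conf" would also separate the reason from the statement "automated remediation for this rule is not available", which otherwise reads as one run-on clause.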

From 53d811ed09cd63d4472a2133f3d9dc465dbd2962 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 25 Jun 2020 18:51:04 +0200
Subject: [PATCH 04/14] Add rule to check hotness of zIPL bootmap

Instead of having each zIPL argument rule check if zIPL bootmap is up to
date, let's split it into its own rule.
---
.../zipl_audit_argument/rule.yml | 6 -----
.../rule.yml | 7 -----
.../zipl_bootmap_is_up_to_date/rule.yml | 27 +++++++++++++++++++
.../zipl_enable_selinux/rule.yml | 6 -----
.../zipl_page_poison_argument/rule.yml | 7 -----
.../zipl_pti_argument/rule.yml | 7 -----
.../zipl_slub_debug_argument/rule.yml | 7 -----
.../zipl_vsyscall_argument/rule.yml | 7 -----
8 files changed, 27 insertions(+), 47 deletions(-)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 1211a53295..624b4e7041 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -8,7 +8,6 @@ description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />

To ensure that new kernels and boot entries continue to enable audit,
add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -28,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable audit.

- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 7d88e38686..faf114591a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to extend the audit log events queue,
add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.

@@ -29,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.

- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
new file mode 100644
index 0000000000..082562d11e
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure zIPL bootmap is up to date'
+
+description: |-
+ Make sure that <tt>/boot/bootmap</tt> is up to date.<br />
+ Every time a boot entry or zIPL configuration is changed <tt>/boot/bootmap</tt> needs to
+ be updated to reflect the changes.<br />
+ Run <tt>zipl</tt> command to generate an updated <tt>/boot/bootmap</tt>.
+
+rationale: |-
+ The file <tt>/boot/bootmap</tt> contains all boot data, keeping it up to date is crucial to
+ boot correct kernel and options.
+
+severity: medium
+
+ocil_clause: 'the bootmap is outdated'
+
+ocil: |-
+ Make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> is outdated and needs to be regenerated.
+
+platform: machine
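Review bot: unlike zipl_bls_entries_only, this rule has a single, safe fix that the description itself spells out ("Run <tt>zipl</tt> command to generate an updated <tt>/boot/bootmap</tt>"), so a bash remediation that invokes `zipl` would fit the rest of the series; if that is deliberately deferred, a `warnings:` entry saying so would stop the rule from looking incomplete next to the one in PATCH 03. In the rationale, "contains all boot data, keeping it up to date is crucial" is a comma splice; "contains all boot data, so keeping it up to date is crucial" reads correctly.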
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
|
index 1c3bfeb246..b0bc0fc374 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
|
|
@@ -8,7 +8,6 @@ description: |-
|
|
To ensure SELinux is not disabled at boot time,
|
|
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
|
|
included in its options.<br />
|
|
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
|
|
|
|
rationale: |-
|
|
Disabling a major host protection feature, such as SELinux, at boot time prevents
|
|
@@ -25,9 +24,4 @@ ocil: |-
|
|
<pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
|
|
No line should be returned, each line returned is a boot entry that disables SELinux.
|
|
|
|
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
- and <tt>/etc/zipl.conf</tt>:
|
|
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
|
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
-
|
|
platform: machine
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
index 6dbfd501b7..866664c01b 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
|
|
@@ -8,8 +8,6 @@ description: |-
|
|
To enable poisoning of free pages,
|
|
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
|
|
included in its options.<br />
|
|
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
|
|
-
|
|
To ensure that new kernels and boot entries continue to enable page poisoning,
|
|
add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
|
@@ -29,9 +27,4 @@ ocil: |-
|
|
<pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
|
|
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
|
|
|
|
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
- and <tt>/etc/zipl.conf</tt>:
|
|
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
|
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
-
|
|
platform: machine
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
index 555fdf2b66..2f02d9668c 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
|
|
@@ -8,8 +8,6 @@ description: |-
|
|
To enable Kernel page-table isolation,
|
|
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
|
|
included in its options.<br />
|
|
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
|
|
-
|
|
To ensure that new kernels and boot entries continue to enable page-table isolation,
|
|
add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
|
@@ -28,9 +26,4 @@ ocil: |-
|
|
<pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
|
|
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
|
|
|
|
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
- and <tt>/etc/zipl.conf</tt>:
|
|
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
|
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
-
|
|
platform: machine
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
index dd7865bf81..0cb10d3cd8 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
|
|
@@ -8,8 +8,6 @@ description: |-
|
|
To enable poisoning of SLUB/SLAB objects,
|
|
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
|
|
included in its options.<br />
|
|
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
|
|
-
|
|
To ensure that new kernels and boot entries continue to extend the audit log events queue,
|
|
add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
|
@@ -29,9 +27,4 @@ ocil: |-
|
|
<pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
|
|
No line should be returned, each line returned is a boot entry that does not enable poisoning.
|
|
|
|
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
- and <tt>/etc/zipl.conf</tt>:
|
|
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
|
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
-
|
|
platform: machine
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
index 18b7ade460..f79adeb083 100644
|
|
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
|
|
@@ -8,8 +8,6 @@ description: |-
|
|
To disable use of virtual syscalls,
|
|
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
|
|
included in its options.<br />
|
|
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
|
|
-
|
|
To ensure that new kernels and boot entries continue to disable virtual syscalls,
|
|
add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
|
|
|
|
@@ -26,9 +24,4 @@ ocil: |-
|
|
<pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
|
|
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
|
|
|
|
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
|
|
- and <tt>/etc/zipl.conf</tt>:
|
|
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
|
|
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
|
|
-
|
|
platform: machine
|
|
|
|
From b9f27383a09afbc6cef61bbbaad0f18f9ebec075 Mon Sep 17 00:00:00 2001
|
|
From: Watson Sato <wsato@redhat.com>
|
|
Date: Thu, 2 Jul 2020 15:59:31 +0200
|
|
Subject: [PATCH 05/14] zipl_bootmap_is_up_to_date: Add OVAL check
|
|
|
|
---
|
|
.../oval/shared.xml | 46 +++++++++++++++++++
|
|
1 file changed, 46 insertions(+)
|
|
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
|
|
new file mode 100644
|
|
index 0000000000..6c446cbe59
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
|
|
@@ -0,0 +1,46 @@
|
|
+<def-group>
+ <definition class="compliance" id="zipl_bootmap_is_up_to_date" version="1">
+ <metadata>
+ <title>Ensure zIPL bootmap is up to date</title>
+ {{{- oval_affected(products) }}}
+ <description>Check if /boot/bootmap is up to date</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_zipl_bootmap_is_up_to_date"
+ comment="Compare mtime of /boot/bootmap against /etc/zipl.conf and /boot/loader/entries/*.conf" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="all_exist" id="test_zipl_bootmap_is_up_to_date" version="1" comment="Check /boot/bootmap timestamps">
+ <unix:object object_ref="object_zipl_boot_bootmap_file" />
+ <unix:state state_ref="state_zipl_bootmap_is_newer_than_zipl_conf" />
+ <unix:state state_ref="state_zipl_bootmap_is_newer_than_boot_entries" />
+ </unix:file_test>
+
+ <unix:file_object id="object_zipl_boot_bootmap_file" comment="current bootmap state" version="1">
+ <unix:filepath>/boot/bootmap</unix:filepath>
+ </unix:file_object>
+
+ <!-- Newer means modified more recently, which means more seconds since epoch -->
+ <unix:file_state id="state_zipl_bootmap_is_newer_than_zipl_conf" version="1">
+ <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
+ var_ref="variable_zipl_conf_file_age" />
+ </unix:file_state>
+ <local_variable id="variable_zipl_conf_file_age" version="1" comment="Age of /etc/zipl.conf" datatype="int">
+ <object_component object_ref="zipl_conf_file" item_field="m_time"/>
+ </local_variable>
+ <unix:file_object id="zipl_conf_file" comment="/etc/zipl.conf state" version="1">
+ <unix:filepath datatype="string">/etc/zipl.conf</unix:filepath>
+ </unix:file_object>
+
+ <unix:file_state id="state_zipl_bootmap_is_newer_than_boot_entries" version="1">
+ <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
+ var_ref="variable_boot_entry_files_age" />
+ </unix:file_state>
+ <local_variable id="variable_boot_entry_files_age" version="1" comment="Age of /boot/loader/entries/*.conf files" datatype="int">
+ <object_component object_ref="boot_entry_files" item_field="m_time"/>
+ </local_variable>
+ <unix:file_object id="boot_entry_files" comment="/boot/loader/entries/*.conf states" version="1">
+ <unix:filepath datatype="string" operation="pattern match">^/boot/loader/entries/.*\.conf$</unix:filepath>
+ </unix:file_object>
+</def-group>
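Review bot: both local_variables are built from objects that may collect nothing (no /etc/zipl.conf, or no /boot/loader/entries/*.conf), and a state whose var_ref resolves to an empty variable evaluates to an error result, not a fail, so the rule would report "error" on such a host instead of failing cleanly; either state that assumption in the rule description or add separate existence criteria for zipl_conf_file and boot_entry_files under the AND criteria. Two smaller points: "greater than or equal" on m_time compares whole seconds, which is why the mock tests need a sleep between touches and deserves a comment next to the existing "Newer means" one; and the ids zipl_conf_file and boot_entry_files lack the object_ prefix used by object_zipl_boot_bootmap_file.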

From 97aff87a403f9b319e87967561c43dc99e8a672e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 16:15:35 +0200
Subject: [PATCH 06/14] zipl_bootmap_is_up_to_date: Add mock tests

These tests mock the existence of zIPL files.
---
.../tests/newer_boot_entry.fail.sh | 10 ++++++++++
.../tests/newer_zipl_conf.fail.sh | 10 ++++++++++
.../tests/up_to_date.pass.sh | 9 +++++++++
3 files changed, 29 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
new file mode 100644
index 0000000000..728c6b7bdb
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /etc/zipl.conf
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/bootmap
+sleep 2
+touch /boot/loader/entries/zipl-entry-2.conf
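Review bot: `touch /boot/loader/entries/*.conf` creates a literal file named `*.conf` when the glob matches nothing, and every touch here silently fails if /boot/loader/entries does not exist on the test machine, since the script has no `set -e`; add `mkdir -p /boot/loader/entries` and `shopt -s nullglob` before the touches so the scenario sets up the same state on any host. The `sleep 2` would also benefit from a comment saying it exists because the OVAL compares m_time in whole seconds.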

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
new file mode 100644
index 0000000000..1ae4d631ee
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/loader/entries/zipl-entry-2.conf
+touch /boot/bootmap
+sleep 2
+touch /etc/zipl.conf
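Review bot: the same unguarded glob and missing-directory concern applies to `touch /boot/loader/entries/*.conf` in this scenario. All three scripts share the same setup lines, so a guarded common preamble (mkdir -p, nullglob) would keep them in sync and make the only difference between scenarios the file touched after the sleep.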

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
new file mode 100644
index 0000000000..7981ba8c5c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /etc/zipl.conf
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/loader/entries/zipl-entry-2.conf
+touch /boot/bootmap
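Review bot: this pass scenario only exercises the equal-timestamp case, because all five touches normally land in the same second and the check passes solely through the "greater than or equal" operation; a `sleep 2` before `touch /boot/bootmap` would cover the strictly-newer case that a real `zipl` run produces, and keeping the equal case as a second scenario would document that equality is intentionally accepted.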

From 180e57bd23154c1ed8dc2575fbf9660c2f83a803 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 3 Jul 2020 18:35:06 +0200
Subject: [PATCH 07/14] zipl_bootmap_is_up_to_date: Add remediations

---
.../ansible/shared.yml | 24 +++++++++++++++++++
.../zipl_bootmap_is_up_to_date/bash/shared.sh | 3 +++
2 files changed, 27 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
new file mode 100644
index 0000000000..e545eacc13
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
@@ -0,0 +1,24 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: "Ensure zIPL bootmap is up to date"
+ block:
+ - name: "Obtain stats of /boot/bootmap"
+ stat:
+ path: /boot/bootmap
+ register: boot_bootmap
+
+ - name: "Obtain stats of /etc/zipl.conf"
+ stat:
+ path: /etc/zipl.conf
+ register: zipl_conf
+
+ # TODO: handle /boot/loader/entries/*.conf
+
+ - name: "Update zIPL bootmap"
+ command: /usr/sbin/zipl
+ changed_when: True
+ when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime
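Review bot: the `when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime` condition only covers the zipl.conf case flagged by the TODO, so the newer_boot_entry.fail.sh scenario from the previous patch is left unremediated, and the tests carry `# remediation = none`, so the test suite will not catch that gap; a `find` task over `/boot/loader/entries` with `patterns: '*.conf'` and a comparison against the largest `mtime` in its returned `files` list would close it. The condition also errors out when either file is absent, because `.stat.mtime` is undefined then; guard it with `boot_bootmap.stat.exists and zipl_conf.stat.exists`, or run zipl unconditionally as the Bash remediation does.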

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
new file mode 100644
index 0000000000..2cf7e388f0
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = Red Hat Enterprise Linux 8
+
+/usr/bin/zipl
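Review bot: `/usr/bin/zipl` is the wrong path; zipl is installed under /usr/sbin on RHEL 8, as the Ansible remediation in the same patch already uses, and patch 09 of this series corrects it, so the two belong squashed together. Invoking the binary by bare name, `zipl`, would also avoid hard-coding the location.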

From 93703727b12a34edb26de25410bf23ff72fead2a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 1 Jul 2020 17:16:41 +0200
Subject: [PATCH 08/14] Select zIPL specific rules in OSPP profile

---
rhel8/profiles/ospp.profile | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 07d32b814d..80e4b71fff 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -415,3 +415,7 @@ selections:
- ssh_client_rekey_limit
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
+
+ # zIPl specific rules
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
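Review bot: the comment has a typo, `zIPl` should read `zIPL`. More importantly, the zipl_bootmap_is_up_to_date OVAL added in patch 05 uses `check_existence="all_exist"` on /boot/bootmap, so on an x86_64 or aarch64 host evaluated against this profile the rule fails rather than reporting notapplicable unless both rules carry a CPE platform restricting them to s390x; please confirm that restriction is in place before selecting them in a multi-architecture profile.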

From 260891e9b2f38d50fadf9eaacd9ee9ca98c977ee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:03:21 +0200
Subject: [PATCH 09/14] Fix path to zipl binary in Bash remediation

---
.../bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
index 2cf7e388f0..2310ca060d 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -1,3 +1,3 @@
# platform = Red Hat Enterprise Linux 8

-/usr/bin/zipl
+/usr/sbin/zipl

From 46d2b1584cf769ae8dbaaa2657541bd0db056a9c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:06:22 +0200
Subject: [PATCH 10/14] zipl_bls_entries_only: there can be leading spaces

There can be leading spaces before 'image'.
---
.../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index 41e9773814..f68d91c128 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -20,7 +20,7 @@
<ind:textfilecontent54_object id="object_zipl_bls_entries_only"
version="1">
<ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
- <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>


From 0a89ed181803c15e3b73cfb2e13f0ec1cb7689ad Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:10:22 +0200
Subject: [PATCH 11/14] zipl_bls_entries_only: check file /etc/zipl.conf

There is no need to perform a pattern match; the check just needs to
examine the /etc/zipl.conf file.
---
.../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index f68d91c128..1ebf03ee37 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -19,7 +19,7 @@

<ind:textfilecontent54_object id="object_zipl_bls_entries_only"
version="1">
- <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
+ <ind:filepath operation="equals">/etc/zipl.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
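Review bot: patches 10 and 11 each change one line of the same object (the pattern gaining `^\s*` and the filepath switching to `operation="equals"`), and both are fixes to the object introduced earlier in this series, so they read better squashed into the commit that added zipl_bls_entries_only. Worth a comment in the OVAL itself: with `operation="equals"` the object yields nothing when /etc/zipl.conf is absent, so the test's check_existence setting (not visible in this hunk) decides whether a missing file passes or fails, and that intent should be stated.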

From 699d5f5bd3075e019387e6fb6b3af81182987c43 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:13:26 +0200
Subject: [PATCH 12/14] Add CCE identifiers to bootmap and bls only rules

Add RHEL-8 CCE identifiers for:
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
---
.../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 3 +++
.../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++
3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index f792c5257f..67cc061ce3 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -14,6 +14,9 @@ rationale: |-

severity: medium

+identifiers:
+ cce@rhel8: 83485-3
+
ocil_clause: 'a non BLS boot entry is configured'

ocil: |-
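Review bot: the diffstat reports 3 files changed with 2 deletions, but only these two rule.yml files with 3 insertions each are shown; if the third file is the pool of available CCE identifiers from which 83485-3 and 83486-1 are being removed, that hunk should be part of this patch so a reviewer can verify the two IDs are taken out of circulation and not reused.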

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
index 082562d11e..da9411d00b 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -16,6 +16,9 @@ rationale: |-

severity: medium

+identifiers:
+ cce@rhel8: 83486-1
+
ocil_clause: 'the bootmap is outdated'

ocil: |-

From 2ebc3d188e4c243d8e60a9e669d5b661b77f2301 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:16:58 +0200
Subject: [PATCH 13/14] Incorporate OSPP selection changes to profile test

Update the profile reference file.
---
tests/data/profile_stability/rhel8/ospp.profile | 2 ++
1 file changed, 2 insertions(+)

diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index b0d7672c36..08dcccf24c 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -213,6 +213,8 @@ selections:
- sysctl_user_max_user_namespaces
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
+- zipl_bls_entries_only
+- zipl_bootmap_is_up_to_date
- var_sshd_set_keepalive=0
- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour

From 33bae25bd543880315433925214868917ec8e399 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 15:28:09 +0200
Subject: [PATCH 14/14] Unselect zIPL rules from STIG Profile

The zIPL rules are inherited from the OSPP profile.
---
rhel8/profiles/stig.profile | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 8f12852e26..cfc2160be1 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,3 +45,7 @@ selections:
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
- "!ssh_client_rekey_limit"
+
+ # Unselect zIPL rules from OSPP
+ - "!zipl_bls_entries_only"
+ - "!zipl_bootmap_is_up_to_date"