Adjust bootloader argument rules to work in bootable containers #12653
shared/templates/grub2_bootloader_argument_absent/bash.template
lgtm, thanks
Extend the templates `grub2_bootloader_argument` and `grub2_bootloader_argument_absent` so they also work for bootable containers. In bootable containers, the kernel build arguments are specified in TOML files in the special directory `/usr/lib/bootc/kargs.d/`. For more details, please read: https://containers.github.io/bootc/building/kernel-arguments.html This commit changes the CPE platform to `system_with_kernel` in all rules that use these templates. These rules configure kernel arguments, therefore it makes sense to have them applicable on systems that contain a kernel, including bootable containers.
Promote the variable `bootable_containers_supported` to a product property. By default, bootable containers won't be supported. The RHEL 9 and 10 products will support bootable containers. This variable can be used at build time in many types of the code.
The bootloader-grub2 group contains multiple different platform expressions. However, all of them are related to grub2 and all of them should be applicable to bootable containers, therefore the platform can be set on the group level in group.yml to `grub2 and system_with_kernel`. Setting the platform on the group level allows us to simplify platform expressions in individual rules. Most of them that only set the platform to `machine` or to `system_with_kernel` can be removed completely.
This change ensures that the first `sed` command, which removes the `kargs` key completely, also removes the following `match-architectures` key if that key exists. Also, the second `sed` command, which just removes an item from the list if the list contains multiple items, has been adjusted to correctly remove the commas between the items. Credit to Matus Marhefka 👍
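The kargs.d mechanism described in the first commit message, as an added example that is not part of this PR or of the ComplianceAsCode templates: two shell helpers that set or remove a single kernel argument in `/usr/lib/bootc/kargs.d/` idempotently, plus a demo that runs them over constructed sample files. The single-line `kargs = [...]` list layout, the `10-<name>.toml` file naming, the decision to delete a file whose list becomes empty, and the overridable `KARGS_DIR` are my assumptions for the example, not behaviour documented by the PR or by bootc.

```shell
#!/usr/bin/env bash
# Added example, not ComplianceAsCode code: idempotent helpers that set or
# remove one kernel argument in bootc kargs.d TOML files.
# Assumptions (mine): each file holds a single-line list such as
#   kargs = ["a=b", "flag"]
# as in the bootc docs; sed/grep accept -E; KARGS_DIR may be overridden so the
# helpers can be exercised on a scratch directory instead of a real image.
set -u

KARGS_DIR="${KARGS_DIR:-/usr/lib/bootc/kargs.d}"

# Escape an argument name for use inside an ERE (e.g. "random.trust_cpu").
_re() { printf '%s' "$1" | sed 's/[][\.^$*+?(){}|]/\\&/g'; }

# Escape text for the replacement side of a sed s/// expression.
_esc_repl() { printf '%s' "$1" | sed 's/[&/\]/\\&/g'; }

# Apply sed -E expressions (passed as -e ...) to FILE in place, keeping its mode.
_rewrite() {
  local f="$1" tmp; shift
  tmp=$(mktemp)
  sed -E "$@" "$f" > "$tmp" && cat "$tmp" > "$f"
  rm -f "$tmp"
}

# File this tool owns for an argument: 10-<name>.toml, dots/dashes mapped to _.
_owned_file() { printf '%s/10-%s.toml\n' "$KARGS_DIR" "$(printf '%s' "$1" | tr '.-' '__')"; }

# Print every occurrence of NAME ("name=value" or bare "name") across the
# directory, one per line; empty output means the argument is not set.
# The match is anchored on the opening quote, so "iommu" does not hit
# "intel_iommu=on".
bootc_karg_get() {
  local re; re=$(_re "$1")
  cat "$KARGS_DIR"/*.toml 2>/dev/null | grep -oE "\"${re}(=[^\"]*)?\"" | tr -d '"'
}

# Set NAME to VALUE (empty VALUE = bare flag). An existing element is rewritten
# in whichever file holds it; otherwise the owned file is written with '>' so a
# second run never produces a duplicate "kargs" key.
bootc_karg_set() {
  local name="$1" value="${2:-}" token re repl f found=0
  token="$name"
  if [ -n "$value" ]; then token="$name=$value"; fi
  re=$(_re "$name"); repl=$(_esc_repl "$token")
  for f in "$KARGS_DIR"/*.toml; do
    [ -e "$f" ] || continue
    if grep -qE "\"${re}(=[^\"]*)?\"" "$f"; then
      _rewrite "$f" -e "s/\"${re}(=[^\"]*)?\"/\"${repl}\"/g"
      found=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    mkdir -p "$KARGS_DIR"   # kargs.d may not exist yet in a fresh image
    printf 'kargs = ["%s"]\n' "$token" > "$(_owned_file "$name")"
  fi
}

# Remove NAME wherever it appears (with or without a value), repair the list
# separators, and delete any file whose list became empty.
bootc_karg_remove() {
  local name="$1" re f
  re=$(_re "$name")
  for f in "$KARGS_DIR"/*.toml; do
    [ -e "$f" ] || continue
    grep -qE "\"${re}(=[^\"]*)?\"" "$f" || continue
    _rewrite "$f" \
      -e "s/\"${re}(=[^\"]*)?\"//g" \
      -e ':x' -e 's/,[[:space:]]*,/,/' -e 'tx' \
      -e 's/\[[[:space:]]*,/[/' -e 's/,[[:space:]]*\]/]/'
    if grep -qE '^[[:space:]]*kargs[[:space:]]*=[[:space:]]*\[[[:space:]]*\]' "$f"; then
      rm -f "$f"
    fi
  done
}

# Dry run on constructed sample data (not a real image) in DIR, or in a fresh
# scratch directory when DIR is omitted; prints the resulting files.
bootc_karg_demo() {
  KARGS_DIR="${1:-$(mktemp -d)}"
  printf 'kargs = ["console=ttyS0", "nosmap", "iommu=off"]\n' > "$KARGS_DIR/00-base.toml"
  bootc_karg_set iommu force   # rewrites the element already in 00-base.toml
  bootc_karg_set pti on        # nothing holds pti: creates 10-pti.toml
  bootc_karg_set pti on        # second run rewrites in place, no duplicate key
  bootc_karg_remove nosmap     # bare flag without '=' is removed too
  cat "$KARGS_DIR"/*.toml
}
```

`bootc_karg_demo` leaves `00-base.toml` as `kargs = ["console=ttyS0", "iommu=force"]` and `10-pti.toml` as `kargs = ["pti=on"]`. In a Containerfile `RUN` step the defaults apply and the helpers edit the image's own `/usr/lib/bootc/kargs.d/`; the value part of the pattern is optional, which is what lets the same code handle `nosmap`-style flags and `iommu=force`-style pairs.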
This datastream diff is auto generated by the check.
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_disable_recovery' differs.
--- xccdf_org.ssgproject.content_rule_grub2_disable_recovery
+++ xccdf_org.ssgproject.content_rule_grub2_disable_recovery
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then
sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"
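Review bot: the new guard `rpm --quiet -q kernel` keys applicability on a package literally named `kernel`, so hosts that boot a variant kernel without that package, such as RHEL real-time systems with `kernel-rt`, go from "applies wherever `grub2-common` is installed" to "Remediation is not applicable" for this rule. Consider testing for what the rule actually needs rather than the package name, for example the `installonlypkg(kernel)` capability (`rpm --quiet -q --whatprovides 'installonlypkg(kernel)'`) or the presence of `/boot/loader/entries`, and use the same test in the `system_with_kernel` CPE so the XCCDF platform and the bash guard agree.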
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_disable_recovery' differs.
--- xccdf_org.ssgproject.content_rule_grub2_disable_recovery
+++ xccdf_org.ssgproject.content_rule_grub2_disable_recovery
@@ -16,7 +16,8 @@
regexp: ^GRUB_DISABLE_RECOVERY=.*
line: GRUB_DISABLE_RECOVERY=true
state: present
- when: '"grub2-common" in ansible_facts.packages'
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-86006-4
- grub2_disable_recovery
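Review bot: the new `when:` is emitted as an unquoted plain scalar that wraps after `ansible_facts.packages` and ends on a line holding only `)`; YAML folds it back into one expression, but it is harder to read and to diff than the quoted single-line form it replaces, and a later edit that indents the `)` differently breaks the task. Emit it as one quoted line, `when: '"grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages'`. The package-name caveat from the bash remediation applies here too: a host with `kernel-rt` but no `kernel` package is skipped.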
@@ -28,7 +29,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL
- when: '"grub2-common" in ansible_facts.packages'
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-86006-4
- grub2_disable_recovery
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_disable_recovery'
--- xccdf_org.ssgproject.content_rule_grub2_disable_recovery
+++ xccdf_org.ssgproject.content_rule_grub2_disable_recovery
@@ -1 +1 @@
-oval:ssg-installed_env_has_grub2_package:def:1
+
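Review bot: the rule-level platform goes from `oval:ssg-installed_env_has_grub2_package:def:1` to nothing, which matches the commit message (platform moved to the `bootloader-grub2` group as `grub2 and system_with_kernel`), but this per-rule output cannot show whether the group-level platform made it into the built datastream. Please verify in the generated XCCDF that the `bootloader-grub2` group carries that platform, since a rule with no platform of its own and none inherited is evaluated on every host, including ones without grub2 where only the remediation's `rpm -q grub2-common` guard would still apply.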
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force' differs.
--- oval:ssg-grub2_enable_iommu_force:def:1
+++ oval:ssg-grub2_enable_iommu_force:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_iommu_entries_expanded_or_referenced:tst:1
criteria OR
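Review bot: wrapping the existing `criteria AND` in a new top-level `criteria OR` makes the definition pass as soon as either alternative passes, and the hunk shows only the first line of the new structure, not the second alternative. If that alternative is the `/usr/lib/bootc/kargs.d/` check, a deployed bootc host can pass on a kargs.d file while its current boot entries and grubenv still lack `iommu=force` (kargs.d content is applied at the next deployment, not to the running kernel). Consider gating the kargs.d branch on the build context, or requiring both branches when both `/boot/loader/entries` and kargs.d exist, so a pass always reflects the kernel that is actually running.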
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force' differs.
--- xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
+++ xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
@@ -1,7 +1,21 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
-grubby --update-kernel=ALL --args=iommu=force --env=/boot/grub2/grubenv
+expected_value="force"
+
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "iommu" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"iommu=[^\"]*\"(.*]\s*)/\1\"iommu=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"iommu=$expected_value\"]" >> "$KARGS_DIR/10-iommu.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=iommu=force --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
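Review bot: `"$KARGS_DIR/*.toml"` is double-quoted, so the `*` is never glob-expanded and both `grep -q -E` and `sed -i` receive the literal path `/usr/lib/bootc/kargs.d//*.toml`; the grep fails with "No such file or directory", the `else` branch runs on every invocation, and each run appends another `kargs = [...]` line to `10-iommu.toml`, which on the second run is a duplicate TOML key. Write the glob as `"$KARGS_DIR"/*.toml` (or loop over the files) and write the owned file with `>` instead of `>>`. Two smaller points in the same block: `grep -q -E "iommu"` matches any file containing the substring (`intel_iommu=on`, `amd_iommu=...`), in which case the sed finds nothing to replace and no file is written, so anchor the pattern on `"iommu=` or `"iommu"`; and the `echo >> "$KARGS_DIR/10-iommu.toml"` fails if `kargs.d` does not yet exist in the image, so `mkdir -p "$KARGS_DIR"` first. The same template renders every other `grub2_*_argument` rule in this diff, so they all inherit these.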
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force' differs.
--- xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
+++ xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
@@ -12,9 +12,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="iommu=force"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-83920-9
- grub2_enable_iommu_force
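Review bot: the Ansible remediation gains no kargs.d branch, there is no `OSCAP_BOOTC_BUILD` equivalent here, and the `ansible_virtualization_type not in [...]` guard is dropped at the same time, so the grubby task now runs inside any container that has `grub2-common` and `kernel` installed, including a bootc image build where there are normally no boot loader entries for grubby to update and nothing bootc will carry into the image. Either keep the container guard in the Ansible template, or add a task that writes `/usr/lib/bootc/kargs.d/` when a bootc build is detected, so the bash and Ansible remediations stay equivalent. This applies to every Ansible hunk rendered from the template below.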
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force'
--- xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
+++ xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng' differs.
--- xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng
+++ xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng
@@ -1,7 +1,21 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
-grubby --update-kernel=ALL --args=random.trust_cpu=on --env=/boot/grub2/grubenv
+expected_value="on"
+
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "random.trust_cpu" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"random.trust_cpu=[^\"]*\"(.*]\s*)/\1\"random.trust_cpu=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"random.trust_cpu=$expected_value\"]" >> "$KARGS_DIR/10-random_trust_cpu.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=random.trust_cpu=on --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng' differs.
--- xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng
+++ xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng
@@ -12,9 +12,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="random.trust_cpu=on"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-83314-5
- grub2_kernel_trust_cpu_rng
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng'
--- xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng
+++ xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_l1tf_argument' differs.
--- oval:ssg-grub2_l1tf_argument:def:1
+++ oval:ssg-grub2_l1tf_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_l1tf_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_l1tf_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_l1tf_argument
+++ xccdf_org.ssgproject.content_rule_grub2_l1tf_argument
@@ -1,11 +1,23 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
var_l1tf_options=''
+expected_value="$var_l1tf_options"
-grubby --update-kernel=ALL --args=l1tf=$var_l1tf_options --env=/boot/grub2/grubenv
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "l1tf" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"l1tf=[^\"]*\"(.*]\s*)/\1\"l1tf=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"l1tf=$expected_value\"]" >> "$KARGS_DIR/10-l1tf.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=l1tf=$var_l1tf_options --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_l1tf_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_l1tf_argument
+++ xccdf_org.ssgproject.content_rule_grub2_l1tf_argument
@@ -17,9 +17,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="l1tf={{ var_l1tf_options }}"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-88123-5
- grub2_l1tf_argument
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_l1tf_argument'
--- xccdf_org.ssgproject.content_rule_grub2_l1tf_argument
+++ xccdf_org.ssgproject.content_rule_grub2_l1tf_argument
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_mce_argument' differs.
--- oval:ssg-grub2_mce_argument:def:1
+++ oval:ssg-grub2_mce_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_mce_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_mce_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_mce_argument
+++ xccdf_org.ssgproject.content_rule_grub2_mce_argument
@@ -1,7 +1,21 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
-grubby --update-kernel=ALL --args=mce=0 --env=/boot/grub2/grubenv
+expected_value="0"
+
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "mce" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"mce=[^\"]*\"(.*]\s*)/\1\"mce=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"mce=$expected_value\"]" >> "$KARGS_DIR/10-mce.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=mce=0 --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_mce_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_mce_argument
+++ xccdf_org.ssgproject.content_rule_grub2_mce_argument
@@ -12,9 +12,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="mce=0"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-87098-0
- grub2_mce_argument
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_mce_argument'
--- xccdf_org.ssgproject.content_rule_grub2_mce_argument
+++ xccdf_org.ssgproject.content_rule_grub2_mce_argument
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent' differs.
--- oval:ssg-grub2_nosmap_argument_absent:def:1
+++ oval:ssg-grub2_nosmap_argument_absent:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criteria OR
criterion oval:ssg-test_grub2_nosmap_argument_absent_grub_env:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent' differs.
--- xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ sed -i -E "/kargs\s*=\s*\[\s*\"nosmap=[^\"]*\"\s*]/{:a;N;/^\n$/ba;N;/match-architectures.*/d;}" "$KARGS_DIR/*.toml"
+ sed -i -E -e "s/^(\s*kargs\s*=\s*\[.*)\"nosmap=[^\"]*\"[,[:space:]]*(.*]\s*)/\1\2/" -e "s/^(\s*kargs.*),\s*\]$/\1\]/" "$KARGS_DIR/*.toml"
+else
grubby --update-kernel=ALL --remove-args=nosmap --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
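Review bot: `KARGS_DIR` is never assigned in this block (the `_argument` template sets `KARGS_DIR="/usr/lib/bootc/kargs.d/"` before use; this one does not), so under `OSCAP_BOOTC_BUILD=YES` both `sed -i` calls target `"/*.toml"` and the argument is never removed; add the assignment, and unquote the glob as `"$KARGS_DIR"/*.toml` so it expands. Both expressions also require `"nosmap=` with an equals sign, but `nosmap` (like `nosmep`) is a bare flag, so a file containing `kargs = ["nosmap"]` is left untouched; make the value optional, e.g. `\"nosmap(=[^\"]*)?\"`. In the first expression the `:a;N;/^\n$/ba` loop can never branch, because the pattern space already starts with the matched `kargs` line and so never equals `\n`; if the intent was to skip blank lines before `match-architectures`, the test should be `/\n$/ba`, otherwise the label is dead code and the block simply reads two more lines and deletes all three only when `match-architectures` appears in them. The `nosmep` and `systemd.debug-shell` hunks below are rendered from the same template.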
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent' differs.
--- xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent
@@ -12,9 +12,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --remove-args="nosmap"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-87345-5
- grub2_nosmap_argument_absent
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent'
--- xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent' differs.
--- oval:ssg-grub2_nosmep_argument_absent:def:1
+++ oval:ssg-grub2_nosmep_argument_absent:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criteria OR
criterion oval:ssg-test_grub2_nosmep_argument_absent_grub_env:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent' differs.
--- xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ sed -i -E "/kargs\s*=\s*\[\s*\"nosmep=[^\"]*\"\s*]/{:a;N;/^\n$/ba;N;/match-architectures.*/d;}" "$KARGS_DIR/*.toml"
+ sed -i -E -e "s/^(\s*kargs\s*=\s*\[.*)\"nosmep=[^\"]*\"[,[:space:]]*(.*]\s*)/\1\2/" -e "s/^(\s*kargs.*),\s*\]$/\1\]/" "$KARGS_DIR/*.toml"
+else
grubby --update-kernel=ALL --remove-args=nosmep --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent' differs.
--- xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent
@@ -12,9 +12,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --remove-args="nosmep"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-85989-2
- grub2_nosmep_argument_absent
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent'
--- xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument' differs.
--- oval:ssg-grub2_pti_argument:def:1
+++ oval:ssg-grub2_pti_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_pti_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_pti_argument
+++ xccdf_org.ssgproject.content_rule_grub2_pti_argument
@@ -1,7 +1,21 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
-grubby --update-kernel=ALL --args=pti=on --env=/boot/grub2/grubenv
+expected_value="on"
+
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "pti" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"pti=[^\"]*\"(.*]\s*)/\1\"pti=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"pti=$expected_value\"]" >> "$KARGS_DIR/10-pti.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=pti=on --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_pti_argument
+++ xccdf_org.ssgproject.content_rule_grub2_pti_argument
@@ -14,9 +14,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="pti=on"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-82194-2
- DISA-STIG-RHEL-08-040004
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument'
--- xccdf_org.ssgproject.content_rule_grub2_pti_argument
+++ xccdf_org.ssgproject.content_rule_grub2_pti_argument
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument' differs.
--- oval:ssg-grub2_rng_core_default_quality_argument:def:1
+++ oval:ssg-grub2_rng_core_default_quality_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_rng_core_default_quality_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
+++ xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
@@ -1,11 +1,23 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
var_rng_core_default_quality=''
+expected_value="$var_rng_core_default_quality"
-grubby --update-kernel=ALL --args=rng_core.default_quality=$var_rng_core_default_quality --env=/boot/grub2/grubenv
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "rng_core.default_quality" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"rng_core.default_quality=[^\"]*\"(.*]\s*)/\1\"rng_core.default_quality=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"rng_core.default_quality=$expected_value\"]" >> "$KARGS_DIR/10-rng_core_default_quality.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=rng_core.default_quality=$var_rng_core_default_quality --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
+++ xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
@@ -18,9 +18,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="rng_core.default_quality={{ var_rng_core_default_quality
}}"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-89567-2
- grub2_rng_core_default_quality_argument
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument'
--- xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
+++ xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument' differs.
--- oval:ssg-grub2_slab_nomerge_argument:def:1
+++ oval:ssg-grub2_slab_nomerge_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_slab_nomerge_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument
+++ xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument
@@ -1,7 +1,21 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
-grubby --update-kernel=ALL --args=slab_nomerge=yes --env=/boot/grub2/grubenv
+expected_value="yes"
+
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "slab_nomerge" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"slab_nomerge=[^\"]*\"(.*]\s*)/\1\"slab_nomerge=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"slab_nomerge=$expected_value\"]" >> "$KARGS_DIR/10-slab_nomerge.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=slab_nomerge=yes --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument
+++ xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument
@@ -12,9 +12,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="slab_nomerge=yes"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-86777-0
- grub2_slab_nomerge_argument
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument'
--- xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument
+++ xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument' differs.
--- oval:ssg-grub2_spec_store_bypass_disable_argument:def:1
+++ oval:ssg-grub2_spec_store_bypass_disable_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_spec_store_bypass_disable_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument
+++ xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument
@@ -1,11 +1,23 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
var_spec_store_bypass_disable_options=''
+expected_value="$var_spec_store_bypass_disable_options"
-grubby --update-kernel=ALL --args=spec_store_bypass_disable=$var_spec_store_bypass_disable_options --env=/boot/grub2/grubenv
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "spec_store_bypass_disable" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"spec_store_bypass_disable=[^\"]*\"(.*]\s*)/\1\"spec_store_bypass_disable=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"spec_store_bypass_disable=$expected_value\"]" >> "$KARGS_DIR/10-spec_store_bypass_disable.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=spec_store_bypass_disable=$var_spec_store_bypass_disable_options --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument
+++ xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument
@@ -18,9 +18,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="spec_store_bypass_disable={{ var_spec_store_bypass_disable_options
}}"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-89234-9
- grub2_spec_store_bypass_disable_argument
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument'
--- xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument
+++ xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument' differs.
--- oval:ssg-grub2_spectre_v2_argument:def:1
+++ oval:ssg-grub2_spectre_v2_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_spectre_v2_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument
+++ xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument
@@ -1,7 +1,21 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
-grubby --update-kernel=ALL --args=spectre_v2=on --env=/boot/grub2/grubenv
+expected_value="on"
+
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "spectre_v2" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"spectre_v2=[^\"]*\"(.*]\s*)/\1\"spectre_v2=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"spectre_v2=$expected_value\"]" >> "$KARGS_DIR/10-spectre_v2.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=spectre_v2=on --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument
+++ xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument
@@ -12,9 +12,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="spectre_v2=on"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-89345-3
- grub2_spectre_v2_argument
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument'
--- xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument
+++ xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent'.
--- xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent
@@ -14,10 +14,10 @@
By default, the debug-shell systemd service is already disabled.
Ensure the debug-shell is not enabled by the systemd.debug-shel=1
-boot paramenter option.
+boot parameter option.
Check that the line GRUB_CMDLINE_LINUX="..." within /etc/default/grub
-doesn't contain the argument systemd.debug-shell=1.
+doesn't contain the argument systemd.debug-shell.
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
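Review bot: the hunk fixes "paramenter" but the context line just above it still reads `systemd.debug-shel=1` (missing an `l`), which is the argument name a reader will copy from the description; fix it in the same description change, and reconcile it with the new wording that names the argument as `systemd.debug-shell` without the `=1`, which is what the `grubby --remove-args` line below also uses.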
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent' differs.
--- oval:ssg-grub2_systemd_debug-shell_argument_absent:def:1
+++ oval:ssg-grub2_systemd_debug-shell_argument_absent:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criteria OR
criterion oval:ssg-test_grub2_systemd_debug_shell_argument_absent_grub_env:tst:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent' differs.
--- xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent
@@ -1,7 +1,14 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ); then
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ sed -i -E "/kargs\s*=\s*\[\s*\"systemd.debug-shell=[^\"]*\"\s*]/{:a;N;/^\n$/ba;N;/match-architectures.*/d;}" "$KARGS_DIR/*.toml"
+ sed -i -E -e "s/^(\s*kargs\s*=\s*\[.*)\"systemd.debug-shell=[^\"]*\"[,[:space:]]*(.*]\s*)/\1\2/" -e "s/^(\s*kargs.*),\s*\]$/\1\]/" "$KARGS_DIR/*.toml"
+else
grubby --update-kernel=ALL --remove-args=systemd.debug-shell --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent' differs.
--- xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent
@@ -11,9 +11,8 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
- when:
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- grub2_systemd_debug-shell_argument_absent
- low_disruption
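Review bot: the Ansible remediation gained the `"kernel" in ansible_facts.packages` condition but no bootc path: unlike the bash fix, it still only runs `grubby --update-kernel=ALL`, so on a bootc image it either fails or edits a boot entry the image does not use. Either add the kargs.d handling here as well or document that Ansible remediation of kernel arguments is not supported for bootable containers. The same holds for the Ansible hunks of the other `_argument` rules in this diff.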
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent'
--- xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent
+++ xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' differs.
--- oval:ssg-grub2_vsyscall_argument:def:1
+++ oval:ssg-grub2_vsyscall_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_vsyscall_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
+++ xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
@@ -1,7 +1,21 @@
# Remediation is applicable only in certain platforms
-if rpm --quiet -q grub2-common && { ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && grep -q x86_64 /proc/sys/kernel/osrelease ); }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && { grep -q x86_64 /proc/sys/kernel/osrelease; }; then
-grubby --update-kernel=ALL --args=vsyscall=none --env=/boot/grub2/grubenv
+expected_value="none"
+
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "vsyscall" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"vsyscall=[^\"]*\"(.*]\s*)/\1\"vsyscall=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"vsyscall=$expected_value\"]" >> "$KARGS_DIR/10-vsyscall.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=vsyscall=none --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
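Review bot: `"$KARGS_DIR/*.toml"` is quoted, so the shell never expands the `*`; `grep -q -E "vsyscall" "/usr/lib/bootc/kargs.d//*.toml"` always fails (no such file), the `else` branch is always taken, and `sed -i` would never run. The first run therefore works by accident, but every later run appends a second `kargs = [...]` line to `10-vsyscall.toml`, which is a duplicate key and invalid TOML, and a drop-in that already sets `vsyscall` to another value is never corrected. Iterate over the files with an unquoted glob and test for the quoted list item rather than a substring, e.g. `for f in "$KARGS_DIR"/*.toml; do grep -q -E "\"vsyscall=[^\"]*\"" "$f" && ...; done`, and write the new drop-in with `>` instead of `>>`. The trailing slash in `KARGS_DIR` also produces the `//` in every path.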
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
+++ xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
@@ -15,9 +15,9 @@
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL --args="vsyscall=none"
when:
- - '"grub2-common" in ansible_facts.packages'
- - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
- and ansible_architecture == "x86_64" )
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
+ - ansible_architecture == "x86_64"
tags:
- CCE-80946-7
- DISA-STIG-RHEL-08-010422
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument'
--- xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
+++ xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
@@ -1,2 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
oval:ssg-proc_sys_kernel_osrelease_arch_x86_64:def:1
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { rpm --quiet -q kernel; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ ! -d /sys/firmware/efi ]; then
chgrp 0 /boot/grub2/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -23,8 +23,8 @@
register: file_exists
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-80800-6
- CJIS-5.5.2.2
@@ -47,8 +47,8 @@
group: '0'
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80800-6
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg'
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -1 +1 @@
-oval:ssg-system_with_kernel:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ ! -d /sys/firmware/efi ]; then
chgrp 0 /boot/grub2/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
@@ -23,8 +23,8 @@
register: file_exists
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-86009-8
- CJIS-5.5.2.2
@@ -47,8 +47,8 @@
group: '0'
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86009-8
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg'
--- xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { rpm --quiet -q kernel; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ ! -d /sys/firmware/efi ]; then
chown 0 /boot/grub2/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -23,8 +23,8 @@
register: file_exists
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-80805-5
- CJIS-5.5.2.2
@@ -47,8 +47,8 @@
owner: '0'
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80805-5
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg'
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -1 +1 @@
-oval:ssg-system_with_kernel:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ ! -d /sys/firmware/efi ]; then
chown 0 /boot/grub2/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -23,8 +23,8 @@
register: file_exists
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-86015-5
- CJIS-5.5.2.2
@@ -47,8 +47,8 @@
owner: '0'
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86015-5
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg'
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { rpm --quiet -q kernel; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ ! -d /sys/firmware/efi ]; then
chmod u-xs,g-xwrs,o-xwrt /boot/grub2/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
@@ -21,8 +21,8 @@
register: file_exists
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-80814-7
- NIST-800-171-3.4.5
@@ -43,8 +43,8 @@
mode: u-xs,g-xwrs,o-xwrt
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - '"kernel" in ansible_facts.packages'
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-80814-7
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg'
--- xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
@@ -1 +1 @@
-oval:ssg-system_with_kernel:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ ! -d /sys/firmware/efi ]; then
chmod u-xs,g-xwrs,o-xwrt /boot/grub2/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
@@ -21,8 +21,8 @@
register: file_exists
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-86024-7
- NIST-800-171-3.4.5
@@ -43,8 +43,8 @@
mode: u-xs,g-xwrs,o-xwrt
when:
- '"/boot/efi" not in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86024-7
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_permissions_user_cfg'
--- xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_admin_username'
--- xccdf_org.ssgproject.content_rule_grub2_admin_username
+++ xccdf_org.ssgproject.content_rule_grub2_admin_username
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_no_removeable_media'
--- xccdf_org.ssgproject.content_rule_grub2_no_removeable_media
+++ xccdf_org.ssgproject.content_rule_grub2_no_removeable_media
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_password'
--- xccdf_org.ssgproject.content_rule_grub2_password
+++ xccdf_org.ssgproject.content_rule_grub2_password
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ -d /sys/firmware/efi ]; then
chgrp 0 /boot/efi/EFI/redhat/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -21,8 +21,8 @@
register: file_exists
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-85915-7
- CJIS-5.5.2.2
@@ -43,8 +43,8 @@
group: '0'
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85915-7
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg'
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ -d /sys/firmware/efi ]; then
chgrp 0 /boot/efi/EFI/redhat/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -21,8 +21,8 @@
register: file_exists
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-86012-2
- CJIS-5.5.2.2
@@ -43,8 +43,8 @@
group: '0'
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86012-2
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg'
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ -d /sys/firmware/efi ]; then
chown 0 /boot/efi/EFI/redhat/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -21,8 +21,8 @@
register: file_exists
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-85913-2
- CJIS-5.5.2.2
@@ -43,8 +43,8 @@
owner: '0'
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85913-2
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg'
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ -d /sys/firmware/efi ]; then
chown 0 /boot/efi/EFI/redhat/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -21,8 +21,8 @@
register: file_exists
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-86021-3
- CJIS-5.5.2.2
@@ -43,8 +43,8 @@
owner: '0'
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86021-3
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg'
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ -d /sys/firmware/efi ]; then
chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/grub.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -19,8 +19,8 @@
register: file_exists
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-85912-4
- NIST-800-171-3.4.5
@@ -39,8 +39,8 @@
mode: u-s,g-xwrs,o-xwrt
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-85912-4
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg'
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
bash remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
+if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel ) && [ -d /sys/firmware/efi ]; then
chmod u-s,g-xwrs,o-xwrt /boot/efi/EFI/redhat/user.cfg
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg' differs.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -19,8 +19,8 @@
register: file_exists
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
tags:
- CCE-86028-8
- NIST-800-171-3.4.5
@@ -39,8 +39,8 @@
mode: u-s,g-xwrs,o-xwrt
when:
- '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
- - '"grub2-common" in ansible_facts.packages'
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - ( "grub2-common" in ansible_facts.packages and "kernel" in ansible_facts.packages
+ )
- file_exists.stat is defined and file_exists.stat.exists
tags:
- CCE-86028-8
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg'
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username'
--- xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username
+++ xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_grub2_uefi_password'
--- xccdf_org.ssgproject.content_rule_grub2_uefi_password
+++ xccdf_org.ssgproject.content_rule_grub2_uefi_password
@@ -1 +1 @@
-oval:ssg-system_with_kernel:def:1
+
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_uefi_no_removeable_media'
--- xccdf_org.ssgproject.content_rule_uefi_no_removeable_media
+++ xccdf_org.ssgproject.content_rule_uefi_no_removeable_media
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument' differs.
--- oval:ssg-grub2_ipv6_disable_argument:def:1
+++ oval:ssg-grub2_ipv6_disable_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_ipv6_disable_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument
+++ xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument
@@ -1,7 +1,21 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common; then
-grubby --update-kernel=ALL --args=ipv6.disable=1 --env=/boot/grub2/grubenv
+expected_value="1"
+
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "ipv6.disable" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"ipv6.disable=[^\"]*\"(.*]\s*)/\1\"ipv6.disable=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"ipv6.disable=$expected_value\"]" >> "$KARGS_DIR/10-ipv6_disable.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=ipv6.disable=1 --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
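Review bot: the applicability check on the unchanged line `if rpm --quiet -q grub2-common; then` still lacks the `rpm --quiet -q kernel` test that the other kernel-argument rules in this diff gained, so this rule does not follow the group-level `grub2 and system_with_kernel` platform the PR describes; please move it under the same platform. The bootc branch has the same quoted-glob problem as the vsyscall hunk above, and `grep -q -E "ipv6.disable"` leaves the dot unescaped, so it matches any single character there.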
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument' differs.
--- oval:ssg-grub2_page_poison_argument:def:1
+++ oval:ssg-grub2_page_poison_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_page_poison_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_page_poison_argument
+++ xccdf_org.ssgproject.content_rule_grub2_page_poison_argument
@@ -1,7 +1,21 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel && { rpm --quiet -q grub2-common; }; then
-grubby --update-kernel=ALL --args=page_poison=1 --env=/boot/grub2/grubenv
+expected_value="1"
+
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "page_poison" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"page_poison=[^\"]*\"(.*]\s*)/\1\"page_poison=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"page_poison=$expected_value\"]" >> "$KARGS_DIR/10-page_poison.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=page_poison=1 --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument' differs.
--- oval:ssg-grub2_slub_debug_argument:def:1
+++ oval:ssg-grub2_slub_debug_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_slub_debug_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
+++ xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument
@@ -3,9 +3,21 @@
var_slub_debug_options=''
+expected_value="$var_slub_debug_options"
-grubby --update-kernel=ALL --args=slub_debug=$var_slub_debug_options --env=/boot/grub2/grubenv
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "slub_debug" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"slub_debug=[^\"]*\"(.*]\s*)/\1\"slub_debug=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"slub_debug=$expected_value\"]" >> "$KARGS_DIR/10-slub_debug.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=slub_debug=$var_slub_debug_options --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
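Review bot: `expected_value` is taken verbatim from the XCCDF variable `var_slub_debug_options` and interpolated unescaped into the `s/.../.../` replacement, so a value containing `/`, `&` or `\` breaks the substitution or injects text into the drop-in; escape the value (or choose a delimiter that cannot appear in it) before building the sed expression. With the empty default shown on the `var_slub_debug_options=''` line the bootc branch also writes `kargs = ["slub_debug="]`; the grubby branch had the same behaviour before, but a guard for the empty value is cheap here.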
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument' differs.
--- oval:ssg-grub2_audit_argument:def:1
+++ oval:ssg-grub2_audit_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_audit_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_audit_argument
+++ xccdf_org.ssgproject.content_rule_grub2_audit_argument
@@ -1,7 +1,21 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel && { rpm --quiet -q grub2-common; }; then
-grubby --update-kernel=ALL --args=audit=1 --env=/boot/grub2/grubenv
+expected_value="1"
+
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "audit" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"audit=[^\"]*\"(.*]\s*)/\1\"audit=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"audit=$expected_value\"]" >> "$KARGS_DIR/10-audit.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=audit=1 --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done'
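Review bot: `grep -q -E "audit"` on the bootc branch is an unanchored substring match, so a file that only carries `audit_backlog_limit=8192` sends the script into the `sed` branch, where the `\"audit=[^\"]*\"` pattern finds nothing and `audit=1` is silently never written. Match the argument as a quoted list item, for example `"\"audit(=[^\"]*)?\""`, so that `audit` cannot hit `audit_backlog_limit`; `"$KARGS_DIR/*.toml"` is also a quoted glob that the shell will not expand, so both `grep` and `sed` receive a literal `*.toml` path.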
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument' differs.
--- oval:ssg-grub2_audit_backlog_limit_argument:def:1
+++ oval:ssg-grub2_audit_backlog_limit_argument:def:1
@@ -1,3 +1,4 @@
+criteria OR
criteria AND
criterion oval:ssg-test_grub2_audit_backlog_limit_entries_expanded_or_referenced:tst:1
criteria OR
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
+++ xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
@@ -1,7 +1,21 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel && { rpm --quiet -q grub2-common; }; then
-grubby --update-kernel=ALL --args=audit_backlog_limit=8192 --env=/boot/grub2/grubenv
+expected_value="8192"
+
+
+if [[ "$OSCAP_BOOTC_BUILD" == "YES" ]] ; then
+ KARGS_DIR="/usr/lib/bootc/kargs.d/"
+ if grep -q -E "audit_backlog_limit" "$KARGS_DIR/*.toml" ; then
+ sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"audit_backlog_limit=[^\"]*\"(.*]\s*)/\1\"audit_backlog_limit=$expected_value\"\2/" "$KARGS_DIR/*.toml"
+ else
+ echo "kargs = [\"audit_backlog_limit=$expected_value\"]" >> "$KARGS_DIR/10-audit_backlog_limit.toml"
+ fi
+else
+
+ grubby --update-kernel=ALL --args=audit_backlog_limit=8192 --env=/boot/grub2/grubenv
+
+fi
else
>&2 echo 'Remediation is not applicable, nothing was done' |
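Review bot: the `sed` rewrite in the bootc branch only handles a `kargs = [...]` array that sits on a single line; when `grep` matched a multi-line array, or a commented-out `audit_backlog_limit`, `sed` changes nothing and the remediation still exits successfully with the old value in place. After the `sed`, re-check for `\"audit_backlog_limit=$expected_value\"` and fail loudly (or fall through to the append) when it is missing, and state in the template that single-line arrays are assumed.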
Mention that the kernel args configuration is different if using a bootable container image. This commit also unifies the description of removing the argument by defining a new Jinja macro containing the description.
I have changed the Bash remediation according to your suggestion. Then, I changed platform expressions in the whole group to simplify and unify the applicability. I have also added the explanation of bootc kernel arguments to the rule description.
Improve regular expression so that it will match kernel arguments present in lists that have more than 1 item.
I have improved the regular expression so that it will match kernel arguments
/packit build
LGTM 👍
@@ -32,6 +32,7 @@ | |||
<def-group> | |||
<definition class="compliance" id="{{{ _RULE_ID }}}" version="2"> | |||
{{{ oval_metadata("Ensure " + ARG_NAME + " is not set in the kernel line in /etc/default/grub.") }}} | |||
<criteria operator="OR"> |
shouldn't this be "AND"?
I'm thinking that if the system supports bootable containers and it doesn't contain the argument in /usr/lib/bootc/kargs.d/*.toml it will pass even if the argument is present somewhere else.
Good point! I will try to adjust this OVAL to prevent that situation.
With this change we will ensure that the rule will not pass if we are in RHEL Image mode and we have configuration for the classic RHEL mode set in place.
Code Climate has analyzed commit 4077a0e and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.6% (0.7% change). View more on Code Climate.
I tested the changes on CS9 bootable container hardened to anssi_bp28_high profile. I confirm that grub2 argument rules work correctly at bootable container build time and also on a fully booted system.
Thanks everyone for approving.
This commit extends templates `grub2_bootloader_argument` and `grub2_bootloader_argument_absent` for bootable containers. The rules that use these templates will be marked with the `system_with_kernel` platform to extend their applicability also to bootable containers. The bootable containers use a special mechanism for specifying the kernel arguments. In bootable containers, the kernel build arguments are specified in TOML files in special directory `/usr/lib/bootc/kargs.d/`. For more details, see: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_image_mode_for_rhel_to_build_deploy_and_manage_operating_systems/managing-kernel-arguments-in-bootc-systems#how-to-add-support-to-inject-kernel-arguments-with-bootc_managing-kernel-arguments-in-bootc-systems

Based on that, the OVAL will check the `/usr/lib/bootc/kargs.d/` and the remediation will remediate this directory if a bootable container image is built. To support this effort, this PR introduces new product property `bootable_containers_supported`. By default, this variable is set to `"false"` and RHEL 9 and 10 products set this variable to `"true"`.
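As an added example that is not part of this PR or the project's templates, here is a small bash editor for the kargs.d TOML files described above; it takes the directory as a parameter (an assumption, so it can be run against a temporary directory), assumes single-line `kargs = [...]` arrays, and matches the argument name as a quoted list item so that `audit` does not hit `audit_backlog_limit`.

```shell
# Added example, not ComplianceAsCode's own template code: an idempotent editor
# for bootc kernel-argument TOML files. The directory is a parameter (assumption,
# so it can be exercised against a temporary directory) and every file is
# assumed to hold its `kargs = [ ... ]` array on a single line.

# Succeed if NAME appears as a quoted list item ("NAME" or "NAME=...") in any
# *.toml under DIR. The surrounding quotes keep "audit" from matching
# "audit_backlog_limit"; the glob stays outside the quotes so the shell expands it.
bootc_karg_present() {
  local dir="$1" name="$2"
  grep -q -E "\"${name}(=[^\"]*)?\"" "$dir"/*.toml 2>/dev/null
}

# Print the value currently set for NAME, or nothing when it is absent.
bootc_karg_get() {
  local dir="$1" name="$2"
  grep -h -o -E "\"${name}=[^\"]*\"" "$dir"/*.toml 2>/dev/null |
    head -n 1 | sed -E "s/^\"${name}=//; s/\"\$//"
}

# Set NAME=VALUE: rewrite the existing item in place, wherever it sits in the
# list, otherwise drop a new file. VALUE is assumed free of sed metacharacters.
bootc_karg_set() {
  local dir="$1" name="$2" value="$3"
  mkdir -p "$dir"
  if bootc_karg_present "$dir" "$name"; then
    sed -i -E "s/^([[:space:]]*kargs[[:space:]]*=[[:space:]]*\[.*)\"${name}(=[^\"]*)?\"(.*])/\1\"${name}=${value}\"\3/" \
      "$dir"/*.toml
  else
    printf 'kargs = ["%s=%s"]\n' "$name" "$value" > "$dir/10-${name}.toml"
  fi
}

# Remove NAME from every list (the *_absent counterpart); the second expression
# cleans up the dangling comma left when the last item of a list was removed.
bootc_karg_remove() {
  local dir="$1" name="$2"
  bootc_karg_present "$dir" "$name" || return 0
  sed -i -E "s/\"${name}(=[^\"]*)?\"[[:space:]]*,?[[:space:]]*//; s/,[[:space:]]*]/]/" "$dir"/*.toml
}
```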