diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml index 4ffb40c0e8c..d1b4a3e3389 100644 --- a/linux_os/guide/system/bootloader-grub2/group.yml +++ b/linux_os/guide/system/bootloader-grub2/group.yml @@ -15,4 +15,4 @@ description: |- with a password and ensure its configuration file's permissions are set properly. -platform: grub2 +platform: grub2 and system_with_kernel diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml index 6919ef54873..e8878c4cd45 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml @@ -41,5 +41,3 @@ fixtext: |- Then, run the following command: $ sudo {{{ grub_command("update") }}} - -platform: grub2 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml index 84d077c730a..41ee2618721 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml @@ -20,7 +20,6 @@ identifiers: cce@sle12: CCE-91532-2 cce@sle15: CCE-91217-0 -platform: machine ocil_clause: 'I/OMMU is not activated' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml index 09418dce6ce..2e721d99c54 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml @@ -24,7 +24,6 @@ ocil_clause: 'the kernel is not configured to zero out memory before allocation' ocil: |- {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument 
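Review bot: The new `platform: grub2 and system_with_kernel` line is now the only applicability gate for every rule under this group, because the rest of the commit deletes the per-rule `platform: machine` / `platform: system_with_kernel` lines (and `grub2_vsyscall_argument` keeps only `x86_64_arch`), yet nothing in group.yml records that dependence. A maintainer adding a rule here later could re-add a narrower `platform: machine` and silently drop bootable-container coverage again. Assuming group platforms are inherited conjunctively by child rules, as the rest of this commit relies on, a comment above the line would make the contract explicit: `# Inherited by every rule in this group; rules should only add narrower platforms (e.g. x86_64_arch), never repeat machine/system_with_kernel.`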
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml index 1abeb706b4f..3d6b750d92f 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml @@ -46,7 +46,6 @@ ocil: |- the kernel, check that the option is configured through boot parameter. {{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml index c2294d46d55..8776d5bf328 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml @@ -36,7 +36,6 @@ ocil_clause: 'l1tf mitigations are not configured appropriately' ocil: |- {{{ ocil_grub2_argument("l1tf=" + xccdf_value("var_l1tf_options")) | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml index 1878c63fa04..b9d0db90b0f 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml @@ -29,7 +29,6 @@ ocil_clause: 'MCE tolerance is not set to zero' ocil: |- {{{ ocil_grub2_argument("mce=0") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml index e9d37a1d3c1..6e24c5e5e07 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml 
+++ b/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml @@ -47,7 +47,6 @@ ocil_clause: 'MDS mitigations are not configured appropriately' ocil: |- {{{ ocil_grub2_argument("mds=" + xccdf_value(var_mds_options)) | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml index 08f237cce8c..78d2204659c 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml @@ -9,6 +9,8 @@ description: |- The mitigations must not be set to "off". + {{{ describe_grub2_argument_absent("mitigations=off") | indent(4) }}} + rationale: |- Hardware vulnerabilities allow programs to steal data that is currently processed on the computer. While programs are typically not permitted to read data from other programs, a @@ -24,7 +26,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-010424 -platform: grub2 ocil_clause: 'mitigations is set to off' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml index db1fdff2117..f54daaf2b3e 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml @@ -10,10 +10,7 @@ description: |- Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by the nosmap boot paramenter option. - Check that the line
GRUB_CMDLINE_LINUX="..."within /etc/default/grub - doesn't contain the argument nosmap. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="nosmap"+ {{{ describe_grub2_argument_absent("nosmap") | indent(4) }}} rationale: |- Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and @@ -34,7 +31,6 @@ ocil: |-
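Review bot: The context line directly above the new `{{{ describe_grub2_argument_absent("nosmap") | indent(4) }}}` call still reads `nosmap boot paramenter option.`, while this same commit corrects the identical typo to `boot parameter option.` in grub2_systemd_debug-shell_argument_absent/rule.yml. Since the description block is being rewritten here anyway, the misspelling should be fixed in the same hunk; the nosmep rule's first hunk has the same `paramenter` line and the same new macro call.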
grep -q nosmap /boot/config-`uname -r`If the command returns a line, it means that SMAP is being disabled. -platform: machine template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml index 3bdd52aa725..fd643ee7192 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml @@ -10,10 +10,7 @@ description: |- Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by the nosmep boot paramenter option. - Check that the line
GRUB_CMDLINE_LINUX="..."within /etc/default/grub - doesn't contain the argument nosmep. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="nosmep"+ {{{ describe_grub2_argument_absent("nosmep") | indent(4) }}} rationale: |- Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows @@ -34,7 +31,6 @@ ocil: |-
grep -q nosmep /boot/config-`uname -r`If the command returns a line, it means that SMEP is being disabled. -platform: machine template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml index e483044c000..f94c8556847 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml @@ -31,7 +31,6 @@ ocil_clause: 'randomization of the page allocator is not enabled in the kernel' ocil: |- {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml index eeaf319fadb..43ac06be3c1 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml @@ -34,7 +34,6 @@ ocil_clause: 'Kernel page-table isolation is not enabled' ocil: |- {{{ ocil_grub2_argument("pti=on") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml index 7d8006c8bfb..ed4f2ce3dfc 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml 
@@ -37,7 +37,6 @@ ocil_clause: 'trust on hardware random number generator is not configured approp ocil: |- {{{ ocil_grub2_argument("rng_core.default_quality=" + xccdf_value("var_rng_core_default_quality")) | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml index fc87c9c677b..bc977ab55fa 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml @@ -35,7 +35,6 @@ ocil_clause: 'merging of slabs with similar size is enabled' ocil: |- {{{ ocil_grub2_argument("slab_nomerge=yes") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml index c5a8bf55a47..31e883c710e 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml @@ -39,7 +39,6 @@ ocil_clause: 'SSB is not configured appropriately' ocil: |- {{{ ocil_grub2_argument("spec_store_bypass_disable=" + xccdf_value("var_spec_store_bypass_disable_options")) | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml index 30fac26201b..6d449bf5d21 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml 
@@ -32,7 +32,6 @@ ocil_clause: 'spectre_v2 mitigation is not enforced' ocil: |- {{{ ocil_grub2_argument("spectre_v2=on") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml index 55d8e0e7f64..5649cb56a45 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml @@ -13,12 +13,10 @@ description: |- By default, the debug-shell systemd service is already disabled. Ensure the debug-shell is not enabled by the systemd.debug-shel=1 - boot paramenter option. + boot parameter option. + + {{{ describe_grub2_argument_absent("systemd.debug-shell") | indent(4) }}} - Check that the line
GRUB_CMDLINE_LINUX="..."within /etc/default/grub - doesn't contain the argument systemd.debug-shell=1. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"rationale: |- This prevents attackers with physical access from trivially bypassing security @@ -44,7 +42,6 @@ ocil: |- fixtext: |- {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml index 3e1e837c8f2..28da623cf90 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml @@ -33,7 +33,7 @@ ocil_clause: 'vsyscalls are enabled' ocil: |- {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}} -platform: machine and x86_64_arch +platform: x86_64_arch template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml index 5c9a0b07154..fea605a8699 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml @@ -50,7 +50,6 @@ fixtext: '{{{ fixtext_file_group_owner(grub2_boot_path ~ "/grub.cfg", "root") }} srg_requirement: '{{{ srg_requirement_file_group_owner(grub2_boot_path ~ "/grub.cfg", "root") }}}' -platform: system_with_kernel template: name: file_groupowner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml index 9dac1e38944..038ae369e6e 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml 
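Review bot: The new description call `describe_grub2_argument_absent("systemd.debug-shell")` names the argument differently from the unchanged fixtext in this file's second hunk, `fixtext_grub2_bootloader_argument_absent("debug-shell")`, so the rendered rule will tell the reader to remove `systemd.debug-shell` from kargs.d while the fix text refers to `debug-shell`. Which spelling the rule's OVAL/remediation template actually checks is not visible from these hunks; whichever it is, description, fixtext and the template argument should agree (`systemd.debug-shell` is the form the kernel command line uses). The context line two lines above the `paramenter` fix still reads `systemd.debug-shel=1`, so the typo cleanup in this hunk is also incomplete.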
@@ -44,7 +44,6 @@ fixtext: '{{{ fixtext_file_group_owner(grub2_boot_path ~ "/user.cfg", "root") }} srg_requirement: '{{{ srg_requirement_file_group_owner(grub2_boot_path ~ "/user.cfg", "root") }}}' -platform: machine template: name: file_groupowner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml index 0e797faaadd..2bbb3449f7e 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml @@ -46,7 +46,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/grub.cfg", own ocil: |- {{{ ocil_file_owner(file=grub2_boot_path ~ "/grub.cfg", owner="root") }}} -platform: system_with_kernel template: name: file_owner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml index 85899b1ee9f..9d55b3ded1e 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml @@ -39,7 +39,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/user.cfg", own ocil: |- {{{ ocil_file_owner(file=grub2_boot_path ~ "/user.cfg", owner="root") }}} -platform: machine template: name: file_owner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml index 08a379d1712..9bd39315826 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml 
@@ -46,7 +46,6 @@ ocil: |- If properly configured, the output should indicate the following permissions: -rw------- -platform: system_with_kernel template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml index b8258f5e9f3..55653bd8c6d 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml @@ -35,7 +35,6 @@ ocil_clause: '{{{ ocil_clause_file_permissions(file=grub2_boot_path ~ "/user.cfg ocil: |- {{{ ocil_file_permissions(file=grub2_boot_path ~ "/user.cfg", perms="-rw-------") }}} -platform: machine template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml index c476ddec3f4..9f8cc264b95 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml @@ -68,7 +68,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine fixtext: |- Configure {{{ full_name }}} to have a unique username for the grub superuser account. diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml index eabe7356e79..114cfd9340f 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml @@ -38,4 +38,3 @@ ocil: |- media which should not exist in the lines:
set root='hd0,msdos1'-platform: machine diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml index bb7ceedc8f8..a2b97c4ee57 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml @@ -92,7 +92,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine fixtext: |- Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account. diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml index e492a98fa3f..b4f144c18b4 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml @@ -51,4 +51,3 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: system_with_kernel diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml index 1b18ddff95a..2cde2a0533e 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml @@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file=grub2_uefi_boot_path ~ "/gru ocil: |- {{{ ocil_file_group_owner(file=grub2_uefi_boot_path ~ "/grub.cfg", group="root") }}} -platform: machine template: name: file_groupowner 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml index 55e0ccb1334..bea3273644f 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml @@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file=grub2_uefi_boot_path ~ "/use ocil: |- {{{ ocil_file_group_owner(file=grub2_uefi_boot_path ~ "/user.cfg", group="root") }}} -platform: machine template: name: file_groupowner diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml index 63e6683341b..acbf05579a4 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml @@ -36,7 +36,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_uefi_boot_path ~ "/grub.cfg" ocil: |- {{{ ocil_file_owner(file=grub2_uefi_boot_path ~ "/grub.cfg", owner="root") }}} -platform: machine template: name: file_owner diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml index 4c154afd3d2..ff55a8112e1 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml @@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_uefi_boot_path ~ "/user.cfg" ocil: |- {{{ ocil_file_owner(file=grub2_uefi_boot_path ~ "/user.cfg", owner="root") }}} -platform: machine template: name: file_owner 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml index e6c401a43c9..16acb38ae7a 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml @@ -38,7 +38,6 @@ ocil: |- If properly configured, the output should indicate the following permissions: -rwx------ -platform: machine template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml index 1254dfbaade..6112e68f8b0 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml @@ -35,7 +35,6 @@ ocil_clause: '{{{ ocil_clause_file_permissions(file=grub2_uefi_boot_path ~ "/use ocil: |- {{{ ocil_file_permissions(file=grub2_uefi_boot_path ~ "/user.cfg", perms="-rw-------") }}} -platform: machine template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index bd64b621f10..83be376b8dc 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml @@ -69,7 +69,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine fixtext: |- Configure {{{ full_name }}} to have a unique username for the grub superuser account. 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml index 4cf5ee4725c..831aa6ec3dd 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -93,7 +93,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: system_with_kernel fixtext: |- Configure {{{ full_name }}} to use a secure UEFI boot loader password. diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml index 8014fa95781..75218ef36d3 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml @@ -50,4 +50,3 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml index 059e63db720..f03bda5d61f 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml @@ -38,4 +38,3 @@ ocil: |- media which should not exist in the lines:
set root='hd0,msdos1'-platform: machine diff --git a/products/rhel10/product.yml b/products/rhel10/product.yml index 6f502eef3e1..1c8cfea0ccb 100644 --- a/products/rhel10/product.yml +++ b/products/rhel10/product.yml @@ -21,6 +21,7 @@ init_system: "systemd" # EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig sshd_distributed_config: "true" +bootable_containers_supported: "true" dconf_gdm_dir: "distro.d" diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml index 30cbdeb0c22..eb0c0ac15ae 100644 --- a/products/rhel9/product.yml +++ b/products/rhel9/product.yml @@ -25,6 +25,7 @@ groups: name: ssh_keys sshd_distributed_config: "true" +bootable_containers_supported: "true" dconf_gdm_dir: "distro.d" diff --git a/shared/checks/oval/bootc.xml b/shared/checks/oval/bootc.xml new file mode 100644 index 00000000000..c42129ba964 --- /dev/null +++ b/shared/checks/oval/bootc.xml @@ -0,0 +1,13 @@ +
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ arg_name_value }}}"{{%- endif -%}} +{{% if bootable_containers_supported == "true" %}} +If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the following method needs to be used instead. +The kernel arguments should be set in /usr/lib/bootc/kargs.d in a TOML file that has the following form: +
+# /usr/lib/bootc/kargs.d/10-example.toml +kargs = ["{{{ arg_name_value }}}"] ++For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}. +{{%- endif -%}} {{%- endmacro -%}} +{{# + Describe how to remove a kernel argument from Grub2 default kernel command line. + +:param arg_name: The kernel parameter name +:type arg_name: str +#}} +{{%- macro describe_grub2_argument_absent(arg_name) -%}} +Check that the line
GRUB_CMDLINE_LINUX="..."within /etc/default/grub +doesn't contain the argument {{{ arg_name }}}. +Run the following command to update command line for already installed kernels: +
# grubby --update-kernel=ALL --remove-args="{{{ arg_name }}}"+{{% if bootable_containers_supported == "true" %}} +If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the kernel arguments should be configured using TOML files located in the /usr/lib/bootc/kargs.d directory. +Remove all occurences of {{{ arg_name }}} from all files in /usr/lib/bootc/kargs.d. +For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}. +{{%- endif -%}} +{{%- endmacro -%}} {{# Describe how to check a kernel compile parameter diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template index 3a60d19bdcc..484a7165d62 100644 --- a/shared/templates/grub2_bootloader_argument/bash.template +++ b/shared/templates/grub2_bootloader_argument/bash.template @@ -3,9 +3,22 @@ See the OVAL template for more comments. Product-specific categorization should be synced across all template content types -#}} + {{%- if ARG_VARIABLE %}} {{{- bash_instantiate_variables(ARG_VARIABLE) }}} {{%- set ARG_NAME_VALUE= ARG_NAME ~ "=$" ~ ARG_VARIABLE %}} -{{%- endif %}} +expected_value="${{{ ARG_VARIABLE }}}" +{{% else %}} +expected_value="{{{ ARG_VALUE }}}" +{{% endif %}} -{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}} +if {{{ bash_bootc_build() }}} ; then + KARGS_DIR="/usr/lib/bootc/kargs.d/" + if grep -q -E "{{{ ARG_NAME }}}" "$KARGS_DIR/*.toml" ; then + sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}=[^\"]*\"(.*]\s*)/\1\"{{{ ARG_NAME }}}=$expected_value\"\2/" "$KARGS_DIR/*.toml" + else + echo "kargs = [\"{{{ ARG_NAME }}}=$expected_value\"]" >> "$KARGS_DIR/10-{{{ SANITIZED_ARG_NAME }}}.toml" + fi +else +{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) | indent(4) }}} +fi 
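Review bot: In the new bootc branch both `grep -q -E "{{{ ARG_NAME }}}" "$KARGS_DIR/*.toml"` and the following `sed -i … "$KARGS_DIR/*.toml"` keep the glob inside double quotes, so the shell never expands it and both commands receive the literal path `/usr/lib/bootc/kargs.d//*.toml`; the grep therefore always fails, every run appends another `10-…toml` file even when the argument is already set (leaving two kargs.d entries for the same argument), and the in-place `sed` update is unreachable. The grep pattern is also an unanchored regex — `pti` would match an existing `nopti`, and the `.` in names such as `page_alloc.shuffle` matches any character — and the `>>` redirect fails if the kargs.d directory does not yet exist in the image. Moving the glob outside the quotes, matching on the fixed string `"ARG_NAME=` and creating the directory first addresses all three; `$expected_value` is still interpolated unescaped into the sed replacement, so a value containing `/` or `&` would break the expression — worth confirming against the allowed values of the XCCDF variables this template is used with.
```bash
if {{{ bash_bootc_build() }}} ; then
    KARGS_DIR="/usr/lib/bootc/kargs.d"
    mkdir -p "$KARGS_DIR"
    # The glob must be outside the quotes to expand; matching the quoted "NAME="
    # prefix keeps a different argument that merely contains this name from matching.
    if grep -q -F "\"{{{ ARG_NAME }}}=" "$KARGS_DIR"/*.toml 2>/dev/null ; then
        sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}=[^\"]*\"(.*]\s*)/\1\"{{{ ARG_NAME }}}=$expected_value\"\2/" "$KARGS_DIR"/*.toml
    else
        echo "kargs = [\"{{{ ARG_NAME }}}=$expected_value\"]" >> "$KARGS_DIR/10-{{{ SANITIZED_ARG_NAME }}}.toml"
    fi
else
# … unchanged: grub2_bootloader_argument_remediation call …
fi
```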
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template index 7da54a99f1b..eaf78a6bf62 100644 --- a/shared/templates/grub2_bootloader_argument/oval.template +++ b/shared/templates/grub2_bootloader_argument/oval.template @@ -33,11 +33,14 @@ {{% set system_with_bios_and_uefi_support = true %}} {{%- endif -%}} -