Update grub2_mitigation_argument #11271
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a typo on mitigations argument, the 's' was missing in STIG standard, so the error was reflected here. Fixing that. Also update to better match requirement in the sense that mitigations is enforced to not be off, instead of enforcing a particular value Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
|
Hi @Xeicker. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: ol8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_mitigation_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_mitigation_argument
+++ xccdf_org.ssgproject.content_rule_grub2_mitigation_argument
@@ -3,15 +3,10 @@
System Must Avoid Meltdown and Spectre Exploit Vulnerabilities in Modern Processors
[description]:
-Determine the default kernel:
-$ sudo grubby --default-kernel
+Verify that Meltdown mitigations are not disabled:
+$ sudo grubby --info=ALL | grep mitigations
-/boot/vmlinuz-5.4.17-2011.1.2.el8uek.x86_64
-
-Using the default kernel, verify that Meltdown mitigations are not disabled:
-$ sudo grubby --info=path-to-default-kernel | grep mitigation
-
-The mitigation must be set to "on".
+The mitigations must not be set to "off".
[reference]:
CCI-000366
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_mitigation_argument' differs.
--- oval:ssg-grub2_mitigation_argument:def:1
+++ oval:ssg-grub2_mitigation_argument:def:1
@@ -1,10 +1,6 @@
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_mitigation_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_mitigation_argument_grub_env_uefi:tst:1
-extend_definition oval:ssg-grub2_entries_reference_kernelopts:def:1
-criteria OR
-criterion oval:ssg-test_grub2_mitigation_argument:tst:1
+criterion oval:ssg-test_grub2_mitigations_off_argument_absent:tst:1
criteria AND
-criterion oval:ssg-test_grub2_mitigation_argument_default:tst:1
+criterion oval:ssg-test_grub2_mitigations_off_argument_absent_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_grub2_mitigation_argument' differs.
--- ocil:ssg-grub2_mitigation_argument_ocil:questionnaire:1
+++ ocil:ssg-grub2_mitigation_argument_ocil:questionnaire:1
@@ -1,14 +1,5 @@
-Inspect the form of default GRUB 2 command line for the Linux operating system
-in /etc/default/grub. If it includes mitigation=on,
-then the parameter will be configured for newly installed kernels.
-First check if the GRUB recovery is enabled:
-$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
-If this option is set to true, then check that a line is output by the following command:
-$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*mitigation=on.*' /etc/default/grub
-If the recovery is disabled, check the line with
-$ sudo grep 'GRUB_CMDLINE_LINUX.*mitigation=on.*' /etc/default/grub.Moreover, command line parameters for currently installed kernels should be checked as well.
-Run the following command:
-$ sudo grubby --info=ALL | grep args | grep -v 'mitigation=on'
-The command should not return any output.
- Is it the case that mitigation is not set to on?
+Verify that Meltdown mitigations are not disabled in any kernel:
+
+$ sudo grubby --info=ALL | grep mitigations
+ Is it the case that mitigations is set to off?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_mitigation_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_mitigation_argument
+++ xccdf_org.ssgproject.content_rule_grub2_mitigation_argument
@@ -1,7 +1,7 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common; then
-grubby --update-kernel=ALL --args=mitigation=on --env=/boot/grub2/grubenv
+grubby --update-kernel=ALL --remove-args=mitigations=off --env=/boot/grub2/grubenv
else
>&2 echo 'Remediation is not applicable, nothing was done'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_mitigation_argument' differs.
--- xccdf_org.ssgproject.content_rule_grub2_mitigation_argument
+++ xccdf_org.ssgproject.content_rule_grub2_mitigation_argument
@@ -13,7 +13,7 @@
- restrict_strategy
- name: Update grub defaults and the bootloader menu
- command: /sbin/grubby --update-kernel=ALL --args="mitigation=on"
+ command: /sbin/grubby --update-kernel=ALL --remove-args="mitigations=off"
when: '"grub2-common" in ansible_facts.packages'
tags:
- DISA-STIG-OL08-00-010424
New data stream is missing blueprint remediation for rule 'xccdf_org.ssgproject.content_rule_grub2_mitigation_argument'. |
Mab879
reviewed
Nov 17, 2023
linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml
Outdated
Show resolved
Hide resolved
linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml
Outdated
Show resolved
Hide resolved
This is to reflect actual behavior, and align with other similar rules in this project Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
I think you are completely right. Updated it |
|
Code Climate has analyzed commit f903954 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.5%. View more on Code Climate. |
Mab879
approved these changes
Nov 30, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
grub2_mitigation_argumentto usegrub2_bootloader_argument_absenttemplate instead ofgrub2_bootloader_argument. As STIG actually required 'not be off'Rationale:
mitigationthe option shoud bemitigations