Add template for zIPL boot entry option #5908
Skipping CI for Draft Pull Request.
Hello @yuumasato! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found: There are currently no PEP 8 issues detected in this Pull Request. Cheers! 🍻 Comment last updated at 2020-07-10 15:16:05 UTC
924ae7b to ad5771b
Create initial version of zIPL specific BLS entries template by copying bls_entries_option template.
Extend zipl_bls_entries_option template to check that the kernel option is also configured in /etc/kernel/cmdline. The presence of the argument in /etc/kernel/cmdline ensures that newly installed kernels will be configured with the option.
Description about how to ensure that new boot entries continue to be compliant was incorrect due to a copy-pasta mistake.
ad5771b to 6a3f2f6
These rules check and ensure configuration of BLS boot options used by zIPL.
Just like rule selection, allows rule refinements to be unselected, or "undone".
Remove the zIPL rule refinements from STIG profile
c192ecb to 2ea270b
I just copied the resolved profile to profile_stability directory.
Thank you for this new template and rules. I will try to run tests. See comments.
The template shouldn't have any hardcoded values.
@@ -0,0 +1,16 @@ | |||
#!/bin/bash | |||
# platform = Red Hat Enterprise Linux 8 |
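Review bot: the `# platform = Red Hat Enterprise Linux 8` header on the second line pins this test scenario to a single product. If nothing in the rest of the script depends on RHEL 8 specifically, list every product the rule applies to, so the scenario is not silently skipped on the others.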
I wouldn't be so strict with the platform - it is a textfilecontent test, so actually any platform will do. The remediation requires `grubby`, but that can be installed into Fedora as well.
I enabled it for Fedora as well, and removed `# remediation = none`.
Thank you for tests. However, please count on the case that /etc/kernel/cmdline does not exist before test is run.
Let's not trust that /boot/loader/entries/ only contains *.conf files. Count the number of conf files and how many set the proper options.
linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
Append "audit=1" space from last option.
These test scenarios can be run on any OS that supports BLS and provides grubby. But it will evaluate to not applicable if the OS doesn't use zIPL (i.e.: has s390utils-base installed).
Co-authored-by: vojtapolasek <krecoun@gmail.com>
@vojtapolasek @matejak Thank you for the review, gentlemen. Hopefully all the issues have been addressed.
One last thing. Currently, when running tests, if /etc/kernel/cmdline does not exist, the grep gives an error because it can't grep... I don't know if it needs some fixing. Maybe I discovered it cause I was running tests manually.
/etc/kernel/cmdline is not always present. Let's suppress any error message about absent file in the test scenarios.
Thank you very much for this template. Merging.
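The two points raised in this review (count the `*.conf` entries rather than trusting the directory contents, and tolerate a missing `/etc/kernel/cmdline`), sketched as an added example. It is not the PR's test scenario or OVAL check; the function names `has_arg` and `check_bls_option` and the sample tree are constructed for illustration.

```shell
#!/bin/bash
# Added example: names and sample data are constructed for illustration.

# has_arg FILE ARG [KEYWORD]: true if ARG appears as a whole word in FILE.
# With KEYWORD set, only lines whose first word is KEYWORD are searched.
# An absent or unreadable FILE is "not found", with no error output.
has_arg() {
    local file=$1 arg=$2 key=${3:-}
    [ -r "$file" ] || return 1
    awk -v arg="$arg" -v key="$key" '
        key != "" && $1 != key { next }
        { for (i = 1; i <= NF; i++) if ($i == arg) found = 1 }
        END { exit(found ? 0 : 1) }' "$file"
}

# check_bls_option ENTRIES_DIR CMDLINE_FILE ARG
# Passes only if every *.conf entry and the cmdline file carry ARG.
check_bls_option() {
    local dir=$1 cmdline=$2 arg=$3 total=0 with_arg=0 f
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue        # unmatched glob or non-regular file
        total=$((total + 1))
        if has_arg "$f" "$arg" options; then with_arg=$((with_arg + 1)); fi
    done
    echo "entries=$total with_option=$with_arg"
    [ "$total" -gt 0 ] && [ "$with_arg" -eq "$total" ] || return 1
    has_arg "$cmdline" "$arg"
}

# Constructed sample tree; it has no cmdline file, like a fresh test system.
demo=$(mktemp -d)
mkdir "$demo/entries"
printf 'title A\noptions root=/dev/dasda1 audit=1\n'  > "$demo/entries/a.conf"
printf 'title B\noptions root=/dev/dasda1 audit=10\n' > "$demo/entries/b.conf"
printf 'options audit=1\n' > "$demo/entries/notes.txt"    # not *.conf, ignored
check_bls_option "$demo/entries" "$demo/cmdline" audit=1 || echo "not compliant"
```

Matching whole words keeps `audit=10` from satisfying a check for `audit=1`, which a plain substring grep would accept.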
Description:
`zipl_bls_entries_option` template to check and configure BLS options for zIPL
Rationale: