Add template for zIPL boot entry option #5908

Merged

Conversation

@yuumasato yuumasato commented Jul 3, 2020

Description:

  • Add zipl_bls_entries_option template to check and configure BLS options for zIPL
    • With support for Ansible, Bash and OVAL
  • Enables the new template in relevant rules

Rationale:

  • Templates for the win!

@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress label Jul 3, 2020
@openshift-ci-robot

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

pep8speaks commented Jul 3, 2020

Hello @yuumasato! Thanks for updating this PR. We checked the lines you've touched for PEP 8 issues, and found:

There are currently no PEP 8 issues detected in this Pull Request. Cheers! 🍻

Comment last updated at 2020-07-10 15:16:05 UTC

Create initial version of zIPL specific BLS entries
template by copying bls_entries_option template.
Extend zipl_bls_entries_option template to check that the kernel option
is also configured in /etc/kernel/cmdline.
The presence of the argument in /etc/kernel/cmdline ensures that newly
installed kernels will be configured with the option.
Description about how to ensure that new boot entries continue to be compliant
was incorrect due to copy-pasta mistake.
These rules check and ensure configuration of BLS boot options used by
zIPL.
Just like rule selection, allows rule refinements to be unselected, or "undone".
Remove the zIPL rule refinements from STIG profile
@yuumasato yuumasato marked this pull request as ready for review July 9, 2020 20:35
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress label Jul 9, 2020
I just copied the resolved profile to profile_stability directory.
@vojtapolasek vojtapolasek self-assigned this Jul 10, 2020
@matejak matejak self-assigned this Jul 10, 2020
@vojtapolasek vojtapolasek left a comment

Thank you for this new template and rules. I will try to run tests. See comments.

Review threads (outdated, resolved) on:
shared/templates/template_ANSIBLE_zipl_bls_entries_option
shared/templates/template_BASH_zipl_bls_entries_option (two threads)
shared/templates/template_OVAL_zipl_bls_entries_option
The template shouldn't have any hardcoded values.
@@ -0,0 +1,16 @@
#!/bin/bash
# platform = Red Hat Enterprise Linux 8
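Review bot: `# platform = Red Hat Enterprise Linux 8` on the second line of this new test scenario pins it to a single product, although a scenario that only inspects file content under /boot/loader/entries and /etc/kernel/cmdline is valid on any BLS-capable distribution where grubby is available; consider a broader platform value so the scenario also runs on Fedora.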
Member

I wouldn't be so strict with the platform - it is a textfilecontent test, so actually any platform will do. The remediation requires grubby, but that can be installed into Fedora as well.

Member Author

I enabled it for Fedora as well, and removed # remediation = none.

@vojtapolasek

Thank you for the tests. However, please count on the case that /etc/kernel/cmdline does not exist before the test is run.

Let's not trust that /boot/loader/entries/ only contains *.conf files.
Count the number of conf files and how many set the proper options.
yuumasato and others added 3 commits July 10, 2020 16:17
Append "audit=1" space from last option.
These test scenarios can be run on any OS that supports BLS and provides
grubby.
But it will evaluate to not applicable if the OS doesn't use zIPL (i.e.:
has s390utils-base installed).
Co-authored-by: vojtapolasek <krecoun@gmail.com>
@yuumasato

@vojtapolasek @matejak Thank you for the review, gentlemen. Hopefully all the issues have been addressed.

@vojtapolasek

One last thing. Currently, when running tests, if /etc/kernel/cmdline does not exist, the grep gives an error because it can't grep... I don't know if it needs some fixing. Maybe I discovered it because I was running tests manually.

@yuumasato

One last thing. Currently, when running tests, if /etc/kernel/cmdline does not exist, the grep gives an error because it can't grep... I don't know if it needs some fixing. Maybe I discovered it because I was running tests manually.

grep can suppress error messages with -s. I could add that.
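The two review points in this thread (only count *.conf files under /boot/loader/entries and how many of them set the option, and tolerate an absent /etc/kernel/cmdline without a grep error) can be checked with one script. The bash below is an added example, not the project's template or test-scenario code: the function names, the directory and file arguments, and the way it reports counts are assumptions made for illustration; the real locations it targets are /boot/loader/entries and /etc/kernel/cmdline.

```bash
#!/bin/bash
# Added example (not the ComplianceAsCode template code): count BLS entries
# under an entries directory and check that a kernel option is set in every
# entry and in the kernel cmdline file. Paths are parameters so the functions
# can be exercised against a constructed directory; on a real system they are
# /boot/loader/entries and /etc/kernel/cmdline.

# Print "TOTAL MATCHING": TOTAL is the number of *.conf files in DIR (any
# other file in the directory is ignored), MATCHING the number whose
# "options" line carries OPTION as a whole word.
bls_entry_counts() {
    local dir="$1" option="$2" total=0 matching=0 f
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue          # unmatched glob or non-regular file
        total=$((total + 1))
        if grep -Eqs "^options([[:space:]]+[^[:space:]]+)*[[:space:]]+${option}([[:space:]]|$)" "$f"; then
            matching=$((matching + 1))
        fi
    done
    echo "$total $matching"
}

# Return 0 when OPTION is present as a whole word in CMDLINE_FILE.
# -s silences the "No such file or directory" message when the file is
# absent, so a missing file is simply reported as non-compliant.
cmdline_has_option() {
    local cmdline_file="$1" option="$2"
    grep -Eqs "(^|[[:space:]])${option}([[:space:]]|$)" "$cmdline_file"
}

# Return 0 when every BLS entry and the cmdline file carry OPTION, 1 otherwise,
# printing the reason on failure.
zipl_bls_option_check() {
    local dir="$1" cmdline_file="$2" option="$3" total matching
    set -- $(bls_entry_counts "$dir" "$option")
    total=$1 matching=$2
    if [ "$total" -eq 0 ]; then
        echo "no BLS entries found in $dir"
        return 1
    fi
    if [ "$total" -ne "$matching" ]; then
        echo "$((total - matching)) of $total entries lack $option"
        return 1
    fi
    if ! cmdline_has_option "$cmdline_file" "$option"; then
        echo "$cmdline_file does not set $option (newly installed kernels would not get it)"
        return 1
    fi
    return 0
}

# Stand-alone use against the system paths:
#   zipl_bls_option_check /boot/loader/entries /etc/kernel/cmdline audit=1
```

The option is matched as a whole word on the `options` line, so `audit=1` does not match an entry that sets `audit=10`, and the counts are printed separately from the pass/fail result so a failing check still tells the reviewer how many entries were inspected.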

/etc/kernel/cmdline is not always present. Let's suppress any error
message about absent file in the test scenarios.
@mildas

mildas commented Jul 10, 2020

Changes identified:
Profile ospp on rhel8:
 Rule zipl_audit_argument, zipl_audit_backlog_limit_argument, zipl_page_poison_argument, zipl_vsyscall_argument, zipl_pti_argument, zipl_slub_debug_argument added to ospp profile.
Profile cui on rhel8:
 CUI profile extends changed OSPP profile.
Profile stig on rhel8:
 STIG profile extends changed OSPP profile.
 Rule !zipl_vsyscall_argument, !zipl_slub_debug_argument, !zipl_page_poison_argument, !zipl_audit_backlog_limit_argument, !zipl_audit_argument, !zipl_pti_argument added to stig profile.
Profile rhelh-stig on rhel8:
 RHELH-STIG profile extends changed STIG profile.
Profile rhelh-vpp on rhel8:
 RHELH-VPP profile extends changed OSPP profile.
Profile ospp-mls on rhel8:
 OSPP-MLS profile extends changed OSPP profile.
Profile ospp on tests:
 Rule zipl_audit_argument, zipl_audit_backlog_limit_argument, zipl_page_poison_argument, zipl_vsyscall_argument, zipl_pti_argument, zipl_slub_debug_argument added to ospp profile.
Others:
 Python abstract syntax tree change found in build-scripts/compile_profiles.py.
 Python abstract syntax tree change found in ssg/templates.py.

Recommended tests to execute:
 build_product tests
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-tests-ds.xml ospp
 build_product rhel8
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml stig
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml cui
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml ospp-mls
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml rhelh-stig
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml rhelh-vpp
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml ospp
 (cd build && cmake ../ && ctest -j4)

@vojtapolasek

Thank you very much for this template. Merging.

@vojtapolasek vojtapolasek merged commit 22cddf4 into ComplianceAsCode:master Jul 13, 2020
@yuumasato yuumasato deleted the zipl_bootloader_template branch July 13, 2020 13:38
@yuumasato yuumasato added this to the 0.1.52 milestone Jul 13, 2020
This pull request was closed.