Add template for zIPL boot entry option

build-scripts/compile_profiles.py

@@ -3,6 +3,7 @@
 import argparse
 import sys
 import os.path
+from copy import deepcopy
 from glob import glob
 
 import ssg.build_yaml
@@ -36,7 +37,8 @@ def resolve(self, all_profiles):
             updated_variables.update(self.variables)
             self.variables = updated_variables
 
-            updated_refinements = dict(extended_profile.refine_rules)
+            extended_refinements = deepcopy(extended_profile.refine_rules)
+            updated_refinements = self._subtract_refinements(extended_refinements)
             updated_refinements.update(self.refine_rules)
             self.refine_rules = updated_refinements
 
@@ -50,6 +52,18 @@ def resolve(self, all_profiles):
 
         self.resolved = True
 
+    def _subtract_refinements(self, extended_refinements):
+        """
+        Given a dict of rule refinements from the extended profile,
+        "undo" every refinement prefixed with '!' in this profile.
+        """
+        for rule, refinements in list(self.refine_rules.items()):
+            if rule.startswith("!"):
+                for prop, val in refinements:
+                    extended_refinements[rule[1:]].remove((prop, val))
+                del self.refine_rules[rule]
+        return extended_refinements
+
 
 def create_parser():
     parser = argparse.ArgumentParser()

linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml

@@ -20,6 +20,9 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel8: 83321-0
+
 ocil_clause: 'auditing is not enabled at boot time'
 
 ocil: |-
@@ -28,3 +31,9 @@ ocil: |-
   No line should be returned, each line returned is a boot entry that doesn't enable audit.
 
 platform: machine
+
+template:
+  name: zipl_bls_entries_option
+  vars:
+    arg_name: audit
+    arg_value: '1'

linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries contain audit=1
+for file in /boot/loader/entries/*.conf
+do
+    if ! grep -q '^options.*audit=1.*$' "$file" ; then
+        sed -i '/^options / s/$/ audit=1/' "$file"
+    fi
+done
+
+# Make sure /etc/kernel/cmdline contains audit=1
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+    echo "audit=1" >> /etc/kernel/cmdline
+fi

linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Make sure boot loader entries contain audit=1
+for file in /boot/loader/entries/*.conf
+do
+    if ! grep -q '^options.*audit=1.*$' "$file" ; then
+        sed -i '/^options / s/$/ audit=1/' "$file"
+    fi
+done
+
+# Make sure /etc/kernel/cmdline doesn't contain audit=1
+sed -Ei 's/(^.*)audit=1(.*?)$/\1\2/' /etc/kernel/cmdline || true

linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
+
+# Remove audit=1 from all boot entries
+sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
+# But make sure one boot loader entry contains audit=1
+sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+
+# Make sure /etc/kernel/cmdline contains audit=1
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+    echo "audit=1" >> /etc/kernel/cmdline
+fi

linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml

@@ -19,12 +19,21 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel8: 83341-8
+
 ocil_clause: 'audit backlog limit is not configured'
 
 ocil: |-
   To check that all boot entries extend the backlog limit;
   Check that all boot entries extend the log events queue:
-  <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
+  <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that does not extend the log events queue.
 
 platform: machine
+
+template:
+  name: zipl_bls_entries_option
+  vars:
+    arg_name: audit_backlog_limit
+    arg_value: '8192'

linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml

@@ -20,6 +20,9 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel8: 83351-7
+
 ocil_clause: 'page allocator poisoning is not enabled'
 
 ocil: |-
@@ -28,3 +31,9 @@ ocil: |-
   No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
 
 platform: machine
+
+template:
+  name: zipl_bls_entries_option
+  vars:
+    arg_name: page_poison
+    arg_value: '1'

linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml

@@ -19,6 +19,9 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel8: 83361-6
+
 ocil_clause: 'Kernel page-table isolation is not enabled'
 
 ocil: |-
@@ -27,3 +30,9 @@ ocil: |-
   No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
 
 platform: machine
+
+template:
+  name: zipl_bls_entries_option
+  vars:
+    arg_name: pti
+    arg_value: 'on'

linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml

@@ -8,7 +8,7 @@ description: |-
     To enable poisoning of SLUB/SLAB objects,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
     included in its options.<br />
-    To ensure that new kernels and boot entries continue to extend the audit log events queue,
+    To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,
     add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
 
 rationale: |-
@@ -20,6 +20,9 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel8: 83371-5
+
 ocil_clause: 'SLUB/SLAB poisoning is not enabled'
 
 ocil: |-
@@ -28,3 +31,9 @@ ocil: |-
   No line should be returned, each line returned is a boot entry that does not enable poisoning.
 
 platform: machine
+
+template:
+  name: zipl_bls_entries_option
+  vars:
+    arg_name: slub_debug
+    arg_value: 'P'

linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml

@@ -17,6 +17,9 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel8: 83381-4
+
 ocil_clause: 'vsyscalls are enabled'
 
 ocil: |-
@@ -25,3 +28,9 @@ ocil: |-
   No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
 
 platform: machine
+
+template:
+  name: zipl_bls_entries_option
+  vars:
+    arg_name: vsyscall
+    arg_value: 'none'

rhel8/profiles/ospp.profile

@@ -419,3 +419,11 @@ selections:
     # zIPl specific rules
     - zipl_bls_entries_only
     - zipl_bootmap_is_up_to_date
+    - zipl_audit_argument
+    - zipl_audit_backlog_limit_argument
+    - zipl_slub_debug_argument
+    - zipl_page_poison_argument
+    - zipl_vsyscall_argument
+    - zipl_vsyscall_argument.role=unscored
+    - zipl_vsyscall_argument.severity=info
+    - zipl_pti_argument

rhel8/profiles/stig.profile

@@ -49,3 +49,11 @@ selections:
     # Unselect zIPL rules from OSPP
     - "!zipl_bls_entries_only"
     - "!zipl_bootmap_is_up_to_date"
+    - "!zipl_audit_argument"
+    - "!zipl_audit_backlog_limit_argument"
+    - "!zipl_page_poison_argument"
+    - "!zipl_pti_argument"
+    - "!zipl_slub_debug_argument"
+    - "!zipl_vsyscall_argument"
+    - "!zipl_vsyscall_argument.role=unscored"
+    - "!zipl_vsyscall_argument.severity=info"

shared/references/cce-redhat-avail.txt

@@ -22,7 +22,6 @@ CCE-83317-8
 CCE-83318-6
 CCE-83319-4
 CCE-83320-2
-CCE-83321-0
 CCE-83322-8
 CCE-83327-7
 CCE-83328-5
@@ -32,22 +31,19 @@ CCE-83333-5
 CCE-83336-8
 CCE-83339-2
 CCE-83340-0
-CCE-83341-8
 CCE-83342-6
 CCE-83343-4
 CCE-83344-2
 CCE-83345-9
 CCE-83346-7
 CCE-83349-1
 CCE-83350-9
-CCE-83351-7
 CCE-83352-5
 CCE-83353-3
 CCE-83354-1
 CCE-83355-8
 CCE-83356-6
 CCE-83358-2
-CCE-83361-6
 CCE-83362-4
 CCE-83363-2
 CCE-83364-0
@@ -57,7 +53,6 @@ CCE-83367-3
 CCE-83368-1
 CCE-83369-9
 CCE-83370-7
-CCE-83371-5
 CCE-83372-3
 CCE-83373-1
 CCE-83374-9
@@ -66,7 +61,6 @@ CCE-83376-4
 CCE-83377-2
 CCE-83378-0
 CCE-83379-8
-CCE-83381-4
 CCE-83382-2
 CCE-83383-0
 CCE-83384-8

shared/templates/template_ANSIBLE_zipl_bls_entries_option

@@ -0,0 +1,52 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = true
+# strategy = configure
+# complexity = medium
+# disruption = low
+
+- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
+  block:
+    - name: "Check how many boot entries exist "
+      find:
+        paths: "/boot/loader/entries/"
+        patterns: "*.conf"
+      register: n_entries
+
+    - name: "Check how many boot entries set {{{ ARG_NAME_VALUE }}}"
+      find:
+        paths: "/boot/loader/entries/"
+        contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
+        patterns: "*.conf"
+      register: n_entries_options
+
+    - name: "Update boot entries options"
+      command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+      when: n_entries is defined and n_entries_options is defined and n_entries.matched != n_entries_options.matched
+
+    - name: "Check if /etc/kernel/cmdline exists"
+      stat:
+        path: /etc/kernel/cmdline
+      register: cmdline_stat
+
+    - name: "Check if /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+      find:
+        paths: "/etc/kernel/"
+        patterns: "cmdline"
+        contains: "^.*{{{ ARG_NAME_VALUE }}}.*$"
+      register: cmdline_find
+
+    - name: "Add /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+      lineinfile:
+        create: yes
+        path: "/etc/kernel/cmdline"
+        line: '{{{ ARG_NAME_VALUE }}}'
+      when: cmdline_stat is defined and not cmdline_stat.stat.exists
+
+    - name: "Append /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+      lineinfile:
+        path: "/etc/kernel/cmdline"
+        backrefs: yes
+        regexp: "^(.*)$"
+        line: '\1 {{{ ARG_NAME_VALUE }}}'
+      when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched == 0
+

shared/templates/template_BASH_zipl_bls_entries_option

@@ -0,0 +1,11 @@
+# platform = Red Hat Enterprise Linux 8
+
+# Correct BLS option using grubby, which is a thin wrapper around BLS operations
+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+
+# Ensure new kernels and boot entries retain the boot option
+if [ ! -f /etc/kernel/cmdline ]; then
+    echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
+elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
+    sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/' /etc/kernel/cmdline
+fi

shared/templates/template_OVAL_zipl_bls_entries_option

@@ -0,0 +1,47 @@
+<def-group>
+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
+    <metadata>
+      <title>Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
+      {{{- oval_affected(products) }}}
+      <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+      comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*.conf" />
+      <criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+      comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+  comment="check for kernel option {{{ ARG_NAME_VALUE }}} for all snippets in /boot/loader/entries"
+  check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_bls_{{{ SANITIZED_ARG_NAME }}}_options" />
+    <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+  version="1">
+    <ind:filepath operation="pattern match">^/boot/loader/entries/.*\.conf$</ind:filepath>
+    <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test id="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+  comment="Check for option {{{ ARG_NAME_VALUE }}} in /etc/kernel/cmdline"
+  check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option" />
+    <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+  version="1">
+    <ind:filepath>/etc/kernel/cmdline</ind:filepath>
+    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
+  version="1">
+    <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
+  </ind:textfilecontent54_state>
+</def-group>