From f37e40e3de5ff493c60c61a054026dabf7b79032 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Wed, 1 Jul 2020 16:12:35 +0200

Subject: [PATCH 01/18] Kickstart zipl_bls_entries_option template

Create initial version of zIPL specific BLS entries

template by copying bls_entries_option template.

---

 .../template_OVAL_zipl_bls_entries_option     | 32 +++++++++++++++++++

 ssg/templates.py                              |  5 +++

 2 files changed, 37 insertions(+)

 create mode 100644 shared/templates/template_OVAL_zipl_bls_entries_option

diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option

new file mode 100644

index 0000000000..a19bd5a89c

--- /dev/null

+++ b/shared/templates/template_OVAL_zipl_bls_entries_option

@@ -0,0 +1,32 @@

+<def-group>

+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">

+    <metadata>

+      <title>Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>

+      {{{- oval_affected(products) }}}

+      <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>

+    </metadata>

+    <criteria operator="AND">

+        

+        comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />

+    </criteria>

+  </definition>

+

+  

+  comment="check for kernel option {{{ ARG_NAME_VALUE }}} for all snippets in /boot/loader/entries"

+  check="all" check_existence="all_exist" version="1">

+    <ind:object object_ref="object_bls_{{{ SANITIZED_ARG_NAME }}}_options" />

+    <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />

+  </ind:textfilecontent54_test>

+

+  

+  version="1">

+    <ind:filepath operation="pattern match">^/boot/loader/entries/.*\.conf$</ind:filepath>

+    <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>

+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+  

+  version="1">

+    <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>

+  </ind:textfilecontent54_state>

+</def-group>

diff --git a/ssg/templates.py b/ssg/templates.py

index 2795267abd..fc09416abe 100644

--- a/ssg/templates.py

+++ b/ssg/templates.py

@@ -340,6 +340,22 @@ def bls_entries_option(data, lang):

     return data

+@template(["oval"])

+def bls_entries_option(data, lang):

+    data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]

+    if lang == "oval":

+        # escape dot, this is used in oval regex

+        data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")

+        # replace . with _, this is used in test / object / state ids

+        data["sanitized_arg_name"] = data["arg_name"].replace(".", "_")

+    return data

+

+

+@template(["oval"])

+def zipl_bls_entries_option(data, lang):

+    return bls_entries_option(data, lang)

+

+

 class Builder(object):

     """

     Class for building all templated content for a given product.

From f54c3c974b6a3ce6d40533a51f867d2e8985b688 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 9 Jul 2020 14:11:04 +0200

Subject: [PATCH 02/18] zipl_bls_entries_option: check opts after install

Extend zipl_bls_entries_option template to check that the kernel option

is also configure in /etc/kernel/cmdline.

The presence of the argument in /etc/kernel/cmdline ensures that newly

installed kernels will be configure if the option.

---

 .../template_OVAL_zipl_bls_entries_option     | 19 +++++++++++++++++--

 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option

index a19bd5a89c..9af1bcfbee 100644

--- a/shared/templates/template_OVAL_zipl_bls_entries_option

+++ b/shared/templates/template_OVAL_zipl_bls_entries_option

@@ -6,8 +6,10 @@

       <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>

     </metadata>

     <criteria operator="AND">

-        

-        comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />

+      

+      comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />

+      

+      comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />

     </criteria>

   </definition>

@@ -25,6 +27,19 @@

     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

   </ind:textfilecontent54_object>

+  

+  comment="Check for option {{{ ARG_NAME_VALUE }}} in /etc/kernel/cmdline"

+  check="all" check_existence="all_exist" version="1">

+    <ind:object object_ref="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option" />

+    <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />

+  </ind:textfilecontent54_test>

+  

+  version="1">

+    <ind:filepath>/etc/kernel/cmdline</ind:filepath>

+    <ind:pattern operation="pattern match">^(.*)$</ind:pattern>

+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>

+  </ind:textfilecontent54_object>

+

   version="1">

     <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>

From 5b66eff84794b99a4ba7a626c46f1970715b1bcd Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 9 Jul 2020 14:12:32 +0200

Subject: [PATCH 03/18] zipl_bls_entries_option: Add Ansible and Bash

---

 .../template_ANSIBLE_zipl_bls_entries_option  | 48 +++++++++++++++++++

 .../template_BASH_zipl_bls_entries_option     | 12 +++++

 ssg/templates.py                              |  2 +-

 3 files changed, 61 insertions(+), 1 deletion(-)

 create mode 100644 shared/templates/template_ANSIBLE_zipl_bls_entries_option

 create mode 100644 shared/templates/template_BASH_zipl_bls_entries_option

diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option

new file mode 100644

index 0000000000..c0cb131b82

--- /dev/null

+++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option

@@ -0,0 +1,48 @@

+# platform = Red Hat Enterprise Linux 8

+# reboot = true

+# strategy = configure

+# complexity = medium

+# disruption = low

+

+- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"

+  block:

+    - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"

+      find:

+        paths: "/boot/loader/entries/"

+        contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"

+        patterns: "*.conf"

+      register: entries_options

+

+    - name: "Update boot entries options"

+      command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"

+      when: entries_options is defined and entries_options.examined != entries_options.matched

+      # The conditional above assumes that only *.conf files are present in /boot/loader/entries

+      # Then, the number of conf files is the same as examined files

+

+    - name: "Check if /etc/kernel/cmdline exists"

+      stat:

+        path: /etc/kernel/cmdline

+      register: cmdline_stat

+

+    - name: "Check if /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"

+      find:

+        paths: "/etc/kernel/"

+        patterns: "cmdline"

+        contains: "^.*{{{ ARG_NAME_VALUE }}}.*$"

+      register: cmdline_find

+

+    - name: "Add /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"

+      lineinfile:

+        create: yes

+        path: "/etc/kernel/cmdline"

+        line: '{{{ ARG_NAME_VALUE }}}'

+      when: cmdline_stat is defined and not cmdline_stat.stat.exists

+

+    - name: "Append /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"

+      lineinfile:

+        path: "/etc/kernel/cmdline"

+        backrefs: yes

+        regexp: "^(.*)$"

+        line: '\1 {{{ ARG_NAME_VALUE }}}'

+      when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched == 0

+

diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option

new file mode 100644

index 0000000000..9fc8865486

--- /dev/null

+++ b/shared/templates/template_BASH_zipl_bls_entries_option

@@ -0,0 +1,12 @@

+# platform = Red Hat Enterprise Linux 8

+

+# Correct BLS option using grubby, which is a thin wrapper around BLS operations

+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"

+

+# Ensure new kernels and boot entries retain the boot option

+if [ ! -f /etc/kernel/cmdline ]; then

+    echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline

+elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then

+    echo " audit=1" >> /etc/kernel/cmdline

+    sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline

+fi

diff --git a/ssg/templates.py b/ssg/templates.py

index fc09416abe..a27fbb6cb6 100644

--- a/ssg/templates.py

+++ b/ssg/templates.py

@@ -340,7 +340,7 @@ def bls_entries_option(data, lang):

     return data

-@template(["oval"])

+@template(["ansible", "bash", "oval"])

 def zipl_bls_entries_option(data, lang):

     return bls_entries_option(data, lang)

From fd2d807f60a4a36ad96f5ac37df9b4651fe3480e Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 3 Jul 2020 15:50:56 +0200

Subject: [PATCH 04/18] Enable zIPL in argument rules

---

 .../system/bootloader-zipl/zipl_audit_argument/rule.yml     | 6 ++++++

 .../zipl_audit_backlog_limit_argument/rule.yml              | 6 ++++++

 .../bootloader-zipl/zipl_page_poison_argument/rule.yml      | 6 ++++++

 .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 6 ++++++

 .../bootloader-zipl/zipl_slub_debug_argument/rule.yml       | 6 ++++++

 .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml  | 6 ++++++

 6 files changed, 36 insertions(+)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml

index 624b4e7041..894bf7995f 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml

@@ -28,3 +28,9 @@ ocil: |-

   No line should be returned, each line returned is a boot entry that doesn't enable audit.

 platform: machine

+

+template:

+  name: zipl_bls_entries_option

+  vars:

+    arg_name: audit

+    arg_value: '1'

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml

index faf114591a..12334c9905 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml

@@ -28,3 +28,9 @@ ocil: |-

   No line should be returned, each line returned is a boot entry that does not extend the log events queue.

 platform: machine

+

+template:

+  name: zipl_bls_entries_option

+  vars:

+    arg_name: audit_backlog_limit

+    arg_value: '8192'

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml

index 866664c01b..f5a36ee1b3 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml

@@ -28,3 +28,9 @@ ocil: |-

   No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.

 platform: machine

+

+template:

+  name: zipl_bls_entries_option

+  vars:

+    arg_name: page_poison

+    arg_value: '1'

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml

index 2f02d9668c..168dae46a1 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml

@@ -27,3 +27,9 @@ ocil: |-

   No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .

 platform: machine

+

+template:

+  name: zipl_bls_entries_option

+  vars:

+    arg_name: pti

+    arg_value: 'on'

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml

index 0cb10d3cd8..84a374e36f 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml

@@ -28,3 +28,9 @@ ocil: |-

   No line should be returned, each line returned is a boot entry that does not enable poisoning.

 platform: machine

+

+template:

+  name: zipl_bls_entries_option

+  vars:

+    arg_name: slub_debug

+    arg_value: 'P'

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml

index f79adeb083..c37e8bbefd 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml

@@ -25,3 +25,9 @@ ocil: |-

   No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.

 platform: machine

+

+template:

+  name: zipl_bls_entries_option

+  vars:

+    arg_name: vsyscall

+    arg_value: 'none'

From 08db1a1d4bb3362195c34e266feb9bac31ba4be8 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Sat, 4 Jul 2020 01:15:49 +0200

Subject: [PATCH 05/18] zipl_audit_backlog_limit_argument: Fix OCIL typo

Fix typo

---

 .../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml  | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml

index 12334c9905..15729dc6b6 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml

@@ -24,7 +24,7 @@ ocil_clause: 'audit backlog limit is not configured'

 ocil: |-

   To check that all boot entries extend the backlog limit;

   Check that all boot entries extend the log events queue:

-  
sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf

+  
sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf

   No line should be returned, each line returned is a boot entry that does not extend the log events queue.

 platform: machine

From 779506348675557e204e1d88f214833b313c0f20 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 9 Jul 2020 12:00:10 +0200

Subject: [PATCH 06/18] zipl_slub_debug_argument: Fix description

Description about how to ensure that new boot entries continue compliant

was incorrect due to copy-pasta mistake.

---

 .../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml    | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml

index 84a374e36f..83e043179d 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml

@@ -8,7 +8,7 @@ description: |-

     To enable poisoning of SLUB/SLAB objects,

     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>

     included in its options.

-    To ensure that new kernels and boot entries continue to extend the audit log events queue,

+    To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,

     add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.

 rationale: |-

From 6a3f2f6bdc13188e780f0f3e4f829f6fa79351b2 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 9 Jul 2020 12:06:56 +0200

Subject: [PATCH 07/18] Add CCEs to zIPL argument rules

---

 .../system/bootloader-zipl/zipl_audit_argument/rule.yml     | 3 +++

 .../zipl_audit_backlog_limit_argument/rule.yml              | 3 +++

 .../bootloader-zipl/zipl_page_poison_argument/rule.yml      | 3 +++

 .../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 3 +++

 .../bootloader-zipl/zipl_slub_debug_argument/rule.yml       | 3 +++

 .../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml  | 3 +++

 7 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml

index 894bf7995f..b1307ef3f2 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml

@@ -20,6 +20,9 @@ rationale: |-

 severity: medium

+identifiers:

+    cce@rhel8: 83321-0

+

 ocil_clause: 'auditing is not enabled at boot time'

 ocil: |-

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml

index 15729dc6b6..18391bee6c 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml

@@ -19,6 +19,9 @@ rationale: |-

 severity: medium

+identifiers:

+    cce@rhel8: 83341-8

+

 ocil_clause: 'audit backlog limit is not configured'

 ocil: |-

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml

index f5a36ee1b3..7ffea8ce6a 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml

@@ -20,6 +20,9 @@ rationale: |-

 severity: medium

+identifiers:

+    cce@rhel8: 83351-7

+

 ocil_clause: 'page allocator poisoning is not enabled'

 ocil: |-

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml

index 168dae46a1..6fd1082292 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml

@@ -19,6 +19,9 @@ rationale: |-

 severity: medium

+identifiers:

+    cce@rhel8: 83361-6

+

 ocil_clause: 'Kernel page-table isolation is not enabled'

 ocil: |-

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml

index 83e043179d..c499140c35 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml

@@ -20,6 +20,9 @@ rationale: |-

 severity: medium

+identifiers:

+    cce@rhel8: 83371-5

+

 ocil_clause: 'SLUB/SLAB poisoning is not enabled'

 ocil: |-

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml

index c37e8bbefd..7edd43074f 100644

--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml

+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml

@@ -17,6 +17,9 @@ rationale: |-

 severity: medium

+identifiers:

+    cce@rhel8: 83381-4

+

 ocil_clause: 'vsyscalls are enabled'

 ocil: |-

From a7c33132a8d5f8cdf9c0d5f38b4910376ff1330b Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 9 Jul 2020 14:36:28 +0200

Subject: [PATCH 08/18] Select zipl BLS option rules in OSPP Profile

These rules check and ensure configuration of BLS boot options used by

zIPL.

---

 rhel8/profiles/ospp.profile | 8 ++++++++

 rhel8/profiles/stig.profile | 6 ++++++

 2 files changed, 14 insertions(+)

diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile

index 80e4b71fff..d3732fa805 100644

--- a/rhel8/profiles/ospp.profile

+++ b/rhel8/profiles/ospp.profile

@@ -419,3 +419,11 @@ selections:

     # zIPl specific rules

     - zipl_bls_entries_only

     - zipl_bootmap_is_up_to_date

+    - zipl_audit_argument

+    - zipl_audit_backlog_limit_argument

+    - zipl_slub_debug_argument

+    - zipl_page_poison_argument

+    - zipl_vsyscall_argument

+    - zipl_vsyscall_argument.role=unscored

+    - zipl_vsyscall_argument.severity=info

+    - zipl_pti_argument

diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile

index cfc2160be1..69d5222a32 100644

--- a/rhel8/profiles/stig.profile

+++ b/rhel8/profiles/stig.profile

@@ -49,3 +49,9 @@ selections:

     # Unselect zIPL rules from OSPP

     - "!zipl_bls_entries_only"

     - "!zipl_bootmap_is_up_to_date"

+    - "!zipl_audit_argument"

+    - "!zipl_audit_backlog_limit_argument"

+    - "!zipl_page_poison_argument"

+    - "!zipl_pti_argument"

+    - "!zipl_slub_debug_argument"

+    - "!zipl_vsyscall_argument"

From be070d56abed9efc9244b6c989d0a0df1f78b5ff Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 9 Jul 2020 22:30:25 +0200

Subject: [PATCH 09/18] Extend Profile resolution to undo rule refinements

Just like rule selection, allows rule refinements to be unselected, or "undone".

---

 build-scripts/compile_profiles.py | 16 +++++++++++++++-

 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/build-scripts/compile_profiles.py b/build-scripts/compile_profiles.py

index 0967252348..d1ce8984b2 100644

--- a/build-scripts/compile_profiles.py

+++ b/build-scripts/compile_profiles.py

@@ -3,6 +3,7 @@

 import argparse

 import sys

 import os.path

+from copy import deepcopy

 from glob import glob

 import ssg.build_yaml

@@ -36,7 +37,8 @@ def resolve(self, all_profiles):

             updated_variables.update(self.variables)

             self.variables = updated_variables

-            updated_refinements = dict(extended_profile.refine_rules)

+            extended_refinements = deepcopy(extended_profile.refine_rules)

+            updated_refinements = self._subtract_refinements(extended_refinements)

             updated_refinements.update(self.refine_rules)

             self.refine_rules = updated_refinements

@@ -50,6 +52,18 @@ def resolve(self, all_profiles):

         self.resolved = True

+    def _subtract_refinements(self, extended_refinements):

+        """

+        Given a dict of rule refinements from the extended profile,

+        "undo" every refinement prefixed with '!' in this profile.

+        """

+        for rule, refinements in list(self.refine_rules.items()):

+            if rule.startswith("!"):

+                for prop, val in refinements:

+                    extended_refinements[rule[1:]].remove((prop, val))

+                del self.refine_rules[rule]

+        return extended_refinements

+

 def create_parser():

     parser = argparse.ArgumentParser()

From 2ea270b1796139f42a1d56cbb31351b3f6ad3a6e Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 9 Jul 2020 22:32:32 +0200

Subject: [PATCH 10/18] Undo rule refinements done to zIPL rules

Remove the zIPl rule refinementes from STIG profile

---

 rhel8/profiles/stig.profile | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile

index 69d5222a32..53647475aa 100644

--- a/rhel8/profiles/stig.profile

+++ b/rhel8/profiles/stig.profile

@@ -55,3 +55,5 @@ selections:

     - "!zipl_pti_argument"

     - "!zipl_slub_debug_argument"

     - "!zipl_vsyscall_argument"

+    - "!zipl_vsyscall_argument.role=unscored"

+    - "!zipl_vsyscall_argument.severity=info"

From 90d62ba0cd088eb95aa151fe08a9c3c9fd959a00 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 10 Jul 2020 09:38:57 +0200

Subject: [PATCH 11/18] Update stable test for OSPP Profile

I just copied the resolved profile to profile_stability directory.

---

 tests/data/profile_stability/rhel8/ospp.profile | 14 +++++++++++---

 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile

index 08dcccf24c..5aa3592496 100644

--- a/tests/data/profile_stability/rhel8/ospp.profile

+++ b/tests/data/profile_stability/rhel8/ospp.profile

@@ -168,6 +168,7 @@ selections:

 - service_rngd_enabled

 - service_systemd-coredump_disabled

 - service_usbguard_enabled

+- ssh_client_rekey_limit

 - sshd_disable_empty_passwords

 - sshd_disable_gssapi_auth

 - sshd_disable_kerb_auth

@@ -213,8 +214,14 @@ selections:

 - sysctl_user_max_user_namespaces

 - timer_dnf-automatic_enabled

 - usbguard_allow_hid_and_hub

+- zipl_audit_argument

+- zipl_audit_backlog_limit_argument

 - zipl_bls_entries_only

 - zipl_bootmap_is_up_to_date

+- zipl_page_poison_argument

+- zipl_pti_argument

+- zipl_slub_debug_argument

+- zipl_vsyscall_argument

 - var_sshd_set_keepalive=0

 - var_rekey_limit_size=1G

 - var_rekey_limit_time=1hour

@@ -238,11 +245,12 @@ selections:

 - var_accounts_passwords_pam_faillock_deny=3

 - var_accounts_passwords_pam_faillock_fail_interval=900

 - var_accounts_passwords_pam_faillock_unlock_time=never

+- var_ssh_client_rekey_limit_size=1G

+- var_ssh_client_rekey_limit_time=1hour

 - grub2_vsyscall_argument.role=unscored

 - grub2_vsyscall_argument.severity=info

 - sysctl_user_max_user_namespaces.role=unscored

 - sysctl_user_max_user_namespaces.severity=info

-- ssh_client_rekey_limit

-- var_ssh_client_rekey_limit_size=1G

-- var_ssh_client_rekey_limit_time=1hour

+- zipl_vsyscall_argument.role=unscored

+- zipl_vsyscall_argument.severity=info

 title: Protection Profile for General Purpose Operating Systems

From b5d5b0f1d4319663aba9f051fc01f5209234da6f Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 10 Jul 2020 15:15:25 +0200

Subject: [PATCH 12/18] zipl_bls_entries_option: Add test scenarios

---

 .../tests/correct_option.pass.sh                 | 16 ++++++++++++++++

 .../tests/missing_in_cmdline.fail.sh             | 14 ++++++++++++++

 .../tests/missing_in_entry.fail.sh               | 14 ++++++++++++++

 3 files changed, 44 insertions(+)

 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh

 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh

 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh

new file mode 100644

index 0000000000..a9bd49dd0b

--- /dev/null

+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh

@@ -0,0 +1,16 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# remediation = none

+

+# Make sure boot loader entries contain audit=1

+for file in /boot/loader/entries/*.conf

+do

+    if ! grep -q '^options.*audit=1.*$' "$file" ; then

+        sed -i '/^options / s/$/audit=1/' "$file"

+    fi

+done

+

+# Make sure /etc/kernel/cmdline contains audit=1

+if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then

+    echo "audit=1" >> /etc/kernel/cmdline

+fi

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh

new file mode 100644

index 0000000000..d4d1d978c8

--- /dev/null

+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# remediation = none

+

+# Make sure boot loader entries contain audit=1

+for file in /boot/loader/entries/*.conf

+do

+    if ! grep -q '^options.*audit=1.*$' "$file" ; then

+        sed -i '/^options / s/$/audit=1/' "$file"

+    fi

+done

+

+# Make sure /etc/kernel/cmdline doesn't contain audit=1

+sed -Ei 's/(^.*)audit=1(.*?)$/\1\2/' /etc/kernel/cmdline || true

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh

new file mode 100644

index 0000000000..3e412c0542

--- /dev/null

+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh

@@ -0,0 +1,14 @@

+#!/bin/bash

+# platform = Red Hat Enterprise Linux 8

+# remediation = none

+

+# Remove audit=1 from all boot entries

+sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*

+# But make sure one boot loader entry contains audit=1

+sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf

+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf

+

+# Make sure /etc/kernel/cmdline contains audit=1