|
 |
dac76a |
From c91d25e9398028bd9b0032a776456bf5ff6fdeed Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Tue, 31 Mar 2020 12:45:32 +0200
|
|
|
dac76a |
Subject: [PATCH 1/5] modify templates
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
shared/templates/template_OVAL_grub2_bootloader_argument | 2 +-
|
|
|
dac76a |
ssg/templates.py | 3 +++
|
|
|
dac76a |
2 files changed, 4 insertions(+), 1 deletion(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument
|
|
|
dac76a |
index 77497d21bc..132e676cc5 100644
|
|
|
dac76a |
--- a/shared/templates/template_OVAL_grub2_bootloader_argument
|
|
|
dac76a |
+++ b/shared/templates/template_OVAL_grub2_bootloader_argument
|
|
|
dac76a |
@@ -1,5 +1,5 @@
|
|
|
dac76a |
<def-group>
|
|
|
dac76a |
- <definition class="compliance" id="grub2_{{{ ARG_NAME }}}_argument" version="2">
|
|
|
dac76a |
+ <definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
|
|
|
dac76a |
<metadata>
|
|
|
dac76a |
<title>Ensure GRUB 2 is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
|
|
|
dac76a |
{{{- oval_affected(products) }}}
|
|
|
dac76a |
diff --git a/ssg/templates.py b/ssg/templates.py
|
|
|
dac76a |
index e5ed4890b4..7e4264d0e2 100644
|
|
|
dac76a |
--- a/ssg/templates.py
|
|
|
dac76a |
+++ b/ssg/templates.py
|
|
|
dac76a |
@@ -200,6 +200,9 @@ def file_permissions(data, lang):
|
|
|
dac76a |
|
|
|
dac76a |
@template(["ansible", "bash", "oval"])
|
|
|
dac76a |
def grub2_bootloader_argument(data, lang):
|
|
|
dac76a |
+ if lang == "oval":
|
|
|
dac76a |
+ # solve the case where argument contains dot
|
|
|
dac76a |
+ data["arg_name"].replace(".", "\\.")
|
|
|
dac76a |
data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
|
|
|
dac76a |
return data
|
|
|
dac76a |
|
|
|
dac76a |
|
|
|
dac76a |
From bd6ebf4ae6e579ef56c6420307e4c39fc5637258 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Tue, 31 Mar 2020 12:46:56 +0200
|
|
|
dac76a |
Subject: [PATCH 2/5] rename rule, add tests
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../rule.yml | 0
|
|
|
dac76a |
.../arg_not_there_etcdefaultgrub.fail.sh | 7 ++++++
|
|
|
dac76a |
...e_etcdefaultgrub_recovery_disabled.fail.sh | 17 +++++++++++++
|
|
|
dac76a |
.../tests/arg_not_there_rhel7.fail.sh | 8 +++++++
|
|
|
dac76a |
.../tests/arg_not_there_rhel8.fail.sh | 8 +++++++
|
|
|
dac76a |
.../tests/correct_grubby.pass.sh | 13 ++++++++++
|
|
|
dac76a |
.../tests/correct_grubenv.pass.sh | 4 ++++
|
|
|
dac76a |
.../tests/correct_recovery_disabled.pass.sh | 24 +++++++++++++++++++
|
|
|
dac76a |
.../tests/correct_value.pass.sh | 12 ++++++++++
|
|
|
dac76a |
.../tests/wrong_value_etcdefaultgrub.fail.sh | 11 +++++++++
|
|
|
dac76a |
...e_etcdefaultgrub_recovery_disabled.fail.sh | 22 +++++++++++++++++
|
|
|
dac76a |
.../tests/wrong_value_rhel7.fail.sh | 13 ++++++++++
|
|
|
dac76a |
.../tests/wrong_value_rhel8.fail.sh | 12 ++++++++++
|
|
|
dac76a |
13 files changed, 151 insertions(+)
|
|
|
dac76a |
rename linux_os/guide/system/network/network-ipv6/disabling_ipv6/{grub2_disable_ipv6 => grub2_ipv6_disable_argument}/rule.yml (100%)
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh
|
|
|
dac76a |
create mode 100644 linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
|
|
dac76a |
similarity index 100%
|
|
|
dac76a |
rename from linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_disable_ipv6/rule.yml
|
|
|
dac76a |
rename to linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..33f6be147e
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,7 @@
|
|
|
dac76a |
+#!/bin/bas
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 7
|
|
|
dac76a |
+
|
|
|
dac76a |
+# Removes ipv6.disable argument from kernel command line in /etc/default/grub
|
|
|
dac76a |
+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
|
|
|
dac76a |
+fi
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..6163f9fbaa
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,17 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 7
|
|
|
dac76a |
+# Removes ipv6.disable argument from kernel command line in /etc/default/grub
|
|
|
dac76a |
+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
|
|
|
dac76a |
+fi
|
|
|
dac76a |
+
|
|
|
dac76a |
+# removing the parameter from the no recovery kernel parameters as well
|
|
|
dac76a |
+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
|
|
|
dac76a |
+
|
|
|
dac76a |
+# disabling recovery
|
|
|
dac76a |
+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
|
|
|
dac76a |
+
|
|
|
dac76a |
+#if the line is not present at all, add it
|
|
|
dac76a |
+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
|
|
|
dac76a |
+ echo 'GRUB_CMDLINE_LINUX_DEFAULT=""' >> /etc/default/grub
|
|
|
dac76a |
+fi
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..5becb561a6
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel7.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,8 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 7
|
|
|
dac76a |
+
|
|
|
dac76a |
+# Removes ipv6.disable argument from kernel command line in /boot/grub2/grub.cfg
|
|
|
dac76a |
+file="/boot/grub2/grub.cfg"
|
|
|
dac76a |
+if grep -q '^.*ipv6\.disable=.*' "$file" ; then
|
|
|
dac76a |
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file"
|
|
|
dac76a |
+fi
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..5d8daaa6bc
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/arg_not_there_rhel8.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,8 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+# Removes ipv6.disable argument from kernel command line in /boot/grub2/grubenv
|
|
|
dac76a |
+file="/boot/grub2/grubenv"
|
|
|
dac76a |
+if grep -q '^.*ipv6\.disable=.*' "$file" ; then
|
|
|
dac76a |
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 \2/' "$file"
|
|
|
dac76a |
+fi
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..59b18bd049
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubby.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,13 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 7
|
|
|
dac76a |
+
|
|
|
dac76a |
+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
|
|
|
dac76a |
+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
|
|
|
dac76a |
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub'
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ # no ipv6.disable=arg is present, append it
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub'
|
|
|
dac76a |
+fi
|
|
|
dac76a |
+
|
|
|
dac76a |
+grubby --update-kernel=ALL --args="ipv6.disable=1"
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..0e84a458ca
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_grubenv.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,4 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..e36f81903d
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_recovery_disabled.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,24 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 7
|
|
|
dac76a |
+
|
|
|
dac76a |
+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
|
|
|
dac76a |
+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
|
|
|
dac76a |
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub'
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ # no ipv6.disable=arg is present, append it
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub'
|
|
|
dac76a |
+fi
|
|
|
dac76a |
+
|
|
|
dac76a |
+# removing the parameter from the no recovery kernel parameters as well
|
|
|
dac76a |
+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
|
|
|
dac76a |
+
|
|
|
dac76a |
+# disabling recovery
|
|
|
dac76a |
+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
|
|
|
dac76a |
+
|
|
|
dac76a |
+#if the line is not present at all, add it
|
|
|
dac76a |
+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
|
|
|
dac76a |
+ echo 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"' >> /etc/default/grub
|
|
|
dac76a |
+fi
|
|
|
dac76a |
+
|
|
|
dac76a |
+grubby --update-kernel=ALL --args="ipv6.disable=1"
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..eb7c07ce7f
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/correct_value.pass.sh
|
|
|
dac76a |
@@ -0,0 +1,12 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+
|
|
|
dac76a |
+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
|
|
|
dac76a |
+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
|
|
|
dac76a |
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=1 \2/' '/etc/default/grub'
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ # no ipv6.disable=arg is present, append it
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=1"/' '/etc/default/grub'
|
|
|
dac76a |
+fi
|
|
|
dac76a |
+
|
|
|
dac76a |
+grubby --update-kernel=ALL --args="ipv6.disable=1"
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..4e7492b588
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,11 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 7
|
|
|
dac76a |
+
|
|
|
dac76a |
+# Break the ipv6.disable argument in kernel command line in /etc/default/grub
|
|
|
dac76a |
+if grep -q '^GRUB_CMDLINE_LINUX=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
|
|
|
dac76a |
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=0 \2/' '/etc/default/grub'
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ # no ipv6.disable=arg is present, append it
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 ipv6\.disable=0"/' '/etc/default/grub'
|
|
|
dac76a |
+fi
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..85cc596ca8
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_etcdefaultgrub_recovery_disabled.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,22 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 7
|
|
|
dac76a |
+
|
|
|
dac76a |
+# Break the ipv6.disable argument in kernel command line in /etc/default/grub
|
|
|
dac76a |
+if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*ipv6\.disable=.*"' '/etc/default/grub' ; then
|
|
|
dac76a |
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 ipv6\.disable=0 \2/' '/etc/default/grub'
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ # no ipv6\.disable=arg is present, append it
|
|
|
dac76a |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 ipv6\.disable=0"/' '/etc/default/grub'
|
|
|
dac76a |
+fi
|
|
|
dac76a |
+
|
|
|
dac76a |
+# removing the parameter from the no recovery kernel parameters as well
|
|
|
dac76a |
+sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)ipv6\.disable=[^[:space:]]*\(.*"\)/\1 \2/' '/etc/default/grub'
|
|
|
dac76a |
+
|
|
|
dac76a |
+# disabling recovery
|
|
|
dac76a |
+sed -i 's/\(^.*GRUB_DISABLE_RECOVERY=\).*/\1true/' '/etc/default/grub'
|
|
|
dac76a |
+
|
|
|
dac76a |
+#if the line is not present at all, add it
|
|
|
dac76a |
+if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*$' '/etc/default/grub'; then
|
|
|
dac76a |
+ echo 'GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=0"' >> /etc/default/grub
|
|
|
dac76a |
+fi
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..a37b45c4ad
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel7.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,13 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 7
|
|
|
dac76a |
+
|
|
|
dac76a |
+# Break the ipv6.disable argument in kernel command line in /boot/grub2/grub.cfg
|
|
|
dac76a |
+file="/boot/grub2/grub.cfg"
|
|
|
dac76a |
+if grep -q '^.*ipv6\.disable=.*' "$file" ; then
|
|
|
dac76a |
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
|
|
|
dac76a |
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file"
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ # no ipv6.disable=arg is present, append it
|
|
|
dac76a |
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 ipv6\.disable=0/' "$file"
|
|
|
dac76a |
+fi
|
|
|
dac76a |
+
|
|
|
dac76a |
diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh
|
|
|
dac76a |
new file mode 100644
|
|
|
dac76a |
index 0000000000..db339c3534
|
|
|
dac76a |
--- /dev/null
|
|
|
dac76a |
+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/tests/wrong_value_rhel8.fail.sh
|
|
|
dac76a |
@@ -0,0 +1,12 @@
|
|
|
dac76a |
+#!/bin/bash
|
|
|
dac76a |
+# platform = Red Hat Enterprise Linux 8
|
|
|
dac76a |
+
|
|
|
dac76a |
+# Break the ipv6.disable argument in kernel command line in /boot/grub2/grubenv
|
|
|
dac76a |
+file="/boot/grub2/grubenv"
|
|
|
dac76a |
+if grep -q '^.*ipv6\.disable=.*' "$file" ; then
|
|
|
dac76a |
+ # modify the GRUB command-line if an ipv6.disable= arg already exists
|
|
|
dac76a |
+ sed -i 's/\(^.*\)ipv6\.disable=[^[:space:]]*\(.*\)/\1 ipv6\.disable=0 \2/' "$file"
|
|
|
dac76a |
+else
|
|
|
dac76a |
+ # no ipv6.disable=arg is present, append it
|
|
|
dac76a |
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 ipv6\.disable=0/' "$file"
|
|
|
dac76a |
+fi
|
|
|
dac76a |
|
|
|
dac76a |
From b55cda3227d9fdcc1eac91e3e4cd22aaf03e80c5 Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Tue, 31 Mar 2020 12:47:20 +0200
|
|
|
dac76a |
Subject: [PATCH 3/5] adjust cis profiles
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
rhel7/profiles/cis.profile | 2 +-
|
|
|
dac76a |
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
|
|
|
dac76a |
index 76506c9369..739ed27200 100644
|
|
|
dac76a |
--- a/rhel7/profiles/cis.profile
|
|
|
dac76a |
+++ b/rhel7/profiles/cis.profile
|
|
|
dac76a |
@@ -351,7 +351,7 @@ selections:
|
|
|
dac76a |
- sysctl_net_ipv6_conf_default_accept_redirects
|
|
|
dac76a |
|
|
|
dac76a |
### 3.3.3 Ensure IPv6 is disabled (Not Scored)
|
|
|
dac76a |
- - grub2_disable_ipv6
|
|
|
dac76a |
+ - grub2_ipv6_disable_argument
|
|
|
dac76a |
|
|
|
dac76a |
## 3.4 TCP Wrappers
|
|
|
dac76a |
### 3.4.1 Ensure TCP Wrappers is installed (Scored)
|
|
|
dac76a |
|
|
|
dac76a |
From 7421ab585ec1e0314298a2dbb6b0b181daf53bce Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Tue, 31 Mar 2020 16:04:27 +0200
|
|
|
dac76a |
Subject: [PATCH 4/5] add escaped dot only in arg_name_value
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
ssg/templates.py | 4 ++--
|
|
|
dac76a |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/ssg/templates.py b/ssg/templates.py
|
|
|
dac76a |
index 7e4264d0e2..ba6d8dc7fe 100644
|
|
|
dac76a |
--- a/ssg/templates.py
|
|
|
dac76a |
+++ b/ssg/templates.py
|
|
|
dac76a |
@@ -200,10 +200,10 @@ def file_permissions(data, lang):
|
|
|
dac76a |
|
|
|
dac76a |
@template(["ansible", "bash", "oval"])
|
|
|
dac76a |
def grub2_bootloader_argument(data, lang):
|
|
|
dac76a |
+ data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
|
|
|
dac76a |
if lang == "oval":
|
|
|
dac76a |
# solve the case where argument contains dot
|
|
|
dac76a |
- data["arg_name"].replace(".", "\\.")
|
|
|
dac76a |
- data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
|
|
|
dac76a |
+ data["arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
|
|
|
dac76a |
return data
|
|
|
dac76a |
|
|
|
dac76a |
|
|
|
dac76a |
|
|
|
dac76a |
From 3e41fffc62e50e771a2f410d43bd600c8e5849ee Mon Sep 17 00:00:00 2001
|
|
|
dac76a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
dac76a |
Date: Wed, 1 Apr 2020 11:58:11 +0200
|
|
|
dac76a |
Subject: [PATCH 5/5] make oval ids use _ instead of .
|
|
|
dac76a |
|
|
|
dac76a |
---
|
|
|
dac76a |
.../template_OVAL_grub2_bootloader_argument | 44 +++++++++----------
|
|
|
dac76a |
ssg/templates.py | 6 ++-
|
|
|
dac76a |
2 files changed, 26 insertions(+), 24 deletions(-)
|
|
|
dac76a |
|
|
|
dac76a |
diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument
|
|
|
dac76a |
index 132e676cc5..a18f85f5e8 100644
|
|
|
dac76a |
--- a/shared/templates/template_OVAL_grub2_bootloader_argument
|
|
|
dac76a |
+++ b/shared/templates/template_OVAL_grub2_bootloader_argument
|
|
|
dac76a |
@@ -7,61 +7,61 @@
|
|
|
dac76a |
</metadata>
|
|
|
dac76a |
<criteria operator="AND">
|
|
|
dac76a |
{{% if product in ["rhel7", "ol7", "rhv4"] %}}
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
comment="Check if {{{ ARG_NAME_VALUE }}} is present in the boot parameters in the /boot/grub2/grub.cfg for all kernels" />
|
|
|
dac76a |
<criteria operator="OR">
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX" />
|
|
|
dac76a |
<criteria operator="AND">
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" />
|
|
|
dac76a |
|
|
|
dac76a |
comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" />
|
|
|
dac76a |
</criteria>
|
|
|
dac76a |
</criteria>
|
|
|
dac76a |
{{% else %}}
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
comment="Check if {{{ ARG_NAME_VALUE }}} is present in the GRUB2 environment variable block in /boot/grub2/grubenv" />
|
|
|
dac76a |
{{% endif %}}
|
|
|
dac76a |
</criteria>
|
|
|
dac76a |
</definition>
|
|
|
dac76a |
|
|
|
dac76a |
{{% if product in ["rhel7", "ol7", "rhv4"] %}}
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX"
|
|
|
dac76a |
check="all" check_existence="all_exist" version="1">
|
|
|
dac76a |
- <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument" />
|
|
|
dac76a |
- <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
|
|
|
dac76a |
+ <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
|
|
|
dac76a |
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
|
|
|
dac76a |
</ind:textfilecontent54_test>
|
|
|
dac76a |
|
|
|
dac76a |
- <ind:textfilecontent54_object id="object_grub2_{{{ ARG_NAME }}}_argument" version="1">
|
|
|
dac76a |
+ <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" version="1">
|
|
|
dac76a |
<ind:filepath>/etc/default/grub</ind:filepath>
|
|
|
dac76a |
<ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
|
|
|
dac76a |
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
dac76a |
</ind:textfilecontent54_object>
|
|
|
dac76a |
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"
|
|
|
dac76a |
check="all" check_existence="all_exist" version="1">
|
|
|
dac76a |
- <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument_default" />
|
|
|
dac76a |
- <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
|
|
|
dac76a |
+ <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_default" />
|
|
|
dac76a |
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
|
|
|
dac76a |
</ind:textfilecontent54_test>
|
|
|
dac76a |
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
version="1">
|
|
|
dac76a |
<ind:filepath>/etc/default/grub</ind:filepath>
|
|
|
dac76a |
<ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
|
|
|
dac76a |
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
dac76a |
</ind:textfilecontent54_object>
|
|
|
dac76a |
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
comment="check kernel command line parameters for {{{ ARG_NAME_VALUE }}} in /boot/grub2/grub.cfg for all kernels"
|
|
|
dac76a |
check="all" check_existence="all_exist" version="1">
|
|
|
dac76a |
- <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument_grub_cfg" />
|
|
|
dac76a |
- <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
|
|
|
dac76a |
+ <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg" />
|
|
|
dac76a |
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
|
|
|
dac76a |
</ind:textfilecontent54_test>
|
|
|
dac76a |
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
version="1">
|
|
|
dac76a |
<ind:filepath>/boot/grub2/grub.cfg</ind:filepath>
|
|
|
dac76a |
{{% if product == "rhel7" %}}
|
|
|
dac76a |
@@ -74,14 +74,14 @@
|
|
|
dac76a |
|
|
|
dac76a |
{{% else %}}
|
|
|
dac76a |
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
comment="check forkernel command line parameters {{{ ARG_NAME_VALUE }}} in /boot/grub2/grubenv for all kernels"
|
|
|
dac76a |
check="all" check_existence="all_exist" version="1">
|
|
|
dac76a |
- <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument_grub_env" />
|
|
|
dac76a |
- <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
|
|
|
dac76a |
+ <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_env" />
|
|
|
dac76a |
+ <ind:state state_ref="state_grub2_{{{ SANITIZED_ARG_NAME }}}_argument" />
|
|
|
dac76a |
</ind:textfilecontent54_test>
|
|
|
dac76a |
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
version="1">
|
|
|
dac76a |
<ind:filepath>/boot/grub2/grubenv</ind:filepath>
|
|
|
dac76a |
<ind:pattern operation="pattern match">^kernelopts=(.*)$</ind:pattern>
|
|
|
dac76a |
@@ -90,9 +90,9 @@
|
|
|
dac76a |
|
|
|
dac76a |
{{% endif %}}
|
|
|
dac76a |
|
|
|
dac76a |
-
|
|
|
dac76a |
+
|
|
|
dac76a |
version="1">
|
|
|
dac76a |
- <ind:subexpression datatype="string" operation="pattern match">^.*{{{ ARG_NAME_VALUE }}}.*$</ind:subexpression>
|
|
|
dac76a |
+ <ind:subexpression datatype="string" operation="pattern match">^.*{{{ ESCAPED_ARG_NAME_VALUE }}}.*$</ind:subexpression>
|
|
|
dac76a |
</ind:textfilecontent54_state>
|
|
|
dac76a |
|
|
|
dac76a |
</def-group>
|
|
|
dac76a |
diff --git a/ssg/templates.py b/ssg/templates.py
|
|
|
dac76a |
index ba6d8dc7fe..3f12968b66 100644
|
|
|
dac76a |
--- a/ssg/templates.py
|
|
|
dac76a |
+++ b/ssg/templates.py
|
|
|
dac76a |
@@ -202,8 +202,10 @@ def file_permissions(data, lang):
|
|
|
dac76a |
def grub2_bootloader_argument(data, lang):
|
|
|
dac76a |
data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
|
|
|
dac76a |
if lang == "oval":
|
|
|
dac76a |
- # solve the case where argument contains dot
|
|
|
dac76a |
- data["arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
|
|
|
dac76a |
+ # escape dot, this is used in oval regex
|
|
|
dac76a |
+ data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
|
|
|
dac76a |
+ # replace . with _, this is used in test / object / state ids
|
|
|
dac76a |
+ data["sanitized_arg_name"] = data["arg_name"].replace(".", "_")
|
|
|
dac76a |
return data
|
|
|
dac76a |
|
|
|
dac76a |
|