Extend grub2_bootloader_argument_absent

Extend the template grub2_bootloader_argument_absent to make it work also for bootable containers. In bootable containers, the kernel build arguments are specified in TOML files in special directory `/usr/lib/bootc/kargs.d/`. For more details, please read: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_image_mode_for_rhel_to_build_deploy_and_manage_operating_systems/managing-kernel-arguments-in-bootc-systems#how-to-add-support-to-inject-kernel-arguments-with-bootc_managing-kernel-arguments-in-bootc-systems
ComplianceAsCode · Dec 3, 2024 · 08609ba · 08609ba
1 parent 26a9cb7
commit 08609ba
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template
@@ -3,4 +3,8 @@
    See the OVAL template for more comments.
    Product-specific categorization should be synced across all template content types
 -#}}
+if {{{ bash_bootc_build() }}} ; then
+    sed -i -E '/kargs\s+=\s+\["{{{ ARG_NAME }}}.*"\]/d' /usr/lib/bootc/kargs.d/*.toml
+else
 {{{ grub2_bootloader_argument_absent_remediation(ARG_NAME) }}}
+fi
diff --git a/shared/templates/grub2_bootloader_argument_absent/oval.template b/shared/templates/grub2_bootloader_argument_absent/oval.template
@@ -32,6 +32,7 @@
 <def-group>
   <definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
     {{{ oval_metadata("Ensure " + ARG_NAME + " is not set in the kernel line in /etc/default/grub.") }}}
+    <criteria operator="OR">
     <criteria operator="AND">
       {{% if system_with_kernel_options_in_grubenv -%}}
       {{% if system_with_bios_and_uefi_support -%}}
@@ -77,6 +78,13 @@
         </criteria>
       {{%- endif %}}
     </criteria>
+    {{% if bootable_containers_supported == "true" %}}
+      <criteria operator="AND">
+        <extend_definition comment="The system is RHEL Image Mode" definition_ref="bootc" />
+        <criterion comment="The {{{ ARG_NAME }}} is not present in the /usr/lib/bootc/kargs.d/*.toml files"  test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_usr_lib_bootc_kargs_d_absent" />
+      </criteria>
+    {{% endif %}}
+    </criteria>
   </definition>
 
 {{%- if system_with_kernel_options_in_etc_default_grub %}}
@@ -174,4 +182,17 @@
 {{%- endif %}}
 {{%- endif %}}
 
+{{% if bootable_containers_supported == "true" %}}
+  <ind:textfilecontent54_test id="test_grub2_{{{ SANITIZED_ARG_NAME }}}_usr_lib_bootc_kargs_d_absent"
+                              comment="check kernel command line parameters for {{{ ARG_NAME }}}"
+                              check="at least one" check_existence="none_exist" version="1">
+    <ind:object object_ref="object_grub2_{{{ SANITIZED_ARG_NAME }}}_usr_lib_bootc_kargs_d_absent" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_{{{ SANITIZED_ARG_NAME }}}_usr_lib_bootc_kargs_d_absent" version="1">
+    <ind:path>/usr/lib/bootc/kargs.d/</ind:path>
+    <ind:filename operation="pattern match">^.*\.toml$</ind:filename>
+    <ind:pattern operation="pattern match">^kargs = \["{{{ ARG_NAME }}}.*"\]$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endif %}}
 </def-group>