Merge pull request #12653 from jan-cerny/kargs

Adjust bootloader argument rules to work in bootable containers

linux_os/guide/system/bootloader-grub2/group.yml

@@ -15,4 +15,4 @@ description: |-
     with a password and ensure its configuration file's permissions
     are set properly.
 
-platform: grub2
+platform: grub2 and system_with_kernel

linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml

@@ -41,5 +41,3 @@ fixtext: |-
     Then, run the following command:
 
     $ sudo {{{ grub_command("update") }}}
-
-platform: grub2

linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml

@@ -20,7 +20,6 @@ identifiers:
     cce@sle12: CCE-91532-2
     cce@sle15: CCE-91217-0
 
-platform: machine
 
 ocil_clause: 'I/OMMU is not activated'
 

linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml

@@ -24,7 +24,6 @@ ocil_clause: 'the kernel is not configured to zero out memory before allocation'
 ocil: |-
     {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml

@@ -46,7 +46,6 @@ ocil: |-
     the kernel, check that the option is configured through boot parameter.
     {{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml

@@ -36,7 +36,6 @@ ocil_clause: 'l1tf mitigations are not configured appropriately'
 ocil: |-
     {{{ ocil_grub2_argument("l1tf=" + xccdf_value("var_l1tf_options")) | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml

@@ -29,7 +29,6 @@ ocil_clause: 'MCE tolerance is not set to zero'
 ocil: |-
     {{{ ocil_grub2_argument("mce=0") | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml

@@ -47,7 +47,6 @@ ocil_clause: 'MDS mitigations are not configured appropriately'
 ocil: |-
     {{{ ocil_grub2_argument("mds=" + xccdf_value(var_mds_options)) | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml

@@ -9,6 +9,8 @@ description: |-
 
     The mitigations must not be set to "off".
 
+    {{{ describe_grub2_argument_absent("mitigations=off") | indent(4) }}}
+
 rationale: |-
     Hardware vulnerabilities allow programs to steal data that is currently processed on the
     computer. While programs are typically not permitted to read data from other programs, a
@@ -24,7 +26,6 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol8: OL08-00-010424
 
-platform: grub2
 
 ocil_clause: 'mitigations is set to off'
 

linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml

@@ -10,10 +10,7 @@ description: |-
     Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by
     the <tt>nosmap</tt> boot paramenter option.
 
-    Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
-    doesn't contain the argument <tt>nosmap</tt>.
-    Run the following command to update command line for already installed kernels:
-    <pre># grubby --update-kernel=ALL --remove-args="nosmap"</pre>
+    {{{ describe_grub2_argument_absent("nosmap") | indent(4) }}}
 
 rationale: |-
     Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and
@@ -34,7 +31,6 @@ ocil: |-
     <pre>grep -q nosmap /boot/config-`uname -r`</pre>
     If the command returns a line, it means that SMAP is being disabled.
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument_absent

linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml

@@ -10,10 +10,7 @@ description: |-
     Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
     the <tt>nosmep</tt> boot paramenter option.
 
-    Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
-    doesn't contain the argument <tt>nosmep</tt>.
-    Run the following command to update command line for already installed kernels:
-    <pre># grubby --update-kernel=ALL --remove-args="nosmep"</pre>
+    {{{ describe_grub2_argument_absent("nosmep") | indent(4) }}}
 
 rationale: |-
     Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
@@ -34,7 +31,6 @@ ocil: |-
     <pre>grep -q nosmep /boot/config-`uname -r`</pre>
     If the command returns a line, it means that SMEP is being disabled.
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument_absent

linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml

@@ -31,7 +31,6 @@ ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
 ocil: |-
     {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml

@@ -34,7 +34,6 @@ ocil_clause: 'Kernel page-table isolation is not enabled'
 ocil: |-
     {{{ ocil_grub2_argument("pti=on") | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml

@@ -37,7 +37,6 @@ ocil_clause: 'trust on hardware random number generator is not configured approp
 ocil: |-
     {{{ ocil_grub2_argument("rng_core.default_quality=" + xccdf_value("var_rng_core_default_quality")) | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml

@@ -35,7 +35,6 @@ ocil_clause: 'merging of slabs with similar size is enabled'
 ocil: |-
     {{{ ocil_grub2_argument("slab_nomerge=yes") | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml

@@ -39,7 +39,6 @@ ocil_clause: 'SSB is not configured appropriately'
 ocil: |-
     {{{ ocil_grub2_argument("spec_store_bypass_disable=" + xccdf_value("var_spec_store_bypass_disable_options")) | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml

@@ -32,7 +32,6 @@ ocil_clause: 'spectre_v2 mitigation is not enforced'
 ocil: |-
     {{{ ocil_grub2_argument("spectre_v2=on") | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml

@@ -13,12 +13,10 @@ description: |-
     By default, the <tt>debug-shell</tt> systemd service is already disabled.
 
     Ensure the debug-shell is not enabled by the <tt>systemd.debug-shel=1</tt>
-    boot paramenter option.
+    boot parameter option.
+
+    {{{ describe_grub2_argument_absent("systemd.debug-shell")  | indent(4) }}}
 
-    Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
-    doesn't contain the argument <tt>systemd.debug-shell=1</tt>.
-    Run the following command to update command line for already installed kernels:
-    <pre># grubby --update-kernel=ALL --remove-args="systemd.debug-shell"</pre>
 
 rationale: |-
     This prevents attackers with physical access from trivially bypassing security
@@ -44,7 +42,6 @@ ocil: |-
 fixtext: |-
     {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}}
 
-platform: machine
 
 template:
     name: grub2_bootloader_argument_absent

linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml

@@ -33,7 +33,7 @@ ocil_clause: 'vsyscalls are enabled'
 ocil: |-
     {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}}
 
-platform: machine and x86_64_arch
+platform: x86_64_arch
 
 template:
     name: grub2_bootloader_argument

linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml

@@ -50,7 +50,6 @@ fixtext: '{{{ fixtext_file_group_owner(grub2_boot_path ~ "/grub.cfg", "root") }}
 
 srg_requirement: '{{{ srg_requirement_file_group_owner(grub2_boot_path ~ "/grub.cfg", "root") }}}'
 
-platform: system_with_kernel
 
 template:
     name: file_groupowner

linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml

@@ -44,7 +44,6 @@ fixtext: '{{{ fixtext_file_group_owner(grub2_boot_path ~ "/user.cfg", "root") }}
 
 srg_requirement: '{{{ srg_requirement_file_group_owner(grub2_boot_path ~ "/user.cfg", "root") }}}'
 
-platform: machine
 
 template:
     name: file_groupowner

linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml

@@ -46,7 +46,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/grub.cfg", own
 ocil: |-
     {{{ ocil_file_owner(file=grub2_boot_path ~ "/grub.cfg", owner="root") }}}
 
-platform: system_with_kernel
 
 template:
     name: file_owner

linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml

@@ -39,7 +39,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/user.cfg", own
 ocil: |-
     {{{ ocil_file_owner(file=grub2_boot_path ~ "/user.cfg", owner="root") }}}
 
-platform: machine
 
 template:
     name: file_owner

linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml

@@ -46,7 +46,6 @@ ocil: |-
     If properly configured, the output should indicate the following
     permissions: <tt>-rw-------</tt>
 
-platform: system_with_kernel
 
 template:
     name: file_permissions

linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml

@@ -35,7 +35,6 @@ ocil_clause: '{{{ ocil_clause_file_permissions(file=grub2_boot_path ~ "/user.cfg
 ocil: |-
     {{{ ocil_file_permissions(file=grub2_boot_path ~ "/user.cfg", perms="-rw-------") }}}
 
-platform: machine
 
 template:
     name: file_permissions

linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml

@@ -68,7 +68,6 @@ warnings:
         Also, do NOT manually add the superuser account and password to the
         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
 
-platform: machine
 
 fixtext: |-
     Configure {{{ full_name }}} to have a unique username for the grub superuser account.

linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml

@@ -38,4 +38,3 @@ ocil: |-
     media which should not exist in the lines:
     <pre>set root='hd0,msdos1'</pre>
 
-platform: machine

linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml

@@ -92,7 +92,6 @@ warnings:
         Also, do NOT manually add the superuser account and password to the
         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
 
-platform: machine
 
 fixtext: |-
     Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account.

linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml

@@ -51,4 +51,3 @@ warnings:
         Also, do NOT manually add the superuser account and password to the
         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
 
-platform: system_with_kernel

linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml

@@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file=grub2_uefi_boot_path ~ "/gru
 ocil: |-
     {{{ ocil_file_group_owner(file=grub2_uefi_boot_path ~ "/grub.cfg", group="root") }}}
 
-platform: machine
 
 template:
     name: file_groupowner

linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml

@@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file=grub2_uefi_boot_path ~ "/use
 ocil: |-
     {{{ ocil_file_group_owner(file=grub2_uefi_boot_path ~ "/user.cfg", group="root") }}}
 
-platform: machine
 
 template:
     name: file_groupowner

linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml

@@ -36,7 +36,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_uefi_boot_path ~ "/grub.cfg"
 ocil: |-
     {{{ ocil_file_owner(file=grub2_uefi_boot_path ~ "/grub.cfg", owner="root") }}}
 
-platform: machine
 
 template:
     name: file_owner

linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml

@@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_uefi_boot_path ~ "/user.cfg"
 ocil: |-
     {{{ ocil_file_owner(file=grub2_uefi_boot_path ~ "/user.cfg", owner="root") }}}
 
-platform: machine
 
 template:
     name: file_owner

linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml

@@ -38,7 +38,6 @@ ocil: |-
     If properly configured, the output should indicate the following
     permissions: <tt>-rwx------</tt>
 
-platform: machine
 
 template:
     name: file_permissions

linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml

@@ -35,7 +35,6 @@ ocil_clause: '{{{ ocil_clause_file_permissions(file=grub2_uefi_boot_path ~ "/use
 ocil: |-
     {{{ ocil_file_permissions(file=grub2_uefi_boot_path ~ "/user.cfg", perms="-rw-------") }}}
 
-platform: machine
 
 template:
     name: file_permissions

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml

@@ -69,7 +69,6 @@ warnings:
         Also, do NOT manually add the superuser account and password to the
         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
 
-platform: machine
 
 fixtext: |-
     Configure {{{ full_name }}} to have a unique username for the grub superuser account.

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml

@@ -93,7 +93,6 @@ warnings:
         Also, do NOT manually add the superuser account and password to the
         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
 
-platform: system_with_kernel
 
 fixtext: |-
     Configure {{{ full_name }}} to use a secure UEFI boot loader password.

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml

@@ -50,4 +50,3 @@ warnings:
         Also, do NOT manually add the superuser account and password to the
         <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
 
-platform: machine

linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml

@@ -38,4 +38,3 @@ ocil: |-
     media which should not exist in the lines:
     <pre>set root='hd0,msdos1'</pre>
 
-platform: machine

products/rhel10/product.yml

@@ -21,6 +21,7 @@ init_system: "systemd"
 # EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig
 
 sshd_distributed_config: "true"
+bootable_containers_supported: "true"
 
 dconf_gdm_dir: "distro.d"
 

products/rhel9/product.yml

@@ -25,6 +25,7 @@ groups:
     name: ssh_keys
 
 sshd_distributed_config: "true"
+bootable_containers_supported: "true"
 
 dconf_gdm_dir: "distro.d"
 

shared/checks/oval/bootc.xml

@@ -0,0 +1,13 @@
+<def-group>
+  <definition class="inventory" id="bootc" version="1">
+    {{{ oval_metadata("Bootable container or bootc system", affected_platforms=["multi_platform_all"]) }}}
+    <criteria operator="AND">
+      <criterion comment="kernel is installed" test_ref="bootc_platform_test_kernel_installed" />
+      <criterion comment="rpm-ostree is installed" test_ref="bootc_platform_test_rpm_ostree_installed" />
+      <criterion comment="bootc is installed" test_ref="bootc_platform_test_bootc_installed" />
+    </criteria>
+  </definition>
+{{{ oval_test_package_installed(package="kernel", test_id="bootc_platform_test_kernel_installed") }}}
+{{{ oval_test_package_installed(package="rpm-ostree", test_id="bootc_platform_test_rpm_ostree_installed") }}}
+{{{ oval_test_package_installed(package="bootc", test_id="bootc_platform_test_bootc_installed") }}}
+</def-group>