diff --git a/linux_os/guide/system/bootloader-grub2/group.yml b/linux_os/guide/system/bootloader-grub2/group.yml index 4ffb40c0e8c..d1b4a3e3389 100644 --- a/linux_os/guide/system/bootloader-grub2/group.yml +++ b/linux_os/guide/system/bootloader-grub2/group.yml @@ -15,4 +15,4 @@ description: |- with a password and ensure its configuration file's permissions are set properly. -platform: grub2 +platform: grub2 and system_with_kernel diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml index 6919ef54873..e8878c4cd45 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml @@ -41,5 +41,3 @@ fixtext: |- Then, run the following command: $ sudo {{{ grub_command("update") }}} - -platform: grub2 diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml index 84d077c730a..41ee2618721 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml @@ -20,7 +20,6 @@ identifiers: cce@sle12: CCE-91532-2 cce@sle15: CCE-91217-0 -platform: machine ocil_clause: 'I/OMMU is not activated' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml index 09418dce6ce..2e721d99c54 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml @@ -24,7 +24,6 @@ ocil_clause: 'the kernel is not configured to zero out memory before allocation' ocil: |- {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml index 1abeb706b4f..3d6b750d92f 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml @@ -46,7 +46,6 @@ ocil: |- the kernel, check that the option is configured through boot parameter. {{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml index c2294d46d55..8776d5bf328 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml @@ -36,7 +36,6 @@ ocil_clause: 'l1tf mitigations are not configured appropriately' ocil: |- {{{ ocil_grub2_argument("l1tf=" + xccdf_value("var_l1tf_options")) | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml index 1878c63fa04..b9d0db90b0f 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml @@ -29,7 +29,6 @@ ocil_clause: 'MCE tolerance is not set to zero' ocil: |- {{{ ocil_grub2_argument("mce=0") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml index e9d37a1d3c1..6e24c5e5e07 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml 
+++ b/linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml @@ -47,7 +47,6 @@ ocil_clause: 'MDS mitigations are not configured appropriately' ocil: |- {{{ ocil_grub2_argument("mds=" + xccdf_value(var_mds_options)) | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml index 08f237cce8c..78d2204659c 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_mitigation_argument/rule.yml @@ -9,6 +9,8 @@ description: |- The mitigations must not be set to "off". + {{{ describe_grub2_argument_absent("mitigations=off") | indent(4) }}} + rationale: |- Hardware vulnerabilities allow programs to steal data that is currently processed on the computer. While programs are typically not permitted to read data from other programs, a @@ -24,7 +26,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-010424 -platform: grub2 ocil_clause: 'mitigations is set to off' diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml index db1fdff2117..f54daaf2b3e 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmap_argument_absent/rule.yml @@ -10,10 +10,7 @@ description: |- Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by the nosmap boot paramenter option. - Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub - doesn't contain the argument nosmap. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="nosmap"
+ {{{ describe_grub2_argument_absent("nosmap") | indent(4) }}} rationale: |- Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and @@ -34,7 +31,6 @@ ocil: |-
grep -q nosmap /boot/config-`uname -r`
If the command returns a line, it means that SMAP is being disabled. -platform: machine template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml index 3bdd52aa725..fd643ee7192 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_nosmep_argument_absent/rule.yml @@ -10,10 +10,7 @@ description: |- Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by the nosmep boot paramenter option. - Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub - doesn't contain the argument nosmep. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="nosmep"
+ {{{ describe_grub2_argument_absent("nosmep") | indent(4) }}} rationale: |- Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows @@ -34,7 +31,6 @@ ocil: |-
grep -q nosmep /boot/config-`uname -r`
If the command returns a line, it means that SMEP is being disabled. -platform: machine template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml index e483044c000..f94c8556847 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml @@ -31,7 +31,6 @@ ocil_clause: 'randomization of the page allocator is not enabled in the kernel' ocil: |- {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml index eeaf319fadb..43ac06be3c1 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml @@ -34,7 +34,6 @@ ocil_clause: 'Kernel page-table isolation is not enabled' ocil: |- {{{ ocil_grub2_argument("pti=on") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml index 7d8006c8bfb..ed4f2ce3dfc 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml @@ -37,7 +37,6 @@ ocil_clause: 'trust on hardware random number generator is not configured approp ocil: |- {{{ ocil_grub2_argument("rng_core.default_quality=" + xccdf_value("var_rng_core_default_quality")) | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml index fc87c9c677b..bc977ab55fa 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml @@ -35,7 +35,6 @@ ocil_clause: 'merging of slabs with similar size is enabled' ocil: |- {{{ ocil_grub2_argument("slab_nomerge=yes") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml index c5a8bf55a47..31e883c710e 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml @@ -39,7 +39,6 @@ ocil_clause: 'SSB is not configured appropriately' ocil: |- {{{ ocil_grub2_argument("spec_store_bypass_disable=" + xccdf_value("var_spec_store_bypass_disable_options")) | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml index 30fac26201b..6d449bf5d21 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml @@ -32,7 +32,6 @@ ocil_clause: 'spectre_v2 mitigation is not enforced' ocil: |- {{{ ocil_grub2_argument("spectre_v2=on") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument 
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml index 55d8e0e7f64..5649cb56a45 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_systemd_debug-shell_argument_absent/rule.yml @@ -13,12 +13,10 @@ description: |- By default, the debug-shell systemd service is already disabled. Ensure the debug-shell is not enabled by the systemd.debug-shel=1 - boot paramenter option. + boot parameter option. + + {{{ describe_grub2_argument_absent("systemd.debug-shell") | indent(4) }}} - Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub - doesn't contain the argument systemd.debug-shell=1. - Run the following command to update command line for already installed kernels: -
# grubby --update-kernel=ALL --remove-args="systemd.debug-shell"
rationale: |- This prevents attackers with physical access from trivially bypassing security @@ -44,7 +42,6 @@ ocil: |- fixtext: |- {{{ fixtext_grub2_bootloader_argument_absent("debug-shell") | indent(4) }}} -platform: machine template: name: grub2_bootloader_argument_absent diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml index 3e1e837c8f2..28da623cf90 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml @@ -33,7 +33,7 @@ ocil_clause: 'vsyscalls are enabled' ocil: |- {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}} -platform: machine and x86_64_arch +platform: x86_64_arch template: name: grub2_bootloader_argument diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml index 5c9a0b07154..fea605a8699 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_grub2_cfg/rule.yml @@ -50,7 +50,6 @@ fixtext: '{{{ fixtext_file_group_owner(grub2_boot_path ~ "/grub.cfg", "root") }} srg_requirement: '{{{ srg_requirement_file_group_owner(grub2_boot_path ~ "/grub.cfg", "root") }}}' -platform: system_with_kernel template: name: file_groupowner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml index 9dac1e38944..038ae369e6e 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_groupowner_user_cfg/rule.yml 
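Review bot: The fixtext in the second hunk still passes `"debug-shell"` to `fixtext_grub2_bootloader_argument_absent`, while the new description line in the first hunk talks about removing `systemd.debug-shell`; if that macro feeds its argument to `grubby --remove-args` the way `describe_grub2_argument_absent` does, the documented fix would not strip `systemd.debug-shell=1` from the command line. Suggest `{{{ fixtext_grub2_bootloader_argument_absent("systemd.debug-shell") | indent(4) }}}` so description, fix text and the template's arg_name all name the same kernel parameter. The rule's `template:` section continues outside the hunk, so I can't confirm which name the check itself uses.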
@@ -44,7 +44,6 @@ fixtext: '{{{ fixtext_file_group_owner(grub2_boot_path ~ "/user.cfg", "root") }} srg_requirement: '{{{ srg_requirement_file_group_owner(grub2_boot_path ~ "/user.cfg", "root") }}}' -platform: machine template: name: file_groupowner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml index 0e797faaadd..2bbb3449f7e 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_grub2_cfg/rule.yml @@ -46,7 +46,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/grub.cfg", own ocil: |- {{{ ocil_file_owner(file=grub2_boot_path ~ "/grub.cfg", owner="root") }}} -platform: system_with_kernel template: name: file_owner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml index 85899b1ee9f..9d55b3ded1e 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_owner_user_cfg/rule.yml @@ -39,7 +39,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/user.cfg", own ocil: |- {{{ ocil_file_owner(file=grub2_boot_path ~ "/user.cfg", owner="root") }}} -platform: machine template: name: file_owner diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml index 08a379d1712..9bd39315826 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_grub2_cfg/rule.yml 
@@ -46,7 +46,6 @@ ocil: |- If properly configured, the output should indicate the following permissions: -rw------- -platform: system_with_kernel template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml index b8258f5e9f3..55653bd8c6d 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/file_permissions_user_cfg/rule.yml @@ -35,7 +35,6 @@ ocil_clause: '{{{ ocil_clause_file_permissions(file=grub2_boot_path ~ "/user.cfg ocil: |- {{{ ocil_file_permissions(file=grub2_boot_path ~ "/user.cfg", perms="-rw-------") }}} -platform: machine template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml index c476ddec3f4..9f8cc264b95 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml @@ -68,7 +68,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine fixtext: |- Configure {{{ full_name }}} to have a unique username for the grub superuser account. diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml index eabe7356e79..114cfd9340f 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml @@ -38,4 +38,3 @@ ocil: |- media which should not exist in the lines:
set root='hd0,msdos1'
-platform: machine diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml index bb7ceedc8f8..a2b97c4ee57 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml @@ -92,7 +92,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine fixtext: |- Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account. diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml index e492a98fa3f..b4f144c18b4 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password_legacy/rule.yml @@ -51,4 +51,3 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: system_with_kernel diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml index 1b18ddff95a..2cde2a0533e 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_grub2_cfg/rule.yml @@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file=grub2_uefi_boot_path ~ "/gru ocil: |- {{{ ocil_file_group_owner(file=grub2_uefi_boot_path ~ "/grub.cfg", group="root") }}} -platform: machine template: name: file_groupowner 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml index 55e0ccb1334..bea3273644f 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_groupowner_efi_user_cfg/rule.yml @@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_group_owner(file=grub2_uefi_boot_path ~ "/use ocil: |- {{{ ocil_file_group_owner(file=grub2_uefi_boot_path ~ "/user.cfg", group="root") }}} -platform: machine template: name: file_groupowner diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml index 63e6683341b..acbf05579a4 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_grub2_cfg/rule.yml @@ -36,7 +36,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_uefi_boot_path ~ "/grub.cfg" ocil: |- {{{ ocil_file_owner(file=grub2_uefi_boot_path ~ "/grub.cfg", owner="root") }}} -platform: machine template: name: file_owner diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml index 4c154afd3d2..ff55a8112e1 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_owner_efi_user_cfg/rule.yml @@ -38,7 +38,6 @@ ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_uefi_boot_path ~ "/user.cfg" ocil: |- {{{ ocil_file_owner(file=grub2_uefi_boot_path ~ "/user.cfg", owner="root") }}} -platform: machine template: name: file_owner 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml index e6c401a43c9..16acb38ae7a 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml @@ -38,7 +38,6 @@ ocil: |- If properly configured, the output should indicate the following permissions: -rwx------ -platform: machine template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml index 1254dfbaade..6112e68f8b0 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_user_cfg/rule.yml @@ -35,7 +35,6 @@ ocil_clause: '{{{ ocil_clause_file_permissions(file=grub2_uefi_boot_path ~ "/use ocil: |- {{{ ocil_file_permissions(file=grub2_uefi_boot_path ~ "/user.cfg", perms="-rw-------") }}} -platform: machine template: name: file_permissions diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index bd64b621f10..83be376b8dc 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml @@ -69,7 +69,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine fixtext: |- Configure {{{ full_name }}} to have a unique username for the grub superuser account. 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml index 4cf5ee4725c..831aa6ec3dd 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -93,7 +93,6 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: system_with_kernel fixtext: |- Configure {{{ full_name }}} to use a secure UEFI boot loader password. diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml index 8014fa95781..75218ef36d3 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password_legacy/rule.yml @@ -50,4 +50,3 @@ warnings: Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. -platform: machine diff --git a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml index 059e63db720..f03bda5d61f 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml @@ -38,4 +38,3 @@ ocil: |- media which should not exist in the lines:
set root='hd0,msdos1'
-platform: machine diff --git a/products/rhel10/product.yml b/products/rhel10/product.yml index c0aa8a3d56e..6104f9d2e22 100644 --- a/products/rhel10/product.yml +++ b/products/rhel10/product.yml @@ -21,6 +21,7 @@ init_system: "systemd" # EFI and non-EFI configs are stored in same path, see https://fedoraproject.org/wiki/Changes/UnifyGrubConfig sshd_distributed_config: "true" +bootable_containers_supported: "true" dconf_gdm_dir: "distro.d" diff --git a/products/rhel9/product.yml b/products/rhel9/product.yml index 30cbdeb0c22..eb0c0ac15ae 100644 --- a/products/rhel9/product.yml +++ b/products/rhel9/product.yml @@ -25,6 +25,7 @@ groups: name: ssh_keys sshd_distributed_config: "true" +bootable_containers_supported: "true" dconf_gdm_dir: "distro.d" diff --git a/shared/checks/oval/bootc.xml b/shared/checks/oval/bootc.xml new file mode 100644 index 00000000000..c42129ba964 --- /dev/null +++ b/shared/checks/oval/bootc.xml @@ -0,0 +1,13 @@ + + + {{{ oval_metadata("Bootable container or bootc system", affected_platforms=["multi_platform_all"]) }}} + + + + + + +{{{ oval_test_package_installed(package="kernel", test_id="bootc_platform_test_kernel_installed") }}} +{{{ oval_test_package_installed(package="rpm-ostree", test_id="bootc_platform_test_rpm_ostree_installed") }}} +{{{ oval_test_package_installed(package="bootc", test_id="bootc_platform_test_bootc_installed") }}} + diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index 4089d4d8707..22787371dea 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja @@ -1069,8 +1069,34 @@ Run the following command to update command line for already installed kernels: Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}} as follows:
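Review bot: The new bootc platform definition decides which configuration source every rule in this group evaluates (kargs.d instead of grub.cfg/grubenv), yet it is keyed on package presence alone — `kernel`, `rpm-ostree` and `bootc` installed — and the criteria operator combining the three tests is not visible in this rendering. Package presence does not establish that the host was actually booted from a bootable container image, so a conventional system that happens to carry these rpms would have its real GRUB configuration skipped and could pass every hardening argument on an empty kargs.d, a false negative for the whole group. Consider adding a runtime signal to the criteria, e.g. an OVAL file test for `/run/ostree-booted`, and state in the `oval_metadata` description which combination is meant to identify a bootc host.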
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ arg_name_value }}}"
{{%- endif -%}} +{{% if bootable_containers_supported == "true" %}} +If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the following method needs to be used instead. +The kernel arguments should be set in /usr/lib/bootc/kargs.d in a TOML file that has the following form: +
+# /usr/lib/bootc/kargs.d/10-example.toml
+kargs = ["{{{ arg_name_value }}}"]
+
+For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}. +{{%- endif -%}} {{%- endmacro -%}} +{{# + Describe how to remove a kernel argument from Grub2 default kernel command line. + +:param arg_name: The kernel parameter name +:type arg_name: str +#}} +{{%- macro describe_grub2_argument_absent(arg_name) -%}} +Check that the line
GRUB_CMDLINE_LINUX="..."
within /etc/default/grub +doesn't contain the argument {{{ arg_name }}}. +Run the following command to update command line for already installed kernels: +
# grubby --update-kernel=ALL --remove-args="{{{ arg_name }}}"
+{{% if bootable_containers_supported == "true" %}} +If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the kernel arguments should be configured using TOML files located in the /usr/lib/bootc/kargs.d directory. +Remove all occurences of {{{ arg_name }}} from all files in /usr/lib/bootc/kargs.d. +For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}. +{{%- endif -%}} +{{%- endmacro -%}} {{# Describe how to check a kernel compile parameter diff --git a/shared/templates/grub2_bootloader_argument/bash.template b/shared/templates/grub2_bootloader_argument/bash.template index 3a60d19bdcc..484a7165d62 100644 --- a/shared/templates/grub2_bootloader_argument/bash.template +++ b/shared/templates/grub2_bootloader_argument/bash.template @@ -3,9 +3,22 @@ See the OVAL template for more comments. Product-specific categorization should be synced across all template content types -#}} + {{%- if ARG_VARIABLE %}} {{{- bash_instantiate_variables(ARG_VARIABLE) }}} {{%- set ARG_NAME_VALUE= ARG_NAME ~ "=$" ~ ARG_VARIABLE %}} -{{%- endif %}} +expected_value="${{{ ARG_VARIABLE }}}" +{{% else %}} +expected_value="{{{ ARG_VALUE }}}" +{{% endif %}} -{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) }}} +if {{{ bash_bootc_build() }}} ; then + KARGS_DIR="/usr/lib/bootc/kargs.d/" + if grep -q -E "{{{ ARG_NAME }}}" "$KARGS_DIR/*.toml" ; then + sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}=[^\"]*\"(.*]\s*)/\1\"{{{ ARG_NAME }}}=$expected_value\"\2/" "$KARGS_DIR/*.toml" + else + echo "kargs = [\"{{{ ARG_NAME }}}=$expected_value\"]" >> "$KARGS_DIR/10-{{{ SANITIZED_ARG_NAME }}}.toml" + fi +else +{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) | indent(4) }}} +fi 
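Review bot: `occurences` in `describe_grub2_argument_absent` should read `occurrences`, and both macros tell the reader to edit `/usr/lib/bootc/kargs.d` on the running system even though `/usr` is normally read-only on a booted bootc host and the linked bootc documentation describes kargs.d as image build-time content. Suggest wording along the lines of `If the system is distributed as a bootable container image, kernel arguments are set when the image is built: add a TOML file to /usr/lib/bootc/kargs.d in the container image and redeploy, e.g.` before the example. The absent macro also gives no concrete command for the bootc case while the GRUB case has one; a `grep -l "{{{ arg_name }}}" /usr/lib/bootc/kargs.d/*.toml` hint would show the reader which files to fix.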
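Review bot: The glob in `"$KARGS_DIR/*.toml"` is inside double quotes, so grep and sed are handed the literal file name `/usr/lib/bootc/kargs.d//*.toml`; grep never matches, the sed branch is dead code, and every run falls through to the `>>` append, which re-adds a `kargs` key to `10-<arg>.toml` on each remediation and yields an invalid TOML file with duplicate keys. `{{{ ARG_NAME }}}` is also used unescaped as a regex (dotted names such as `page_alloc.shuffle` match any character) while `template.py` already computes `escaped_arg_name`, and the grep matches the name anywhere in the file, including comments, rather than inside a `kargs` array. The rewrite below unquotes the glob, anchors the grep on a `kargs` element, uses `ESCAPED_ARG_NAME`, and creates the directory before writing; if a variable value may contain `/` or `&`, the sed delimiter should be changed as well.

```shell
if {{{ bash_bootc_build() }}} ; then
    KARGS_DIR="/usr/lib/bootc/kargs.d"
    mkdir -p "$KARGS_DIR"
    # Unquoted glob so the shell expands it; ESCAPED_ARG_NAME keeps dots literal in the regex.
    if grep -q -E "^\s*kargs\s*=.*\"{{{ ESCAPED_ARG_NAME }}}=[^\"]*\"" "$KARGS_DIR"/*.toml 2>/dev/null ; then
        sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ESCAPED_ARG_NAME }}}=[^\"]*\"(.*]\s*)/\1\"{{{ ARG_NAME }}}=$expected_value\"\2/" "$KARGS_DIR"/*.toml
    else
        echo "kargs = [\"{{{ ARG_NAME }}}=$expected_value\"]" >> "$KARGS_DIR/10-{{{ SANITIZED_ARG_NAME }}}.toml"
    fi
else
# … unchanged: grub2_bootloader_argument_remediation branch …
```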
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template index 7da54a99f1b..eaf78a6bf62 100644 --- a/shared/templates/grub2_bootloader_argument/oval.template +++ b/shared/templates/grub2_bootloader_argument/oval.template @@ -33,11 +33,14 @@ {{% set system_with_bios_and_uefi_support = true %}} {{%- endif -%}} - {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}} + + {{% if bootable_containers_supported == "true" %}} + + {{% endif %}} {{% if system_with_expanded_kernel_options_in_loader_entries_or_with_options_in_grubenv %}} @@ -109,6 +112,13 @@ {{%- endif %}} + {{% if bootable_containers_supported == "true" %}} + + + + + {{% endif %}} + {{% if system_with_expanded_kernel_options_in_loader_entries_or_with_options_in_grubenv %}} @@ -307,4 +317,46 @@ {{% endif %}} +{{% if bootable_containers_supported == "true" %}} + + + + + + /usr/lib/bootc/kargs.d/ + ^.*\.toml$ + ^kargs = \[([^\]]+)\]$ + 1 + +{{% if ARG_VALUE %}} + + ^.*"{{{ ESCAPED_ARG_NAME_VALUE }}}".*$ + +{{% else %}} + + + + + + + ^.*"{{{ ARG_NAME }}}= + {{% if IS_SUBSTRING == "true" %}} + \S* + {{% endif %}} + + {{% if IS_SUBSTRING == "true" %}} + \S* + {{% endif %}} + ".*$ + + + + +{{% endif %}} +{{% endif %}} + diff --git a/shared/templates/grub2_bootloader_argument/template.py b/shared/templates/grub2_bootloader_argument/template.py index 9189d1dc543..af42a9007ec 100644 --- a/shared/templates/grub2_bootloader_argument/template.py +++ b/shared/templates/grub2_bootloader_argument/template.py @@ -21,5 +21,6 @@ def preprocess(data, lang): data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.") data["escaped_arg_name"] = data["arg_name"].replace(".", "\\.") # replace . with _, this is used in test / object / state ids - data["sanitized_arg_name"] = ssg.utils.escape_id(data["arg_name"]) + + data["sanitized_arg_name"] = ssg.utils.escape_id(data["arg_name"]) return data 
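Review bot: The bootc object pattern `^kargs = \[([^\]]+)\]$` only recognises a `kargs` line written with exactly one space on each side of `=` on a single line; TOML also allows `kargs=[...]`, extra whitespace, trailing comments and multi-line arrays, and such a file would be reported as not setting the argument even though the kernel boots with it, after which the bash remediation appends a second declaration. A more tolerant pattern such as `^\s*kargs\s*=\s*\[([^\]]*)\]` covers the common spellings. In the variable-value branch the state regex is built from the unescaped `{{{ ARG_NAME }}}` while the fixed-value branch uses `ESCAPED_ARG_NAME_VALUE`; `template.py` already derives `escaped_arg_name`, so `^.*"{{{ ESCAPED_ARG_NAME }}}=` keeps a dotted name like `rng_core.default_quality` from matching arbitrary characters. The criteria that combine the bootc and GRUB branches are stripped in this rendering, so I can't confirm how they are joined.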
diff --git a/shared/templates/grub2_bootloader_argument_absent/bash.template b/shared/templates/grub2_bootloader_argument_absent/bash.template index 8d7d6e9ea83..bf3a443bf48 100644 --- a/shared/templates/grub2_bootloader_argument_absent/bash.template +++ b/shared/templates/grub2_bootloader_argument_absent/bash.template @@ -3,4 +3,9 @@ See the OVAL template for more comments. Product-specific categorization should be synced across all template content types -#}} +if {{{ bash_bootc_build() }}} ; then + sed -i -E "/kargs\s*=\s*\[\s*\"{{{ ARG_NAME }}}=[^\"]*\"\s*]/{:a;N;/^\n$/ba;N;/match-architectures.*/d;}" "$KARGS_DIR/*.toml" + sed -i -E -e "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}=[^\"]*\"[,[:space:]]*(.*]\s*)/\1\2/" -e "s/^(\s*kargs.*),\s*\]$/\1\]/" "$KARGS_DIR/*.toml" +else {{{ grub2_bootloader_argument_absent_remediation(ARG_NAME) }}} +fi diff --git a/shared/templates/grub2_bootloader_argument_absent/oval.template b/shared/templates/grub2_bootloader_argument_absent/oval.template index e59b944cbd7..915bb86a717 100644 --- a/shared/templates/grub2_bootloader_argument_absent/oval.template +++ b/shared/templates/grub2_bootloader_argument_absent/oval.template @@ -32,7 +32,11 @@ {{{ oval_metadata("Ensure " + ARG_NAME + " is not set in the kernel line in /etc/default/grub.") }}} + + {{% if bootable_containers_supported == "true" %}} + + {{% endif %}} {{% if system_with_kernel_options_in_grubenv -%}} {{% if system_with_bios_and_uefi_support -%}} @@ -77,6 +81,13 @@ {{%- endif %}} + {{% if bootable_containers_supported == "true" %}} + + + + + {{% endif %}} + {{%- if system_with_kernel_options_in_etc_default_grub %}} @@ -174,4 +185,17 @@ {{%- endif %}} {{%- endif %}} +{{% if bootable_containers_supported == "true" %}} + + + + + /usr/lib/bootc/kargs.d/ + ^.*\.toml$ + ^kargs = \["{{{ ARG_NAME }}}.*"\]$ + 1 + +{{% endif %}} diff --git a/ssg/constants.py b/ssg/constants.py index f64c168495a..baa5484df23 100644 --- a/ssg/constants.py +++ b/ssg/constants.py 
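Review bot: `$KARGS_DIR` is never assigned in this template (only the sibling grub2_bootloader_argument bash template sets it) and the glob is again inside double quotes, so both sed invocations target the literal path `/*.toml` and the bootc branch silently removes nothing. Both expressions additionally insist on `"NAME=value"`, so bare flags — exactly what the `nosmap` and `nosmep` rules remove — are never stripped, and an arg_name that already carries its value (the mitigation rule's description passes `mitigations=off`) would need a second `=` to match; the enclosing rules' template parameters are not shown here, so that last point is inferred. Defining the directory, expanding the glob per file, and making the `=value` part optional fixes all three; putting the macro call on its own line after `else` also keeps the generated script readable.

```shell
if {{{ bash_bootc_build() }}} ; then
    KARGS_DIR="/usr/lib/bootc/kargs.d"
    for kargs_file in "$KARGS_DIR"/*.toml ; do
        [ -e "$kargs_file" ] || continue
        # … unchanged: first sed (match-architectures stanza removal), now applied to "$kargs_file" …
        # "=value" is optional so bare flags (nosmap, nosmep) are removed as well as name=value entries.
        sed -i -E -e "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}(=[^\"]*)?\"[,[:space:]]*(.*]\s*)/\1\3/" -e "s/^(\s*kargs.*),\s*\]$/\1\]/" "$kargs_file"
    done
else
    {{{ grub2_bootloader_argument_absent_remediation(ARG_NAME) | indent(4) }}}
fi
```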
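Review bot: The bootc pattern `^kargs = \["{{{ ARG_NAME }}}.*"\]$` only matches when the argument is the first element of the array, so `kargs = ["quiet", "nosmap"]` or `kargs = ["console=ttyS0", "systemd.debug-shell=1"]` passes the "absent" check even though the flag is present — a false negative for precisely the rules this template protects. Anchor on the quoted element instead of the array start, e.g. `^\s*kargs\s*=\s*\[.*"{{{ ARG_NAME }}}(=[^"]*)?".*\]`, and escape dots in the name the way the sibling template does with `ESCAPED_ARG_NAME` so `systemd.debug-shell` is matched literally. The `.*` inside the quotes of the current pattern also lets `"nosmap_foo"` count as `nosmap`. The criteria wiring is stripped in this rendering, so I can't confirm how the bootc and GRUB branches are combined.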
@@ -457,6 +457,7 @@
 DEFAULT_CHRONY_D_PATH = '/etc/chrony.d/'
 DEFAULT_AUDISP_CONF_PATH = '/etc/audit'
 DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE = 'false'
+DEFAULT_BOOTABLE_CONTAINERS_SUPPORTED = 'false'
 # Constants for OVAL object model
diff --git a/ssg/products.py b/ssg/products.py
index 6f895bb53bc..59136e1b30c 100644
--- a/ssg/products.py
+++ b/ssg/products.py
@@ -20,6 +20,7 @@
     DEFAULT_AUDISP_CONF_PATH,
     DEFAULT_FAILLOCK_PATH,
     DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE,
+    DEFAULT_BOOTABLE_CONTAINERS_SUPPORTED,
     PKG_MANAGER_TO_SYSTEM,
     PKG_MANAGER_TO_CONFIG_FILE,
     XCCDF_PLATFORM_TO_PACKAGE,
@@ -115,6 +116,9 @@ def _get_implied_properties(existing_properties):
     if "sysctl_remediate_drop_in_file" not in existing_properties:
         result["sysctl_remediate_drop_in_file"] = DEFAULT_SYSCTL_REMEDIATE_DROP_IN_FILE
+    if "bootable_containers_supported" not in existing_properties:
+        result["bootable_containers_supported"] = DEFAULT_BOOTABLE_CONTAINERS_SUPPORTED
+
     return result
diff --git a/tests/data/product_stability/alinux2.yml b/tests/data/product_stability/alinux2.yml
index 1d0d21086e4..5d78e56d1c0 100644
--- a/tests/data/product_stability/alinux2.yml
+++ b/tests/data/product_stability/alinux2.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: ALINUX-2
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/alinux3.yml b/tests/data/product_stability/alinux3.yml
index b9911b65b23..a35c8bc095a 100644
--- a/tests/data/product_stability/alinux3.yml
+++ b/tests/data/product_stability/alinux3.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: ALINUX-3
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
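Review bot: In the `_get_implied_properties` hunk the new branch only fills in the default `'false'`, while the templates in this commit compare the property against the string literal `"true"` (`{{% if bootable_containers_supported == "true" %}}`); a product.yml author who writes a bare YAML `true` gets a boolean that never equals that string, and the bootc checks are silently skipped with no error. Either normalize alongside the default, e.g. an `else` branch with `result["bootable_containers_supported"] = str(existing_properties["bootable_containers_supported"]).lower()`, or document the contract next to the new constant: `# String 'true'/'false', not a YAML boolean: templates compare it with == "true"`. The existing `sysctl_remediate_drop_in_file` default follows the same string convention, so the same caveat presumably applies there. The beginning of `_get_implied_properties` lies outside the hunk.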
diff --git a/tests/data/product_stability/anolis23.yml b/tests/data/product_stability/anolis23.yml
index 5d075e1dbae..5cf40e76f80 100644
--- a/tests/data/product_stability/anolis23.yml
+++ b/tests/data/product_stability/anolis23.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: ANOLIS-23
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/anolis8.yml b/tests/data/product_stability/anolis8.yml
index 1234155c677..6897ec95e56 100644
--- a/tests/data/product_stability/anolis8.yml
+++ b/tests/data/product_stability/anolis8.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: ANOLIS-8
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/chromium.yml b/tests/data/product_stability/chromium.yml
index 988756f6b2a..cabfac582bb 100644
--- a/tests/data/product_stability/chromium.yml
+++ b/tests/data/product_stability/chromium.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: CHROMIUM
 benchmark_root: ./guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/debian11.yml b/tests/data/product_stability/debian11.yml
index 781766106c0..fd61f5233c5 100644
--- a/tests/data/product_stability/debian11.yml
+++ b/tests/data/product_stability/debian11.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: DEBIAN-11
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml
index e255f44fdda..e97bfc39f9e 100644
--- a/tests/data/product_stability/debian12.yml
+++ b/tests/data/product_stability/debian12.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: DEBIAN-12
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony/chrony.conf
 chrony_d_path: /etc/chrony/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/eks.yml b/tests/data/product_stability/eks.yml
index 8d5d75abbaa..c509b65d65c 100644
--- a/tests/data/product_stability/eks.yml
+++ b/tests/data/product_stability/eks.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: EKS
 benchmark_root: ../../applications
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/example.yml b/tests/data/product_stability/example.yml
index d57b09f6bc8..b0194b338be 100644
--- a/tests/data/product_stability/example.yml
+++ b/tests/data/product_stability/example.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: EXAMPLE
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 components_root: ../../components
diff --git a/tests/data/product_stability/fedora.yml b/tests/data/product_stability/fedora.yml
index 6e90589886b..0b8886d55df 100644
--- a/tests/data/product_stability/fedora.yml
+++ b/tests/data/product_stability/fedora.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: FEDORA
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 components_root: ../../components
diff --git a/tests/data/product_stability/firefox.yml b/tests/data/product_stability/firefox.yml
index d34ed55f33b..843bedc1b55 100644
--- a/tests/data/product_stability/firefox.yml
+++ b/tests/data/product_stability/firefox.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: FIREFOX
 benchmark_root: ./guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/macos1015.yml b/tests/data/product_stability/macos1015.yml
index c5be4ce23ef..ec7e7c1b948 100644
--- a/tests/data/product_stability/macos1015.yml
+++ b/tests/data/product_stability/macos1015.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: macOS-1015
 benchmark_root: ../../apple_os/
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/ocp4.yml b/tests/data/product_stability/ocp4.yml
index fabaf419733..8a791680945 100644
--- a/tests/data/product_stability/ocp4.yml
+++ b/tests/data/product_stability/ocp4.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: OCP-4
 benchmark_root: ../../applications
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml
index 6540a69e646..a82c12ecf64 100644
--- a/tests/data/product_stability/ol7.yml
+++ b/tests/data/product_stability/ol7.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: OL-7
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml
index 3de5d9a3218..5ff104357a2 100644
--- a/tests/data/product_stability/ol8.yml
+++ b/tests/data/product_stability/ol8.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: OL-8
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/ol9.yml b/tests/data/product_stability/ol9.yml
index 7bea10ac3eb..cdb1a8ad617 100644
--- a/tests/data/product_stability/ol9.yml
+++ b/tests/data/product_stability/ol9.yml
@@ -10,6 +10,7 @@ auxiliary_key_fingerprint: 982231759C7467065D0CE9B2A7DD07088B4EFBE6
 basic_properties_derived: true
 benchmark_id: OL-9
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/openembedded.yml b/tests/data/product_stability/openembedded.yml
index c94f79d4c41..dc88232705a 100644
--- a/tests/data/product_stability/openembedded.yml
+++ b/tests/data/product_stability/openembedded.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: OPENEMBEDDED
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/opensuse.yml b/tests/data/product_stability/opensuse.yml
index bd26608bfcd..ff9555f3abb 100644
--- a/tests/data/product_stability/opensuse.yml
+++ b/tests/data/product_stability/opensuse.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: OPENSUSE
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/rhcos4.yml b/tests/data/product_stability/rhcos4.yml
index aabfed5ee07..cafb6b18c3c 100644
--- a/tests/data/product_stability/rhcos4.yml
+++ b/tests/data/product_stability/rhcos4.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: RHCOS-4
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml
index be505770304..61ed42a1285 100644
--- a/tests/data/product_stability/rhel8.yml
+++ b/tests/data/product_stability/rhel8.yml
@@ -10,6 +10,7 @@ auxiliary_key_fingerprint: 6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792
 basic_properties_derived: true
 benchmark_id: RHEL-8
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 centos_major_version: '8'
 centos_pkg_release: 5ccc5b19
 centos_pkg_version: 8483c65d
diff --git a/tests/data/product_stability/rhel9.yml b/tests/data/product_stability/rhel9.yml
index 839bc42a030..1f4b5144bcd 100644
--- a/tests/data/product_stability/rhel9.yml
+++ b/tests/data/product_stability/rhel9.yml
@@ -10,6 +10,7 @@ auxiliary_key_fingerprint: 7E4624258C406535D56D6F135054E4A45A6340B3
 basic_properties_derived: true
 benchmark_id: RHEL-9
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'true'
 centos_major_version: '9'
 centos_pkg_release: 5ccc5b19
 centos_pkg_version: 8483c65d
diff --git a/tests/data/product_stability/rhv4.yml b/tests/data/product_stability/rhv4.yml
index 1d023d03201..0746eeaa7d3 100644
--- a/tests/data/product_stability/rhv4.yml
+++ b/tests/data/product_stability/rhv4.yml
@@ -10,6 +10,7 @@ auxiliary_key_fingerprint: 6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792
 basic_properties_derived: true
 benchmark_id: RHV-4
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/sle12.yml b/tests/data/product_stability/sle12.yml
index 870ac6482da..2b0962bde5f 100644
--- a/tests/data/product_stability/sle12.yml
+++ b/tests/data/product_stability/sle12.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: SLE-12
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/sle15.yml b/tests/data/product_stability/sle15.yml
index fb226b17f5c..fca0213d418 100644
--- a/tests/data/product_stability/sle15.yml
+++ b/tests/data/product_stability/sle15.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: SLE-15
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony.conf
 chrony_d_path: /etc/chrony.d/
 cpes:
diff --git a/tests/data/product_stability/ubuntu1604.yml b/tests/data/product_stability/ubuntu1604.yml
index 938835c6c64..b4288d197aa 100644
--- a/tests/data/product_stability/ubuntu1604.yml
+++ b/tests/data/product_stability/ubuntu1604.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: UBUNTU-XENIAL
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony/chrony.conf
 chrony_d_path: /etc/chrony/conf.d/
 cpes:
diff --git a/tests/data/product_stability/ubuntu1804.yml b/tests/data/product_stability/ubuntu1804.yml
index b2cff15e15f..176cd33d297 100644
--- a/tests/data/product_stability/ubuntu1804.yml
+++ b/tests/data/product_stability/ubuntu1804.yml
@@ -7,6 +7,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: UBUNTU-BIONIC
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony/chrony.conf
 chrony_d_path: /etc/chrony/conf.d/
 cpes:
diff --git a/tests/data/product_stability/ubuntu2004.yml b/tests/data/product_stability/ubuntu2004.yml
index 17a596d37cd..416270f9c8b 100644
--- a/tests/data/product_stability/ubuntu2004.yml
+++ b/tests/data/product_stability/ubuntu2004.yml
@@ -8,6 +8,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: UBUNTU_20-04
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony/chrony.conf
 chrony_d_path: /etc/chrony/conf.d/
 cpes:
diff --git a/tests/data/product_stability/ubuntu2204.yml b/tests/data/product_stability/ubuntu2204.yml
index e4a53f9749d..4b0c515c1c6 100644
--- a/tests/data/product_stability/ubuntu2204.yml
+++ b/tests/data/product_stability/ubuntu2204.yml
@@ -8,6 +8,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: UBUNTU_22-04
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony/chrony.conf
 chrony_d_path: /etc/chrony/conf.d/
 cpes:
diff --git a/tests/data/product_stability/ubuntu2404.yml b/tests/data/product_stability/ubuntu2404.yml
index 50d4e232f1a..62853e25cb5 100644
--- a/tests/data/product_stability/ubuntu2404.yml
+++ b/tests/data/product_stability/ubuntu2404.yml
@@ -8,6 +8,7 @@ auid: 1000
 basic_properties_derived: true
 benchmark_id: UBUNTU_24-04
 benchmark_root: ../../linux_os/guide
+bootable_containers_supported: 'false'
 chrony_conf_path: /etc/chrony/chrony.conf
 chrony_d_path: /etc/chrony/conf.d/
 components_root: ../../components