From f37e40e3de5ff493c60c61a054026dabf7b79032 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 1 Jul 2020 16:12:35 +0200
Subject: [PATCH 01/18] Kickstart zipl_bls_entries_option template
Create initial version of zIPL specific BLS entries
template by copying bls_entries_option template.
---
.../template_OVAL_zipl_bls_entries_option | 32 +++++++++++++++++++
ssg/templates.py | 5 +++
2 files changed, 37 insertions(+)
create mode 100644 shared/templates/template_OVAL_zipl_bls_entries_option
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
new file mode 100644
index 0000000000..a19bd5a89c
--- /dev/null
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
@@ -0,0 +1,32 @@
+<def-group>
+ <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
+ <metadata>
+ <title>Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
+ {{{- oval_affected(products) }}}
+ <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test id="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ comment="check for kernel option {{{ ARG_NAME_VALUE }}} for all snippets in /boot/loader/entries"
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_bls_{{{ SANITIZED_ARG_NAME }}}_options" />
+ <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ version="1">
+ <ind:filepath operation="pattern match">^/boot/loader/entries/.*\.conf$</ind:filepath>
+ <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
+ version="1">
+ <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
+ </ind:textfilecontent54_state>
+</def-group>
diff --git a/ssg/templates.py b/ssg/templates.py
index 2795267abd..fc09416abe 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -340,6 +340,22 @@ def bls_entries_option(data, lang):
return data
+@template(["oval"])
+def bls_entries_option(data, lang):
+ data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"]
+ if lang == "oval":
+ # escape dot, this is used in oval regex
+ data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.")
+ # replace . with _, this is used in test / object / state ids
+ data["sanitized_arg_name"] = data["arg_name"].replace(".", "_")
+ return data
+
+
+@template(["oval"])
+def zipl_bls_entries_option(data, lang):
+ return bls_entries_option(data, lang)
+
+
class Builder(object):
"""
Class for building all templated content for a given product.
From f54c3c974b6a3ce6d40533a51f867d2e8985b688 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 14:11:04 +0200
Subject: [PATCH 02/18] zipl_bls_entries_option: check opts after install
Extend zipl_bls_entries_option template to check that the kernel option
is also configure in /etc/kernel/cmdline.
The presence of the argument in /etc/kernel/cmdline ensures that newly
installed kernels will be configure if the option.
---
.../template_OVAL_zipl_bls_entries_option | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
index a19bd5a89c..9af1bcfbee 100644
--- a/shared/templates/template_OVAL_zipl_bls_entries_option
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
@@ -6,8 +6,10 @@
<description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
</metadata>
<criteria operator="AND">
- <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ <criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+ comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
</criteria>
</definition>
@@ -25,6 +27,19 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+ <ind:textfilecontent54_test id="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+ comment="Check for option {{{ ARG_NAME_VALUE }}} in /etc/kernel/cmdline"
+ check="all" check_existence="all_exist" version="1">
+ <ind:object object_ref="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option" />
+ <ind:state state_ref="state_bls_{{{ SANITIZED_ARG_NAME }}}_option" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
+ version="1">
+ <ind:filepath>/etc/kernel/cmdline</ind:filepath>
+ <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
<ind:textfilecontent54_state id="state_bls_{{{ SANITIZED_ARG_NAME }}}_option"
version="1">
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression>
From 5b66eff84794b99a4ba7a626c46f1970715b1bcd Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 14:12:32 +0200
Subject: [PATCH 03/18] zipl_bls_entries_option: Add Ansible and Bash
---
.../template_ANSIBLE_zipl_bls_entries_option | 48 +++++++++++++++++++
.../template_BASH_zipl_bls_entries_option | 12 +++++
ssg/templates.py | 2 +-
3 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 shared/templates/template_ANSIBLE_zipl_bls_entries_option
create mode 100644 shared/templates/template_BASH_zipl_bls_entries_option
diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
new file mode 100644
index 0000000000..c0cb131b82
--- /dev/null
+++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
@@ -0,0 +1,48 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = true
+# strategy = configure
+# complexity = medium
+# disruption = low
+
+- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
+ block:
+ - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
+ find:
+ paths: "/boot/loader/entries/"
+ contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
+ patterns: "*.conf"
+ register: entries_options
+
+ - name: "Update boot entries options"
+ command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+ when: entries_options is defined and entries_options.examined != entries_options.matched
+ # The conditional above assumes that only *.conf files are present in /boot/loader/entries
+ # Then, the number of conf files is the same as examined files
+
+ - name: "Check if /etc/kernel/cmdline exists"
+ stat:
+ path: /etc/kernel/cmdline
+ register: cmdline_stat
+
+ - name: "Check if /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+ find:
+ paths: "/etc/kernel/"
+ patterns: "cmdline"
+ contains: "^.*{{{ ARG_NAME_VALUE }}}.*$"
+ register: cmdline_find
+
+ - name: "Add /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+ lineinfile:
+ create: yes
+ path: "/etc/kernel/cmdline"
+ line: '{{{ ARG_NAME_VALUE }}}'
+ when: cmdline_stat is defined and not cmdline_stat.stat.exists
+
+ - name: "Append /etc/kernel/cmdline contains {{{ ARG_NAME_VALUE }}}"
+ lineinfile:
+ path: "/etc/kernel/cmdline"
+ backrefs: yes
+ regexp: "^(.*)$"
+ line: '\1 {{{ ARG_NAME_VALUE }}}'
+ when: cmdline_stat is defined and cmdline_stat.stat.exists and cmdline_find is defined and cmdline_find.matched == 0
+
diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
new file mode 100644
index 0000000000..9fc8865486
--- /dev/null
+++ b/shared/templates/template_BASH_zipl_bls_entries_option
@@ -0,0 +1,12 @@
+# platform = Red Hat Enterprise Linux 8
+
+# Correct BLS option using grubby, which is a thin wrapper around BLS operations
+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
+
+# Ensure new kernels and boot entries retain the boot option
+if [ ! -f /etc/kernel/cmdline ]; then
+ echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
+elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
+ echo " audit=1" >> /etc/kernel/cmdline
+ sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
+fi
diff --git a/ssg/templates.py b/ssg/templates.py
index fc09416abe..a27fbb6cb6 100644
--- a/ssg/templates.py
+++ b/ssg/templates.py
@@ -340,7 +340,7 @@ def bls_entries_option(data, lang):
return data
-@template(["oval"])
+@template(["ansible", "bash", "oval"])
def zipl_bls_entries_option(data, lang):
return bls_entries_option(data, lang)
From fd2d807f60a4a36ad96f5ac37df9b4651fe3480e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 3 Jul 2020 15:50:56 +0200
Subject: [PATCH 04/18] Enable zIPL in argument rules
---
.../system/bootloader-zipl/zipl_audit_argument/rule.yml | 6 ++++++
.../zipl_audit_backlog_limit_argument/rule.yml | 6 ++++++
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 6 ++++++
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 6 ++++++
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 6 ++++++
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 6 ++++++
6 files changed, 36 insertions(+)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 624b4e7041..894bf7995f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't enable audit.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: audit
+ arg_value: '1'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index faf114591a..12334c9905 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: audit_backlog_limit
+ arg_value: '8192'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 866664c01b..f5a36ee1b3 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: page_poison
+ arg_value: '1'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 2f02d9668c..168dae46a1 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -27,3 +27,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: pti
+ arg_value: 'on'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 0cb10d3cd8..84a374e36f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -28,3 +28,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that does not enable poisoning.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: slub_debug
+ arg_value: 'P'
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index f79adeb083..c37e8bbefd 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -25,3 +25,9 @@ ocil: |-
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
platform: machine
+
+template:
+ name: zipl_bls_entries_option
+ vars:
+ arg_name: vsyscall
+ arg_value: 'none'
From 08db1a1d4bb3362195c34e266feb9bac31ba4be8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Sat, 4 Jul 2020 01:15:49 +0200
Subject: [PATCH 05/18] zipl_audit_backlog_limit_argument: Fix OCIL typo
Fix typo
---
.../bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 12334c9905..15729dc6b6 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -24,7 +24,7 @@ ocil_clause: 'audit backlog limit is not configured'
ocil: |-
To check that all boot entries extend the backlog limit;
Check that all boot entries extend the log events queue:
- <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
+ <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
platform: machine
From 779506348675557e204e1d88f214833b313c0f20 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 12:00:10 +0200
Subject: [PATCH 06/18] zipl_slub_debug_argument: Fix description
Description about how to ensure that new boot entries continue compliant
was incorrect due to copy-pasta mistake.
---
.../system/bootloader-zipl/zipl_slub_debug_argument/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 84a374e36f..83e043179d 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,7 +8,7 @@ description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
included in its options.<br />
- To ensure that new kernels and boot entries continue to extend the audit log events queue,
+ To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,
add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
rationale: |-
From 6a3f2f6bdc13188e780f0f3e4f829f6fa79351b2 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 12:06:56 +0200
Subject: [PATCH 07/18] Add CCEs to zIPL argument rules
---
.../system/bootloader-zipl/zipl_audit_argument/rule.yml | 3 +++
.../zipl_audit_backlog_limit_argument/rule.yml | 3 +++
.../bootloader-zipl/zipl_page_poison_argument/rule.yml | 3 +++
.../guide/system/bootloader-zipl/zipl_pti_argument/rule.yml | 3 +++
.../bootloader-zipl/zipl_slub_debug_argument/rule.yml | 3 +++
.../system/bootloader-zipl/zipl_vsyscall_argument/rule.yml | 3 +++
7 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 894bf7995f..b1307ef3f2 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -20,6 +20,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83321-0
+
ocil_clause: 'auditing is not enabled at boot time'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 15729dc6b6..18391bee6c 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -19,6 +19,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83341-8
+
ocil_clause: 'audit backlog limit is not configured'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index f5a36ee1b3..7ffea8ce6a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -20,6 +20,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83351-7
+
ocil_clause: 'page allocator poisoning is not enabled'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 168dae46a1..6fd1082292 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -19,6 +19,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83361-6
+
ocil_clause: 'Kernel page-table isolation is not enabled'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 83e043179d..c499140c35 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -20,6 +20,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83371-5
+
ocil_clause: 'SLUB/SLAB poisoning is not enabled'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index c37e8bbefd..7edd43074f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -17,6 +17,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83381-4
+
ocil_clause: 'vsyscalls are enabled'
ocil: |-
From a7c33132a8d5f8cdf9c0d5f38b4910376ff1330b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 14:36:28 +0200
Subject: [PATCH 08/18] Select zipl BLS option rules in OSPP Profile
These rules check and ensure configuration of BLS boot options used by
zIPL.
---
rhel8/profiles/ospp.profile | 8 ++++++++
rhel8/profiles/stig.profile | 6 ++++++
2 files changed, 14 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 80e4b71fff..d3732fa805 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -419,3 +419,11 @@ selections:
# zIPl specific rules
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
+ - zipl_audit_argument
+ - zipl_audit_backlog_limit_argument
+ - zipl_slub_debug_argument
+ - zipl_page_poison_argument
+ - zipl_vsyscall_argument
+ - zipl_vsyscall_argument.role=unscored
+ - zipl_vsyscall_argument.severity=info
+ - zipl_pti_argument
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index cfc2160be1..69d5222a32 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -49,3 +49,9 @@ selections:
# Unselect zIPL rules from OSPP
- "!zipl_bls_entries_only"
- "!zipl_bootmap_is_up_to_date"
+ - "!zipl_audit_argument"
+ - "!zipl_audit_backlog_limit_argument"
+ - "!zipl_page_poison_argument"
+ - "!zipl_pti_argument"
+ - "!zipl_slub_debug_argument"
+ - "!zipl_vsyscall_argument"
From be070d56abed9efc9244b6c989d0a0df1f78b5ff Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 22:30:25 +0200
Subject: [PATCH 09/18] Extend Profile resolution to undo rule refinements
Just like rule selection, allows rule refinements to be unselected, or "undone".
---
build-scripts/compile_profiles.py | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/build-scripts/compile_profiles.py b/build-scripts/compile_profiles.py
index 0967252348..d1ce8984b2 100644
--- a/build-scripts/compile_profiles.py
+++ b/build-scripts/compile_profiles.py
@@ -3,6 +3,7 @@
import argparse
import sys
import os.path
+from copy import deepcopy
from glob import glob
import ssg.build_yaml
@@ -36,7 +37,8 @@ def resolve(self, all_profiles):
updated_variables.update(self.variables)
self.variables = updated_variables
- updated_refinements = dict(extended_profile.refine_rules)
+ extended_refinements = deepcopy(extended_profile.refine_rules)
+ updated_refinements = self._subtract_refinements(extended_refinements)
updated_refinements.update(self.refine_rules)
self.refine_rules = updated_refinements
@@ -50,6 +52,18 @@ def resolve(self, all_profiles):
self.resolved = True
+ def _subtract_refinements(self, extended_refinements):
+ """
+ Given a dict of rule refinements from the extended profile,
+ "undo" every refinement prefixed with '!' in this profile.
+ """
+ for rule, refinements in list(self.refine_rules.items()):
+ if rule.startswith("!"):
+ for prop, val in refinements:
+ extended_refinements[rule[1:]].remove((prop, val))
+ del self.refine_rules[rule]
+ return extended_refinements
+
def create_parser():
parser = argparse.ArgumentParser()
From 2ea270b1796139f42a1d56cbb31351b3f6ad3a6e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 9 Jul 2020 22:32:32 +0200
Subject: [PATCH 10/18] Undo rule refinements done to zIPL rules
Remove the zIPl rule refinementes from STIG profile
---
rhel8/profiles/stig.profile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 69d5222a32..53647475aa 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -55,3 +55,5 @@ selections:
- "!zipl_pti_argument"
- "!zipl_slub_debug_argument"
- "!zipl_vsyscall_argument"
+ - "!zipl_vsyscall_argument.role=unscored"
+ - "!zipl_vsyscall_argument.severity=info"
From 90d62ba0cd088eb95aa151fe08a9c3c9fd959a00 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 09:38:57 +0200
Subject: [PATCH 11/18] Update stable test for OSPP Profile
I just copied the resolved profile to profile_stability directory.
---
tests/data/profile_stability/rhel8/ospp.profile | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 08dcccf24c..5aa3592496 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -168,6 +168,7 @@ selections:
- service_rngd_enabled
- service_systemd-coredump_disabled
- service_usbguard_enabled
+- ssh_client_rekey_limit
- sshd_disable_empty_passwords
- sshd_disable_gssapi_auth
- sshd_disable_kerb_auth
@@ -213,8 +214,14 @@ selections:
- sysctl_user_max_user_namespaces
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
+- zipl_audit_argument
+- zipl_audit_backlog_limit_argument
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
+- zipl_page_poison_argument
+- zipl_pti_argument
+- zipl_slub_debug_argument
+- zipl_vsyscall_argument
- var_sshd_set_keepalive=0
- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
@@ -238,11 +245,12 @@ selections:
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
- var_accounts_passwords_pam_faillock_unlock_time=never
+- var_ssh_client_rekey_limit_size=1G
+- var_ssh_client_rekey_limit_time=1hour
- grub2_vsyscall_argument.role=unscored
- grub2_vsyscall_argument.severity=info
- sysctl_user_max_user_namespaces.role=unscored
- sysctl_user_max_user_namespaces.severity=info
-- ssh_client_rekey_limit
-- var_ssh_client_rekey_limit_size=1G
-- var_ssh_client_rekey_limit_time=1hour
+- zipl_vsyscall_argument.role=unscored
+- zipl_vsyscall_argument.severity=info
title: Protection Profile for General Purpose Operating Systems
From b5d5b0f1d4319663aba9f051fc01f5209234da6f Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 15:15:25 +0200
Subject: [PATCH 12/18] zipl_bls_entries_option: Add test scenarios
---
.../tests/correct_option.pass.sh | 16 ++++++++++++++++
.../tests/missing_in_cmdline.fail.sh | 14 ++++++++++++++
.../tests/missing_in_entry.fail.sh | 14 ++++++++++++++
3 files changed, 44 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
new file mode 100644
index 0000000000..a9bd49dd0b
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure boot loader entries contain audit=1
+for file in /boot/loader/entries/*.conf
+do
+ if ! grep -q '^options.*audit=1.*$' "$file" ; then
+ sed -i '/^options / s/$/audit=1/' "$file"
+ fi
+done
+
+# Make sure /etc/kernel/cmdline contains audit=1
+if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+ echo "audit=1" >> /etc/kernel/cmdline
+fi
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
new file mode 100644
index 0000000000..d4d1d978c8
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure boot loader entries contain audit=1
+for file in /boot/loader/entries/*.conf
+do
+ if ! grep -q '^options.*audit=1.*$' "$file" ; then
+ sed -i '/^options / s/$/audit=1/' "$file"
+ fi
+done
+
+# Make sure /etc/kernel/cmdline doesn't contain audit=1
+sed -Ei 's/(^.*)audit=1(.*?)$/\1\2/' /etc/kernel/cmdline || true
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
new file mode 100644
index 0000000000..3e412c0542
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Remove audit=1 from all boot entries
+sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
+# But make sure one boot loader entry contains audit=1
+sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
+sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
+
+# Make sure /etc/kernel/cmdline contains audit=1
+if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+ echo "audit=1" >> /etc/kernel/cmdline
+fi
From 3b52ab44e043adb289ef0a96798cffaf3e1f35a1 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 15:34:52 +0200
Subject: [PATCH 13/18] zipl_bls_entries_option: Remove hardcoded values
The template shouldn't have any hardcoded values.
---
shared/templates/template_BASH_zipl_bls_entries_option | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/shared/templates/template_BASH_zipl_bls_entries_option b/shared/templates/template_BASH_zipl_bls_entries_option
index 9fc8865486..dde8c948f7 100644
--- a/shared/templates/template_BASH_zipl_bls_entries_option
+++ b/shared/templates/template_BASH_zipl_bls_entries_option
@@ -7,6 +7,5 @@ grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
if [ ! -f /etc/kernel/cmdline ]; then
echo "{{{ ARG_NAME_VALUE }}}" >> /etc/kernel/cmdline
elif ! grep -q '^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' /etc/kernel/cmdline; then
- echo " audit=1" >> /etc/kernel/cmdline
- sed -Ei 's/^(.*)$/\1 audit=1/' /etc/kernel/cmdline
+ sed -Ei 's/^(.*)$/\1 {{{ ARG_NAME_VALUE }}}/' /etc/kernel/cmdline
fi
From 68bff71c7f60a7c68cf0bd9aa153f8a78ec02b7d Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:08:26 +0200
Subject: [PATCH 14/18] Improve conditional check for the grubby command
Let's not trust that /boot/loader/entries/ only contains *.conf files.
Count the number of conf files and how many set the propper options.
---
.../template_ANSIBLE_zipl_bls_entries_option | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/shared/templates/template_ANSIBLE_zipl_bls_entries_option b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
index c0cb131b82..bccad2267c 100644
--- a/shared/templates/template_ANSIBLE_zipl_bls_entries_option
+++ b/shared/templates/template_ANSIBLE_zipl_bls_entries_option
@@ -6,18 +6,22 @@
- name: "Ensure BLS boot entries options contain {{{ ARG_NAME_VALUE }}}"
block:
- - name: "Check if any boot entry misses {{{ ARG_NAME_VALUE }}}"
+ - name: "Check how many boot entries exist "
+ find:
+ paths: "/boot/loader/entries/"
+ patterns: "*.conf"
+ register: n_entries
+
+ - name: "Check how many boot entries set {{{ ARG_NAME_VALUE }}}"
find:
paths: "/boot/loader/entries/"
contains: "^options .*{{{ ARG_NAME_VALUE }}}.*$"
patterns: "*.conf"
- register: entries_options
+ register: n_entries_options
- name: "Update boot entries options"
command: grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
- when: entries_options is defined and entries_options.examined != entries_options.matched
- # The conditional above assumes that only *.conf files are present in /boot/loader/entries
- # Then, the number of conf files is the same as examined files
+ when: n_entries is defined and n_entries_options is defined and n_entries.matched != n_entries_options.matched
- name: "Check if /etc/kernel/cmdline exists"
stat:
From 79c60bb40288c17381bf1e4a84e6cfd300bd8446 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:17:27 +0200
Subject: [PATCH 15/18] zipl_bls_entries_option: Fix sed in test scenario
Append "audit=1" space from last option.
---
.../zipl_audit_argument/tests/correct_option.pass.sh | 2 +-
.../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 2 +-
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
index a9bd49dd0b..5fcbcc5667 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -6,7 +6,7 @@
for file in /boot/loader/entries/*.conf
do
if ! grep -q '^options.*audit=1.*$' "$file" ; then
- sed -i '/^options / s/$/audit=1/' "$file"
+ sed -i '/^options / s/$/ audit=1/' "$file"
fi
done
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
index d4d1d978c8..b75165f904 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
@@ -6,7 +6,7 @@
for file in /boot/loader/entries/*.conf
do
if ! grep -q '^options.*audit=1.*$' "$file" ; then
- sed -i '/^options / s/$/audit=1/' "$file"
+ sed -i '/^options / s/$/ audit=1/' "$file"
fi
done
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
index 3e412c0542..e3d342d533 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -5,7 +5,7 @@
# Remove audit=1 from all boot entries
sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
# But make sure one boot loader entry contains audit=1
-sed -i '/^options / s/$/audit=1/' /boot/loader/entries/*rescue.conf
+sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
# Make sure /etc/kernel/cmdline contains audit=1
From d513177d2cea39db364a0ff39a599ded36a25395 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:29:06 +0200
Subject: [PATCH 16/18] Extend scenarios platform and allow remediation
These test scenarios can be run on any OS that supports BLS and provides
grubby.
But it will evaluate to not applicable if the OS doesn't use zIPL (i.e.:
has s390utils-base installed).
---
.../zipl_audit_argument/tests/correct_option.pass.sh | 3 +--
.../zipl_audit_argument/tests/missing_in_cmdline.fail.sh | 3 +--
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 3 +--
3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
index 5fcbcc5667..73ed0eae0f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -1,6 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 8
-# remediation = none
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
# Make sure boot loader entries contain audit=1
for file in /boot/loader/entries/*.conf
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
index b75165f904..3af83d30d8 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_cmdline.fail.sh
@@ -1,6 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 8
-# remediation = none
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
# Make sure boot loader entries contain audit=1
for file in /boot/loader/entries/*.conf
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
index e3d342d533..142f75ba60 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -1,6 +1,5 @@
#!/bin/bash
-# platform = Red Hat Enterprise Linux 8
-# remediation = none
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8
# Remove audit=1 from all boot entries
sed -Ei 's/(^options.*\s)audit=1(.*?)$/\1\2/' /boot/loader/entries/*
From 2e841722d30551c86f14558ff39bdaa5dda55711 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 16:35:55 +0200
Subject: [PATCH 17/18] Update comment in OVAL zipl_bls_entries_option
Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
shared/templates/template_OVAL_zipl_bls_entries_option | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
index 9af1bcfbee..502d5e7d9a 100644
--- a/shared/templates/template_OVAL_zipl_bls_entries_option
+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
@@ -7,7 +7,7 @@
</metadata>
<criteria operator="AND">
<criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
- comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
+ comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*.conf" />
<criterion test_ref="test_kernel_update_{{{ SANITIZED_ARG_NAME }}}_option"
comment="Make sure that newly installed kernels will retain {{{ ARG_NAME_VALUE }}} option" />
</criteria>
From 9bd0afbde47ef368444ba1785da593980e6e00aa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 10 Jul 2020 17:15:46 +0200
Subject: [PATCH 18/18] zipl_bls_entries_option: Supress grep error messages
/etc/kernel/cmdline is not always present. Lest suppress any error
message about absent file in the test scenarios.
---
.../zipl_audit_argument/tests/correct_option.pass.sh | 2 +-
.../zipl_audit_argument/tests/missing_in_entry.fail.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
index 73ed0eae0f..7a828837fe 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/correct_option.pass.sh
@@ -10,6 +10,6 @@ do
done
# Make sure /etc/kernel/cmdline contains audit=1
-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
echo "audit=1" >> /etc/kernel/cmdline
fi
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
index 142f75ba60..5650cc0a74 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/tests/missing_in_entry.fail.sh
@@ -8,6 +8,6 @@ sed -i '/^options / s/$/ audit=1/' /boot/loader/entries/*rescue.conf
sed -Ei 's/(^options.*\s)\$kernelopts(.*?)$/\1\2/' /boot/loader/entries/*rescue.conf
# Make sure /etc/kernel/cmdline contains audit=1
-if ! grep -q '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
+if ! grep -qs '^(.*\s)?audit=1(\s.*)?$' /etc/kernel/cmdline ; then
echo "audit=1" >> /etc/kernel/cmdline
fi