From 8cbec60a51b54df386bad72cdd82b83fbf9482fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 25 Jun 2020 18:29:31 +0200
Subject: [PATCH 01/14] Add rule to check for zIPL conformance to BLS
Instead of having each zIPL argument rule check for BLS compliance,
let's split into its own rule.
---
.../zipl_audit_argument/rule.yml | 6 -----
.../rule.yml | 6 -----
.../zipl_bls_entries_only/rule.yml | 24 +++++++++++++++++++
.../zipl_enable_selinux/rule.yml | 6 -----
.../zipl_page_poison_argument/rule.yml | 6 -----
.../zipl_pti_argument/rule.yml | 6 -----
.../zipl_slub_debug_argument/rule.yml | 6 -----
.../zipl_vsyscall_argument/rule.yml | 6 -----
8 files changed, 24 insertions(+), 42 deletions(-)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 2d31ef8ee7..1211a53295 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable audit,
@@ -30,10 +28,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable audit.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 40db232257..7d88e38686 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
new file mode 100644
index 0000000000..b6ccbb5343
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure all zIPL boot entries are BLS compliant'
+
+description: |-
+ Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS)
+ by checking that <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt>.
+
+rationale: |-
+ {{{ full_name }}} adheres to Boot Loader Specification (BLS) and is the prefered method of
+ configuration.
+
+severity: medium
+
+ocil_clause: 'a non BLS boot entry is configured'
+
+ocil: |-
+ Check that no boot image file is specified in <tt>/etc/zipl.conf</tt>:
+ <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+ No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 8d28d5495f..1c3bfeb246 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -8,8 +8,6 @@ description: |-
To ensure SELinux is not disabled at boot time,
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
rationale: |-
@@ -27,10 +25,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that disables SELinux.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 0a8e9a41e2..6dbfd501b7 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of free pages,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
To ensure that new kernels and boot entries continue to enable page poisoning,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 20c1448cc8..555fdf2b66 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable Kernel page-table isolation,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable page-table isolation,
@@ -30,10 +28,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 54ac688ea0..dd7865bf81 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to extend the audit log events queue,
@@ -31,10 +29,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not enable poisoning.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index c5979a2016..18b7ade460 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To disable use of virtual syscalls,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
included in its options.<br />
- Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
- as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to disable virtual syscalls,
@@ -28,10 +26,6 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
- Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
- <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
- No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
and <tt>/etc/zipl.conf</tt>:
<pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
From 5e3b19077d781d0441595019429c653efafede8e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 09:52:39 +0200
Subject: [PATCH 02/14] zipl_bls_entries_only: Add OVAL and tests
---
.../zipl_bls_entries_only/oval/shared.xml | 27 +++++++++++++++++++
.../tests/image_configured.fail.sh | 6 +++++
.../tests/no_image.pass.sh | 7 +++++
3 files changed, 40 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
new file mode 100644
index 0000000000..41e9773814
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -0,0 +1,27 @@
+<def-group>
+ <definition class="compliance" id="zipl_bls_entries_only" version="1">
+ <metadata>
+ <title>Ensure zIPL entries are BLS compliant</title>
+ {{{- oval_affected(products) }}}
+ <description>Check if /etc/zipl.conf configures any boot entry</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_zipl_bls_entries_only"
+ comment="Test presence of image configuration in /etc/zipl.conf" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test id="test_zipl_bls_entries_only"
+ comment="Test presence of image configuration in /etc/zipl.conf"
+ check="all" check_existence="none_exist" version="1">
+ <ind:object object_ref="object_zipl_bls_entries_only" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_zipl_bls_entries_only"
+ version="1">
+ <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
+ <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
new file mode 100644
index 0000000000..e3adb99638
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure no image configured in zipl config file
+echo 'image = /boot/image' >> /etc/zipl.conf
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
new file mode 100644
index 0000000000..47626442f6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure no image configured in zipl config file
+sed -Ei '/^image\s*=/d' /etc/zipl.conf
+true
From 05e5b05b41080b7fbfaf42469cbb366eeffe35ec Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 11:09:08 +0200
Subject: [PATCH 03/14] zipl_bls_entries_only: Add no-remediation warning
Automated remediation to remove non-BLS boot entries from /etc/zipl.conf
is tricky and can lead to broken entries or removal of all of them.
---
.../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index b6ccbb5343..f792c5257f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -22,3 +22,8 @@ ocil: |-
No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
platform: machine
+
+warnings:
+ - general: |-
+ To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf
+ automated remediation for this rule is not available.
From 53d811ed09cd63d4472a2133f3d9dc465dbd2962 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 25 Jun 2020 18:51:04 +0200
Subject: [PATCH 04/14] Add rule to check hotness of zIPL bootmap
Instead of having each zIPL argument rule check if zIPL bootmap is up to
date, let's split it into its own rule.
---
.../zipl_audit_argument/rule.yml | 6 -----
.../rule.yml | 7 -----
.../zipl_bootmap_is_up_to_date/rule.yml | 27 +++++++++++++++++++
.../zipl_enable_selinux/rule.yml | 6 -----
.../zipl_page_poison_argument/rule.yml | 7 -----
.../zipl_pti_argument/rule.yml | 7 -----
.../zipl_slub_debug_argument/rule.yml | 7 -----
.../zipl_vsyscall_argument/rule.yml | 7 -----
8 files changed, 27 insertions(+), 47 deletions(-)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 1211a53295..624b4e7041 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -8,7 +8,6 @@ description: |-
To ensure all processes can be audited, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
To ensure that new kernels and boot entries continue to enable audit,
add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -28,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable audit.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 7d88e38686..faf114591a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to extend the audit log events queue,
add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -29,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not extend the log events queue.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
new file mode 100644
index 0000000000..082562d11e
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure zIPL bootmap is up to date'
+
+description: |-
+ Make sure that <tt>/boot/bootmap</tt> is up to date.<br />
+ Every time a boot entry or zIPL configuration is changed <tt>/boot/bootmap</tt> needs to
+ be updated to reflect the changes.<br />
+ Run <tt>zipl</tt> command to generate an updated <tt>/boot/bootmap</tt>.
+
+rationale: |-
+ The file <tt>/boot/bootmap</tt> contains all boot data, keeping it up to date is crucial to
+ boot correct kernel and options.
+
+severity: medium
+
+ocil_clause: 'the bootmap is outdated'
+
+ocil: |-
+ Make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+ and <tt>/etc/zipl.conf</tt>:
+ <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+ No line should be returned, if a line is returned <tt>/boot/bootmap</tt> is outdated and needs to be regenerated.
+
+platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 1c3bfeb246..b0bc0fc374 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -8,7 +8,6 @@ description: |-
To ensure SELinux is not disabled at boot time,
check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
rationale: |-
Disabling a major host protection feature, such as SELinux, at boot time prevents
@@ -25,9 +24,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that disables SELinux.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 6dbfd501b7..866664c01b 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of free pages,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
-
To ensure that new kernels and boot entries continue to enable page poisoning,
add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -29,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 555fdf2b66..2f02d9668c 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable Kernel page-table isolation,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to enable page-table isolation,
add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -28,9 +26,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index dd7865bf81..0cb10d3cd8 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To enable poisoning of SLUB/SLAB objects,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to extend the audit log events queue,
add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -29,9 +27,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that does not enable poisoning.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 18b7ade460..f79adeb083 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
To disable use of virtual syscalls,
check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
included in its options.<br />
- And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
To ensure that new kernels and boot entries continue to disable virtual syscalls,
add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -26,9 +24,4 @@ ocil: |-
<pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
- And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
- and <tt>/etc/zipl.conf</tt>:
- <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
- No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
platform: machine
From b9f27383a09afbc6cef61bbbaad0f18f9ebec075 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 15:59:31 +0200
Subject: [PATCH 05/14] zipl_bootmap_is_up_to_date: Add OVAL check
---
.../oval/shared.xml | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
new file mode 100644
index 0000000000..6c446cbe59
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
@@ -0,0 +1,46 @@
+<def-group>
+ <definition class="compliance" id="zipl_bootmap_is_up_to_date" version="1">
+ <metadata>
+ <title>Ensure zIPL bootmap is up to date</title>
+ {{{- oval_affected(products) }}}
+ <description>Check if /boot/bootmap is up to date</description>
+ </metadata>
+ <criteria operator="AND">
+ <criterion test_ref="test_zipl_bootmap_is_up_to_date"
+ comment="Compare mtime of /boot/bootmap against /etc/zipl.conf and /boot/loader/entries/*.conf" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="all_exist" id="test_zipl_bootmap_is_up_to_date" version="1" comment="Check /boot/bootmap timestamps">
+ <unix:object object_ref="object_zipl_boot_bootmap_file" />
+ <unix:state state_ref="state_zipl_bootmap_is_newer_than_zipl_conf" />
+ <unix:state state_ref="state_zipl_bootmap_is_newer_than_boot_entries" />
+ </unix:file_test>
+
+ <unix:file_object id="object_zipl_boot_bootmap_file" comment="current bootmap state" version="1">
+ <unix:filepath>/boot/bootmap</unix:filepath>
+ </unix:file_object>
+
+ <!-- Newer means modified more recently, which means more seconds since epoch -->
+ <unix:file_state id="state_zipl_bootmap_is_newer_than_zipl_conf" version="1">
+ <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
+ var_ref="variable_zipl_conf_file_age" />
+ </unix:file_state>
+ <local_variable id="variable_zipl_conf_file_age" version="1" comment="Age of /etc/zipl.conf" datatype="int">
+ <object_component object_ref="zipl_conf_file" item_field="m_time"/>
+ </local_variable>
+ <unix:file_object id="zipl_conf_file" comment="/etc/zipl.conf state" version="1">
+ <unix:filepath datatype="string">/etc/zipl.conf</unix:filepath>
+ </unix:file_object>
+
+ <unix:file_state id="state_zipl_bootmap_is_newer_than_boot_entries" version="1">
+ <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
+ var_ref="variable_boot_entry_files_age" />
+ </unix:file_state>
+ <local_variable id="variable_boot_entry_files_age" version="1" comment="Age of /boot/loader/entries/*.conf files" datatype="int">
+ <object_component object_ref="boot_entry_files" item_field="m_time"/>
+ </local_variable>
+ <unix:file_object id="boot_entry_files" comment="/boot/loader/entries/*.conf states" version="1">
+ <unix:filepath datatype="string" operation="pattern match">^/boot/loader/entries/.*\.conf$</unix:filepath>
+ </unix:file_object>
+</def-group>
From 97aff87a403f9b319e87967561c43dc99e8a672e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 16:15:35 +0200
Subject: [PATCH 06/14] zipl_bootmap_is_up_to_date: Add mock tests
These tests mock existence of zIPL files.
---
.../tests/newer_boot_entry.fail.sh | 10 ++++++++++
.../tests/newer_zipl_conf.fail.sh | 10 ++++++++++
.../tests/up_to_date.pass.sh | 9 +++++++++
3 files changed, 29 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
new file mode 100644
index 0000000000..728c6b7bdb
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /etc/zipl.conf
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/bootmap
+sleep 2
+touch /boot/loader/entries/zipl-entry-2.conf
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
new file mode 100644
index 0000000000..1ae4d631ee
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/loader/entries/zipl-entry-2.conf
+touch /boot/bootmap
+sleep 2
+touch /etc/zipl.conf
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
new file mode 100644
index 0000000000..7981ba8c5c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /etc/zipl.conf
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/loader/entries/zipl-entry-2.conf
+touch /boot/bootmap
From 180e57bd23154c1ed8dc2575fbf9660c2f83a803 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 3 Jul 2020 18:35:06 +0200
Subject: [PATCH 07/14] zipl_bootmap_is_up_to_date: Add remediations
---
.../ansible/shared.yml | 24 +++++++++++++++++++
.../zipl_bootmap_is_up_to_date/bash/shared.sh | 3 +++
2 files changed, 27 insertions(+)
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
new file mode 100644
index 0000000000..e545eacc13
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
@@ -0,0 +1,24 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: "Ensure zIPL bootmap is up to date"
+ block:
+ - name: "Obtain stats of /boot/bootmap"
+ stat:
+ path: /boot/bootmap
+ register: boot_bootmap
+
+ - name: "Obtain stats of /etc/zipl.conf"
+ stat:
+ path: /etc/zipl.conf
+ register: zipl_conf
+
+ # TODO: handle /boot/loader/entries/*.conf
+
+ - name: "Update zIPL bootmap"
+ command: /usr/sbin/zipl
+ changed_when: True
+ when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
new file mode 100644
index 0000000000..2cf7e388f0
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = Red Hat Enterprise Linux 8
+
+/usr/bin/zipl
From 93703727b12a34edb26de25410bf23ff72fead2a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 1 Jul 2020 17:16:41 +0200
Subject: [PATCH 08/14] Select zIPL specific rules in OSPP profile
---
rhel8/profiles/ospp.profile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 07d32b814d..80e4b71fff 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -415,3 +415,7 @@ selections:
- ssh_client_rekey_limit
- var_ssh_client_rekey_limit_size=1G
- var_ssh_client_rekey_limit_time=1hour
+
+ # zIPl specific rules
+ - zipl_bls_entries_only
+ - zipl_bootmap_is_up_to_date
From 260891e9b2f38d50fadf9eaacd9ee9ca98c977ee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:03:21 +0200
Subject: [PATCH 09/14] Fix path to zipl binary in Bash remediation
---
.../bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
index 2cf7e388f0..2310ca060d 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -1,3 +1,3 @@
# platform = Red Hat Enterprise Linux 8
-/usr/bin/zipl
+/usr/sbin/zipl
From 46d2b1584cf769ae8dbaaa2657541bd0db056a9c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:06:22 +0200
Subject: [PATCH 10/14] zipl_bls_entries_only: there can be leading spaces
There can be leading spaces before 'image'.
---
.../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index 41e9773814..f68d91c128 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -20,7 +20,7 @@
<ind:textfilecontent54_object id="object_zipl_bls_entries_only"
version="1">
<ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
- <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
From 0a89ed181803c15e3b73cfb2e13f0ec1cb7689ad Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:10:22 +0200
Subject: [PATCH 11/14] zipl_bls_entries_only: check file /etc/zipl.conf
There is no need to perform pattern match, the check just needs to
examine /etc/zipl.conf file.
---
.../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index f68d91c128..1ebf03ee37 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -19,7 +19,7 @@
<ind:textfilecontent54_object id="object_zipl_bls_entries_only"
version="1">
- <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
+ <ind:filepath operation="equals">/etc/zipl.conf</ind:filepath>
<ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
From 699d5f5bd3075e019387e6fb6b3af81182987c43 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:13:26 +0200
Subject: [PATCH 12/14] Add CCE identifiers to bootmap and bls only rules
Add RHEL-8 CCE identifiers for:
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
---
.../system/bootloader-zipl/zipl_bls_entries_only/rule.yml | 3 +++
.../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index f792c5257f..67cc061ce3 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -14,6 +14,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83485-3
+
ocil_clause: 'a non BLS boot entry is configured'
ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
index 082562d11e..da9411d00b 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -16,6 +16,9 @@ rationale: |-
severity: medium
+identifiers:
+ cce@rhel8: 83486-1
+
ocil_clause: 'the bootmap is outdated'
ocil: |-
From 2ebc3d188e4c243d8e60a9e669d5b661b77f2301 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:16:58 +0200
Subject: [PATCH 13/14] Incorporate OSPP selection changes to profile test
Update the profile reference file.
---
tests/data/profile_stability/rhel8/ospp.profile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index b0d7672c36..08dcccf24c 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -213,6 +213,8 @@ selections:
- sysctl_user_max_user_namespaces
- timer_dnf-automatic_enabled
- usbguard_allow_hid_and_hub
+- zipl_bls_entries_only
+- zipl_bootmap_is_up_to_date
- var_sshd_set_keepalive=0
- var_rekey_limit_size=1G
- var_rekey_limit_time=1hour
From 33bae25bd543880315433925214868917ec8e399 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 15:28:09 +0200
Subject: [PATCH 14/14] Unselect zIPL rules from STIG Profile
The zIPL rules are inherited from OSPP profile
---
rhel8/profiles/stig.profile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 8f12852e26..cfc2160be1 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,3 +45,7 @@ selections:
- rsyslog_remote_tls
- rsyslog_remote_tls_cacert
- "!ssh_client_rekey_limit"
+
+ # Unselect zIPL rules from OSPP
+ - "!zipl_bls_entries_only"
+ - "!zipl_bootmap_is_up_to_date"