From 8cbec60a51b54df386bad72cdd82b83fbf9482fa Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 25 Jun 2020 18:29:31 +0200
Subject: [PATCH 01/14] Add rule to check for zIPL conformance to BLS

Instead of having each zIPL argument rule check for BLS compliance,
let's split into its own rule.
---
 .../zipl_audit_argument/rule.yml              |  6 -----
 .../rule.yml                                  |  6 -----
 .../zipl_bls_entries_only/rule.yml            | 24 +++++++++++++++++++
 .../zipl_enable_selinux/rule.yml              |  6 -----
 .../zipl_page_poison_argument/rule.yml        |  6 -----
 .../zipl_pti_argument/rule.yml                |  6 -----
 .../zipl_slub_debug_argument/rule.yml         |  6 -----
 .../zipl_vsyscall_argument/rule.yml           |  6 -----
 8 files changed, 24 insertions(+), 42 deletions(-)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 2d31ef8ee7..1211a53295 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To ensure all processes can be audited, even those which start prior to the audit daemon,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
     included in its options.<br />
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
     To ensure that new kernels and boot entries continue to enable audit,
@@ -30,10 +28,6 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that doesn't enable audit.
 
-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 40db232257..7d88e38686 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
     included in its options.<br />
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
     To ensure that new kernels and boot entries continue to extend the audit log events queue,
@@ -31,10 +29,6 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that does not extend the log events queue.
 
-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
new file mode 100644
index 0000000000..b6ccbb5343
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure all zIPL boot entries are BLS compliant'
+
+description: |-
+    Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS)
+    by checking that <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt>.
+
+rationale: |-
+    {{{ full_name }}} adheres to Boot Loader Specification (BLS) and is the prefered method of
+    configuration.
+
+severity: medium
+
+ocil_clause: 'a non BLS boot entry is configured'
+
+ocil: |-
+  Check that no boot image file is specified in <tt>/etc/zipl.conf</tt>:
+  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
+  No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
+
+platform: machine
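Review bot: The rationale (L86-L87) gives only a preference and drops the security reason that the removed per-rule text carried: zipl builds /boot/bootmap from /etc/zipl.conf, so a legacy `image =` entry can IPL a kernel and command line that the other zipl_* rules, which only inspect /boot/loader/entries/*.conf, never check. I would say that explicitly, e.g. `A legacy image = entry in /etc/zipl.conf can make zipl boot a kernel and command line that the BLS-based zIPL rules never inspect.`, and fix the wording nits: "entries fully adhere" (L82) and "preferred" (L86). In the OCIL, `grep -R` on a single file is just `grep`; dropping `-R` avoids suggesting a recursive search.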
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 8d28d5495f..1c3bfeb246 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To ensure SELinux is not disabled at boot time,
     check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
     included in its options.<br />
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
 rationale: |-
@@ -27,10 +25,6 @@ ocil: |-
     <pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
     No line should be returned, each line returned is a boot entry that disables SELinux.
 
-    Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
-    <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
-    No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
     And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
     and <tt>/etc/zipl.conf</tt>:
     <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 0a8e9a41e2..6dbfd501b7 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To enable poisoning of free pages,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
     included in its options.<br />
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
 
     To ensure that new kernels and boot entries continue to enable page poisoning,
@@ -31,10 +29,6 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
 
-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 20c1448cc8..555fdf2b66 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To enable Kernel page-table isolation,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
     included in its options.<br />
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
     To ensure that new kernels and boot entries continue to enable page-table isolation,
@@ -30,10 +28,6 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
 
-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index 54ac688ea0..dd7865bf81 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To enable poisoning of SLUB/SLAB objects,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
     included in its options.<br />
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
     To ensure that new kernels and boot entries continue to extend the audit log events queue,
@@ -31,10 +29,6 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that does not enable poisoning.
 
-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index c5979a2016..18b7ade460 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To disable use of virtual syscalls,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
     included in its options.<br />
-    Make sure <tt>/etc/zipl.conf</tt> doesn't contain <tt>image = </tt> setting,
-    as {{{ full_name }}} adheres to Boot Loader Specification (BLS).<br />
     And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
     To ensure that new kernels and boot entries continue to disable virtual syscalls,
@@ -28,10 +26,6 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
 
-  Check that no image file is specified in <tt>/etc/zipl.conf</tt>:
-  <pre>grep -R "^image\s*=" /etc/zipl.conf</pre>
-  No line should be returned, if a line is returned zipl may load a different kernel than intended.
-
   And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
   and <tt>/etc/zipl.conf</tt>:
   <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>

From 5e3b19077d781d0441595019429c653efafede8e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 09:52:39 +0200
Subject: [PATCH 02/14] zipl_bls_entries_only: Add OVAL and tests

---
 .../zipl_bls_entries_only/oval/shared.xml     | 27 +++++++++++++++++++
 .../tests/image_configured.fail.sh            |  6 +++++
 .../tests/no_image.pass.sh                    |  7 +++++
 3 files changed, 40 insertions(+)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
new file mode 100644
index 0000000000..41e9773814
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -0,0 +1,27 @@
+<def-group>
+  <definition class="compliance" id="zipl_bls_entries_only" version="1">
+    <metadata>
+      <title>Ensure zIPL entries are BLS compliant</title>
+      {{{- oval_affected(products) }}}
+      <description>Check if /etc/zipl.conf configures any boot entry</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="test_zipl_bls_entries_only"
+      comment="Test presence of image configuration in /etc/zipl.conf" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_zipl_bls_entries_only"
+  comment="Test presence of image configuration in /etc/zipl.conf"
+  check="all" check_existence="none_exist" version="1">
+    <ind:object object_ref="object_zipl_bls_entries_only" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_zipl_bls_entries_only"
+  version="1">
+    <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
+    <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
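Review bot: The pattern on L262 only matches `image` in column 0; if zipl's parser accepts leading whitespace before a key (worth confirming against the zipl.conf parser), an indented `  image = /boot/vmlinuz` passes both this OVAL and the OCIL grep, so `^\s*image\s*=.*$` (and `"^\s*image\s*="` in the OCIL) would be safer. The `pattern match` on L261 with an unescaped dot is unnecessary; a literal `<ind:filepath>/etc/zipl.conf</ind:filepath>` with the default equals operation is simpler. Note also that `check_existence="none_exist"` passes when /etc/zipl.conf is absent altogether; if that is intended it deserves a one-line comment on the test.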
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
new file mode 100644
index 0000000000..e3adb99638
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/image_configured.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure no image configured in zipl config file
+echo 'image = /boot/image' >> /etc/zipl.conf
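Review bot: The comment on L277 says the script makes sure no image is configured, but this is the fail scenario and the next line appends one; it looks copied from the pass script. Suggest `# Configure a legacy (non-BLS) image entry so the rule fails`.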
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
new file mode 100644
index 0000000000..47626442f6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/tests/no_image.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+# Make sure no image configured in zipl config file
+sed -Ei '/^image\s*=/d' /etc/zipl.conf
+true

From 05e5b05b41080b7fbfaf42469cbb366eeffe35ec Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 11:09:08 +0200
Subject: [PATCH 03/14] zipl_bls_entries_only: Add no-remediation warning

Automated remediation to remove non-BLS boot entries from /etc/zipl.conf
is tricky and can lead to broken entries or removal of all of them.
---
 .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml    | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index b6ccbb5343..f792c5257f 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -22,3 +22,8 @@ ocil: |-
   No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
 
 platform: machine
+
+warnings:
+  - general: |-
+      To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf
+      automated remediation for this rule is not available.
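Review bot: Typo on L315 ("oconfigured") and the sentence needs a comma before the main clause: `To prevent breakage or removal of all boot entries configured in /etc/zipl.conf,` / `automated remediation for this rule is not available.` Since there is no remediation, the warning should also tell the admin what to do by hand: remove the legacy entry from /etc/zipl.conf and re-run `zipl` so /boot/bootmap reflects only the BLS entries.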

From 53d811ed09cd63d4472a2133f3d9dc465dbd2962 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 25 Jun 2020 18:51:04 +0200
Subject: [PATCH 04/14] Add rule to check hotness of zIPL bootmap

Instead of having each zIPL argument rule check if zIPL bootmap is up to
date, let's split it into its own rule.
---
 .../zipl_audit_argument/rule.yml              |  6 -----
 .../rule.yml                                  |  7 -----
 .../zipl_bootmap_is_up_to_date/rule.yml       | 27 +++++++++++++++++++
 .../zipl_enable_selinux/rule.yml              |  6 -----
 .../zipl_page_poison_argument/rule.yml        |  7 -----
 .../zipl_pti_argument/rule.yml                |  7 -----
 .../zipl_slub_debug_argument/rule.yml         |  7 -----
 .../zipl_vsyscall_argument/rule.yml           |  7 -----
 8 files changed, 27 insertions(+), 47 deletions(-)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
index 1211a53295..624b4e7041 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_argument/rule.yml
@@ -8,7 +8,6 @@ description: |-
     To ensure all processes can be audited, even those which start prior to the audit daemon,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit=1</tt>
     included in its options.<br />
-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
     To ensure that new kernels and boot entries continue to enable audit,
     add <tt>audit=1</tt> to <tt>/etc/kernel/cmdline</tt>.
@@ -28,9 +27,4 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that doesn't enable audit.
 
-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
-  and <tt>/etc/zipl.conf</tt>:
-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
 platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
index 7d88e38686..faf114591a 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_audit_backlog_limit_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>audit_backlog_limit=8192</tt>
     included in its options.<br />
-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
     To ensure that new kernels and boot entries continue to extend the audit log events queue,
     add <tt>audit_backlog_limit=8192</tt> to <tt>/etc/kernel/cmdline</tt>.
 
@@ -29,9 +27,4 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\baudit_backlog_limit=0\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that does not extend the log events queue.
 
-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
-  and <tt>/etc/zipl.conf</tt>:
-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
 platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
new file mode 100644
index 0000000000..082562d11e
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -0,0 +1,27 @@
+documentation_complete: true
+
+prodtype: rhel8
+
+title: 'Ensure zIPL bootmap is up to date'
+
+description: |-
+    Make sure that <tt>/boot/bootmap</tt> is up to date.<br />
+    Every time a boot entry or zIPL configuration is changed <tt>/boot/bootmap</tt> needs to
+    be updated to reflect the changes.<br />
+    Run <tt>zipl</tt> command to generate an updated <tt>/boot/bootmap</tt>.
+
+rationale: |-
+    The file <tt>/boot/bootmap</tt> contains all boot data, keeping it up to date is crucial to
+    boot correct kernel and options.
+
+severity: medium
+
+ocil_clause: 'the bootmap is outdated'
+
+ocil: |-
+  Make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
+  and <tt>/etc/zipl.conf</tt>:
+  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
+  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> is outdated and needs to be regenerated.
+
+platform: machine
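Review bot: The rationale on L401-L402 should state why staleness is a security problem rather than a correctness one: the kernel options verified by the other zipl_* rules only take effect once `zipl` has written them into /boot/bootmap, so an outdated bootmap means the IPLed kernel runs without audit=1, pti=on and the rest even though every entry file passes. The description should also carry the caveat that this is an mtime heuristic, not an integrity check: a bootmap restored with preserved timestamps (cp -p, rsync -a, backup tooling) or a clock change can pass while the booted kernel differs from the entries. Finally, the `find ... -newer /boot/bootmap` on L411 errors out when /boot/bootmap is missing, which the OCIL text should mention as a failing condition.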
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
index 1c3bfeb246..b0bc0fc374 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_enable_selinux/rule.yml
@@ -8,7 +8,6 @@ description: |-
     To ensure SELinux is not disabled at boot time,
     check that no boot entry in <tt>/boot/loader/entries/*.conf</tt> has <tt>selinux=0</tt>
     included in its options.<br />
-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
 
 rationale: |-
     Disabling a major host protection feature, such as SELinux, at boot time prevents
@@ -25,9 +24,4 @@ ocil: |-
     <pre>sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf</pre>
     No line should be returned, each line returned is a boot entry that disables SELinux.
 
-    And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
-    and <tt>/etc/zipl.conf</tt>:
-    <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
-    No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
 platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
index 6dbfd501b7..866664c01b 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_page_poison_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To enable poisoning of free pages,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>page_poison=1</tt>
     included in its options.<br />
-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br />
-
     To ensure that new kernels and boot entries continue to enable page poisoning,
     add <tt>page_poison=1</tt> to <tt>/etc/kernel/cmdline</tt>.
 
@@ -29,9 +27,4 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
 
-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
-  and <tt>/etc/zipl.conf</tt>:
-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
 platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
index 555fdf2b66..2f02d9668c 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_pti_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To enable Kernel page-table isolation,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>pti=on</tt>
     included in its options.<br />
-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
     To ensure that new kernels and boot entries continue to enable page-table isolation,
     add <tt>pti=on</tt> to <tt>/etc/kernel/cmdline</tt>.
 
@@ -28,9 +26,4 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\bpti=on\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that doesn't enable page-table isolation .
 
-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
-  and <tt>/etc/zipl.conf</tt>:
-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
 platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
index dd7865bf81..0cb10d3cd8 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_slub_debug_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To enable poisoning of SLUB/SLAB objects,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>slub_debug=P</tt>
     included in its options.<br />
-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
     To ensure that new kernels and boot entries continue to extend the audit log events queue,
     add <tt>slub_debug=P</tt> to <tt>/etc/kernel/cmdline</tt>.
 
@@ -29,9 +27,4 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that does not enable poisoning.
 
-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
-  and <tt>/etc/zipl.conf</tt>:
-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
 platform: machine
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
index 18b7ade460..f79adeb083 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_vsyscall_argument/rule.yml
@@ -8,8 +8,6 @@ description: |-
     To disable use of virtual syscalls,
     check that all boot entries in <tt>/boot/loader/entries/*.conf</tt> have <tt>vsyscall=none</tt>
     included in its options.<br />
-    And run <tt>zipl</tt> command so that <tt>/boot/bootmap</tt> is updated.<br /><br />
-
     To ensure that new kernels and boot entries continue to disable virtual syscalls,
     add <tt>vsyscall=none</tt> to <tt>/etc/kernel/cmdline</tt>.
 
@@ -26,9 +24,4 @@ ocil: |-
   <pre>sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf</pre>
   No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
 
-  And make sure that <tt>/boot/bootmap</tt> is newer than <tt>/boot/loader/entries/*.conf</tt>
-  and <tt>/etc/zipl.conf</tt>:
-  <pre>find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap</pre>
-  No line should be returned, if a line is returned <tt>/boot/bootmap</tt> needs to be regenerated.
-
 platform: machine

From b9f27383a09afbc6cef61bbbaad0f18f9ebec075 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 15:59:31 +0200
Subject: [PATCH 05/14] zipl_bootmap_is_up_to_date: Add OVAL check

---
 .../oval/shared.xml                           | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
new file mode 100644
index 0000000000..6c446cbe59
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
@@ -0,0 +1,46 @@
+<def-group>
+  <definition class="compliance" id="zipl_bootmap_is_up_to_date" version="1">
+    <metadata>
+      <title>Ensure zIPL bootmap is up to date</title>
+      {{{- oval_affected(products) }}}
+      <description>Check if /boot/bootmap is up to date</description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="test_zipl_bootmap_is_up_to_date"
+      comment="Compare mtime of /boot/bootmap against /etc/zipl.conf and /boot/loader/entries/*.conf" />
+    </criteria>
+  </definition>
+
+  <unix:file_test check="all" check_existence="all_exist" id="test_zipl_bootmap_is_up_to_date" version="1" comment="Check /boot/bootmap timestamps">
+    <unix:object object_ref="object_zipl_boot_bootmap_file" />
+    <unix:state state_ref="state_zipl_bootmap_is_newer_than_zipl_conf" />
+    <unix:state state_ref="state_zipl_bootmap_is_newer_than_boot_entries" />
+  </unix:file_test>
+
+  <unix:file_object id="object_zipl_boot_bootmap_file" comment="current bootmap state" version="1">
+    <unix:filepath>/boot/bootmap</unix:filepath>
+  </unix:file_object>
+
+  <!-- Newer means modified more recently, which means more seconds since epoch -->
+  <unix:file_state id="state_zipl_bootmap_is_newer_than_zipl_conf" version="1">
+    <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
+    var_ref="variable_zipl_conf_file_age" />
+  </unix:file_state>
+  <local_variable id="variable_zipl_conf_file_age" version="1" comment="Age of /etc/zipl.conf" datatype="int">
+    <object_component object_ref="zipl_conf_file" item_field="m_time"/>
+  </local_variable>
+  <unix:file_object id="zipl_conf_file" comment="/etc/zipl.conf state" version="1">
+    <unix:filepath datatype="string">/etc/zipl.conf</unix:filepath>
+  </unix:file_object>
+
+  <unix:file_state id="state_zipl_bootmap_is_newer_than_boot_entries" version="1">
+    <unix:m_time datatype="int" operation="greater than or equal" var_check="all"
+    var_ref="variable_boot_entry_files_age" />
+  </unix:file_state>
+  <local_variable id="variable_boot_entry_files_age" version="1" comment="Age of /boot/loader/entries/*.conf files" datatype="int">
+    <object_component object_ref="boot_entry_files" item_field="m_time"/>
+  </local_variable>
+  <unix:file_object id="boot_entry_files" comment="/boot/loader/entries/*.conf states" version="1">
+    <unix:filepath datatype="string" operation="pattern match">^/boot/loader/entries/.*\.conf$</unix:filepath>
+  </unix:file_object>
+</def-group>
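Review bot: If /etc/zipl.conf or no /boot/loader/entries/*.conf exist, `variable_zipl_conf_file_age` / `variable_boot_entry_files_age` have no values; as far as I recall OVAL evaluates a state entity bound to an empty variable as error rather than true, so this definition would report an error instead of the intended pass/fail on such systems (worth confirming with oscap). If so, I would guard each state with an existence criterion (a file_test with `check_existence="any_exist"` on the same object, ORed with the comparison) or document that the rule assumes both exist. Two smaller points: m_time is seconds-resolution, so a regeneration and an edit within the same second still pass the `greater than or equal` on L571/L582, and the comments on L574/L585 say "Age" where the value is an mtime.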

From 97aff87a403f9b319e87967561c43dc99e8a672e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 2 Jul 2020 16:15:35 +0200
Subject: [PATCH 06/14] zipl_bootmap_is_up_to_date: Add mock tests

These tests mock existence of zIPL files.
---
 .../tests/newer_boot_entry.fail.sh                     | 10 ++++++++++
 .../tests/newer_zipl_conf.fail.sh                      | 10 ++++++++++
 .../tests/up_to_date.pass.sh                           |  9 +++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
new file mode 100644
index 0000000000..728c6b7bdb
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_boot_entry.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /etc/zipl.conf
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/bootmap
+sleep 2
+touch /boot/loader/entries/zipl-entry-2.conf
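Review bot: `touch /boot/loader/entries/*.conf` on the second `touch` line relies on the glob matching and on the directory already existing; with no match bash passes the literal `*.conf`, so a file literally named `*.conf` is created (it still matches the OVAL `^/boot/loader/entries/.*\.conf$` pattern, so the scenario silently passes for the wrong reason), and with no directory the `touch` fails unnoticed because the script does not use `set -e`. Creating the directory first, `mkdir -p /boot/loader/entries`, makes the fixture independent of the test host's state. The same line appears in newer_zipl_conf.fail.sh and up_to_date.pass.sh in this patch and would take the same fix.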
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
new file mode 100644
index 0000000000..1ae4d631ee
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/newer_zipl_conf.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/loader/entries/zipl-entry-2.conf
+touch /boot/bootmap
+sleep 2
+touch /etc/zipl.conf
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
new file mode 100644
index 0000000000..7981ba8c5c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/tests/up_to_date.pass.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+# remediation = none
+
+touch /etc/zipl.conf
+touch /boot/loader/entries/*.conf # Update current existing entries
+touch /boot/loader/entries/zipl-entry-1.conf
+touch /boot/loader/entries/zipl-entry-2.conf
+touch /boot/bootmap

From 180e57bd23154c1ed8dc2575fbf9660c2f83a803 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 3 Jul 2020 18:35:06 +0200
Subject: [PATCH 07/14] zipl_bootmap_is_up_to_date: Add remediations

---
 .../ansible/shared.yml                        | 24 +++++++++++++++++++
 .../zipl_bootmap_is_up_to_date/bash/shared.sh |  3 +++
 2 files changed, 27 insertions(+)
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
 create mode 100644 linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
new file mode 100644
index 0000000000..e545eacc13
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml
@@ -0,0 +1,24 @@
+# platform = Red Hat Enterprise Linux 8
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+- name: "Ensure zIPL bootmap is up to date"
+  block:
+    - name: "Obtain stats of /boot/bootmap"
+      stat:
+        path: /boot/bootmap
+      register: boot_bootmap
+
+    - name: "Obtain stats of /etc/zipl.conf"
+      stat:
+        path: /etc/zipl.conf
+      register: zipl_conf
+
+    # TODO: handle /boot/loader/entries/*.conf
+
+    - name: "Update zIPL bootmap"
+      command: /usr/sbin/zipl
+      changed_when: True
+      when: boot_bootmap.stat.mtime < zipl_conf.stat.mtime
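Review bot: The `when:` on the last line dereferences `zipl_conf.stat.mtime` and `boot_bootmap.stat.mtime` without checking `stat.exists`; the Ansible `stat` module omits `mtime` when the path is missing, so a host without `/etc/zipl.conf` or `/boot/bootmap` fails the task instead of being remediated. The `# TODO` comment also leaves the boot-entry case untouched, so the newer_boot_entry.fail.sh scenario added in the previous patch stays failing under the Ansible remediation even though the Bash one regenerates the bootmap unconditionally. `changed_when: True` should be lowercase `true` (yamllint `truthy`). A `find` task over `/boot/loader/entries/*.conf` plus an existence-guarded condition covers both; the `max | default(0)` fallback for an empty entry list should be confirmed against the target Jinja version.
```yaml
# … unchanged: stat tasks for /boot/bootmap and /etc/zipl.conf …
    - name: "Obtain mtimes of /boot/loader/entries/*.conf"
      find:
        paths: /boot/loader/entries
        patterns: "*.conf"
      register: boot_entries

    - name: "Update zIPL bootmap"
      command: /usr/sbin/zipl
      changed_when: true
      when: >-
        not boot_bootmap.stat.exists
        or (zipl_conf.stat.exists and boot_bootmap.stat.mtime < zipl_conf.stat.mtime)
        or (boot_entries.files | map(attribute='mtime') | list | max | default(0)) > boot_bootmap.stat.mtime
```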
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
new file mode 100644
index 0000000000..2cf7e388f0
--- /dev/null
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = Red Hat Enterprise Linux 8
+
+/usr/bin/zipl

From 93703727b12a34edb26de25410bf23ff72fead2a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 1 Jul 2020 17:16:41 +0200
Subject: [PATCH 08/14] Select zIPL specific rules in OSPP profile

---
 rhel8/profiles/ospp.profile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 07d32b814d..80e4b71fff 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -415,3 +415,7 @@ selections:
     - ssh_client_rekey_limit
     - var_ssh_client_rekey_limit_size=1G
     - var_ssh_client_rekey_limit_time=1hour
+
+    # zIPl specific rules
+    - zipl_bls_entries_only
+    - zipl_bootmap_is_up_to_date
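Review bot: The added comment misspells the bootloader name; it should read `# zIPL specific rules` to match the capitalisation used in the rule names and commit subjects. Since the OSPP profile is evaluated on every RHEL 8 architecture, it would also help to say here whether the two rules carry an s390x platform restriction in their rule.yml (not visible in this series excerpt) or whether they are expected to evaluate on hosts that have no `/etc/zipl.conf` or `/boot/bootmap` at all.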

From 260891e9b2f38d50fadf9eaacd9ee9ca98c977ee Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:03:21 +0200
Subject: [PATCH 09/14] Fix path to zipl binary in Bash remediation

---
 .../bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
index 2cf7e388f0..2310ca060d 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/bash/shared.sh
@@ -1,3 +1,3 @@
 # platform = Red Hat Enterprise Linux 8
 
-/usr/bin/zipl
+/usr/sbin/zipl

From 46d2b1584cf769ae8dbaaa2657541bd0db056a9c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:06:22 +0200
Subject: [PATCH 10/14] zipl_bls_entries_only: there can be leading spaces

There can be leading spaces before 'image'.
---
 .../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index 41e9773814..f68d91c128 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -20,7 +20,7 @@
   <ind:textfilecontent54_object id="object_zipl_bls_entries_only"
   version="1">
     <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
-    <ind:pattern operation="pattern match">^image\s*=.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 

From 0a89ed181803c15e3b73cfb2e13f0ec1cb7689ad Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:10:22 +0200
Subject: [PATCH 11/14] zipl_bls_entries_only: check file /etc/zipl.conf

There is no need to perform a pattern match; the check just needs to
examine the /etc/zipl.conf file.
---
 .../bootloader-zipl/zipl_bls_entries_only/oval/shared.xml       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
index f68d91c128..1ebf03ee37 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
@@ -19,7 +19,7 @@
 
   <ind:textfilecontent54_object id="object_zipl_bls_entries_only"
   version="1">
-    <ind:filepath operation="pattern match">^/etc/zipl.conf$</ind:filepath>
+    <ind:filepath operation="equals">/etc/zipl.conf</ind:filepath>
     <ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>

From 699d5f5bd3075e019387e6fb6b3af81182987c43 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:13:26 +0200
Subject: [PATCH 12/14] Add CCE identifiers to bootmap and bls only rules

Add RHEL-8 CCE identifiers for:
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
---
 .../system/bootloader-zipl/zipl_bls_entries_only/rule.yml      | 3 +++
 .../system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml | 3 +++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
index f792c5257f..67cc061ce3 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -14,6 +14,9 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel8: 83485-3
+
 ocil_clause: 'a non BLS boot entry is configured'
 
 ocil: |-
diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
index 082562d11e..da9411d00b 100644
--- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -16,6 +16,9 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+    cce@rhel8: 83486-1
+
 ocil_clause: 'the bootmap is outdated'
 
 ocil: |-

From 2ebc3d188e4c243d8e60a9e669d5b661b77f2301 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 14:16:58 +0200
Subject: [PATCH 13/14] Incorporate OSPP selection changes to profile test

Update the profile reference file.
---
 tests/data/profile_stability/rhel8/ospp.profile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index b0d7672c36..08dcccf24c 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -213,6 +213,8 @@ selections:
 - sysctl_user_max_user_namespaces
 - timer_dnf-automatic_enabled
 - usbguard_allow_hid_and_hub
+- zipl_bls_entries_only
+- zipl_bootmap_is_up_to_date
 - var_sshd_set_keepalive=0
 - var_rekey_limit_size=1G
 - var_rekey_limit_time=1hour

From 33bae25bd543880315433925214868917ec8e399 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 8 Jul 2020 15:28:09 +0200
Subject: [PATCH 14/14] Unselect zIPL rules from STIG Profile

The zIPL rules are inherited from the OSPP profile.
---
 rhel8/profiles/stig.profile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile
index 8f12852e26..cfc2160be1 100644
--- a/rhel8/profiles/stig.profile
+++ b/rhel8/profiles/stig.profile
@@ -45,3 +45,7 @@ selections:
     - rsyslog_remote_tls
     - rsyslog_remote_tls_cacert
     - "!ssh_client_rekey_limit"
+
+    # Unselect zIPL rules from OSPP
+    - "!zipl_bls_entries_only"
+    - "!zipl_bootmap_is_up_to_date"
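Review bot: The comment `# Unselect zIPL rules from OSPP` restates what the two lines below it do but not why, and the reason is what a later maintainer needs when deciding whether to re-enable them. The commit message only says the rules are inherited from OSPP, which is true of the whole `extends` chain and does not justify dropping these two in particular; the comment should name the actual reason, for example whether the STIG has no corresponding requirement or whether the checks are only meaningful on s390x. Something like `# Unselect zIPL rules inherited from OSPP: <reason>` with the reason filled in would do.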