skyler / rpms / scap-security-guide

Forked from rpms/scap-security-guide 3 years ago
Clone
Source Code
GIT

Files

c7 c7-alt c7-beta c8 c8-beta c8s
  1.   c8
  2.   SOURCES
  3.   scap-security-guide-0.1.53-fix-grub2-applicability-in-aarch64-ppc64le-PR_6153.patch
Blob Blame History Raw 
From cf1d85924b5945506e57f8701be066c83a894378 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 5 Oct 2020 16:40:39 +0200
Subject: [PATCH 1/2] Check for grub2-common instead of grub2-pc

Check for grub2 intallation based on grub2-common.
grub2-pc is a x86_64 package, but other arches use grub2 as well.
---
 .../checks/oval/installed_env_has_grub2_package.xml  | 12 ++++++------
 ssg/constants.py                                     |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
index e83f45bc3b..2a170d668e 100644
--- a/shared/checks/oval/installed_env_has_grub2_package.xml
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
@@ -6,31 +6,31 @@
       <affected family="unix">
         <platform>multi_platform_all</platform>
       </affected>
-      <description>Checks if package grub2-pc is installed.</description>
+      <description>Checks if package grub2-common is installed.</description>
       <reference ref_id="cpe:/a:grub2" source="CPE" />
     </metadata>
     <criteria>
-      <criterion comment="Package grub2-pc is installed" test_ref="test_env_has_grub2_installed" />
+      <criterion comment="Package grub2-common is installed" test_ref="test_env_has_grub2_installed" />
     </criteria>
   </definition>
 
 {{% if pkg_system == "rpm" %}}
   <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
   id="test_env_has_grub2_installed" version="1"
-  comment="system has package grub2-pc installed">
+  comment="system has package grub2-common installed">
     <linux:object object_ref="obj_env_has_grub2_installed" />
   </linux:rpminfo_test>
   <linux:rpminfo_object id="obj_env_has_grub2_installed" version="1">
-    <linux:name>grub2-pc</linux:name>
+    <linux:name>grub2-common</linux:name>
   </linux:rpminfo_object>
 {{% elif pkg_system == "dpkg" %}}
   <linux:dpkginfo_test check="all" check_existence="all_exist"
   id="test_env_has_grub2_installed" version="1"
-  comment="system has package grub2-pc installed">
+  comment="system has package grub2-common installed">
     <linux:object object_ref="obj_env_has_grub2_installed" />
   </linux:dpkginfo_test>
   <linux:dpkginfo_object id="obj_env_has_grub2_installed" version="1">
-    <linux:name>grub2-pc</linux:name>
+    <linux:name>grub2-common</linux:name>
   </linux:dpkginfo_object>
 {{% endif %}}
 
diff --git a/ssg/constants.py b/ssg/constants.py
index b07fe5f0fe..88316374b5 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -468,7 +468,7 @@
 
 # Default platform to package mapping
 XCCDF_PLATFORM_TO_PACKAGE = {
-  "grub2": "grub2-pc",
+  "grub2": "grub2-common",
   "login_defs": "login",
   "sssd": "sssd-common",
   "zipl": "s390utils-base",

From fba876cfc7f85f5b9a696d0f5fa1177299b7c6bb Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 5 Oct 2020 16:49:15 +0200
Subject: [PATCH 2/2] Handle exception of grub2-coomon in ppc64le

ppc64le systems can use Grub2 or OPAL and the package set will be the
same in both cases.
Add a few more checks to make sure ppc64le arch is handled correctly.
---
 .../oval/installed_env_has_grub2_package.xml  | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
index 2a170d668e..fb2c9cc784 100644
--- a/shared/checks/oval/installed_env_has_grub2_package.xml
+++ b/shared/checks/oval/installed_env_has_grub2_package.xml
@@ -9,8 +9,18 @@
       <description>Checks if package grub2-common is installed.</description>
       <reference ref_id="cpe:/a:grub2" source="CPE" />
     </metadata>
-    <criteria>
+    <criteria operator="AND">
       <criterion comment="Package grub2-common is installed" test_ref="test_env_has_grub2_installed" />
+      <criteria operator="OR">
+        <!-- On ppc64le systems, OF (Grub2) or OPAL (petitboot) can be used,
+        and unfortunately the package set installed is the same in both cases.
+        But when OPAL is used, /sys/firmware/opal exists.
+        So the system uses grub when: -->
+        <!-- grub2-common is installed and arch is not a ppc64le -->
+        <criterion comment="Test for ppcle64 architecture" test_ref="test_system_info_architecture_ppcle_64" negate="true" />
+        <!-- or when grub2-common is installed, arch is a ppc64le but OPAL is not used -->
+        <criterion comment="Test if OPAL is not used" test_ref="test_system_using_opal" negate="true" />
+      </criteria>
     </criteria>
   </definition>
 
@@ -34,4 +44,11 @@
   </linux:dpkginfo_object>
 {{% endif %}}
 
+  <unix:file_test check="all" check_existence="all_exist" comment="Check if /sys/firware/opal exists" id="test_system_using_opal" version="1">
+    <unix:object object_ref="object_system_using_opal" />
+  </unix:file_test>
+  <unix:file_object id="object_system_using_opal" version="1">
+    <unix:filepath>/sys/firmware/opal</unix:filepath>
+  </unix:file_object>
+
 </def-group>

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation