From 30ad9f95ef5256fea1844d2240b19eb2d717ee4e Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 19 Oct 2020 16:34:06 +0200
Subject: [PATCH 1/3] Remove extra single quote from OVAL macros.
---
shared/macros-oval.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 47033bedbe..5ea97c7537 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -25,7 +25,7 @@
{{%- endif -%}}
<def-group>
<definition class="compliance" id="{{{ rule_id }}}" version="1">
- {{{ oval_metadata("Ensure '" + parameter + "' is configured with value '" + value | replace("(?i)", "") | replace("(?-i)", "") + (" in section '" + section if section else "") + "' in '" + path) }}}
+ {{{ oval_metadata("Ensure '" + parameter + "' is configured with value '" + value | replace("(?i)", "") | replace("(?-i)", "") + (" in section '" + section if section else "") + "' in " + path) }}}
{{%- if missing_config_file_fail %}}
operator="AND">
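Review bot: When `section` is set, the description built on the `+` line still leaves the value's opening quote unclosed: the pieces concatenate to `value 'VAL in section 'SEC' in PATH`, because the only closing quote is the one emitted after the section name. Close the value before the optional section and quote the section on its own, e.g. `+ "' is configured with value '" + value | replace("(?i)", "") | replace("(?-i)", "") + "'" + (" in section '" + section + "'" if section else "") + " in " + path`. The macro this hunk belongs to starts above the hunk, so `section` and `path` are read here as its parameters.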
From 973a52024c21c3c2a97e8f159e53849eadc11285 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 19 Oct 2020 16:50:39 +0200
Subject: [PATCH 2/3] Create custom OVAL check for uefi_no_removeable_media.
Include the extended definition to check if the system is a UEFI system
or not.
---
.../uefi_no_removeable_media/oval/shared.xml | 36 ++++++++++++++++++-
.../tests/hard_disk_set.pass.sh | 12 +++++++
.../tests/removable_media_set.fail.sh | 12 +++++++
tests/shared/grub2.sh | 6 ++++
4 files changed, 65 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh
create mode 100644 linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh
diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
index fd482a3d9d..44e54538c8 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
@@ -1 +1,35 @@
-{{{ oval_check_config_file(path='/boot/efi/EFI/redhat/grub.cfg', prefix_regex='^[ \\t]*', parameter='set root', separator_regex='=', value="'(?!fd)(?!cd)(?!usb).*'", missing_parameter_pass=false, missing_config_file_fail=true) }}}
+{{% if product == "fedora" %}}
+{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
+{{% else %}}
+{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
+{{% endif %}}
+
+<def-group>
+ <definition class="compliance" id="uefi_no_removeable_media" version="1">
+ {{{ oval_metadata("Ensure 'set root' is configured with value '(?!fd)(?!cd)(?!usb).*' in /boot/efi/EFI/redhat/grub.cfg") }}}
+ <criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
+ <extend_definition definition_ref="system_boot_mode_is_uefi" negate="true" comment="Pass if system boot mode is not UEFI" />
+ <criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
+ {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
+ </criteria>
+ </definition>
+
+
+ comment="tests the value of set root setting in the {{{ grub_cfg_prefix + "/grub.cfg" }}} file"
+ id="test_uefi_no_removeable_media" version="1">
+ <ind:object object_ref="obj_uefi_no_removeable_media" />
+ <ind:state state_ref="state_uefi_no_removeable_media" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_uefi_no_removeable_media" version="1">
+ <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
+ <ind:pattern operation="pattern match">^[ \t]*set root=(.+?)[ \t]*(?:$|#)</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_uefi_no_removeable_media" version="1">
+ <ind:subexpression datatype="string" operation="pattern match">^'(?!fd)(?!cd)(?!usb).*'$</ind:subexpression>
+ </ind:textfilecontent54_state>
+
+ {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
+</def-group>
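Review bot: The new definition passes when grub.cfg is missing: the `<criteria ... operator="OR">` arm includes `oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg")`, whereas the removed macro call had `missing_config_file_fail=true`, so a UEFI host whose ESP is not mounted or whose grub.cfg sits under a different vendor directory now silently passes a boot-loader hardening check. Dropping the `{{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}` and `{{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}` lines restores fail-closed behaviour, because a textfilecontent54_test against a nonexistent file does not satisfy the default at-least-one-exists existence check (the test element's opening tag is not visible in this hunk, so confirm no non-default `check_existence` is set there). Separately, the state `^'(?!fd)(?!cd)(?!usb).*'$` only accepts a single-quoted value, so `set root=hd0,gpt2` written without quotes would be reported as a failure although it names a hard disk; either allow `'?` around the value or record the quoting assumption in the state's comment.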
diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh
new file mode 100644
index 0000000000..afe131c417
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# remediation = none
+
+. $SHARED/grub2.sh
+
+set_grub_uefi_root
+
+# make the check applicable since it tries to detect this directory first
+# mkdir -p /sys/firmware/efi
+
+set_root_unquoted "'hd0,msdos1'"
diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh
new file mode 100644
index 0000000000..92499094c1
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# remediation = none
+
+. $SHARED/grub2.sh
+
+set_grub_uefi_root
+
+# make the check applicable since it tries to detect this directory first
+# mkdir -p /sys/firmware/efi
+
+set_root_unquoted "'usb0,msdos1'"
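Review bot: This scenario can only yield the expected failure on a machine that itself booted in UEFI mode, because the definition it exercises passes outright when `system_boot_mode_is_uefi` is false, and the `# mkdir -p /sys/firmware/efi` line intended to fake that is commented out (it would most likely be rejected by sysfs anyway). State the precondition instead of leaving dead code: replace the two commented lines with `# Expected result holds only on a UEFI-booted test VM; a BIOS-booted host passes via the negated system_boot_mode_is_uefi extend_definition.` The same commented-out line appears in hard_disk_set.pass.sh and deserves the same treatment.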
diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
index ce1943349e..bce7683a7c 100644
--- a/tests/shared/grub2.sh
+++ b/tests/shared/grub2.sh
@@ -25,3 +25,9 @@ function set_superusers_unquoted {
mkdir -p "$GRUB_CFG_ROOT"
echo "set superusers=$1" > "$GRUB_CFG_ROOT/grub.cfg"
}
+
+
+function set_root_unquoted {
+ mkdir -p "$GRUB_CFG_ROOT"
+ echo "set root=$1" > "$GRUB_CFG_ROOT/grub.cfg"
+}
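Review bot: `set_root_unquoted` carries no comment saying that it replaces the whole `grub.cfg` under `$GRUB_CFG_ROOT` with a single `set root=` line and that `$1` is written verbatim, so the caller must supply GRUB's own quotes — the callers in this series pass `"'hd0,msdos1'"`, which is easy to get wrong. Add above the function: `# Overwrite $GRUB_CFG_ROOT/grub.cfg with a lone "set root=$1" line; $1 is written verbatim, so include GRUB's quotes yourself (e.g. "'hd0,gpt2'"). GRUB_CFG_ROOT must already be set (the callers use set_grub_uefi_root).` Where `GRUB_CFG_ROOT` is defined lies outside this hunk, so the last clause is inferred from the sibling `set_superusers_unquoted` and the test scripts.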
From fc2b030015317ad465b9dd8c9d9e9714de9c8ac8 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 20 Oct 2020 16:30:10 +0200
Subject: [PATCH 3/3] Update
linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
Co-authored-by: Gabe Alford <redhatrises@gmail.com>
---
.../bootloader-grub2/uefi_no_removeable_media/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
index 44e54538c8..5ae57cbfa6 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
@@ -6,7 +6,7 @@
<def-group>
<definition class="compliance" id="uefi_no_removeable_media" version="1">
- {{{ oval_metadata("Ensure 'set root' is configured with value '(?!fd)(?!cd)(?!usb).*' in /boot/efi/EFI/redhat/grub.cfg") }}}
+ {{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
<criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
<extend_definition definition_ref="system_boot_mode_is_uefi" negate="true" comment="Pass if system boot mode is not UEFI" />
<criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
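Review bot: The new `oval_metadata` description drops the path the previous text carried, so a scan report no longer tells the reader which grub.cfg was inspected — and since this series just made that path product-dependent, the description is the one place where it would help. `grub_cfg_prefix` is set at the top of this template, so the text can stay accurate for both Fedora and RHEL: `{{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media (set root in " + grub_cfg_prefix + "/grub.cfg).") }}}`.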