Blame SOURCES/scap-security-guide-0.1.41-grub2_bootloader_arguments.patch

28bffe
diff --git a/shared/fixes/bash/grub2_audit_argument.sh
28bffe
deleted file mode 100644
28bffe
index 913ebd6788..0000000000
28bffe
--- a/shared/fixes/bash/grub2_audit_argument.sh
28bffe
+++ /dev/null
28bffe
@@ -1,13 +0,0 @@
28bffe
-# platform = Red Hat Enterprise Linux 7, multi_platform_fedora
28bffe
-
28bffe
-# Correct the form of default kernel command line in GRUB
28bffe
-if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"'  '/etc/default/grub' ; then
28bffe
-	# modify the GRUB command-line if an audit= arg already exists
28bffe
-	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/'  '/etc/default/grub'
28bffe
-else
28bffe
-	# no audit=arg is present, append it
28bffe
-	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=1"/'  '/etc/default/grub'
28bffe
-fi
28bffe
-
28bffe
-# Correct the form of kernel command line for each installed kernel in the bootloader
28bffe
-grubby --update-kernel=ALL --args="audit=1"
28bffe
diff --git a/shared/checks/oval/grub2_audit_argument.xml
28bffe
deleted file mode 100644
28bffe
index 0a943fd97a..0000000000
28bffe
--- a/shared/checks/oval/grub2_audit_argument.xml
28bffe
+++ /dev/null
28bffe
@@ -1,55 +0,0 @@
28bffe
-<def-group>
28bffe
-  <definition class="compliance" id="grub2_audit_argument" version="2">
28bffe
-    <metadata>
28bffe
-      <title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
28bffe
-      <affected family="unix">
28bffe
-        <platform>Red Hat Enterprise Linux 7</platform>
28bffe
-        <platform>multi_platform_fedora</platform>
28bffe
-      </affected>
28bffe
-      <description>Look for argument audit=1 in the kernel line in /etc/default/grub.</description>
28bffe
-    </metadata>
28bffe
-    <criteria operator="OR">
28bffe
-      
28bffe
-      comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX" />
28bffe
-      <criteria operator="AND">
28bffe
-        
28bffe
-        comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" />
28bffe
-        
28bffe
-        comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" />
28bffe
-      </criteria>
28bffe
-    </criteria>
28bffe
-  </definition>
28bffe
-
28bffe
-  
28bffe
-  comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX"
28bffe
-  check="all" check_existence="all_exist" version="1">
28bffe
-    <ind:object object_ref="object_grub2_audit_argument" />
28bffe
-    <ind:state state_ref="state_grub2_audit_argument" />
28bffe
-  </ind:textfilecontent54_test>
28bffe
-
28bffe
-  <ind:textfilecontent54_object id="object_grub2_audit_argument" version="1">
28bffe
-    <ind:filepath>/etc/default/grub</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
28bffe
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe
-  </ind:textfilecontent54_object>
28bffe
-
28bffe
-  
28bffe
-  comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"
28bffe
-  check="all" check_existence="all_exist" version="1">
28bffe
-    <ind:object object_ref="object_grub2_audit_argument_default" />
28bffe
-    <ind:state state_ref="state_grub2_audit_argument" />
28bffe
-  </ind:textfilecontent54_test>
28bffe
-
28bffe
-  
28bffe
-  version="1">
28bffe
-    <ind:filepath>/etc/default/grub</ind:filepath>
28bffe
-    <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
28bffe
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
28bffe
-  </ind:textfilecontent54_object>
28bffe
-
28bffe
-  
28bffe
-  version="1">
28bffe
-    <ind:subexpression datatype="string" operation="pattern match">^.*audit=1.*$</ind:subexpression>
28bffe
-  </ind:textfilecontent54_state>
28bffe
-
28bffe
-</def-group>
28bffe
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule
28bffe
new file mode 100644
28bffe
index 0000000000..361a6b9853
28bffe
--- /dev/null
28bffe
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule
28bffe
@@ -0,0 +1,51 @@
28bffe
+documentation_complete: true
28bffe
+
28bffe
+prodtype: rhel7,fedora
28bffe
+
28bffe
+title: 'Extend Audit Backlog Limit for the Audit Daemon'
28bffe
+
28bffe
+description: |-
28bffe
+    To improve the kernel capacity to queue all log events, even those which occurred
28bffe
+    prior to the audit daemon, add the argument <tt>audit_backlog_limit=8192</tt> to the default
28bffe
+    GRUB 2 command line for the Linux operating system in
28bffe
+    <tt>/etc/default/grub</tt>, in the manner below:
28bffe
+    
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"
28bffe
+
28bffe
+rationale: |-
28bffe
+    audit_backlog_limit sets the queue length for audit events awaiting transfer
28bffe
+    to the audit daemon. Until the audit daemon is up and running, all log messages
28bffe
+    are stored in this queue.  If the queue is overrun during boot process, the action
28bffe
+    defined by audit failure flag is taken.
28bffe
+
28bffe
+severity: unknown
28bffe
+
28bffe
+ocil_clause: 'audit backlog limit is not configured'
28bffe
+
28bffe
+ocil: |-
28bffe
+    Inspect the form of default GRUB 2 command line for the Linux operating system
28bffe
+    in <tt>/etc/default/grub</tt>. If they include <tt>audit_backlog_limit=1</tt>, then auditing
28bffe
+    is enabled at boot time.
28bffe
+    

28bffe
+    To ensure <tt>audit_backlog_limit=1</tt> is configured on all installed kernels, the
28bffe
+    following command may be used:
28bffe
+    
28bffe
+    
$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=1"
28bffe
+    
28bffe
+
28bffe
+warnings:
28bffe
+    - management: |-
28bffe
+        The GRUB 2 configuration file, <tt>grub.cfg</tt>,
28bffe
+        is automatically updated each time a new kernel is installed. Note that any
28bffe
+        changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
28bffe
+        file. To update the GRUB 2 configuration file manually, use the
28bffe
+        
grub2-mkconfig -o
command as follows:
28bffe
+        
    28bffe
    +        
  • On BIOS-based machines, issue the following command as <tt>root</tt>:
  • 28bffe
    +        
    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
    28bffe
    +        
  • On UEFI-based machines, issue the following command as <tt>root</tt>:
  • 28bffe
    +{{% if product == "rhel7" %}}
    28bffe
    +        
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    28bffe
    +{{% else %}}
    28bffe
    +        
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    28bffe
    +{{% endif %}}
    28bffe
    +        
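Review bot: The ocil block contradicts the rule's own value: the description and the CSV-driven checks use `audit_backlog_limit=8192`, but the inspection text and the grubby command use `audit_backlog_limit=1` (three occurrences in the ocil section), so a manual check following this text would pass a system the OVAL check fails. Change all three to 8192, e.g. `$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192"`. The sentence "then auditing is enabled at boot time" was copied from the audit=1 rule; here it should read "then the audit backlog limit is configured". `severity: unknown` is presumably a placeholder and should be set before the rule ships in a profile.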
    28bffe
    diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule
    28bffe
    new file mode 100644
    28bffe
    index 0000000000..8773f2407f
    28bffe
    --- /dev/null
    28bffe
    +++ b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule
    28bffe
    @@ -0,0 +1,49 @@
    28bffe
    +documentation_complete: true
    28bffe
    +
    28bffe
    +prodtype: rhel7,fedora
    28bffe
    +
    28bffe
    +title: 'Disable vsyscalls'
    28bffe
    +
    28bffe
    +description: |-
    28bffe
    +    To disable use of virtual syscalls,
    28bffe
    +    add the argument <tt>vsyscall=none</tt> to the default
    28bffe
    +    GRUB 2 command line for the Linux operating system in
    28bffe
    +    <tt>/etc/default/grub</tt>, in the manner below:
    28bffe
    +    
    GRUB_CMDLINE_LINUX="vsyscall=none"
    28bffe
    +
    28bffe
    +rationale: |-
    28bffe
    +    Virtual Syscalls provide an opportunity of attack for a user who has control
    28bffe
    +    of the return instruction pointer.
    28bffe
    +
    28bffe
    +severity: unknown
    28bffe
    +
    28bffe
    +ocil_clause: 'vsyscalls are enabled'
    28bffe
    +
    28bffe
    +ocil: |-
    28bffe
    +    Inspect the form of default GRUB 2 command line for the Linux operating system
    28bffe
    +    in <tt>/etc/default/grub</tt>. If they include <tt>vsyscall=none</tt>,
    28bffe
    +    then virtyal syscalls are not enabled at boot time.
    28bffe
    +    

    28bffe
    +    To ensure <tt>vsyscall=none</tt> is configured on all installed kernels, the
    28bffe
    +    following command may be used:
    28bffe
    +    
    28bffe
    +    
    $ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none
    28bffe
    +    
    28bffe
    +
    28bffe
    +warnings:
    28bffe
    +    - management: |-
    28bffe
    +        The GRUB 2 configuration file, <tt>grub.cfg</tt>,
    28bffe
    +        is automatically updated each time a new kernel is installed. Note that any
    28bffe
    +        changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
    28bffe
    +        file. To update the GRUB 2 configuration file manually, use the
    28bffe
    +        
    grub2-mkconfig -o
    command as follows:
    28bffe
    +        
      28bffe
      +        
    • On BIOS-based machines, issue the following command as <tt>root</tt>:
    • 28bffe
      +        
      ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
      28bffe
      +        
    • On UEFI-based machines, issue the following command as <tt>root</tt>:
    • 28bffe
      +{{% if product == "rhel7" %}}
      28bffe
      +        
      ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
      28bffe
      +{{% else %}}
      28bffe
      +        
      ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
      28bffe
      +{{% endif %}}
      28bffe
      +        
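Review bot: The grubby command in the ocil block is missing its closing double quote, `$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none"`; the same truncated command appears in the page_poison and slub_debug rules in this patch. The ocil text also has the typo "virtyal" and should read "then virtual syscalls are not enabled at boot time". The description's example `GRUB_CMDLINE_LINUX="vsyscall=none"` shows a line holding only this argument, which a reader may take literally and drop the existing kernel arguments; the backlog-limit rule's example, which appends the argument to a full line, is the safer pattern. A `warnings` entry noting that `vsyscall=none` can break legacy binaries that still depend on the vsyscall page would help operators assess the change before applying it.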
      28bffe
      diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
      28bffe
      new file mode 100644
      28bffe
      index 0000000000..6a7a370f2b
      28bffe
      --- /dev/null
      28bffe
      +++ b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
      28bffe
      @@ -0,0 +1,8 @@
      28bffe
      +documentation_complete: true
      28bffe
      +
      28bffe
      +title: 'Memory Poisoning'
      28bffe
      +
      28bffe
      +description: |-
      28bffe
      +    Memory Poisoning consists of writing a special value to uninitialized or freed memory.
      28bffe
      +    Poisoning can be used as a mechanism to prevent leak of information and detection of
      28bffe
      +    corrupted memory.
      28bffe
      diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule
      28bffe
      new file mode 100644
      28bffe
      index 0000000000..9056613b0d
      28bffe
      --- /dev/null
      28bffe
      +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule
      28bffe
      @@ -0,0 +1,52 @@
      28bffe
      +documentation_complete: true
      28bffe
      +
      28bffe
      +prodtype: rhel7,fedora
      28bffe
      +
      28bffe
      +title: 'Enable page allocator poisoning'
      28bffe
      +
      28bffe
      +description: |-
      28bffe
      +    To enable poisoning of free pages,
      28bffe
      +    add the argument <tt>page_poison=1</tt> to the default
      28bffe
      +    GRUB 2 command line for the Linux operating system in
      28bffe
      +    <tt>/etc/default/grub</tt>, in the manner below:
      28bffe
      +    
      GRUB_CMDLINE_LINUX="page_poison=1"
      28bffe
      +
      28bffe
      +rationale: |-
      28bffe
      +    Poisoning writes an arbitrary value to freed pages, so any modification or
      28bffe
      +    reference to that page after being freed or before being initialized will be
      28bffe
      +    detected and prevented.
      28bffe
      +    This prevents many types of use-after-free vulnerabilities at little performance cost.
      28bffe
      +    Also prevents leak of data and detection of corrupted memory.
      28bffe
      +
      28bffe
      +severity: unknown
      28bffe
      +
      28bffe
      +ocil_clause: 'page allocator poisoning is not enabled'
      28bffe
      +
      28bffe
      +ocil: |-
      28bffe
      +    Inspect the form of default GRUB 2 command line for the Linux operating system
      28bffe
      +    in <tt>/etc/default/grub</tt>. If they include <tt>page_poison=1</tt>,
      28bffe
      +    then page poisoning is enabled at boot time.
      28bffe
      +    

      28bffe
      +    To ensure <tt>page_poison=1</tt> is configured on all installed kernels, the
      28bffe
      +    following command may be used:
      28bffe
      +    
      28bffe
      +    
      $ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1
      28bffe
      +    
      28bffe
      +
      28bffe
      +warnings:
      28bffe
      +    - management: |-
      28bffe
      +        The GRUB 2 configuration file, <tt>grub.cfg</tt>,
      28bffe
      +        is automatically updated each time a new kernel is installed. Note that any
      28bffe
      +        changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
      28bffe
      +        file. To update the GRUB 2 configuration file manually, use the
      28bffe
      +        
      grub2-mkconfig -o
      command as follows:
      28bffe
      +        
        28bffe
        +        
      • On BIOS-based machines, issue the following command as <tt>root</tt>:
      • 28bffe
        +        
        ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
        28bffe
        +        
      • On UEFI-based machines, issue the following command as <tt>root</tt>:
      • 28bffe
        +{{% if product == "rhel7" %}}
        28bffe
        +        
        ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
        28bffe
        +{{% else %}}
        28bffe
        +        
        ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
        28bffe
        +{{% endif %}}
        28bffe
        +        
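Review bot: The last rationale sentence, "Also prevents leak of data and detection of corrupted memory", reads as if poisoning prevents the detection of corrupted memory, which is the opposite of what is meant; the same wording is in the slub_debug rule and in the poisoning group.yml. Suggest `Also prevents leak of data and helps detect corrupted memory.` As with the other new rules, `severity: unknown` looks like a placeholder, and the ocil grubby command is missing its closing quote (raised on the vsyscall rule).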
        28bffe
        diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule
        28bffe
        new file mode 100644
        28bffe
        index 0000000000..ea982ee216
        28bffe
        --- /dev/null
        28bffe
        +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule
        28bffe
        @@ -0,0 +1,52 @@
        28bffe
        +documentation_complete: true
        28bffe
        +
        28bffe
        +prodtype: rhel7,fedora
        28bffe
        +
        28bffe
        +title: 'Enable SLUB/SLAB allocator poisoning'
        28bffe
        +
        28bffe
        +description: |-
        28bffe
        +    To enable poisoning of SLUB/SLAB objects,
        28bffe
        +    add the argument <tt>slub_debug=P</tt> to the default
        28bffe
        +    GRUB 2 command line for the Linux operating system in
        28bffe
        +    <tt>/etc/default/grub</tt>, in the manner below:
        28bffe
        +    
        GRUB_CMDLINE_LINUX="slub_debug=P"
        28bffe
        +
        28bffe
        +rationale: |-
        28bffe
        +    Poisoning writes an arbitrary value to freed objects, so any modification or
        28bffe
        +    reference to that object after being freed or before being initialized will be
        28bffe
        +    detected and prevented.
        28bffe
        +    This prevents many types of use-after-free vulnerabilities at little performance cost.
        28bffe
        +    Also prevents leak of data and detection of corrupted memory.
        28bffe
        +
        28bffe
        +severity: unknown
        28bffe
        +
        28bffe
        +ocil_clause: 'SLUB/SLAB poisoning is not enabled'
        28bffe
        +
        28bffe
        +ocil: |-
        28bffe
        +    Inspect the form of default GRUB 2 command line for the Linux operating system
        28bffe
        +    in <tt>/etc/default/grub</tt>. If they include <tt>slub_debug=P</tt>,
        28bffe
        +    then SLUB/SLAB poisoning is enabled at boot time.
        28bffe
        +    

        28bffe
        +    To ensure <tt>slub_debug=P</tt> is configured on all installed kernels, the
        28bffe
        +    following command may be used:
        28bffe
        +    
        28bffe
        +    
        $ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P
        28bffe
        +    
        28bffe
        +
        28bffe
        +warnings:
        28bffe
        +    - management: |-
        28bffe
        +        The GRUB 2 configuration file, <tt>grub.cfg</tt>,
        28bffe
        +        is automatically updated each time a new kernel is installed. Note that any
        28bffe
        +        changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
        28bffe
        +        file. To update the GRUB 2 configuration file manually, use the
        28bffe
        +        
        grub2-mkconfig -o
        command as follows:
        28bffe
        +        
          28bffe
          +        
        • On BIOS-based machines, issue the following command as <tt>root</tt>:
        • 28bffe
          +        
          ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
          28bffe
          +        
        • On UEFI-based machines, issue the following command as <tt>root</tt>:
        • 28bffe
          +{{% if product == "rhel7" %}}
          28bffe
          +        
          ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
          28bffe
          +{{% else %}}
          28bffe
          +        
          ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
          28bffe
          +{{% endif %}}
          28bffe
          +        
          28bffe
          diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
          28bffe
          index bfdc68de8b..dd157a6e5b 100644
          28bffe
          --- a/rhel7/profiles/ospp42.profile
          28bffe
          +++ b/rhel7/profiles/ospp42.profile
          28bffe
          @@ -15,6 +15,7 @@ description: |-
          28bffe
           selections:
          28bffe
               - installed_OS_is_certified
          28bffe
               - grub2_audit_argument
          28bffe
          +    - grub2_audit_backlog_limit_argument
          28bffe
               - service_auditd_enabled
          28bffe
               - grub2_enable_fips_mode
          28bffe
               - rpm_verify_hashes
          28bffe
          @@ -53,6 +54,9 @@ selections:
          28bffe
               - grub2_password
          28bffe
               - grub2_uefi_password
          28bffe
               - grub2_disable_interactive_boot
          28bffe
          +    - grub2_slub_debug_argument
          28bffe
          +    - grub2_page_poison_argument
          28bffe
          +    - grub2_vsyscall_argument
          28bffe
               - no_empty_passwords
          28bffe
               - require_singleuser_auth
          28bffe
               - service_debug-shell_disabled
          28bffe
          diff --git a/shared/templates/create_grub2_bootloader_argument.py b/shared/templates/create_grub2_bootloader_argument.py
          28bffe
          new file mode 100644
          28bffe
          index 0000000000..bbd6e46a82
          28bffe
          --- /dev/null
          28bffe
          +++ b/shared/templates/create_grub2_bootloader_argument.py
          28bffe
          @@ -0,0 +1,40 @@
          28bffe
          +#!/usr/bin/python2
          28bffe
          +
          28bffe
          +#
          28bffe
          +# create_grub2_bootloader_argument.py
          28bffe
          +#        generate template-based checks for unsuccessful file modifications detailed
          28bffe
          +
          28bffe
          +
          28bffe
          +from template_common import FilesGenerator, UnknownTargetError
          28bffe
          +
          28bffe
          +import re
          28bffe
          +
          28bffe
          +class GRUB2BootloaderArgumentGenerator(FilesGenerator):
          28bffe
          +    def generate(self, target, args):
          28bffe
          +        arg_name, arg_value = args[0:2]
          28bffe
          +        arg_name_value = arg_name + '=' + arg_value
          28bffe
          +
          28bffe
          +        if target == "bash":
          28bffe
          +            self.file_from_template(
          28bffe
          +                "./template_BASH_grub2_bootloader_argument",
          28bffe
          +                {
          28bffe
          +                    "ARG_NAME": arg_name,
          28bffe
          +                    "ARG_NAME_VALUE": arg_name_value
          28bffe
          +                },
          28bffe
          +                "./bash/grub2_{0}_argument.sh", arg_name
          28bffe
          +            )
          28bffe
          +        elif target == "oval":
          28bffe
          +            self.file_from_template(
          28bffe
          +                "./template_OVAL_grub2_bootloader_argument",
          28bffe
          +                {
          28bffe
          +                    "ARG_NAME": arg_name,
          28bffe
          +                    "ARG_NAME_VALUE": arg_name_value
          28bffe
          +                },
          28bffe
          +                "./oval/grub2_{0}_argument.xml", arg_name
          28bffe
          +            )
          28bffe
          +        else:
          28bffe
          +            raise UnknownTargetError(target)
          28bffe
          +
          28bffe
          +    def csv_format(self):
          28bffe
          +        return("CSV should contains lines of the format: " +
          28bffe
          +               "SYSCALL")
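Review bot: `csv_format` still returns the message copied from the audit-rules generator ("CSV should contains lines of the format: SYSCALL"), which is wrong for this CSV; it should describe `<argument_name>,<value>`, e.g. `return("CSV should contain lines of the format: " + "ARGUMENT_NAME,VALUE")`. The file header comment ("generate template-based checks for unsuccessful file modifications detailed") is also a copy-paste leftover and should say it generates GRUB 2 bootloader-argument checks and fixes. `import re` is unused; since the name and value are interpolated verbatim into a `sed` expression and an OVAL regex by the templates, a conservative guard such as `if not re.match(r'^[\w.-]+$', arg_name) or not re.match(r'^[\w.-]+$', arg_value): raise ValueError(...)` would give it a purpose and catch a CSV entry containing `/`, `&` or regex metacharacters before it corrupts the generated fix.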
          28bffe
          diff --git a/shared/templates/csv/grub2_bootloader_argument.csv b/shared/templates/csv/grub2_bootloader_argument.csv
          28bffe
          new file mode 100644
          28bffe
          index 0000000000..8610111715
          28bffe
          --- /dev/null
          28bffe
          +++ b/shared/templates/csv/grub2_bootloader_argument.csv
          28bffe
          @@ -0,0 +1,10 @@
          28bffe
          +# format:
          28bffe
          +# <argument_name>,<value>
          28bffe
          +# - argument_name is the name of argument for the bootloader
          28bffe
          +# - value is the value for the argument
          28bffe
          +
          28bffe
          +audit,1
          28bffe
          +audit_backlog_limit,8192
          28bffe
          +slub_debug,P
          28bffe
          +page_poison,1
          28bffe
          +vsyscall,none
          28bffe
          diff --git a/shared/templates/template_BASH_grub2_bootloader_argument b/shared/templates/template_BASH_grub2_bootloader_argument
          28bffe
          new file mode 100644
          28bffe
          index 0000000000..9f48517415
          28bffe
          --- /dev/null
          28bffe
          +++ b/shared/templates/template_BASH_grub2_bootloader_argument
          28bffe
          @@ -0,0 +1,13 @@
          28bffe
          +# platform = Red Hat Enterprise Linux 7, multi_platform_fedora
          28bffe
          +
          28bffe
          +# Correct the form of default kernel command line in GRUB
          28bffe
          +if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"'  '/etc/default/grub' ; then
          28bffe
          +	# modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists
          28bffe
          +	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/'  '/etc/default/grub'
          28bffe
          +else
          28bffe
          +	# no {{{ ARG_NAME }}}=arg is present, append it
          28bffe
          +	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/'  '/etc/default/grub'
          28bffe
          +fi
          28bffe
          +
          28bffe
          +# Correct the form of kernel command line for each installed kernel in the bootloader
          28bffe
          +grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
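Review bot: When `/etc/default/grub` has no `GRUB_CMDLINE_LINUX="..."` line at all, neither `sed` branch matches anything, `sed -i` exits 0, and the fix reports success without writing the argument; only the double-quoted form is handled, so a single-quoted or unquoted value is silently skipped too. Adding an explicit fallback that creates the line closes the gap; the `grubby` call below is unaffected since it edits the per-kernel entries directly. The rendered OVAL template checks the same file, so a silently skipped write would also make the remediated host fail the follow-up scan rather than be caught here.

```shell
if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"'  '/etc/default/grub' ; then
	# … unchanged: sed that replaces the existing {{{ ARG_NAME }}}= value …
elif grep -q '^GRUB_CMDLINE_LINUX=".*"' '/etc/default/grub' ; then
	# no {{{ ARG_NAME }}}=arg is present, append it to the existing line
	sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/'  '/etc/default/grub'
else
	# no GRUB_CMDLINE_LINUX line exists: create one so the argument is not silently dropped
	printf 'GRUB_CMDLINE_LINUX="%s"\n' '{{{ ARG_NAME_VALUE }}}' >> '/etc/default/grub'
fi
# … unchanged: grubby call …
```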
          28bffe
          diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument
          28bffe
          new file mode 100644
          28bffe
          index 0000000000..b6f4b1397a
          28bffe
          --- /dev/null
          28bffe
          +++ b/shared/templates/template_OVAL_grub2_bootloader_argument
          28bffe
          @@ -0,0 +1,55 @@
          28bffe
          +<def-group>
          28bffe
          +  <definition class="compliance" id="grub2_{{{ ARG_NAME }}}_argument" version="2">
          28bffe
          +    <metadata>
          28bffe
          +      <title>Ensure GRUB 2 is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
          28bffe
          +      <affected family="unix">
          28bffe
          +        <platform>Red Hat Enterprise Linux 7</platform>
          28bffe
          +        <platform>multi_platform_fedora</platform>
          28bffe
          +      </affected>
          28bffe
          +      <description>Look for argument {{{ ARG_NAME_VALUE }}} in the kernel line in /etc/default/grub.</description>
          28bffe
          +    </metadata>
          28bffe
          +    <criteria operator="OR">
          28bffe
          +      
          28bffe
          +      comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX" />
          28bffe
          +      <criteria operator="AND">
          28bffe
          +        
          28bffe
          +        comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" />
          28bffe
          +        
          28bffe
          +        comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" />
          28bffe
          +      </criteria>
          28bffe
          +    </criteria>
          28bffe
          +  </definition>
          28bffe
          +
          28bffe
          +  
          28bffe
          +  comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX"
          28bffe
          +  check="all" check_existence="all_exist" version="1">
          28bffe
          +    <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument" />
          28bffe
          +    <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
          28bffe
          +  </ind:textfilecontent54_test>
          28bffe
          +
          28bffe
          +  <ind:textfilecontent54_object id="object_grub2_{{{ ARG_NAME }}}_argument" version="1">
          28bffe
          +    <ind:filepath>/etc/default/grub</ind:filepath>
          28bffe
          +    <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
          28bffe
          +    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
          28bffe
          +  </ind:textfilecontent54_object>
          28bffe
          +
          28bffe
          +  
          28bffe
          +  comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"
          28bffe
          +  check="all" check_existence="all_exist" version="1">
          28bffe
          +    <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument_default" />
          28bffe
          +    <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
          28bffe
          +  </ind:textfilecontent54_test>
          28bffe
          +
          28bffe
          +  
          28bffe
          +  version="1">
          28bffe
          +    <ind:filepath>/etc/default/grub</ind:filepath>
          28bffe
          +    <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
          28bffe
          +    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
          28bffe
          +  </ind:textfilecontent54_object>
          28bffe
          +
          28bffe
          +  
          28bffe
          +  version="1">
          28bffe
          +    <ind:subexpression datatype="string" operation="pattern match">^.*{{{ ARG_NAME_VALUE }}}.*$</ind:subexpression>
          28bffe
          +  </ind:textfilecontent54_state>
          28bffe
          +
          28bffe
          +</def-group>
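Review bot: The state pattern `^.*{{{ ARG_NAME_VALUE }}}.*$` is an unanchored substring match, so `audit=1` is also satisfied by `audit=10`, and a line such as `audit=1 ... audit=0` passes even though the kernel honours the last occurrence. Bounding the match with whitespace, `(^|\s){{{ ARG_NAME_VALUE }}}(\s|$)`, removes the prefix/suffix false positives; the last-occurrence case would need a stricter pattern such as `^(.*\s)?{{{ ARG_NAME_VALUE }}}(\s+(?!{{{ ARG_NAME }}}=).*)?$` if the OVAL regex engine in use supports it. Note also that the check only reads `/etc/default/grub`, not the generated grub.cfg or the running kernel's command line, so a host where the file was edited but grub.cfg was never rebuilt reports compliant; a comment in the template stating that limitation would help whoever extends it. The opening tags of the test and state elements are not visible in this rendering, so their `id` attributes could not be reviewed here.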
          28bffe
          diff --git a/ssg/build_templates.py b/ssg/build_templates.py
          28bffe
          index f4373553b2..c36bbbacc4 100644
          28bffe
          --- a/ssg/build_templates.py
          28bffe
          +++ b/ssg/build_templates.py
          28bffe
          @@ -28,6 +28,7 @@
          28bffe
           from create_audit_rules_usergroup_modification import AuditRulesUserGroupModificationGenerator
          28bffe
           from create_audit_rules_execution import AuditRulesExecutionGenerator
          28bffe
           from create_audit_rules_path_syscall import AuditRulesPathSyscallGenerator
          28bffe
          +from create_grub2_bootloader_argument import GRUB2BootloaderArgumentGenerator
          28bffe
           
          28bffe
           
          28bffe
           class Builder(object):
          28bffe
          @@ -74,6 +75,7 @@ def __init__(self, env_yaml):
          28bffe
                       "audit_rules_usergroup_modification.csv":  AuditRulesUserGroupModificationGenerator(),
          28bffe
                       "audit_rules_execution.csv":        AuditRulesExecutionGenerator(),
          28bffe
                       "audit_rules_path_syscall.csv":        AuditRulesPathSyscallGenerator(),
          28bffe
          +            "grub2_bootloader_argument.csv":        GRUB2BootloaderArgumentGenerator(),
          28bffe
                   }
          28bffe
                   self.langs = TEMPLATED_LANGUAGES
          28bffe
                   utils_dir = os.path.dirname(os.path.realpath(__file__))