|
|
28bffe |
diff --git a/shared/fixes/bash/grub2_audit_argument.sh
|
|
|
28bffe |
deleted file mode 100644
|
|
|
28bffe |
index 913ebd6788..0000000000
|
|
|
28bffe |
--- a/shared/fixes/bash/grub2_audit_argument.sh
|
|
|
28bffe |
+++ /dev/null
|
|
|
28bffe |
@@ -1,13 +0,0 @@
|
|
|
28bffe |
-# platform = Red Hat Enterprise Linux 7, multi_platform_fedora
|
|
|
28bffe |
-
|
|
|
28bffe |
-# Correct the form of default kernel command line in GRUB
|
|
|
28bffe |
-if grep -q '^GRUB_CMDLINE_LINUX=.*audit=.*"' '/etc/default/grub' ; then
|
|
|
28bffe |
- # modify the GRUB command-line if an audit= arg already exists
|
|
|
28bffe |
- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit=[^[:space:]]*\(.*"\)/\1 audit=1 \2/' '/etc/default/grub'
|
|
|
28bffe |
-else
|
|
|
28bffe |
- # no audit=arg is present, append it
|
|
|
28bffe |
- sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit=1"/' '/etc/default/grub'
|
|
|
28bffe |
-fi
|
|
|
28bffe |
-
|
|
|
28bffe |
-# Correct the form of kernel command line for each installed kernel in the bootloader
|
|
|
28bffe |
-grubby --update-kernel=ALL --args="audit=1"
|
|
|
28bffe |
diff --git a/shared/checks/oval/grub2_audit_argument.xml
|
|
|
28bffe |
deleted file mode 100644
|
|
|
28bffe |
index 0a943fd97a..0000000000
|
|
|
28bffe |
--- a/shared/checks/oval/grub2_audit_argument.xml
|
|
|
28bffe |
+++ /dev/null
|
|
|
28bffe |
@@ -1,55 +0,0 @@
|
|
|
28bffe |
-<def-group>
|
|
|
28bffe |
- <definition class="compliance" id="grub2_audit_argument" version="2">
|
|
|
28bffe |
- <metadata>
|
|
|
28bffe |
- <title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
|
|
|
28bffe |
- <affected family="unix">
|
|
|
28bffe |
- <platform>Red Hat Enterprise Linux 7</platform>
|
|
|
28bffe |
- <platform>multi_platform_fedora</platform>
|
|
|
28bffe |
- </affected>
|
|
|
28bffe |
- <description>Look for argument audit=1 in the kernel line in /etc/default/grub.</description>
|
|
|
28bffe |
- </metadata>
|
|
|
28bffe |
- <criteria operator="OR">
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX" />
|
|
|
28bffe |
- <criteria operator="AND">
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" />
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" />
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </criteria>
|
|
|
28bffe |
- </definition>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX"
|
|
|
28bffe |
- check="all" check_existence="all_exist" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_grub2_audit_argument" />
|
|
|
28bffe |
- <ind:state state_ref="state_grub2_audit_argument" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
-
|
|
|
28bffe |
- <ind:textfilecontent54_object id="object_grub2_audit_argument" version="1">
|
|
|
28bffe |
- <ind:filepath>/etc/default/grub</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"
|
|
|
28bffe |
- check="all" check_existence="all_exist" version="1">
|
|
|
28bffe |
- <ind:object object_ref="object_grub2_audit_argument_default" />
|
|
|
28bffe |
- <ind:state state_ref="state_grub2_audit_argument" />
|
|
|
28bffe |
- </ind:textfilecontent54_test>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- version="1">
|
|
|
28bffe |
- <ind:filepath>/etc/default/grub</ind:filepath>
|
|
|
28bffe |
- <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
|
|
|
28bffe |
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
- </ind:textfilecontent54_object>
|
|
|
28bffe |
-
|
|
|
28bffe |
-
|
|
|
28bffe |
- version="1">
|
|
|
28bffe |
- <ind:subexpression datatype="string" operation="pattern match">^.*audit=1.*$</ind:subexpression>
|
|
|
28bffe |
- </ind:textfilecontent54_state>
|
|
|
28bffe |
-
|
|
|
28bffe |
-</def-group>
|
|
|
28bffe |
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..361a6b9853
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument.rule
|
|
|
28bffe |
@@ -0,0 +1,51 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Extend Audit Backlog Limit for the Audit Daemon'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ To improve the kernel capacity to queue all log events, even those which occurred
|
|
|
28bffe |
+ prior to the audit daemon, add the argument <tt>audit_backlog_limit=8192</tt> to the default
|
|
|
28bffe |
+ GRUB 2 command line for the Linux operating system in
|
|
|
28bffe |
+ <tt>/etc/default/grub</tt>, in the manner below:
|
|
|
28bffe |
+ GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ audit_backlog_limit sets the queue length for audit events awaiting transfer
|
|
|
28bffe |
+ to the audit daemon. Until the audit daemon is up and running, all log messages
|
|
|
28bffe |
+ are stored in this queue. If the queue is overrun during boot process, the action
|
|
|
28bffe |
+ defined by audit failure flag is taken.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: unknown
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil_clause: 'audit backlog limit is not configured'
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil: |-
|
|
|
28bffe |
+ Inspect the form of default GRUB 2 command line for the Linux operating system
|
|
|
28bffe |
+ in <tt>/etc/default/grub</tt>. If they include <tt>audit_backlog_limit=1</tt>, then auditing
|
|
|
28bffe |
+ is enabled at boot time.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ To ensure <tt>audit_backlog_limit=1</tt> is configured on all installed kernels, the
|
|
|
28bffe |
+ following command may be used:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ $ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=1"
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - management: |-
|
|
|
28bffe |
+ The GRUB 2 configuration file, <tt>grub.cfg</tt>,
|
|
|
28bffe |
+ is automatically updated each time a new kernel is installed. Note that any
|
|
|
28bffe |
+ changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
|
|
|
28bffe |
+ file. To update the GRUB 2 configuration file manually, use the
|
|
|
28bffe |
+ grub2-mkconfig -o command as follows:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ On BIOS-based machines, issue the following command as <tt>root</tt>:
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
|
|
|
28bffe |
+ On UEFI-based machines, issue the following command as <tt>root</tt>:
|
|
|
28bffe |
+{{% if product == "rhel7" %}}
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
|
|
|
28bffe |
+{{% else %}}
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
|
|
|
28bffe |
+{{% endif %}}
|
|
|
28bffe |
+
|
|
|
28bffe |
diff --git a/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..8773f2407f
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/permissions/restrictions/grub2_vsyscall_argument.rule
|
|
|
28bffe |
@@ -0,0 +1,49 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Disable vsyscalls'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ To disable use of virtual syscalls,
|
|
|
28bffe |
+ add the argument <tt>vsyscall=none</tt> to the default
|
|
|
28bffe |
+ GRUB 2 command line for the Linux operating system in
|
|
|
28bffe |
+ <tt>/etc/default/grub</tt>, in the manner below:
|
|
|
28bffe |
+ GRUB_CMDLINE_LINUX="vsyscall=none"
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Virtual Syscalls provide an opportunity of attack for a user who has control
|
|
|
28bffe |
+ of the return instruction pointer.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: unknown
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil_clause: 'vsyscalls are enabled'
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil: |-
|
|
|
28bffe |
+ Inspect the form of default GRUB 2 command line for the Linux operating system
|
|
|
28bffe |
+ in <tt>/etc/default/grub</tt>. If they include <tt>vsyscall=none</tt>,
|
|
|
28bffe |
+ then virtyal syscalls are not enabled at boot time.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ To ensure <tt>vsyscall=none</tt> is configured on all installed kernels, the
|
|
|
28bffe |
+ following command may be used:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ $ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - management: |-
|
|
|
28bffe |
+ The GRUB 2 configuration file, <tt>grub.cfg</tt>,
|
|
|
28bffe |
+ is automatically updated each time a new kernel is installed. Note that any
|
|
|
28bffe |
+ changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
|
|
|
28bffe |
+ file. To update the GRUB 2 configuration file manually, use the
|
|
|
28bffe |
+ grub2-mkconfig -o command as follows:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ On BIOS-based machines, issue the following command as <tt>root</tt>:
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
|
|
|
28bffe |
+ On UEFI-based machines, issue the following command as <tt>root</tt>:
|
|
|
28bffe |
+{{% if product == "rhel7" %}}
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
|
|
|
28bffe |
+{{% else %}}
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
|
|
|
28bffe |
+{{% endif %}}
|
|
|
28bffe |
+
|
|
|
28bffe |
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/group.yml b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..6a7a370f2b
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/group.yml
|
|
|
28bffe |
@@ -0,0 +1,8 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Memory Poisoning'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ Memory Poisoning consists of writing a special value to uninitialized or freed memory.
|
|
|
28bffe |
+ Poisoning can be used as a mechanism to prevent leak of information and detection of
|
|
|
28bffe |
+ corrupted memory.
|
|
|
28bffe |
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..9056613b0d
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument.rule
|
|
|
28bffe |
@@ -0,0 +1,52 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Enable page allocator poisoning'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ To enable poisoning of free pages,
|
|
|
28bffe |
+ add the argument <tt>page_poison=1</tt> to the default
|
|
|
28bffe |
+ GRUB 2 command line for the Linux operating system in
|
|
|
28bffe |
+ <tt>/etc/default/grub</tt>, in the manner below:
|
|
|
28bffe |
+ GRUB_CMDLINE_LINUX="page_poison=1"
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Poisoning writes an arbitrary value to freed pages, so any modification or
|
|
|
28bffe |
+ reference to that page after being freed or before being initialized will be
|
|
|
28bffe |
+ detected and prevented.
|
|
|
28bffe |
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
|
|
|
28bffe |
+ Also prevents leak of data and detection of corrupted memory.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: unknown
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil_clause: 'page allocator poisoning is not enabled'
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil: |-
|
|
|
28bffe |
+ Inspect the form of default GRUB 2 command line for the Linux operating system
|
|
|
28bffe |
+ in <tt>/etc/default/grub</tt>. If they include <tt>page_poison=1</tt>,
|
|
|
28bffe |
+ then page poisoning is enabled at boot time.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ To ensure <tt>page_poison=1</tt> is configured on all installed kernels, the
|
|
|
28bffe |
+ following command may be used:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ $ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - management: |-
|
|
|
28bffe |
+ The GRUB 2 configuration file, <tt>grub.cfg</tt>,
|
|
|
28bffe |
+ is automatically updated each time a new kernel is installed. Note that any
|
|
|
28bffe |
+ changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
|
|
|
28bffe |
+ file. To update the GRUB 2 configuration file manually, use the
|
|
|
28bffe |
+ grub2-mkconfig -o command as follows:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ On BIOS-based machines, issue the following command as <tt>root</tt>:
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
|
|
|
28bffe |
+ On UEFI-based machines, issue the following command as <tt>root</tt>:
|
|
|
28bffe |
+{{% if product == "rhel7" %}}
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
|
|
|
28bffe |
+{{% else %}}
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
|
|
|
28bffe |
+{{% endif %}}
|
|
|
28bffe |
+
|
|
|
28bffe |
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..ea982ee216
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument.rule
|
|
|
28bffe |
@@ -0,0 +1,52 @@
|
|
|
28bffe |
+documentation_complete: true
|
|
|
28bffe |
+
|
|
|
28bffe |
+prodtype: rhel7,fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+title: 'Enable SLUB/SLAB allocator poisoning'
|
|
|
28bffe |
+
|
|
|
28bffe |
+description: |-
|
|
|
28bffe |
+ To enable poisoning of SLUB/SLAB objects,
|
|
|
28bffe |
+ add the argument <tt>slub_debug=P</tt> to the default
|
|
|
28bffe |
+ GRUB 2 command line for the Linux operating system in
|
|
|
28bffe |
+ <tt>/etc/default/grub</tt>, in the manner below:
|
|
|
28bffe |
+ GRUB_CMDLINE_LINUX="slub_debug=P"
|
|
|
28bffe |
+
|
|
|
28bffe |
+rationale: |-
|
|
|
28bffe |
+ Poisoning writes an arbitrary value to freed objects, so any modification or
|
|
|
28bffe |
+ reference to that object after being freed or before being initialized will be
|
|
|
28bffe |
+ detected and prevented.
|
|
|
28bffe |
+ This prevents many types of use-after-free vulnerabilities at little performance cost.
|
|
|
28bffe |
+ Also prevents leak of data and detection of corrupted memory.
|
|
|
28bffe |
+
|
|
|
28bffe |
+severity: unknown
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil_clause: 'SLUB/SLAB poisoning is not enabled'
|
|
|
28bffe |
+
|
|
|
28bffe |
+ocil: |-
|
|
|
28bffe |
+ Inspect the form of default GRUB 2 command line for the Linux operating system
|
|
|
28bffe |
+ in <tt>/etc/default/grub</tt>. If they include <tt>slub_debug=P</tt>,
|
|
|
28bffe |
+ then SLUB/SLAB poisoning is enabled at boot time.
|
|
|
28bffe |
+
|
|
|
28bffe |
+ To ensure <tt>slub_debug=P</tt> is configured on all installed kernels, the
|
|
|
28bffe |
+ following command may be used:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ $ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+warnings:
|
|
|
28bffe |
+ - management: |-
|
|
|
28bffe |
+ The GRUB 2 configuration file, <tt>grub.cfg</tt>,
|
|
|
28bffe |
+ is automatically updated each time a new kernel is installed. Note that any
|
|
|
28bffe |
+ changes to <tt>/etc/default/grub</tt> require rebuilding the <tt>grub.cfg</tt>
|
|
|
28bffe |
+ file. To update the GRUB 2 configuration file manually, use the
|
|
|
28bffe |
+ grub2-mkconfig -o command as follows:
|
|
|
28bffe |
+
|
|
|
28bffe |
+ On BIOS-based machines, issue the following command as <tt>root</tt>:
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
|
|
|
28bffe |
+ On UEFI-based machines, issue the following command as <tt>root</tt>:
|
|
|
28bffe |
+{{% if product == "rhel7" %}}
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
|
|
|
28bffe |
+{{% else %}}
|
|
|
28bffe |
+ ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
|
|
|
28bffe |
+{{% endif %}}
|
|
|
28bffe |
+
|
|
|
28bffe |
diff --git a/rhel7/profiles/ospp42.profile b/rhel7/profiles/ospp42.profile
|
|
|
28bffe |
index bfdc68de8b..dd157a6e5b 100644
|
|
|
28bffe |
--- a/rhel7/profiles/ospp42.profile
|
|
|
28bffe |
+++ b/rhel7/profiles/ospp42.profile
|
|
|
28bffe |
@@ -15,6 +15,7 @@ description: |-
|
|
|
28bffe |
selections:
|
|
|
28bffe |
- installed_OS_is_certified
|
|
|
28bffe |
- grub2_audit_argument
|
|
|
28bffe |
+ - grub2_audit_backlog_limit_argument
|
|
|
28bffe |
- service_auditd_enabled
|
|
|
28bffe |
- grub2_enable_fips_mode
|
|
|
28bffe |
- rpm_verify_hashes
|
|
|
28bffe |
@@ -53,6 +54,9 @@ selections:
|
|
|
28bffe |
- grub2_password
|
|
|
28bffe |
- grub2_uefi_password
|
|
|
28bffe |
- grub2_disable_interactive_boot
|
|
|
28bffe |
+ - grub2_slub_debug_argument
|
|
|
28bffe |
+ - grub2_page_poison_argument
|
|
|
28bffe |
+ - grub2_vsyscall_argument
|
|
|
28bffe |
- no_empty_passwords
|
|
|
28bffe |
- require_singleuser_auth
|
|
|
28bffe |
- service_debug-shell_disabled
|
|
|
28bffe |
diff --git a/shared/templates/create_grub2_bootloader_argument.py b/shared/templates/create_grub2_bootloader_argument.py
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..bbd6e46a82
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/shared/templates/create_grub2_bootloader_argument.py
|
|
|
28bffe |
@@ -0,0 +1,40 @@
|
|
|
28bffe |
+#!/usr/bin/python2
|
|
|
28bffe |
+
|
|
|
28bffe |
+#
|
|
|
28bffe |
+# create_grub2_bootloader_argument.py
|
|
|
28bffe |
+# generate template-based checks for unsuccessful file modifications detailed
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+from template_common import FilesGenerator, UnknownTargetError
|
|
|
28bffe |
+
|
|
|
28bffe |
+import re
|
|
|
28bffe |
+
|
|
|
28bffe |
+class GRUB2BootloaderArgumentGenerator(FilesGenerator):
|
|
|
28bffe |
+ def generate(self, target, args):
|
|
|
28bffe |
+ arg_name, arg_value = args[0:2]
|
|
|
28bffe |
+ arg_name_value = arg_name + '=' + arg_value
|
|
|
28bffe |
+
|
|
|
28bffe |
+ if target == "bash":
|
|
|
28bffe |
+ self.file_from_template(
|
|
|
28bffe |
+ "./template_BASH_grub2_bootloader_argument",
|
|
|
28bffe |
+ {
|
|
|
28bffe |
+ "ARG_NAME": arg_name,
|
|
|
28bffe |
+ "ARG_NAME_VALUE": arg_name_value
|
|
|
28bffe |
+ },
|
|
|
28bffe |
+ "./bash/grub2_{0}_argument.sh", arg_name
|
|
|
28bffe |
+ )
|
|
|
28bffe |
+ elif target == "oval":
|
|
|
28bffe |
+ self.file_from_template(
|
|
|
28bffe |
+ "./template_OVAL_grub2_bootloader_argument",
|
|
|
28bffe |
+ {
|
|
|
28bffe |
+ "ARG_NAME": arg_name,
|
|
|
28bffe |
+ "ARG_NAME_VALUE": arg_name_value
|
|
|
28bffe |
+ },
|
|
|
28bffe |
+ "./oval/grub2_{0}_argument.xml", arg_name
|
|
|
28bffe |
+ )
|
|
|
28bffe |
+ else:
|
|
|
28bffe |
+ raise UnknownTargetError(target)
|
|
|
28bffe |
+
|
|
|
28bffe |
+ def csv_format(self):
|
|
|
28bffe |
+ return("CSV should contains lines of the format: " +
|
|
|
28bffe |
+ "SYSCALL")
|
|
|
28bffe |
diff --git a/shared/templates/csv/grub2_bootloader_argument.csv b/shared/templates/csv/grub2_bootloader_argument.csv
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..8610111715
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/shared/templates/csv/grub2_bootloader_argument.csv
|
|
|
28bffe |
@@ -0,0 +1,10 @@
|
|
|
28bffe |
+# format:
|
|
|
28bffe |
+# <argument_name>,<value>
|
|
|
28bffe |
+# - argument_name is the name of argument for the bootloader
|
|
|
28bffe |
+# - value is the value for the argument
|
|
|
28bffe |
+
|
|
|
28bffe |
+audit,1
|
|
|
28bffe |
+audit_backlog_limit,8192
|
|
|
28bffe |
+slub_debug,P
|
|
|
28bffe |
+page_poison,1
|
|
|
28bffe |
+vsyscall,none
|
|
|
28bffe |
diff --git a/shared/templates/template_BASH_grub2_bootloader_argument b/shared/templates/template_BASH_grub2_bootloader_argument
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..9f48517415
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/shared/templates/template_BASH_grub2_bootloader_argument
|
|
|
28bffe |
@@ -0,0 +1,13 @@
|
|
|
28bffe |
+# platform = Red Hat Enterprise Linux 7, multi_platform_fedora
|
|
|
28bffe |
+
|
|
|
28bffe |
+# Correct the form of default kernel command line in GRUB
|
|
|
28bffe |
+if grep -q '^GRUB_CMDLINE_LINUX=.*{{{ ARG_NAME }}}=.*"' '/etc/default/grub' ; then
|
|
|
28bffe |
+ # modify the GRUB command-line if an {{{ ARG_NAME }}}= arg already exists
|
|
|
28bffe |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\){{{ ARG_NAME }}}=[^[:space:]]*\(.*"\)/\1 {{{ ARG_NAME_VALUE }}} \2/' '/etc/default/grub'
|
|
|
28bffe |
+else
|
|
|
28bffe |
+ # no {{{ ARG_NAME }}}=arg is present, append it
|
|
|
28bffe |
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 {{{ ARG_NAME_VALUE }}}"/' '/etc/default/grub'
|
|
|
28bffe |
+fi
|
|
|
28bffe |
+
|
|
|
28bffe |
+# Correct the form of kernel command line for each installed kernel in the bootloader
|
|
|
28bffe |
+grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}"
|
|
|
28bffe |
diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument
|
|
|
28bffe |
new file mode 100644
|
|
|
28bffe |
index 0000000000..b6f4b1397a
|
|
|
28bffe |
--- /dev/null
|
|
|
28bffe |
+++ b/shared/templates/template_OVAL_grub2_bootloader_argument
|
|
|
28bffe |
@@ -0,0 +1,55 @@
|
|
|
28bffe |
+<def-group>
|
|
|
28bffe |
+ <definition class="compliance" id="grub2_{{{ ARG_NAME }}}_argument" version="2">
|
|
|
28bffe |
+ <metadata>
|
|
|
28bffe |
+ <title>Ensure GRUB 2 is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
|
|
|
28bffe |
+ <affected family="unix">
|
|
|
28bffe |
+ <platform>Red Hat Enterprise Linux 7</platform>
|
|
|
28bffe |
+ <platform>multi_platform_fedora</platform>
|
|
|
28bffe |
+ </affected>
|
|
|
28bffe |
+ <description>Look for argument {{{ ARG_NAME_VALUE }}} in the kernel line in /etc/default/grub.</description>
|
|
|
28bffe |
+ </metadata>
|
|
|
28bffe |
+ <criteria operator="OR">
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX" />
|
|
|
28bffe |
+ <criteria operator="AND">
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" />
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" />
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </criteria>
|
|
|
28bffe |
+ </definition>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX"
|
|
|
28bffe |
+ check="all" check_existence="all_exist" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument" />
|
|
|
28bffe |
+ <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+
|
|
|
28bffe |
+ <ind:textfilecontent54_object id="object_grub2_{{{ ARG_NAME }}}_argument" version="1">
|
|
|
28bffe |
+ <ind:filepath>/etc/default/grub</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ comment="check for {{{ ARG_NAME_VALUE }}} in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"
|
|
|
28bffe |
+ check="all" check_existence="all_exist" version="1">
|
|
|
28bffe |
+ <ind:object object_ref="object_grub2_{{{ ARG_NAME }}}_argument_default" />
|
|
|
28bffe |
+ <ind:state state_ref="state_grub2_{{{ ARG_NAME }}}_argument" />
|
|
|
28bffe |
+ </ind:textfilecontent54_test>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ version="1">
|
|
|
28bffe |
+ <ind:filepath>/etc/default/grub</ind:filepath>
|
|
|
28bffe |
+ <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
|
|
|
28bffe |
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
28bffe |
+ </ind:textfilecontent54_object>
|
|
|
28bffe |
+
|
|
|
28bffe |
+
|
|
|
28bffe |
+ version="1">
|
|
|
28bffe |
+ <ind:subexpression datatype="string" operation="pattern match">^.*{{{ ARG_NAME_VALUE }}}.*$</ind:subexpression>
|
|
|
28bffe |
+ </ind:textfilecontent54_state>
|
|
|
28bffe |
+
|
|
|
28bffe |
+</def-group>
|
|
|
28bffe |
diff --git a/ssg/build_templates.py b/ssg/build_templates.py
|
|
|
28bffe |
index f4373553b2..c36bbbacc4 100644
|
|
|
28bffe |
--- a/ssg/build_templates.py
|
|
|
28bffe |
+++ b/ssg/build_templates.py
|
|
|
28bffe |
@@ -28,6 +28,7 @@
|
|
|
28bffe |
from create_audit_rules_usergroup_modification import AuditRulesUserGroupModificationGenerator
|
|
|
28bffe |
from create_audit_rules_execution import AuditRulesExecutionGenerator
|
|
|
28bffe |
from create_audit_rules_path_syscall import AuditRulesPathSyscallGenerator
|
|
|
28bffe |
+from create_grub2_bootloader_argument import GRUB2BootloaderArgumentGenerator
|
|
|
28bffe |
|
|
|
28bffe |
|
|
|
28bffe |
class Builder(object):
|
|
|
28bffe |
@@ -74,6 +75,7 @@ def __init__(self, env_yaml):
|
|
|
28bffe |
"audit_rules_usergroup_modification.csv": AuditRulesUserGroupModificationGenerator(),
|
|
|
28bffe |
"audit_rules_execution.csv": AuditRulesExecutionGenerator(),
|
|
|
28bffe |
"audit_rules_path_syscall.csv": AuditRulesPathSyscallGenerator(),
|
|
|
28bffe |
+ "grub2_bootloader_argument.csv": GRUB2BootloaderArgumentGenerator(),
|
|
|
28bffe |
}
|
|
|
28bffe |
self.langs = TEMPLATED_LANGUAGES
|
|
|
28bffe |
utils_dir = os.path.dirname(os.path.realpath(__file__))
|