From 51a826878ade2ebb564405991937ba0e2b2b7717 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 2 Feb 2022 14:25:30 +0100 Subject: [PATCH 1/8] create two macros one provides description for grub2_argument templated rules the second provides ocil for those cases --- shared/macros.jinja | 56 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/shared/macros.jinja b/shared/macros.jinja index 00358e2f67c..3d41c998b0c 100644 --- a/shared/macros.jinja +++ b/shared/macros.jinja @@ -1620,3 +1620,59 @@ The audit daemon must be restarted for the changes to take effect. - no_ovirt {{%- endif %}} {{% endmacro %}} + +{{# + Describe how to configure Grub2 to add an argument to the default kernel command line. + The parameter should be in form `parameter=value`. +#}} +{{%- macro describe_grub2_argument(arg_name_value) -%}} +{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}} +To ensure that {{{ arg_name_value }}} is added as a kernel command line +argument to newly installed kernels, ad {{{ arg_name_value }}} to the +default Grub2 command line for Linux operating systems. Modify the line within +/etc/default/grub as shown below: +
GRUB_CMDLINE_LINUX="... {{{ arg_name_value }}} ..."
+Run the following command to update command line for already installed kernels: +{{%- if 'ubuntu' in product -%}} +
# update-grub
+{{%- else -%}} +
# grubby --update-kernel=ALL --args="{{{ arg_name_value }}}"
+{{%- endif -%}} +{{%- else -%}} +Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}} as follows: +
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ arg_name_value }}}"
+{{%- endif -%}} +{{%- endmacro -%}} + +{{# + Provide OCIL for checking if an argument for kernel command line is configured with Grub2. + The parameter should have form `parameter=value`. +#}} +{{%- macro ocil_grub2_argument(arg_name_value) -%}} +{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}} +Inspect the form of default GRUB 2 command line for the Linux operating system +in /etc/default/grub. If it includes {{{ arg_name_value }}}, +then auditinng will be enabled for newly installed kernels. +First check if the GRUB recovery is enabled: +
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
+If this option is set to true, then check that a line is output by the following command: +
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*{{{ arg_name_value }}}.*' /etc/default/grub
+If the recovery is disabled, check the line with +
$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub
. +{{%- if 'ubuntu' in product -%}} +Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked. +
# grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'
+This command should not return any output. +{{%- else -%}} +Moreover, command line parameters for currently installed kernels should be checked as well. +Run the following command: +
# grubby --info=ALL | grep args | grep -v '{{{ arg_name_value }}}'
+The command should not return any output. +{{%- endif -%}} +{{%- else -%}} +Inspect the form of default GRUB 2 command line for the Linux operating system +in {{{ grub2_boot_path }}}/grubenv. If they include {{{ arg_name_value }}}, then auditing +is enabled at boot time. +
# grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv
+{{%- endif -%}} +{{%- endmacro -%}} From c8cb579db19bd55eebcb0bdc4b1432368a5c1b77 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 2 Feb 2022 14:26:26 +0100 Subject: [PATCH 2/8] use new macros in grub2_audit_argument --- .../auditing/grub2_audit_argument/rule.yml | 45 ++----------------- 1 file changed, 3 insertions(+), 42 deletions(-) diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml index 96dbe67699e..aff0521ee73 100644 --- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml @@ -7,15 +7,8 @@ title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon' description: |- To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default - GRUB 2 command line for the Linux operating system in -{{% if product in ["rhel7", "ol7"] %}} - /etc/default/grub, so that the line looks similar to -
GRUB_CMDLINE_LINUX="... audit=1 ..."
- In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. -{{% else %}} - {{{ grub2_boot_path }}}/grubenv, in the manner below: -
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
-{{% endif %}} + GRUB 2 command line for the Linux operating system. + {{{ describe_grub2_argument("audit=1") | indent(4) }}} rationale: |- Each process on the system carries an "auditable" flag which indicates whether @@ -59,39 +52,7 @@ references: ocil_clause: 'auditing is not enabled at boot time' ocil: |- -{{% if product in ["rhel7", "ol7", "sle12","sle15"] %}} - Inspect the form of default GRUB 2 command line for the Linux operating system - in /etc/default/grub. If it includes audit=1, then auditing - is enabled at boot time. - First check if the GRUB recovery is enabled: -
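Review bot: The rendered description now repeats itself: the rule's own sentence ends with "add the argument audit=1 to the default GRUB 2 command line for the Linux operating system." and the macro expansion that follows immediately opens with "To ensure that audit=1 is added as a kernel command line argument ..., add audit=1 to the default Grub2 command line". Since describe_grub2_argument carries the how-to, I would reduce the rule text to the purpose only, e.g. `To ensure all processes can be audited, even those which start prior to the audit daemon, the kernel must be booted with the argument audit=1.` followed by the macro call. The same duplication appears in every rule converted in this series, so the trim applies to each of them.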
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
- If this option is set to true, then check that a line is output by the following command: -
$ grep 'GRUB_CMDLINE_LINUX_DEFAULT.*audit=1.*' /etc/default/grub
- If the recovery is disabled, check the line with -
$ grep 'GRUB_CMDLINE_LINUX.*audit=1.*' /etc/default/grub
. - Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked. -
# grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v 'audit=1'
- This command should not return any output. If it does, update the configuration with -
# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
-

- Alternatively, to ensure audit=1 is configured on all installed kernels, the - following command may be used: -
-
$ sudo /sbin/grubby --update-kernel=ALL --args="audit=1"
-
-{{% else %}} - Inspect the form of default GRUB 2 command line for the Linux operating system - in {{{ grub2_boot_path }}}/grubenv. If they include audit=1, then auditing - is enabled at boot time. -
# grep 'kernelopts.*audit=1.*' {{{ grub2_boot_path }}}/grubenv
-

- To ensure audit=1 is configured on all installed kernels, the - following command may be used: -
-
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
-
-{{% endif %}} - + {{{ ocil_grub2_argument("audit=1") | indent(4) }}} warnings: - management: |- From 3ff2c245408d3fe892222eee8171e2f84868f705 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 3 Feb 2022 14:25:34 +0100 Subject: [PATCH 3/8] fix omission in ocil jinja macro --- shared/macros.jinja | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/shared/macros.jinja b/shared/macros.jinja index 3d41c998b0c..16a0404b668 100644 --- a/shared/macros.jinja +++ b/shared/macros.jinja @@ -1652,7 +1652,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }} {{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}} Inspect the form of default GRUB 2 command line for the Linux operating system in /etc/default/grub. If it includes {{{ arg_name_value }}}, -then auditinng will be enabled for newly installed kernels. +then the parameter will be configured for newly installed kernels. First check if the GRUB recovery is enabled:
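Review bot: The removed OCIL selected the /etc/default/grub procedure for `["rhel7", "ol7", "sle12","sle15"]`, but ocil_grub2_argument as added in this series branches on `["rhel7", "ol7", "rhel9"] or 'ubuntu' in product`, so sle12 and sle15 now fall into the `grubenv`/`kernelopts` branch. SLE does not appear to use the BLS `kernelopts` variable (it is configured through /etc/default/grub and grub2-mkconfig), so for those products the manual check would grep for a string that is never present and always report non-compliance — unless SLE was intentionally dropped from this rule, which the commit message does not say. I would either add `"sle12", "sle15"` to the macro's first product list (after confirming `grubby` exists there, since the non-Ubuntu path relies on it) or give SLE its own grub2-mkconfig based branch.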
$ grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
If this option is set to true, then check that a line is output by the following command: @@ -1671,8 +1671,8 @@ The command should not return any output. {{%- endif -%}} {{%- else -%}} Inspect the form of default GRUB 2 command line for the Linux operating system -in {{{ grub2_boot_path }}}/grubenv. If they include {{{ arg_name_value }}}, then auditing -is enabled at boot time. +in {{{ grub2_boot_path }}}/grubenv. If they include {{{ arg_name_value }}}, then the parameter +is configured at boot time.
# grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv
{{%- endif -%}} {{%- endmacro -%}} From 976da69681d03d9b9380fc57216c30c7b4891f50 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 3 Feb 2022 14:26:33 +0100 Subject: [PATCH 4/8] use new jinja macros in all grub2 related rules --- .../rule.yml | 15 ++----- .../grub2_enable_iommu_force/rule.yml | 9 +++- .../grub2_init_on_alloc_argument/rule.yml | 18 ++------ .../grub2_kernel_trust_cpu_rng/rule.yml | 11 ++--- .../grub2_pti_argument/rule.yml | 15 ++----- .../grub2_vsyscall_argument/rule.yml | 15 ++----- .../grub2_ipv6_disable_argument/rule.yml | 45 ++----------------- .../grub2_page_poison_argument/rule.yml | 15 ++----- .../grub2_slub_debug_argument/rule.yml | 15 ++----- 9 files changed, 33 insertions(+), 125 deletions(-) diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml index f94ddab2fe1..868d525014f 100644 --- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml @@ -7,9 +7,8 @@ title: 'Extend Audit Backlog Limit for the Audit Daemon' description: |- To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default - GRUB 2 command line for the Linux operating system in - /etc/default/grub, in the manner below: -
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"
+ GRUB 2 command line for the Linux operating system. + {{{ describe_grub2_argument("audit_backlog_limit=8192") | indent(4) }}} rationale: |- audit_backlog_limit sets the queue length for audit events awaiting transfer @@ -40,15 +39,7 @@ references: ocil_clause: 'audit backlog limit is not configured' ocil: |- - Inspect the form of default GRUB 2 command line for the Linux operating system - in /etc/default/grub. If they include audit=1, then auditing - is enabled at boot time. -

- To ensure audit_backlog_limit=8192 is configured on all installed kernels, the - following command may be used: -
-
$ sudo /sbin/grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
-
+ {{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}} warnings: - management: |- diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml index 0a0d76aeb23..1ff5a4d5f26 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml @@ -5,9 +5,10 @@ title: 'IOMMU configuration directive' description: |- On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some of the system critical units such as the memory. + {{{ describe_grub2_argument("iommu=force") | indent(4) }}} rationale: |- - On x86 architectures, activating the I/OMMU prevents the system from arbritrary accesses potentially made by + On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by hardware devices. severity: unknown @@ -22,6 +23,12 @@ references: platform: machine +ocil_clause: 'I/OMMU is not activated' + +ocil: |- + {{{ ocil_grub2_argument("iommu=force") | indent(4) }}} + + warnings: - functionality: Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml index a9253c74cc6..3bb645dadb7 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml 
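Review bot: The new `ocil_clause: 'I/OMMU is not activated'` claims more than the check establishes: the OCIL produced by ocil_grub2_argument only greps for `iommu=force` in the GRUB configuration, which says nothing about whether the firmware and CPU actually provide an IOMMU (the rule's own description scopes this to x86 with VT-d, yet `platform: machine` applies it everywhere). I would word the clause as what is verified, `ocil_clause: 'iommu=force is not configured on the kernel command line'`, and add a sentence to the ocil noting that the argument has no effect on hardware without an IOMMU.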
@@ -6,12 +6,8 @@ title: 'Configure kernel to zero out memory before allocation' description: |- To configure the kernel to zero out memory before allocating it, add the - init_on_alloc=1 argument to the default GRUB 2 command line for - the Linux operating system in /etc/default/grub, in the manner - below: -
GRUB_CMDLINE_LINUX="crashkernel=auto quiet rd.shell=0 audit=1 audit_backlog_limit=8192 init_on_alloc=1"
- Update the boot parameter for existing kernels by running the following command: -
# grubby --update-kernel=ALL --args="init_on_alloc=1"
+ init_on_alloc=1 argument to the default GRUB 2 command line. + {{{ describe_grub2_argument("init_on_alloc=1") | indent(4) }}} rationale: |- When the kernel configuration option init_on_alloc is enabled, @@ -27,15 +23,7 @@ identifiers: ocil_clause: 'the kernel is not configured to zero out memory before allocation' ocil: |- - Make sure that the kernel is configured to zero out memory before - allocation. Ensure that the parameter is configured in - /etc/default/grub: -
grep GRUB_CMDLINE_LINUX /etc/default/grub
- The output should contain init_on_alloc=1. - Run the following command to display command line parameters of all - installed kernels: -
# grubby --info=ALL | grep args
- Ensure that each line contains the init_on_alloc=1 parameter. + {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}} platform: machine diff --git a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml index 308ae9cb735..d6bfc02f345 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml @@ -11,8 +11,8 @@ description: |- Y, make sure that it is not overridden with the boot parameter. There must not exist the boot parameter random.trust_cpu=off. If the option is not compiled in, make sure that random.trust_cpu=on - is configured as a boot parameter by running the following command: -
sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) random.trust_cpu=on"
+ is configured as a boot parameter. + {{{ describe_grub2_argument("random.trust_cpu=on") | indent(4) }}} rationale: |- The Linux kernel offers an option which signifies if the kernel should trust @@ -44,11 +44,8 @@ ocil: |- option is not overridden through a boot parameter:
sudo grep 'kernelopts.*random\.trust_cpu=off.*' {{{ grub2_boot_path }}}/grubenv
The command should not return any output. If the option is not compiled into - the kernel, check that the option is configured through boot parameter with - the following command: -
sudo grep 'kernelopts.*random\.trust_cpu=on.*' {{{ grub2_boot_path }}}/grubenv
- If the command does not return any output, then the boot parameter is - missing. + the kernel, check that the option is configured through boot parameter. + {{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}} platform: machine diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml index f4f3fa39510..51b0a284746 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml @@ -7,9 +7,8 @@ title: 'Enable Kernel Page-Table Isolation (KPTI)' description: |- To enable Kernel page-table isolation, add the argument pti=on to the default - GRUB 2 command line for the Linux operating system in - /etc/default/grub, in the manner below: -
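Review bot: The `random\.trust_cpu=off` check kept on the line above (`sudo grep 'kernelopts.*random\.trust_cpu=off.*' {{{ grub2_boot_path }}}/grubenv`) still looks only at grubenv, whereas the `=on` check now delegated to ocil_grub2_argument inspects /etc/default/grub and `grubby --info=ALL` on rhel7/ol7/rhel9/ubuntu. On those products an `=off` set through /etc/default/grub or per kernel via grubby would never be seen, so the two halves of the OCIL disagree about where the command line lives; I would source both from the same place, e.g. `# grubby --info=ALL | grep args | grep 'random\.trust_cpu=off'` (should return nothing) in that branch. Whether this rule is built for those products is not visible from the hunk, so treat this as a consistency point to confirm. The ocil block starts before this hunk.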
GRUB_CMDLINE_LINUX="pti=on"
+ GRUB 2 command line for the Linux operating system. + {{{ describe_grub2_argument("pti=on") | indent(4) }}} rationale: |- Kernel page-table isolation is a kernel feature that mitigates @@ -33,15 +32,7 @@ references: ocil_clause: 'Kernel page-table isolation is not enabled' ocil: |- - Inspect the form of default GRUB 2 command line for the Linux operating system - in /etc/default/grub. If they include pti=on, - then Kernel page-table isolation is enabled at boot time. -

- To ensure pti=on is configured on all installed kernels, the - following command may be used: -
-
$ sudo /sbin/grubby --update-kernel=ALL --args="pti=on
-
+ {{{ ocil_grub2_argument("pti=on") | indent(4) }}} warnings: - management: |- diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml index 9f38a1c13b9..1b88d13bd3c 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml @@ -7,9 +7,8 @@ title: 'Disable vsyscalls' description: |- To disable use of virtual syscalls, add the argument vsyscall=none to the default - GRUB 2 command line for the Linux operating system in - /etc/default/grub, in the manner below: -
GRUB_CMDLINE_LINUX="vsyscall=none"
+ GRUB 2 command line for the Linux operating system. + {{{ describe_grub2_argument("vsyscall=none") | indent(4) }}} rationale: |- Virtual Syscalls provide an opportunity of attack for a user who has control @@ -33,15 +32,7 @@ references: ocil_clause: 'vsyscalls are enabled' ocil: |- - Inspect the form of default GRUB 2 command line for the Linux operating system - in /etc/default/grub. If they include vsyscall=none, - then virtyal syscalls are not enabled at boot time. -

- To ensure vsyscall=none is configured on all installed kernels, the - following command may be used: -
-
$ sudo /sbin/grubby --update-kernel=ALL --args="vsyscall=none
-
+ {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}} warnings: - management: |- diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml index b8ff66c7d6e..c0fda343a1a 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml @@ -7,20 +7,8 @@ title: 'Ensure IPv6 is disabled through kernel boot parameter' description: |- To disable IPv6 protocol support in the Linux kernel, add the argument ipv6.disable=1 to the default - GRUB2 command line for the Linux operating system in -{{% if product in ["rhel7", "ol7"] %}} - /etc/default/grub, so that the line looks similar to -
GRUB_CMDLINE_LINUX="... ipv6.disable=1 ..."
- In case the GRUB_DISABLE_RECOVERY is set to true, then the parameter should be added to the GRUB_CMDLINE_LINUX_DEFAULT instead. - Run one of following command to ensure that the configuration is applied when booting currently installed kernels: -
sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
- or -
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
-{{% else %}} - {{{ grub2_boot_path }}}/grubenv, in the manner below: -
sudo  grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
-{{% endif %}} - + GRUB2 command line for the Linux operating system. + {{{ describe_grub2_argument("ipv6.disable=1") | indent(4) }}} rationale: |- Any unnecessary network stacks, including IPv6, should be disabled to reduce @@ -40,34 +28,7 @@ references: ocil_clause: 'IPv6 is not disabled' ocil: |- - {{% if product in ["rhel7", "ol7"] %}} - Inspect the form of default GRUB2 command line for the Linux operating system - in /etc/default/grub. Check if it includes ipv6.disable=1. - First check if the GRUB recovery is enabled: -
grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub
- If this option is set to true, then check that the following line is output by the following command: -
grep 'GRUB_CMDLINE_LINUX_DEFAULT.*ipv6.disable=1.*' /etc/default/grub
- If the recovery is disabled, check the line with -
grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*' /etc/default/grub
. - Moreover, current GRUB2 config file in /etc/grub2/grub.cfg must be checked. -
sudo grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v 'ipv6.disable=1'
- This command should not return any output. If it does, update the configuration with one of following commands: -
sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
- or -
sudo /sbin/grubby --update-kernel=ALL --args="ipv6.disable=1"
-
-{{% else %}} - Inspect the form of default GRUB2 command line for the Linux operating system - in {{{ grub2_boot_path }}}/grubenv. Check if it includes ipv6.disable=1. -
sudo grep 'kernelopts.*ipv6.disable=1.*' {{{ grub2_boot_path }}}/grubenv
-

- To ensure ipv6.disable=1 is configured on all installed kernels, the - following command may be used: -
-
sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"
-
-{{% endif %}} - + {{{ ocil_grub2_argument("ipv6.disable=1") | indent(4) }}} warnings: - management: |- diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml index 3bf592fb4d8..1f4e183d9e7 100644 --- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml @@ -7,9 +7,8 @@ title: 'Enable page allocator poisoning' description: |- To enable poisoning of free pages, add the argument page_poison=1 to the default - GRUB 2 command line for the Linux operating system in - /etc/default/grub, in the manner below: -
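Review bot: `ipv6.disable=1` is interpolated unescaped into grep basic regular expressions by ocil_grub2_argument (`grep 'GRUB_CMDLINE_LINUX.*ipv6.disable=1.*'`, `grep 'kernelopts.*ipv6.disable=1.*'` and the `grep -v 'ipv6.disable=1'` filters), where the `.` is a wildcard; the same applies to `random.trust_cpu=on`, which the previous hand-written OCIL escaped as `random\.trust_cpu`. The practical risk is small (a false match needs a near-identical token), but the intent is a literal match, so I would have the macro use fixed-string matching where no anchor is needed, e.g. `grep -F -- '{{{ arg_name_value }}}'` after the `grep vmlinuz` / `grep args` stages, and escape the argument in the anchored patterns. The macro's doc comment should also say that the parameter is used verbatim inside grep patterns.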
GRUB_CMDLINE_LINUX="page_poison=1"
+ GRUB 2 command line for the Linux operating system. + {{{ describe_grub2_argument("page_poison=1") | indent(4) }}} rationale: |- Poisoning writes an arbitrary value to freed pages, so any modification or @@ -35,15 +34,7 @@ references: ocil_clause: 'page allocator poisoning is not enabled' ocil: |- - Inspect the form of default GRUB 2 command line for the Linux operating system - in /etc/default/grub. If they include page_poison=1, - then page poisoning is enabled at boot time. -

- To ensure page_poison=1 is configured on all installed kernels, the - following command may be used: -
-
$ sudo /sbin/grubby --update-kernel=ALL --args="page_poison=1
-
+ {{{ ocil_grub2_argument("page_poison=1") | indent(4) }}} warnings: - management: |- diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml index 9964399650a..bb5dbc6c125 100644 --- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml @@ -7,9 +7,8 @@ title: 'Enable SLUB/SLAB allocator poisoning' description: |- To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=P to the default - GRUB 2 command line for the Linux operating system in - /etc/default/grub, in the manner below: -
GRUB_CMDLINE_LINUX="slub_debug=P"
+ GRUB 2 command line for the Linux operating system. + {{{ describe_grub2_argument("slub_debug=P") | indent(4) }}} rationale: |- Poisoning writes an arbitrary value to freed objects, so any modification or @@ -35,15 +34,7 @@ references: ocil_clause: 'SLUB/SLAB poisoning is not enabled' ocil: |- - Inspect the form of default GRUB 2 command line for the Linux operating system - in /etc/default/grub. If they include slub_debug=P, - then SLUB/SLAB poisoning is enabled at boot time. -

- To ensure slub_debug=P is configured on all installed kernels, the - following command may be used: -
-
$ sudo /sbin/grubby --update-kernel=ALL --args="slub_debug=P
-
+ {{{ ocil_grub2_argument("slub_debug=P") | indent(4) }}} warnings: - management: |- From 5c39cf81d49f0eb5bb73337057fb95356784e5c6 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 9 Feb 2022 16:05:59 +0100 Subject: [PATCH 5/8] fix an error in ubuntu version of macro --- shared/macros.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/macros.jinja b/shared/macros.jinja index 16a0404b668..54d2b299a47 100644 --- a/shared/macros.jinja +++ b/shared/macros.jinja @@ -1660,7 +1660,7 @@ If this option is set to true, then check that a line is output by the following If the recovery is disabled, check the line with
$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub
. {{%- if 'ubuntu' in product -%}} -Moreover, current Grub2 config file in /etc/grub2/grub.cfg must be checked. +Moreover, current Grub2 config file in {{{ grub2_boot_path }}}/grub.cfg must be checked.
# grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'
This command should not return any output. {{%- else -%}} From f100d190833d168127715215e788347f806736f3 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 9 Feb 2022 16:16:21 +0100 Subject: [PATCH 6/8] remove warnings from rules they are no longer relevant, we do not use grub2-mkconfig anymore --- .../auditing/grub2_audit_argument/rule.yml | 18 ------------------ .../rule.yml | 18 ------------------ .../grub2_pti_argument/rule.yml | 18 ------------------ .../grub2_vsyscall_argument/rule.yml | 18 ------------------ .../grub2_ipv6_disable_argument/rule.yml | 18 ------------------ .../grub2_page_poison_argument/rule.yml | 18 ------------------ .../grub2_slub_debug_argument/rule.yml | 18 ------------------ 7 files changed, 126 deletions(-) diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml index aff0521ee73..00a4ded2738 100644 --- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml +++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml @@ -54,24 +54,6 @@ ocil_clause: 'auditing is not enabled at boot time' ocil: |- {{{ ocil_grub2_argument("audit=1") | indent(4) }}} -warnings: - - management: |- - The GRUB 2 configuration file, grub.cfg, - is automatically updated each time a new kernel is installed. Note that any - changes to /etc/default/grub require rebuilding the grub.cfg - file. To update the GRUB 2 configuration file manually, use the -
grub2-mkconfig -o
command as follows: -
    -
  • On BIOS-based machines, issue the following command as root: -
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • -
  • On UEFI-based machines, issue the following command as root: -{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -{{% else %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -{{% endif %}} -
- platform: grub2 template: diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml index 868d525014f..efbc3dae1c1 100644 --- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml +++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml @@ -41,24 +41,6 @@ ocil_clause: 'audit backlog limit is not configured' ocil: |- {{{ ocil_grub2_argument("audit_backlog_limit=8192") | indent(4) }}} -warnings: - - management: |- - The GRUB 2 configuration file, grub.cfg, - is automatically updated each time a new kernel is installed. Note that any - changes to /etc/default/grub require rebuilding the grub.cfg - file. To update the GRUB 2 configuration file manually, use the -
grub2-mkconfig -o
command as follows: -
    -
  • On BIOS-based machines, issue the following command as root: -
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • -
  • On UEFI-based machines, issue the following command as root: -{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -{{% else %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -{{% endif %}} -
- platform: grub2 template: diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml index 51b0a284746..52a308e3247 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml @@ -34,24 +34,6 @@ ocil_clause: 'Kernel page-table isolation is not enabled' ocil: |- {{{ ocil_grub2_argument("pti=on") | indent(4) }}} -warnings: - - management: |- - The GRUB 2 configuration file, grub.cfg, - is automatically updated each time a new kernel is installed. Note that any - changes to /etc/default/grub require rebuilding the grub.cfg - file. To update the GRUB 2 configuration file manually, use the -
grub2-mkconfig -o
command as follows: -
    -
  • On BIOS-based machines, issue the following command as root: -
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • -
  • On UEFI-based machines, issue the following command as root: -{{% if product in ["rhel8", "ol8"] %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -{{% else %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -{{% endif %}} -
- platform: machine template: diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml index 1b88d13bd3c..93eb31dad7b 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml @@ -34,24 +34,6 @@ ocil_clause: 'vsyscalls are enabled' ocil: |- {{{ ocil_grub2_argument("vsyscall=none") | indent(4) }}} -warnings: - - management: |- - The GRUB 2 configuration file, grub.cfg, - is automatically updated each time a new kernel is installed. Note that any - changes to /etc/default/grub require rebuilding the grub.cfg - file. To update the GRUB 2 configuration file manually, use the -
grub2-mkconfig -o
command as follows: -
    -
  • On BIOS-based machines, issue the following command as root: -
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • -
  • On UEFI-based machines, issue the following command as root: -{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -{{% else %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -{{% endif %}} -
- platform: machine template: diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml index c0fda343a1a..9e1ca48efe0 100644 --- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml @@ -30,24 +30,6 @@ ocil_clause: 'IPv6 is not disabled' ocil: |- {{{ ocil_grub2_argument("ipv6.disable=1") | indent(4) }}} -warnings: - - management: |- - The GRUB 2 configuration file, grub.cfg, - is automatically updated each time a new kernel is installed. Note that any - changes to /etc/default/grub require rebuilding the grub.cfg - file. To update the GRUB 2 configuration file manually, use the -
grub2-mkconfig -o
command as follows: -
    -
  • On BIOS-based machines, issue the following command: -
    sudo grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • -
  • On UEFI-based machines, issue the following command: -{{% if product in ["rhel7", "ol7", "rhel8", "ol8"] %}} -
    sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -{{% else %}} -
    sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -{{% endif %}} -
- platform: grub2 template: diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml index 1f4e183d9e7..1ad6c6b3c44 100644 --- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml @@ -36,24 +36,6 @@ ocil_clause: 'page allocator poisoning is not enabled' ocil: |- {{{ ocil_grub2_argument("page_poison=1") | indent(4) }}} -warnings: - - management: |- - The GRUB 2 configuration file, grub.cfg, - is automatically updated each time a new kernel is installed. Note that any - changes to /etc/default/grub require rebuilding the grub.cfg - file. To update the GRUB 2 configuration file manually, use the -
grub2-mkconfig -o
command as follows: -
    -
  • On BIOS-based machines, issue the following command as root: -
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • -
  • On UEFI-based machines, issue the following command as root: -{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -{{% else %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -{{% endif %}} -
- platform: grub2
 template:
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
index bb5dbc6c125..e40f5377c61 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml
@@ -36,24 +36,6 @@ ocil_clause: 'SLUB/SLAB poisoning is not enabled'
 ocil: |-
 {{{ ocil_grub2_argument("slub_debug=P") | indent(4) }}}
-warnings:
- - management: |-
- The GRUB 2 configuration file, grub.cfg,
- is automatically updated each time a new kernel is installed. Note that any
- changes to /etc/default/grub require rebuilding the grub.cfg
- file. To update the GRUB 2 configuration file manually, use the
-
grub2-mkconfig -o
command as follows: -
    -
  • On BIOS-based machines, issue the following command as root: -
    ~]# grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
  • -
  • On UEFI-based machines, issue the following command as root: -{{% if product in ["rhel7", "rhel8", "ol7", "ol8"] %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  • -{{% else %}} -
    ~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
    -{{% endif %}} -
- platform: grub2
 template:
From bbc3cc093004efd0457ccb33722a4fb14b0b2fb8 Mon Sep 17 00:00:00 2001
From: vojtapolasek
Date: Mon, 14 Feb 2022 14:29:15 +0100
Subject: [PATCH 7/8] Update shared/macros.jinja
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Matěj Týč
---
 shared/macros.jinja | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 54d2b299a47..392181e2b24 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -1671,7 +1671,12 @@ The command should not return any output.
 {{%- endif -%}}
 {{%- else -%}}
 Inspect the form of default GRUB 2 command line for the Linux operating system
-in {{{ grub2_boot_path }}}/grubenv. If they include {{{ arg_name_value }}}, then the parameter
+{{% if grub2_boot_path == grub2_uefi_boot_path or not grub2_uefi_boot_path -%}}
+in {{{ grub2_boot_path }}}/grubenv.
+{{%- else -%}}
+in grubenv that can be found either in {{{ grub2_boot_path }}} in case of legacy BIOS systems, or in {{{ grub2_uefi_boot_path }}} in case of UEFI systems.
+{{%- endif %}}
+If they include {{{ arg_name_value }}}, then the parameter
 is configured at boot time.
# grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv
{{%- endif -%}}
From 8121376668b43d21cf0f9700994bc011c3e313d7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 14 Feb 2022 15:17:33 +0100
Subject: [PATCH 8/8] more modifications to description and ocil final touches
---
 shared/macros.jinja | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/shared/macros.jinja b/shared/macros.jinja
index 392181e2b24..a89bac12f53 100644
--- a/shared/macros.jinja
+++ b/shared/macros.jinja
@@ -1626,7 +1626,7 @@ The audit daemon must be restarted for the changes to take effect.
 The parameter should be in form `parameter=value`.
 #}}
 {{%- macro describe_grub2_argument(arg_name_value) -%}}
-{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
+{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product -%}}
 To ensure that {{{ arg_name_value }}} is added as a kernel command line
 argument to newly installed kernels, ad {{{ arg_name_value }}} to the
 default Grub2 command line for Linux operating systems. Modify the line within
@@ -1649,7 +1649,7 @@ Configure the default Grub2 kernel command line to contain {{{ arg_name_value }}
 The parameter should have form `parameter=value`.
 #}}
 {{%- macro ocil_grub2_argument(arg_name_value) -%}}
-{{%- if product in ["rhel7", "ol7", "rhel9"] or 'ubuntu' in product -%}}
+{{%- if product in ["rhel7", "ol7", "rhel8", "ol8", "rhel9"] or 'ubuntu' in product -%}}
 Inspect the form of default GRUB 2 command line for the Linux operating system
 in /etc/default/grub. If it includes {{{ arg_name_value }}},
 then the parameter will be configured for newly installed kernels.
@@ -1660,8 +1660,12 @@ If this option is set to true, then check that a line is output by the following
 If the recovery is disabled, check the line with
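Review bot: The grep command on the line right after the new paragraph still reads `{{{ grub2_boot_path }}}/grubenv`, so on products where `grub2_uefi_boot_path` differs the text now tells the auditor grubenv may live under the UEFI path while the check command never looks there. The macro already branches on `grub2_boot_path == grub2_uefi_boot_path`, so the command can be rendered inside that same `if`/`else`: `# grep 'kernelopts.*{{{ arg_name_value }}}' {{{ grub2_boot_path }}}/grubenv` in the first branch and the same line with `{{{ grub2_uefi_boot_path }}}/grubenv` in the other, instead of leaving the path to the reader. Patch 8/8 swaps the path for a manual `GRUBENV_FILE_LOCATION` placeholder, which still pushes that choice onto whoever runs the check. `If they include` refers to a single grubenv file, so `If it includes` reads better. The enclosing `ocil_grub2_argument` macro starts outside this hunk.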
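Review bot: The product list `["rhel7", "ol7", "rhel8", "ol8", "rhel9"]` is now written out verbatim in `describe_grub2_argument` and again in `ocil_grub2_argument` (the hunk at -1649), so the remediation description and the check text can silently diverge the next time a product is added or moved. Hoisting that list into one shared value both `if` conditions reference would keep the two macros in step, and a short comment on it saying that it lists the products whose kernel arguments are managed through /etc/default/grub rather than grubenv would record why rhel8/ol8 were moved here. The context line `argument to newly installed kernels, ad {{{ arg_name_value }}} to the` still carries the `ad` → `add` typo; this commit touches the line above it, so it is a cheap fix to fold in. Both macros start and end outside these hunks.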
$ grep 'GRUB_CMDLINE_LINUX.*{{{ arg_name_value }}}.*' /etc/default/grub
. {{%- if 'ubuntu' in product -%}} -Moreover, current Grub2 config file in {{{ grub2_boot_path }}}/grub.cfg must be checked. -
# grep vmlinuz {{{ grub2_boot_path }}}/grub.cfg | grep -v '{{{ arg_name_value }}}'
+Moreover, current Grub config file grub.cfg must be checked. The file can be found +either in {{{ grub2_boot_path }}} in case of legacy BIOS systems, or in {{{ grub2_uefi_boot_path }}} in case of UEFI systems. +If they include {{{ arg_name_value }}}, then the parameter +is configured at boot time. +
# grep vmlinuz GRUB_CFG_FILE_PATH | grep -v '{{{ arg_name_value }}}'
+Fill in GRUB_CFG_FILE_PATH based on information above.
 This command should not return any output.
 {{%- else -%}}
 Moreover, command line parameters for currently installed kernels should be checked as well.
@@ -1678,6 +1682,7 @@ in grubenv that can be found either in {{{ grub2_boot_path }}}
 {{%- endif %}}
 If they include {{{ arg_name_value }}}, then the parameter
 is configured at boot time.
-# grep 'kernelopts.*{{{ arg_name_value }}}.*' {{{ grub2_boot_path }}}/grubenv
+# grep 'kernelopts.*{{{ arg_name_value }}}.*' GRUBENV_FILE_LOCATION
+Fill in GRUBENV_FILE_LOCATION based on information above.
 {{%- endif -%}}
 {{%- endmacro -%}}
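Review bot: The new Ubuntu sentence `If they include {{{ arg_name_value }}}, then the parameter is configured at boot time.` describes a positive match, but the command beneath it is the inverse check — `grep vmlinuz ... | grep -v '{{{ arg_name_value }}}'` lists the kernel entries that lack the argument and the following context line says it must print nothing — so the sentence should say that instead, e.g. `Every kernel entry in grub.cfg must carry {{{ arg_name_value }}}; the following command lists the entries that do not:`. `GRUB_CFG_FILE_PATH` also asks the auditor to type in a path the template already knows: `{{{ grub2_boot_path }}}` and `{{{ grub2_uefi_boot_path }}}` are both in scope in this branch, so rendering one command per path removes the manual step and the "Fill in" sentence; the `GRUBENV_FILE_LOCATION` placeholder in the hunk at -1678 has the same issue. The enclosing `ocil_grub2_argument` macro starts outside this hunk.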
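Review bot: The pattern `'kernelopts.*{{{ arg_name_value }}}.*'` on the new grep line is a plain substring match, so a value that merely begins with the expected one (a constructed example: `slub_debug=PZ` when the rule asks for `slub_debug=P`) still passes, and the trailing `.*` adds nothing. Adding `-w` so the argument has to end at a word boundary, `# grep -w 'kernelopts.*{{{ arg_name_value }}}' GRUBENV_FILE_LOCATION`, tightens the check without changing what a correctly configured grubenv prints, though confirm that `-w` behaves as expected on every grep the supported products ship. Regex metacharacters in the argument (the `.` in `ipv6.disable=1`, one of the values used in this series) are also interpreted as a pattern, which is harmless for these values but worth a line in the macro's header comment. The enclosing `ocil_grub2_argument` macro starts outside this hunk.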