Change OCP4 (RHCOS) audit=1 kernel option rule to check only the latest entry #6088
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="{{{ _RULE_ID }}}" version="2"> | ||
| <metadata> | ||
| <title>Ensure that the most recent (default) CoreOS boot loader entry is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title> | ||
| {{{- oval_affected(products) }}} | ||
| <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if the second version does not exists).</description> | ||
| </metadata> | ||
| <criteria operator="OR"> | ||
| <criteria operator="AND"> | ||
| <criterion test_ref="test_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_options" | ||
| comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/ostree-2-*.conf (if it does exists)" /> | ||
| </criteria> | ||
| <criteria operator="AND"> | ||
| <criterion test_ref="test_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_1_options" | ||
| comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/ostree-1-*.conf" /> | ||
| <criterion test_ref="test_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_does_not_exists" | ||
| comment="Check if /boot/loader/entries/ostree-2-*.conf is not present" /> | ||
| </criteria> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <ind:textfilecontent54_test id="test_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_options" | ||
| comment="check for kernel option {{{ ARG_NAME_VALUE }}} in /boot/loader/entries/ostree-2-*.conf" | ||
| check="all" check_existence="all_exist" version="1"> | ||
| <ind:object object_ref="object_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_options" /> | ||
| <ind:state state_ref="state_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_option" /> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object id="object_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_options" | ||
| version="1"> | ||
| <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-2-*\.conf$</ind:filepath> | ||
| <ind:pattern operation="pattern match">^options (.*)$</ind:pattern> | ||
| <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| <ind:textfilecontent54_state id="state_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_option" | ||
| version="1"> | ||
| <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression> | ||
| </ind:textfilecontent54_state> | ||
|
|
||
| <ind:textfilecontent54_test id="test_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_1_options" | ||
| comment="check for kernel option {{{ ARG_NAME_VALUE }}} in /boot/loader/entries/ostree-1-*.conf" | ||
| check="all" check_existence="all_exist" version="1"> | ||
| <ind:object object_ref="object_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_1_options" /> | ||
| <ind:state state_ref="state_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_1_option" /> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object id="object_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_1_options" | ||
| version="1"> | ||
| <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-1-*\.conf$</ind:filepath> | ||
| <ind:pattern operation="pattern match">^options (.*)$</ind:pattern> | ||
| <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
|
|
||
| <ind:textfilecontent54_state id="state_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_1_option" | ||
| version="1"> | ||
| <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$</ind:subexpression> | ||
| </ind:textfilecontent54_state> | ||
|
|
||
| <unix:file_test id="test_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_does_not_exists" check="all" check_existence="none_exist" | ||
| comment="Check if /boot/loader/entries/ostree-2-*.conf is not present" | ||
| version="1"> | ||
| <unix:object object_ref="object_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_does_not_exists" /> | ||
| </unix:file_test> | ||
|
|
||
| <unix:file_object id="object_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_does_not_exists" | ||
| version="1"> | ||
| <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-*\.conf</unix:filepath> | ||
| </unix:file_object> | ||
|
|
||
| </def-group> | ||
|
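Review bot: the filepath patterns on the three objects (`^/boot/loader/entries/ostree-2-*\.conf$`, `^/boot/loader/entries/ostree-1-*\.conf$` and the `unix:filepath` on the `file_object`) are written as shell globs but evaluated with `operation="pattern match"`, and in a regex `-*` means zero or more hyphens, so they match only names like `ostree-2.conf` or `ostree-2-.conf` and never an entry with an OS name after the index, which is what the description's `ostree-2-*.conf` intends; change them to `ostree-2-.*\.conf` and `ostree-1-.*\.conf`. The `unix:filepath` also lacks the closing `$` that the two `textfilecontent54_object` patterns carry, so add it for consistency, otherwise the existence test matches any path with that prefix. It would also help to put a comment on the second `<criteria operator="AND">` saying that the entry-1 branch covers a node that has not had a kernel update yet, which is why it additionally requires that no entry-2 file exist.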
Contributor
For completeness, what about checking /proc/cmdline as well? That would ensure that the current configuration is compliant.
Member
Author
I'm still not sure if it should be a part of this check. Other bootloader-related rules don't have a runtime counterpart (because the runtime check might be different even when the bootloaders are the same). While this is not really applicable to this particular hackish rule, it would definitely be a problem for a generic BLS-compatible check.
Member
Author
I would suggest creating a
Contributor
Right; however, this is already a CoreOS-specific check. So maybe in this case it would make sense to add the /proc/cmdline check here.
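The entry selection and whole-token match that the OVAL in this PR performs, together with the /proc/cmdline comparison suggested in this thread, as an added Python example that is not part of the PR or of the project's code. The file names `ostree-1-rhcos.conf` and `ostree-2-rhcos.conf`, their contents and `SAMPLE_CMDLINE` are constructed sample data, and the rule that the highest ostree index is the default deployment is an assumption generalised from the "entry 2, else entry 1" logic on this page.

```python
"""Check a kernel argument in the default CoreOS BLS entry and in /proc/cmdline.

Added example, not the project's OVAL or code. It mirrors the rule's logic so the
entry selection and the token match can be exercised offline against constructed
files, and adds the runtime check discussed in the review.
"""
import re
import tempfile
from pathlib import Path

# BLS entries written by ostree are named ostree-<index>-<osname>.conf.
# Assumption (the page only says "entry 2, or entry 1 if 2 is absent"): the
# highest index is the default deployment. Compare numerically so that an
# ostree-10 entry would beat ostree-2.
ENTRY_RE = re.compile(r"^ostree-(\d+)-.*\.conf$")

# Constructed sample of a running kernel's /proc/cmdline, not captured from a real node.
SAMPLE_CMDLINE = (
    "BOOT_IMAGE=(hd0,gpt3)/ostree/rhcos-constructed/vmlinuz "
    "random.trust_cpu=on console=tty0 ignition.platform.id=metal audit=1\n"
)


def select_default_entry(entry_dir):
    """Return the ostree-N-*.conf path with the highest N, or None if no entry exists."""
    best = None
    for path in Path(entry_dir).iterdir():
        m = ENTRY_RE.match(path.name)
        if m is None:
            continue
        idx = int(m.group(1))
        if best is None or idx > best[0]:
            best = (idx, path)
    return None if best is None else best[1]


def entry_options(entry_path):
    """Return the argument string of the entry's 'options' line, or None if absent."""
    for line in Path(entry_path).read_text().splitlines():
        if line.startswith("options "):
            return line[len("options "):].strip()
    return None


def has_kernel_arg(cmdline, arg):
    """Whole-token match, the boundary the OVAL state's whitespace regex enforces:
    audit=1 must not be satisfied by audit=10 or by a substring of another argument."""
    return arg in cmdline.split()


def default_entry_compliant(entry_dir, arg):
    """True if the default (highest-index) entry exists and its options carry `arg`."""
    entry = select_default_entry(entry_dir)
    if entry is None:
        return False
    opts = entry_options(entry)
    return opts is not None and has_kernel_arg(opts, arg)


def runtime_compliant(arg, cmdline_text=None):
    """True if the running kernel was booted with `arg`. Reads /proc/cmdline
    unless text is supplied; this is the companion check proposed in the review."""
    if cmdline_text is None:
        cmdline_text = Path("/proc/cmdline").read_text()
    return has_kernel_arg(cmdline_text, arg)


def make_sample_entries(only_first=False):
    """Write constructed BLS entries into a temp dir and return it.

    ostree-1-rhcos.conf is the older deployment without audit=1 and
    ostree-2-rhcos.conf the default one with it. only_first=True models the
    'no kernel update yet' case from the review, where entry 2 does not exist."""
    d = Path(tempfile.mkdtemp())
    (d / "ostree-1-rhcos.conf").write_text(
        "title Red Hat Enterprise Linux CoreOS (constructed sample)\n"
        "version 1\n"
        "options random.trust_cpu=on console=tty0 ignition.platform.id=metal\n"
        "linux /ostree/rhcos-constructed/vmlinuz\n"
    )
    if not only_first:
        (d / "ostree-2-rhcos.conf").write_text(
            "title Red Hat Enterprise Linux CoreOS (constructed sample)\n"
            "version 2\n"
            "options random.trust_cpu=on console=tty0 ignition.platform.id=metal audit=1\n"
            "linux /ostree/rhcos-constructed/vmlinuz\n"
        )
    return d


if __name__ == "__main__":
    sample = make_sample_entries()
    print("default entry:", select_default_entry(sample).name)
    print("entry compliant:", default_entry_compliant(sample, "audit=1"))
    print("runtime compliant (sample cmdline):", runtime_compliant("audit=1", SAMPLE_CMDLINE))
```

On a real node, `default_entry_compliant("/boot/loader/entries", "audit=1")` and `runtime_compliant("audit=1")` give the bootloader and runtime answers separately; the two can legitimately differ until the node has rebooted into the new entry.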
Collaborator
By the way, contrary to applying remediations on RHEL, applying a MachineConfig remediation through the MachineConfigOperator always reboots the nodes, so when you apply this remediation, the machines in the cluster would automatically reboot into the approved config and at that point the
Member
Author
I'm working on it in #6100.
This whole criteria is here to check the case when there wasn't a kernel update yet, thus entry 2 doesn't exist yet, right?
I would add a comment to the criteria; I was a bit confused at first about why it ensures that entry 2 doesn't exist.
I continued working on these rules in #6100, let's move there.