Change rhcos4/moderate kernel argument checks to use coreos check #6131

JAORMX · 2020-09-30T06:31:53Z

A recent commit [1] introduced an enhanced check for kernel arguments
that works in CoreOS. This commit takes them into use in rhcos4's
moderate profile. The needed checks were created with appropriate text.

[1] #6088

JAORMX · 2020-09-30T07:45:45Z

Pull-request updated, HEAD is now aad47f0

ggbecker · 2020-09-30T09:46:20Z

@openscap-ci test this please

JAORMX · 2020-09-30T11:11:00Z

Pull-request updated, HEAD is now 51be1ae

JAORMX · 2020-09-30T11:58:11Z

Pull-request updated, HEAD is now 8bf09e5

JAORMX · 2020-09-30T11:58:26Z

Pull-request updated, HEAD is now 2d0e3b3

yuumasato

In general LGTM.

shared/templates/template_KUBERNETES_coreos_kernel_option

yuumasato · 2020-09-30T12:29:38Z

linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml

 identifiers:
    cce@rhel7: CCE-82158-7
    cce@rhel8: CCE-80944-2
-    cce@rhcos4: CCE-82673-5


CCE-82673-5 went from rule grub2_page_poison_argument to coreos_page_poison_kernel_argument.
The configuration checked/remediated is almost the same, the difference is that coreos_page_poison_kernel_argument checks only the last boot entry.

I'm not sure if this CEE migration is okay, maybe @redhatrises has thoughts on it.

I am okay with this until we actually deliver something. Ultimately, I think that creating duplicate rules for something that is subtly unique is not a great. This is something to figure out in a separate PR.

yuumasato · 2020-09-30T12:30:21Z

shared/templates/template_OVAL_coreos_kernel_option

  <unix:file_object id="object_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_does_not_exists"
  version="1">
-    <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-*\.conf</unix:filepath>
+    <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*\.conf</unix:filepath>


JAORMX · 2020-09-30T12:46:56Z

Pull-request updated, HEAD is now 86978b9

JAORMX · 2020-10-01T12:45:38Z

Pull-request updated, HEAD is now 00ad321

JAORMX · 2020-10-01T20:29:47Z

/retest

JAORMX · 2020-10-02T02:47:46Z

/retest

JAORMX · 2020-10-06T05:28:13Z

This is blocked on #6100

A recent commit [1] introduced an enhanced check for kernel arguments that works in CoreOS. This commit takes them into use in rhcos4's moderate & ncp profiles. The needed checks were created with appropriate text. [1] ComplianceAsCode#6088

This replaces the explicit MachineConfigs for templates.

JAORMX · 2020-10-06T11:08:06Z

Pull-request updated, HEAD is now 8427166

JAORMX · 2020-10-06T12:37:52Z

/test e2e-aws-rhcos4-e8

jhrozek

Looks quite good, I was a bit confused about the tests, otherwise lgtm

jhrozek · 2020-10-06T12:43:35Z

linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml

+ocil: |-
+    Inspect the form of all the BLS (Boot Loader Specification) entries
+    ('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include
+    <tt>audit=1</tt>, then auditing is enabled at boot time.


Should the rule talk about enabling audit?

What do you mean?

Pointing out that the admin should inspect the kernel command line for audit=1 seems a bit redundant, because it's not the point of this rule. But the ocil rule is not super important for coreos rules and the backlog parameter is mentioned next, so it's OK.

...uide/system/auditing/coreos_audit_backlog_limit_kernel_argument/tests/correct_grubby.pass.sh

...ide/system/auditing/coreos_audit_backlog_limit_kernel_argument/tests/correct_grubenv.pass.sh

...auditing/coreos_audit_backlog_limit_kernel_argument/tests/wrong_value_etcdefaultgrub.fail.sh

...e/system/auditing/coreos_audit_backlog_limit_kernel_argument/tests/wrong_value_rhel8.fail.sh

linux_os/guide/system/auditing/coreos_audit_option/rule.yml

jhrozek · 2020-10-06T12:51:57Z

OK, so really the only thing I found is the description at linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml

JAORMX · 2020-10-06T14:21:03Z

/test e2e-aws-rhcos4-e8

JAORMX · 2020-10-07T05:31:46Z

/test e2e-aws-rhcos4-e8

jhrozek

/lgtm

JAORMX changed the title ~~Change rhcos4/moderate kernel argument checks to use coreos check~~ WIP: Change rhcos4/moderate kernel argument checks to use coreos check Sep 30, 2020

openshift-ci-robot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 30, 2020

JAORMX force-pushed the rhcos-kernel-args branch from 373aabf to aad47f0 Compare September 30, 2020 07:45

JAORMX force-pushed the rhcos-kernel-args branch from aad47f0 to 51be1ae Compare September 30, 2020 11:11

JAORMX force-pushed the rhcos-kernel-args branch from 51be1ae to 8bf09e5 Compare September 30, 2020 11:58

JAORMX force-pushed the rhcos-kernel-args branch from 8bf09e5 to 2d0e3b3 Compare September 30, 2020 11:58

JAORMX changed the title ~~WIP: Change rhcos4/moderate kernel argument checks to use coreos check~~ Change rhcos4/moderate kernel argument checks to use coreos check Sep 30, 2020

openshift-ci-robot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Sep 30, 2020

JAORMX requested review from evgenyz and yuumasato September 30, 2020 11:58

yuumasato requested changes Sep 30, 2020

View reviewed changes

JAORMX force-pushed the rhcos-kernel-args branch from 2d0e3b3 to 86978b9 Compare September 30, 2020 12:46

JAORMX force-pushed the rhcos-kernel-args branch from 86978b9 to 00ad321 Compare October 1, 2020 12:45

JAORMX requested a review from yuumasato October 5, 2020 06:12

JAORMX added 2 commits October 6, 2020 14:00

kube: Replace explicit kernel argument remediations for template

8427166

This replaces the explicit MachineConfigs for templates.

JAORMX force-pushed the rhcos-kernel-args branch from 00ad321 to 8427166 Compare October 6, 2020 11:08

jhrozek reviewed Oct 6, 2020

View reviewed changes

jhrozek approved these changes Oct 7, 2020

View reviewed changes

JAORMX merged commit e8e24fc into ComplianceAsCode:master Oct 7, 2020

yuumasato added this to the 0.1.53 milestone Oct 27, 2020

Change rhcos4/moderate kernel argument checks to use coreos check #6131

Change rhcos4/moderate kernel argument checks to use coreos check #6131

Uh oh!

Conversation

JAORMX commented Sep 30, 2020

Uh oh!

JAORMX commented Sep 30, 2020

Uh oh!

ggbecker commented Sep 30, 2020

Uh oh!

JAORMX commented Sep 30, 2020

Uh oh!

JAORMX commented Sep 30, 2020

Uh oh!

JAORMX commented Sep 30, 2020

Uh oh!

yuumasato left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

yuumasato Sep 30, 2020

Choose a reason for hiding this comment

Uh oh!

redhatrises Oct 6, 2020

Choose a reason for hiding this comment

Uh oh!

yuumasato Sep 30, 2020

Choose a reason for hiding this comment

Uh oh!

JAORMX commented Sep 30, 2020

Uh oh!

JAORMX commented Oct 1, 2020

Uh oh!

JAORMX commented Oct 1, 2020

Uh oh!

JAORMX commented Oct 2, 2020

Uh oh!

JAORMX commented Oct 6, 2020

Uh oh!

JAORMX commented Oct 6, 2020

Uh oh!

JAORMX commented Oct 6, 2020

Uh oh!

jhrozek left a comment

Choose a reason for hiding this comment

Uh oh!

jhrozek Oct 6, 2020

Choose a reason for hiding this comment

Uh oh!

JAORMX Oct 6, 2020

Choose a reason for hiding this comment

Uh oh!

jhrozek Oct 7, 2020

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jhrozek commented Oct 6, 2020

Uh oh!

JAORMX commented Oct 6, 2020

Uh oh!

JAORMX commented Oct 7, 2020

Uh oh!

jhrozek left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants