diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc index 66844faaccf0..1dd739390370 100644 --- a/docs/manual/developer_guide.adoc +++ b/docs/manual/developer_guide.adoc @@ -1572,6 +1572,13 @@ audit_rules_usergroup_modification:: ** *path* - path that should be part of the audit rule as a value of `-w` argument, eg. `/etc/group`. * Languages: Ansible, Bash, OVAL +bls_bootloader_option:: +* Checks kernel command line arguments in BLS-compatible (Boot Loader Specification) boot loader configuration. +* Parameters: +** *arg_name* - argument name, eg. `audit` +** *arg_value* - argument value, eg. `'1'` +* Languages: OVAL + file_groupowner:: * Check group that owns the given file. * Parameters: diff --git a/linux_os/guide/system/auditing/bls_audit_option/kubernetes/shared.yml b/linux_os/guide/system/auditing/bls_audit_option/kubernetes/shared.yml new file mode 100644 index 000000000000..331d624e0e7f --- /dev/null +++ b/linux_os/guide/system/auditing/bls_audit_option/kubernetes/shared.yml @@ -0,0 +1,6 @@ +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ocp,multi_platform_rhcos +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +spec: + kernelArguments: + - audit=1 diff --git a/linux_os/guide/system/auditing/bls_audit_option/rule.yml b/linux_os/guide/system/auditing/bls_audit_option/rule.yml new file mode 100644 index 000000000000..4c34721729b3 --- /dev/null +++ b/linux_os/guide/system/auditing/bls_audit_option/rule.yml 
@@ -0,0 +1,54 @@
+documentation_complete: true
+
+prodtype: rhcos4
+
+title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'
+
+description: |-
+ To ensure all processes can be audited, even those which start
+ prior to the audit daemon, add the argument audit=1 to all
+ BLS (Boot Loader Specification) entries ('options' line) for the Linux
+ operating system in /boot/loader/entries/*.conf.
+
+rationale: |-
+ Each process on the system carries an "auditable" flag which indicates whether
+ its activities can be audited. Although auditd takes care of enabling
+ this for all processes which launch after it does, adding the kernel argument
+ ensures it is set for every process during boot.
+
+severity: medium
+
+identifiers:
+ cce@ocp4: 83550-4
+
+references:
+ cis@rhel8: 4.1.1.3
+ cjis: 5.4.1.1
+ cui: 3.3.1
+ disa: 1464,130
+ hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(C),164.310(a)(2)(iv),164.310(d)(2)(iii),164.312(b)
+ nist: AC-17(1),AU-14(1),AU-10,CM-6(a),IR-5(1)
+ nist-csf: DE.AE-3,DE.AE-5,ID.SC-4,PR.AC-3,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
+ vmmsrg: SRG-OS-000254-VMM-000880
+ pcidss: Req-10.3
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 7.1,SR 7.6'
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.02,DSS05.03,DSS05.04,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
+ cis-csc: 1,11,12,13,14,15,16,19,3,4,5,6,7,8
+ srg: SRG-OS-000254-GPOS-00095
+
+ocil_clause: 'auditing is not enabled at boot time'
+
+ocil: |-
+ Inspect the form of BLS (Boot Loader Specification)
options lines for the Linux operating system + in /boot/loader/entries/*.conf. If they include audit=1, then auditing + is enabled at boot time. +
# grep 'options.*audit=1.*' /boot/loader/entires/*.conf
+
+ +template: + name: bls_entries_option + vars: + arg_name: audit + arg_value: '1' diff --git a/rhcos4/profiles/moderate.profile b/rhcos4/profiles/moderate.profile index a094a58772ad..b0bd78ba5e88 100644 --- a/rhcos4/profiles/moderate.profile +++ b/rhcos4/profiles/moderate.profile @@ -548,7 +548,7 @@ selections: # AU-3 - package_audit_installed - - grub2_audit_argument + - bls_audit_option - grub2_audit_backlog_limit_argument #- grub2_slub_debug_argument - grub2_page_poison_argument diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index e060d2fb1ceb..287c21cfeef7 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -198,7 +198,6 @@ CCE-83546-2 CCE-83547-0 CCE-83548-8 CCE-83549-6 -CCE-83550-4 CCE-83551-2 CCE-83552-0 CCE-83553-8 diff --git a/shared/templates/template_OVAL_bls_entries_option b/shared/templates/template_OVAL_bls_entries_option new file mode 100644 index 000000000000..7a64337b1f13 --- /dev/null +++ b/shared/templates/template_OVAL_bls_entries_option @@ -0,0 +1,32 @@ + + + + Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}} + {{{- oval_affected(products) }}} + Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf. + + + + + + + + + + + + + ^/boot/loader/entries/.*\.conf$ + ^options (.*)$ + 1 + + + + ^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$ + + diff --git a/ssg/templates.py b/ssg/templates.py index 7f2d209a392a..847023d775bf 100644 --- a/ssg/templates.py +++ b/ssg/templates.py 
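Review bot: The manual-check command in the new `ocil` block greps `/boot/loader/entires/*.conf`, where `entires` is a typo for `entries`, so an auditor who pastes it gets no output and cannot tell a host missing `audit=1` from a mistyped path; it should read `# grep 'options.*audit=1.*' /boot/loader/entries/*.conf`. The `description` in this same file and the OVAL object regex in this commit both use the correct `/boot/loader/entries/` path, so only the OCIL text is wrong. Because the absence of `audit=1` is exactly what this rule exists to surface, a manual procedure that silently returns nothing on every host is a false negative worth fixing before the rule ships. Several `+` markers of this hunk are lost in the extract shown here, so the exact line layout of the `ocil` block is inferred.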
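Review bot: The state regex `^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$` receives a value in which only `.` has been escaped (that is all the Python helper in this commit does), so a future `arg_value` containing `+`, `*`, `?`, `(`, `[`, `|` or `$` would be read as a pattern instead of matched literally and could make the check pass or fail silently; escaping the whole token in the helper (for example with `re.escape`) closes that gap for every user of this template. Separately, the pattern accepts the option anywhere on the `options` line, so a line carrying `audit=1` followed later by `audit=0` still matches, although the kernel, as far as I recall, honours the last occurrence of a repeated parameter — a comment in the template noting this limitation, or a stricter pattern, would stop a reader assuming the check proves the effective value. The XML attributes are stripped in this extract, so I cannot see the test's `check` and `check_existence` values; the rule text in this commit says "all BLS entries", which needs `check="all"` on the test so one compliant entry among several does not pass the whole rule.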
@@ -365,6 +365,17 @@ def yamlfile_value(data, lang): return data +@template(["oval"]) +def bls_entries_option(data, lang): + data["arg_name_value"] = data["arg_name"] + "=" + data["arg_value"] + if lang == "oval": + # escape dot, this is used in oval regex + data["escaped_arg_name_value"] = data["arg_name_value"].replace(".", "\\.") + # replace . with _, this is used in test / object / state ids + data["sanitized_arg_name"] = data["arg_name"].replace(".", "_") + return data + + class Builder(object): """ Class for building all templated content for a given product.
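Review bot: `bls_entries_option` escapes only `.` before the value is interpolated into the OVAL state regex (`data["arg_name_value"].replace(".", "\\.")`), so any `arg_value` holding another regex metacharacter (`+`, `*`, `?`, `(`, `[`, `|`, `$`) is parsed as a pattern rather than matched literally, which can turn the generated check into a silent pass or fail for that argument; `data["escaped_arg_name_value"] = re.escape(data["arg_name_value"])` escapes every metacharacter (older Pythons also emit `\=` for `=`, which a PCRE-style engine treats as a literal — confirm against the OVAL regex dialect the project targets) and needs `import re` at the top of `ssg/templates.py`, outside this hunk. The concatenation `data["arg_name"] + "=" + data["arg_value"]` raises `TypeError` if a rule writes `arg_value: 1` unquoted, which YAML loads as an int; the developer-guide entry in this commit shows the quoted form, but `str(data["arg_value"])` would make the helper tolerant of either. A short docstring stating that `arg_name_value` is the literal `name=value` token, `escaped_arg_name_value` its regex-safe form and `sanitized_arg_name` its id-safe form would help the next template author. The trailing `class Builder(object):` context line begins a class whose body continues outside the hunk.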