Reorganize zIPL rules #5888
Skipping CI for Draft Pull Request.

/test all

e222c63 to dc415f0
Instead of having each zIPL argument rule check for BLS compliance, let's split it into its own rule.
Automated remediation to remove non-BLS boot entries from /etc/zipl.conf is tricky and can lead to broken entries or removal of all of them.
Instead of having each zIPL argument rule check if zIPL bootmap is up to date, let's split it into its own rule.
These tests mock existence of zIPL files.
dc415f0 to 9370372
| path: /etc/zipl.conf | ||
| register: zipl_conf | ||
|
|
||
| # TODO: handle /boot/loader/entries/*.conf |
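Review bot: the TODO on the last line leaves /boot/loader/entries/*.conf unhandled, so the task that registers zipl_conf only covers /etc/zipl.conf. Consider adding a tracking issue reference to the TODO comment, or a short note on why those files are skipped, so the gap is visible to whoever reads the remediation later.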
I don't see an easy way to do this, leaving as a TODO item for the future.
Thank you for these changes. Please also modify the files pertaining to "stable profile" tests, currently the test is failing. See comments for questions and suggestions.
I ran all tests manually and they work as expected, except for the wrong path in the bash remediation for zipl_bootmap_is_up_to_date. When I fixed it everything was working.
There can be leading spaces before 'image'.
There is no need to perform pattern match, the check just needs to examine /etc/zipl.conf file.
Add RHEL-8 CCE identifiers for:
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
Update the profile reference file.
Note: references to SFRs to be added later.
The zIPL rules are inherited from OSPP profile

Please update the STIG stable profile as well.

I actually unselected the zIPL rules from the STIG Profile.

/retest

Thank you for the PR, merging!

Thanks for the reviews, :)
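
An added example, not code from this PR or the project: a report-only shell check for the condition the commit notes above describe, scanning a zipl.conf-style file for `image` entries that may be indented, without attempting any removal. Treating a direct `image=` line as the marker of a non-BLS entry, the function names, the return codes and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's check. Assumption: an entry is non-BLS
# when the zipl.conf file itself sets "image", possibly indented.

# Prints "lineno:text" for each offending line.
# Returns 0 = no image entries, 1 = image entries found, 2 = file unreadable.
find_non_bls_entries() {
    [ -r "$1" ] || return 2
    if grep -nE '^[[:space:]]*image[[:space:]]*=' "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample files, written to a scratch directory.
write_samples() {
    dir=$1
    cat > "$dir/bls_only.conf" <<'EOF'
[defaultboot]
defaultauto
prompt=1
timeout=5
target=/boot
# image=/boot/old-kernel   (commented out, must not match)
EOF
    cat > "$dir/legacy.conf" <<'EOF'
[defaultboot]
default=linux
target=/boot
[linux]
    image = /boot/vmlinuz-constructed
    ramdisk=/boot/initramfs-constructed.img
    parameters="root=/dev/disk/by-label/constructed"
EOF
}

# Demo run over the constructed samples (rc 0 = compliant, 1 = image entry).
scratch=$(mktemp -d)
write_samples "$scratch"
for f in "$scratch"/*.conf; do
    rc=0
    find_non_bls_entries "$f" >/dev/null || rc=$?
    echo "$(basename "$f") rc=$rc"
done
rm -rf "$scratch"
```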