Change rhcos4/moderate kernel argument checks to use coreos check#6131
#6131: JAORMX merged 2 commits into ComplianceAsCode:master from
Pull-request updated, HEAD is now aad47f0 (373aabf to aad47f0)
@openscap-ci test this please
Pull-request updated, HEAD is now 51be1ae (aad47f0 to 51be1ae)
Pull-request updated, HEAD is now 8bf09e5 (51be1ae to 8bf09e5)
Pull-request updated, HEAD is now 2d0e3b3 (8bf09e5 to 2d0e3b3)
| identifiers: | ||
| cce@rhel7: CCE-82158-7 | ||
| cce@rhel8: CCE-80944-2 | ||
| cce@rhcos4: CCE-82673-5 |
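Review bot: the `cce@rhcos4: CCE-82673-5` line reassigns an identifier to a rule whose check, as the discussion notes, covers only the last boot entry rather than every entry; a CCE is meant to name one specific configuration check, so the narrower scope should be recorded in the receiving rule's description so that anyone mapping this CCE to scan results is not misled by the change of owner.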
CCE-82673-5 went from rule grub2_page_poison_argument to coreos_page_poison_kernel_argument.
The configuration checked/remediated is almost the same, the difference is that coreos_page_poison_kernel_argument checks only the last boot entry.
I'm not sure if this CCE migration is okay, maybe @redhatrises has thoughts on it.
I am okay with this until we actually deliver something. Ultimately, I think that creating duplicate rules for something that is subtly unique is not great. This is something to figure out in a separate PR.
| <unix:file_object id="object_coreos_{{{ SANITIZED_ARG_NAME }}}_entry_2_does_not_exists" | ||
| version="1"> | ||
| <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-*\.conf</unix:filepath> | ||
| <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*\.conf</unix:filepath> |
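Review bot: the corrected `<unix:filepath>` pattern fixes a quantifier bug: in `^/boot/loader/entries/ostree-2-*\.conf` the `*` applies only to the preceding `-`, so the pattern matched names like `ostree-2.conf` or `ostree-2--.conf` but never a real entry such as `ostree-2-<name>.conf`; `ostree-2-.*\.conf` matches the actual file names. Consider also anchoring the end with `$`, since without it the pattern is a prefix match and `\.conf` could match inside a longer name (for example a stray `.conf.bak`), which would wrongly make the "entry 2 does not exist" object succeed or fail.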
Pull-request updated, HEAD is now 86978b9 (2d0e3b3 to 86978b9)
Pull-request updated, HEAD is now 00ad321 (86978b9 to 00ad321)
/retest
This is blocked on #6100
A recent commit [1] introduced an enhanced check for kernel arguments that works in CoreOS. This commit takes them into use in rhcos4's moderate & ncp profiles. The needed checks were created with appropriate text. [1] ComplianceAsCode#6088
This replaces the explicit MachineConfigs for templates.
Pull-request updated, HEAD is now 8427166 (00ad321 to 8427166)
/test e2e-aws-rhcos4-e8
jhrozek left a comment:
Looks quite good, I was a bit confused about the tests, otherwise lgtm
| ocil: |- | ||
| Inspect the form of all the BLS (Boot Loader Specification) entries | ||
| ('options' line) in <tt>/boot/loader/entries/*.conf</tt>. If they include | ||
| <tt>audit=1</tt>, then auditing is enabled at boot time. |
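Review bot: the OCIL text asks the admin to look for `audit=1` on the `options` line, but the review thread indicates this rule's subject is the backlog parameter, not whether auditing is enabled; the manual procedure should name the same argument the automated check tests, otherwise a manual pass and an automated fail on the same host can disagree.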
Should the rule talk about enabling audit?
Pointing out that the admin should inspect the kernel command line for audit=1 seems a bit redundant, because it's not the point of this rule. But the ocil rule is not super important for coreos rules and the backlog parameter is mentioned next, so it's OK.
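The manual OCIL procedure above boils down to reading the `options` line of a BLS entry and looking for a whole kernel argument. The following is an added shell example, not code from this PR or from the ComplianceAsCode project: it checks one numbered `ostree-<N>-*.conf` entry (the naming used by the OVAL object in this PR) for an argument as a whole token, returns a distinct status when the entry does not exist (the "entry 2 does not exist" case), and runs against constructed sample entries in a temporary directory rather than `/boot/loader/entries`; the function and directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the PR: check a kernel argument on the 'options'
# line of one numbered BLS entry (ostree-<N>-*.conf, as in the OVAL object).

# bls_karg_present <entries_dir> <entry_index> <argument>
# Exit status: 0 = argument present as a whole token, 1 = absent,
#              2 = no entry with that index (e.g. no rollback deployment).
bls_karg_present() {
    dir=$1; idx=$2; arg=$3
    for entry in "$dir"/ostree-"$idx"-*.conf; do
        [ -f "$entry" ] || return 2   # glob did not expand: no such entry
        break                         # use the first matching entry
    done
    # The BLS 'options' line holds the kernel command line; drop the keyword.
    opts=$(awk '$1 == "options" { $1 = ""; print; exit }' "$entry")
    for tok in $opts; do
        # Whole-token comparison: 'page_poison' must not match 'page_poison=1'.
        [ "$tok" = "$arg" ] && return 0
    done
    return 1
}

# make_sample_entries: constructed BLS entries for a stand-alone run
# (entry 1 = current deployment with the argument, entry 2 = rollback without).
make_sample_entries() {
    d=$(mktemp -d)
    printf 'title Example CoreOS\nversion 1\nlinux /ostree/1/vmlinuz\noptions root=UUID=0000 rw page_poison=1 audit=1\n' \
        > "$d/ostree-1-example.conf"
    printf 'title Example CoreOS\nversion 2\nlinux /ostree/2/vmlinuz\noptions root=UUID=0000 rw\n' \
        > "$d/ostree-2-example.conf"
    printf '%s\n' "$d"
}

# Stand-alone run over the constructed entries.
sample=$(make_sample_entries)
for n in 1 2 3; do
    if bls_karg_present "$sample" "$n" page_poison=1; then
        echo "entry $n: page_poison=1 present"
    else
        echo "entry $n: absent or no such entry (status $?)"
    fi
done
```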
OK, so really the only thing I found is the description at
/test e2e-aws-rhcos4-e8
A recent commit [1] introduced an enhanced check for kernel arguments
that works in CoreOS. This commit takes them into use in rhcos4's
moderate profile. The needed checks were created with appropriate text.
[1] #6088