From f351ac88794844bbefee2e95c0e9cda4e9e83c64 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Fri, 25 Feb 2022 12:08:03 -0600
Subject: [PATCH 1/5] Make grub2_uefi_password rule compliant for ol8

DISA, in its STIG profile, requires this rule to verify only the
user.cfg file. Also specifies a grub directory for grub2_uefi_boot_path

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
 .../uefi/grub2_uefi_password/oval/shared.xml         | 12 ++++++++++--
 products/ol8/product.yml                             |  1 +
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
index 8fc73653ad9a..8e1e6e01e6a7 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
@@ -3,6 +3,9 @@
     {{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}}
 
     <criteria operator="OR">
+      {{% if product == "ol8" %}}
+      <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
+      {{% else %}}
       {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
       <criteria operator="AND">
         <criteria comment="check both files to account for procedure change in documenation" operator="OR">
@@ -11,11 +14,13 @@
         </criteria>
         <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
       </criteria>
+      {{% endif %}}
     </criteria>
   </definition>
 
+  {{% if product != "ol8" %}}
   {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
-
+  
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg." id="test_bootloader_uefi_superuser" version="2">
     <ind:object object_ref="object_bootloader_uefi_superuser" />
   </ind:textfilecontent54_test>
@@ -24,6 +29,7 @@
     <ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
+  {{% endif %}}
 
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /boot/efi/EFI/redhat/user.cfg" id="test_grub2_uefi_password_usercfg" version="1">
     <ind:object object_ref="object_grub2_uefi_password_usercfg" />
@@ -33,7 +39,8 @@
     <ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
-
+  
+  {{% if product != "ol8" %}}
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg" id="test_grub2_uefi_password_grubcfg" version="1">
     <ind:object object_ref="object_grub2_uefi_password_grubcfg" />
   </ind:textfilecontent54_test>
@@ -42,4 +49,5 @@
     <ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
+  {{% endif %}}
 </def-group>
diff --git a/products/ol8/product.yml b/products/ol8/product.yml
index a6bd6a78df50..01720f2c0509 100644
--- a/products/ol8/product.yml
+++ b/products/ol8/product.yml
@@ -17,6 +17,7 @@ pkg_version: "ad986da3"
 release_key_fingerprint: "76FD3DB13AB67410B89DB10E82562EA9AD986DA3"
 
 dconf_gdm_dir: "local.d"
+grub2_uefi_boot_path: "/boot/efi/EFI/redhat"
 
 oval_feed_url: "https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2"
 

From fbad97a1e6d586a56f605638532d3821d640bc78 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Wed, 26 Jan 2022 16:59:50 -0600
Subject: [PATCH 2/5] Apply grub2_uefi_password changes to rhel8

DISA, in its STIG profile, requires this rule to verify only the
user.cfg file

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
 .../uefi/grub2_uefi_password/oval/shared.xml                | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
index 8e1e6e01e6a7..2c7043d23d2e 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
@@ -3,7 +3,7 @@
     {{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}}
 
     <criteria operator="OR">
-      {{% if product == "ol8" %}}
+      {{% if product in ["ol8", "rhel8"] %}}
       <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
       {{% else %}}
       {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
@@ -18,7 +18,7 @@
     </criteria>
   </definition>
 
-  {{% if product != "ol8" %}}
+  {{% if product not in ["ol8", "rhel8"] %}}
   {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
   
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg." id="test_bootloader_uefi_superuser" version="2">
@@ -40,7 +40,7 @@
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
   
-  {{% if product != "ol8" %}}
+  {{% if product not in ["ol8", "rhel8"] %}}
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg" id="test_grub2_uefi_password_grubcfg" version="1">
     <ind:object object_ref="object_grub2_uefi_password_grubcfg" />
   </ind:textfilecontent54_test>

From 99c83ed1f69dbd347cb1f1f9094d6f520a8641fc Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Fri, 25 Mar 2022 16:19:34 -0600
Subject: [PATCH 3/5] Update grub2_uefi_admin_username to use CPE

This rule's OVAL was designed to pass if grub.cfg was missing,
apparently to allow a scenario were grub is not installed. Remove that
criterion from OVAL so that situation is managed by a CPE and remove
test accordingly

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
 .../uefi/grub2_uefi_admin_username/oval/shared.xml        | 3 ---
 .../uefi/grub2_uefi_admin_username/tests/no-grub.pass.sh  | 8 --------
 2 files changed, 11 deletions(-)
 delete mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/no-grub.pass.sh

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
index a0a76a222a48..be0882581ff8 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
@@ -4,7 +4,6 @@
               "The grub2 boot loader superuser should have a username that is hard to guess.") }}}
 
     <criteria operator="OR">
-      {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
       <criterion comment="Superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg and it
             isn't root, admin, administrator nor equal to any system username"
             test_ref="test_bootloader_uefi_superuser_differ_from_other_users"/>
@@ -20,8 +19,6 @@
     <object_component item_field="username" object_ref="object_uefi_user_accounts"/>
   </local_variable>
 
-  {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
-
   <ind:textfilecontent54_state id="state_bootloader_uefi_superuser_differ_from_other_users"
           version="1">
     <ind:subexpression datatype="string" operation="not equal" var_check="all"
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/no-grub.pass.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/no-grub.pass.sh
deleted file mode 100644
index 84fd3ff7bdeb..000000000000
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/no-grub.pass.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-
-. $SHARED/grub2.sh
-
-set_grub_uefi_root
-
-rm -f "$GRUB_CFG_ROOT/grub.cfg"
-

From 8d21756fb0755748440f8d05fbe739ae587aa100 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Fri, 25 Mar 2022 16:20:04 -0600
Subject: [PATCH 4/5] Update grub2_uefi_password to use CPE

This rule's OVAL was designed to pass if grub.cfg was missing,
apparently to allow a scenario were grub is not installed. Remove that
criterion from OVAL so that situation is managed by a CPE and remove
test accordingly

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
 .../uefi/grub2_uefi_password/oval/shared.xml               | 5 -----
 .../uefi/grub2_uefi_password/tests/no-grub.pass.sh         | 7 -------
 2 files changed, 12 deletions(-)
 delete mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/no-grub.pass.sh

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
index 2c7043d23d2e..99b4dbccbb4e 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
@@ -6,7 +6,6 @@
       {{% if product in ["ol8", "rhel8"] %}}
       <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
       {{% else %}}
-      {{{ oval_file_absent_criterion(grub2_uefi_boot_path + "/grub.cfg") }}}
       <criteria operator="AND">
         <criteria comment="check both files to account for procedure change in documenation" operator="OR">
           <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
@@ -17,9 +16,6 @@
       {{% endif %}}
     </criteria>
   </definition>
-
-  {{% if product not in ["ol8", "rhel8"] %}}
-  {{{ oval_file_absent(grub2_uefi_boot_path + "/grub.cfg") }}}
   
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg." id="test_bootloader_uefi_superuser" version="2">
     <ind:object object_ref="object_bootloader_uefi_superuser" />
@@ -29,7 +25,6 @@
     <ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
-  {{% endif %}}
 
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /boot/efi/EFI/redhat/user.cfg" id="test_grub2_uefi_password_usercfg" version="1">
     <ind:object object_ref="object_grub2_uefi_password_usercfg" />
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/no-grub.pass.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/no-grub.pass.sh
deleted file mode 100644
index c1dbd91d5be1..000000000000
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/no-grub.pass.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-. $SHARED/grub2.sh
-
-set_grub_uefi_root
-
-rm -f "$GRUB_CFG_ROOT/grub.cfg"

From 2daeb5b842be1427455d4d960bb102aa408cbef8 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar <edgar.aguilar@oracle.com>
Date: Mon, 18 Apr 2022 10:52:22 -0500
Subject: [PATCH 5/5] Generalize changes in grub2_uefi_password

Make previous changes which were only applicable to ol8 and rhel8,
apply to all products

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
---
 .../uefi/grub2_uefi_password/oval/shared.xml  | 31 +------------------
 1 file changed, 1 insertion(+), 30 deletions(-)

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
index 99b4dbccbb4e..ab4719894334 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
@@ -3,29 +3,10 @@
     {{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}}
 
     <criteria operator="OR">
-      {{% if product in ["ol8", "rhel8"] %}}
       <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
-      {{% else %}}
-      <criteria operator="AND">
-        <criteria comment="check both files to account for procedure change in documenation" operator="OR">
-          <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
-          <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
-        </criteria>
-        <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
-      </criteria>
-      {{% endif %}}
     </criteria>
   </definition>
   
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg." id="test_bootloader_uefi_superuser" version="2">
-    <ind:object object_ref="object_bootloader_uefi_superuser" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_bootloader_uefi_superuser" version="2">
-    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /boot/efi/EFI/redhat/user.cfg" id="test_grub2_uefi_password_usercfg" version="1">
     <ind:object object_ref="object_grub2_uefi_password_usercfg" />
   </ind:textfilecontent54_test>
@@ -34,15 +15,5 @@
     <ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
-  
-  {{% if product not in ["ol8", "rhel8"] %}}
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg" id="test_grub2_uefi_password_grubcfg" version="1">
-    <ind:object object_ref="object_grub2_uefi_password_grubcfg" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_grub2_uefi_password_grubcfg" version="1">
-    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-  {{% endif %}}
+
 </def-group>