Add arg_minimal_value variable to grub2_bootloader_argument template #14626
macko1 wants to merge 4 commits into
Skipping CI for Draft Pull Request.

Change in Ansible: Please consider using more suitable Ansible module than
5d68582 to 117ce41
d72131a to 315103b
Hello @macko1 and thank you.
13a4ebc to 15dbbd2
@vojtapolasek you were right, thanks for pointing this out. I've re-implemented the check and made it extensible: "greater than or equal" can be extended with more OVAL operations in the future, when needed. I have divided the changes into several commits, as you asked; I hope this will make it more readable. PR description updated. Thanks for the review!
9d97f56 to 869101f
Mab879 left a comment:
We should add new tests for the rule in the referenced issue to ensure it is fixed and stays fixed.
[Diagram from a review comment, lost in extraction apart from the fragments "DATA FLOW (current -- will change in the rewrite)", "(+ grub.d drop-in on Ubuntu)" and "GRUB_DISABLE_RECOVERY=true".]
Mab879 left a comment:
This is looking good. I don't see any issue with it. Saving approval until it is out of draft.
This datastream diff is auto generated by the check.

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force' differs.
--- oval:ssg-grub2_enable_iommu_force:def:1
+++ oval:ssg-grub2_enable_iommu_force:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_iommu_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_iommu_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_iommu_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_iommu_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_iommu_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_iommu_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_iommu_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_iommu_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_iommu_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_iommu_argument:tst:1
+criterion oval:ssg-test_grub2_iommu_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_iommu_argument_default:tst:1
+criterion oval:ssg-test_grub2_iommu_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
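Review bot: the single `_entries_expanded_or_referenced` criterion becomes two ANDed criteria, `_bls_entries_coverage` and `_bls_entries_value`, and four other tests are renamed in the same hunk (`_at_least_one_entry_referenced` to `_kernelopts_in_any_boot_loader_entry`, `_argument_grub_env[_uefi]` to `_in_grubenv[_uefi]`, `_argument[_default]` to `_grub_cmdline_linux[_default]`); because this dump flattens nesting and shows only criterion IDs, a reviewer cannot tell from it whether the surrounding `criteria` operators changed, so please state in the PR description or the oval.template header that the boolean structure is unchanged apart from the added value criterion, and add a test scenario where every BLS entry is covered but one carries the wrong value, since coverage and value now pass or fail independently.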
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_init_on_free' differs.
--- oval:ssg-grub2_init_on_free:def:1
+++ oval:ssg-grub2_init_on_free:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_init_on_free_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_init_on_free_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_init_on_free_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_init_on_free_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_init_on_free_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_init_on_free_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_init_on_free_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_init_on_free_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_init_on_free_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_init_on_free_argument:tst:1
+criterion oval:ssg-test_grub2_init_on_free_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_init_on_free_argument_default:tst:1
+criterion oval:ssg-test_grub2_init_on_free_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_l1tf_argument' differs.
--- oval:ssg-grub2_l1tf_argument:def:1
+++ oval:ssg-grub2_l1tf_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_l1tf_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_l1tf_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_l1tf_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_l1tf_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_l1tf_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_l1tf_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_l1tf_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_l1tf_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_l1tf_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_l1tf_argument:tst:1
+criterion oval:ssg-test_grub2_l1tf_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_l1tf_argument_default:tst:1
+criterion oval:ssg-test_grub2_l1tf_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_mce_argument' differs.
--- oval:ssg-grub2_mce_argument:def:1
+++ oval:ssg-grub2_mce_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_mce_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_mce_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_mce_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_mce_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_mce_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_mce_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_mce_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_mce_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_mce_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_mce_argument:tst:1
+criterion oval:ssg-test_grub2_mce_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_mce_argument_default:tst:1
+criterion oval:ssg-test_grub2_mce_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument' differs.
--- oval:ssg-grub2_pti_argument:def:1
+++ oval:ssg-grub2_pti_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_pti_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_pti_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_pti_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_pti_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_pti_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_pti_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_pti_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_pti_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_pti_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_pti_argument:tst:1
+criterion oval:ssg-test_grub2_pti_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_pti_argument_default:tst:1
+criterion oval:ssg-test_grub2_pti_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument' differs.
--- oval:ssg-grub2_rng_core_default_quality_argument:def:1
+++ oval:ssg-grub2_rng_core_default_quality_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_rng_core_default_quality_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument_default:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument' differs.
--- oval:ssg-grub2_slab_nomerge_argument:def:1
+++ oval:ssg-grub2_slab_nomerge_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_slab_nomerge_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_slab_nomerge_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_argument:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_argument_default:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument' differs.
--- oval:ssg-grub2_spec_store_bypass_disable_argument:def:1
+++ oval:ssg-grub2_spec_store_bypass_disable_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument_default:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument' differs.
--- oval:ssg-grub2_spectre_v2_argument:def:1
+++ oval:ssg-grub2_spectre_v2_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_spectre_v2_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_spectre_v2_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_argument:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_argument_default:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' differs.
--- oval:ssg-grub2_vsyscall_argument:def:1
+++ oval:ssg-grub2_vsyscall_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_vsyscall_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_vsyscall_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_vsyscall_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_vsyscall_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_vsyscall_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_vsyscall_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_vsyscall_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_vsyscall_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_vsyscall_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_vsyscall_argument:tst:1
+criterion oval:ssg-test_grub2_vsyscall_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_vsyscall_argument_default:tst:1
+criterion oval:ssg-test_grub2_vsyscall_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument' differs.
--- oval:ssg-grub2_ipv6_disable_argument:def:1
+++ oval:ssg-grub2_ipv6_disable_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_ipv6_disable_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_ipv6_disable_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_argument:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_argument_default:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_nousb_argument' differs.
--- oval:ssg-grub2_nousb_argument:def:1
+++ oval:ssg-grub2_nousb_argument:def:1
@@ -1,15 +1,15 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_nousb_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_nousb_bls_entries_coverage:tst:1
criteria OR
-criterion oval:ssg-test_grub2_nousb_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_nousb_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_nousb_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_nousb_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_nousb_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_nousb_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_nousb_argument:tst:1
+criterion oval:ssg-test_grub2_nousb_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_nousb_argument_default:tst:1
+criterion oval:ssg-test_grub2_nousb_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
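Review bot: this is the only hunk with `@@ -1,15 +1,15 @@` and no `_bls_entries_value` criterion, which matches the existence-only handling of the bare `nousb` flag, but with no value state there is nothing left to reject a near-match, so the rule's test suite should include a scenario where a token such as `nousb=0` or `nousbfoo` is present and confirm that the existence-only object anchors on the whole token rather than a substring.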
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument' differs.
--- oval:ssg-grub2_page_poison_argument:def:1
+++ oval:ssg-grub2_page_poison_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_page_poison_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_page_poison_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_page_poison_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_page_poison_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_page_poison_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_page_poison_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_page_poison_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_page_poison_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_page_poison_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_page_poison_argument:tst:1
+criterion oval:ssg-test_grub2_page_poison_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_page_poison_argument_default:tst:1
+criterion oval:ssg-test_grub2_page_poison_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument' differs.
--- oval:ssg-grub2_slub_debug_argument:def:1
+++ oval:ssg-grub2_slub_debug_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_slub_debug_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_slub_debug_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_slub_debug_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_slub_debug_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_slub_debug_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_slub_debug_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_slub_debug_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_slub_debug_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_slub_debug_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_slub_debug_argument:tst:1
+criterion oval:ssg-test_grub2_slub_debug_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_slub_debug_argument_default:tst:1
+criterion oval:ssg-test_grub2_slub_debug_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument' differs.
--- oval:ssg-grub2_audit_argument:def:1
+++ oval:ssg-grub2_audit_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_audit_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_audit_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_audit_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_audit_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_audit_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_audit_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_audit_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_audit_argument:tst:1
+criterion oval:ssg-test_grub2_audit_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_audit_argument_default:tst:1
+criterion oval:ssg-test_grub2_audit_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument' differs.
--- oval:ssg-grub2_audit_backlog_limit_argument:def:1
+++ oval:ssg-grub2_audit_backlog_limit_argument:def:1
@@ -1,15 +1,16 @@
criteria OR
criteria AND
-criterion oval:ssg-test_grub2_audit_backlog_limit_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_bls_entries_value:tst:1
criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_kernelopts_in_any_boot_loader_entry:tst:1
criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_in_grubenv_uefi:tst:1
criteria OR
criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_grub_cmdline_linux:tst:1
criteria AND
criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument_default:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_grub_cmdline_linux_default:tst:1
extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1 |
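Review bot: this is the rule the PR exists for (issue #13923), yet its criteria tree is structurally identical to every string-matched rule above; the `>=` semantics must live in the states referenced by `_bls_entries_value`, `_in_grubenv[_uefi]` and `_grub_cmdline_linux[_default]`, which a definition-level diff does not show, so please include the state diff (the `operation="greater than or equal"` and `datatype="int"` attributes) in the PR or add a template test asserting that the generated state carries those attributes, otherwise nothing in this diff demonstrates that the comparison actually changed.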
The grub2_bootloader_argument OVAL template relied on regex pattern matching for all value comparisons, including numeric thresholds like audit_backlog_limit. This meant "8192 >= 8192" was evaluated as a string match, not a numeric comparison — any value containing the expected digits would pass regardless of magnitude.

Add operation and datatype parameters to the template so the OVAL state element uses native OVAL comparison (equals, greater than or equal, pattern match) with the correct datatype (string, int). Objects now extract only the argument value via capturing groups instead of matching the entire line.

Changes:
- oval.template: rewrite objects to extract values, states use operation/datatype attributes, remove local_variable/concat, nousb triggers existence-only checks
- template.py: add validation for operation/datatype combinations, require quoted arg_value in rule.yml, require explicit params for arg_variable rules, compute test scenario values
- 19 rule.yml files: add operation/datatype parameters
- 2 .var files: change type from string to number
- bash.template: rename SANITIZED_ARG_NAME to ARG_NAME_UNDERSCORED
- tests: fix wrong_variable=wrong to use proper wrong values, add 3 GTE boundary tests, add comments to all ARG_VARIABLE blocks
- template_reference.md: document new parameters
Description:
- Add an operation parameter to the grub2_bootloader_argument template so rules can use numeric comparisons (currently only "greater than or equal" is supported)
- Update the grub2_audit_backlog_limit_argument rule to use the new operation parameter
- Document the parameter in template_reference.md

Rationale:
audit_backlog_limit=8192 was failing on systems with a higher value like 16384, because the OVAL check did an exact string match instead of a >= comparison.

Fixes xccdf_org.ssgproject.content_rule_audit_backlog_limit resets backlog limit even if set to valid value #13923

Review Hints:
- Read template.py first (preprocessing), then oval.template + tests (the OVAL plumbing), then rule.yml + docs.
- automatus.py: this needs to be run in a VM, not a container. Using multiple parallel VMs is recommended (--slice automatus argument).
- oval.template has extensive inline comments explaining the numeric branching; the header TOC (lines 1–72) is a good starting point.
- The entries_numeric test + object (section 4a) is the trickiest part; it exists because the wide-capture object must stay for $kernelopts detection.
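A runnable model of the comparison change that the commit message and the description above describe, as an added example that is not code from this PR or from ComplianceAsCode/content: the function names, the set of allowed operation/datatype pairs, the way $kernelopts is expanded from grubenv, and the sample BLS entries and grubenv contents are all constructed assumptions. It contrasts the old whole-line pattern match (legacy_pattern_check, where 16384 fails against an expected 8192 and 81920 passes only because it contains those digits) with a value captured by a group and compared under an explicit operation and datatype (evaluate_state), evaluates every BLS entry so that coverage and value are checked together, and treats a bare flag such as nousb as an existence-only check.

```python
"""Model of the value-comparison change in this PR. Added example, not code from
ComplianceAsCode/content; names, allowed combinations and sample data are constructed."""
import re
from typing import Dict, Optional

# Assumed allowed combinations; the real validation lives in template.py.
VALID_COMBINATIONS = {("equals", "string"), ("equals", "int"),
                      ("pattern match", "string"), ("greater than or equal", "int")}


def validate_operation_datatype(operation: str, datatype: str) -> None:
    if (operation, datatype) not in VALID_COMBINATIONS:
        raise ValueError(f"unsupported: operation={operation!r} datatype={datatype!r}")


def extract_arg_value(cmdline: str, arg: str) -> Optional[str]:
    """Capture only the value of arg=value, anchored on a token boundary so
    xaudit_backlog_limit=1 does not match audit_backlog_limit."""
    m = re.search(rf"(?:^|\s){re.escape(arg)}=(\S+)", cmdline)
    return m.group(1) if m else None


def arg_present(cmdline: str, arg: str) -> bool:
    """Existence-only check for bare flags such as nousb."""
    return re.search(rf"(?:^|\s){re.escape(arg)}(?:=\S*)?(?=\s|$)", cmdline) is not None


def legacy_pattern_check(cmdline: str, arg: str, expected: str) -> bool:
    """Pre-rewrite behaviour: the expected value is interpolated into a regex and
    string-matched against the line, so 16384 fails against 8192 and 81920 passes."""
    return re.search(rf"{re.escape(arg)}={expected}", cmdline) is not None


def evaluate_state(value: str, operation: str, datatype: str, expected: str) -> bool:
    """Compare like an OVAL state carrying explicit operation/datatype attributes."""
    validate_operation_datatype(operation, datatype)
    if operation == "pattern match":
        return re.search(expected, value) is not None
    if datatype == "int":
        try:
            actual, wanted = int(value), int(expected)
        except ValueError:
            return False  # non-numeric where an int is required: fail closed
    else:
        actual, wanted = value, expected
    return actual == wanted if operation == "equals" else actual >= wanted


def parse_grubenv(text: str) -> Dict[str, str]:
    """key=value lines of a grubenv block; comment lines are skipped."""
    env = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and not line.startswith("#"):
            env[key.strip()] = val.strip()
    return env


def bls_entry_options(entry_text: str) -> str:
    """The options line of a /boot/loader/entries/*.conf file."""
    for line in entry_text.splitlines():
        if line.startswith("options "):
            return line[len("options "):].strip()
    return ""


def check_entries(entries, grubenv_text, arg, operation, datatype, expected=None):
    """Verdict per BLS entry. $kernelopts is expanded from grubenv, as GRUB's blscfg
    does at boot (assumption); expected=None means an existence-only check."""
    env = parse_grubenv(grubenv_text)
    verdicts = {}
    for name, text in entries.items():
        cmdline = bls_entry_options(text).replace("$kernelopts", env.get("kernelopts", ""))
        if expected is None:
            verdicts[name] = arg_present(cmdline, arg)
        else:
            value = extract_arg_value(cmdline, arg)
            verdicts[name] = value is not None and evaluate_state(value, operation, datatype, expected)
    return verdicts


def rule_passes(verdicts: Dict[str, bool]) -> bool:
    """Coverage AND value: there must be entries, and every one must pass."""
    return bool(verdicts) and all(verdicts.values())


# Constructed sample data: one entry inherits $kernelopts, the rescue entry
# carries a literal value that is too small.
SAMPLE_GRUBENV = ("# GRUB Environment Block\nsaved_entry=example-5.14.0\n"
                  "kernelopts=root=/dev/mapper/rhel-root ro audit=1 audit_backlog_limit=16384\n")
SAMPLE_ENTRIES = {
    "example-5.14.0.conf": "title Linux 5.14.0\nlinux /vmlinuz-5.14.0\noptions $kernelopts\n",
    "example-rescue.conf": ("title Rescue\nlinux /vmlinuz-0-rescue\n"
                            "options root=/dev/mapper/rhel-root ro audit=1 audit_backlog_limit=4096\n"),
}

if __name__ == "__main__":
    v = check_entries(SAMPLE_ENTRIES, SAMPLE_GRUBENV, "audit_backlog_limit",
                      "greater than or equal", "int", "8192")
    print(v, rule_passes(v))
```

Running the module prints the per-entry verdicts for the sample data: the entry that inherits $kernelopts passes (16384 >= 8192), the rescue entry with a literal 4096 fails, and so the rule as a whole fails, which is the coverage-plus-value outcome the split criteria in the datastream diff express. The same 16384 is rejected by legacy_pattern_check, while 81920 is accepted by it only because the digits 8192 occur as a substring.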