Merge pull request #12144 from jan-cerny/kickstarts

Introduce new remediation type Kickstart

cmake/SSGCommon.cmake

@@ -688,7 +688,7 @@ macro(ssg_build_product PRODUCT)
     add_custom_target(${PRODUCT}-content)
 
     if(NOT DEFINED PRODUCT_REMEDIATION_LANGUAGES)
-        set(PRODUCT_REMEDIATION_LANGUAGES "bash;ansible;puppet;anaconda;ignition;kubernetes;blueprint")
+        set(PRODUCT_REMEDIATION_LANGUAGES "bash;ansible;puppet;anaconda;ignition;kubernetes;blueprint;kickstart")
     endif()
     # Define variables for each language to facilitate assesment of specific remediation languages
     foreach(LANGUAGE ${PRODUCT_REMEDIATION_LANGUAGES})

docs/manual/developer/06_contributing_with_content.md

@@ -516,6 +516,8 @@ then contain the following subdirectories:
 
 - `blueprint` - for OSBuild blueprint content, ending in `.toml`
 
+- `kickstart` - For Kickstart remediation content, ending in `.cfg`
+
 In each of these subdirectories, a file named `shared.ext` will apply to
 all products and be included in all builds, but `{{{ product }}}.ext`
 will only get included in the build for `{{{ product }}}` (e.g.,

docs/templates/template_reference.md

@@ -409,7 +409,7 @@ they must be of the same length.
     -   **arg_variable** - the variable used as the value for the argument, eg. `'var_slub_debug_options'`
         This parameter is mutually exclusive with **arg_value**.
 
--   Languages: Ansible, Bash, OVAL, Blueprint
+-   Languages: Ansible, Bash, OVAL, Blueprint, Kickstart
 
 #### grub2_bootloader_argument_absent
 -   Ensures that a kernel command line argument is absent in GRUB 2 configuration.
@@ -488,7 +488,7 @@ The only way to remediate is to recompile and reinstall the kernel, so no remedi
 
     -   **min_size** - the minimum recommended partition size, in bytes
 
--   Languages: Anaconda, OVAL, Blueprint
+-   Languages: Anaconda, OVAL, Blueprint, Kickstart
 
 #### mount_option
 -   Checks if a given partition is mounted with a specific option such
@@ -568,7 +568,7 @@ The only way to remediate is to recompile and reinstall the kernel, so no remedi
         state uses operation "greater than or equal" to compare the
         collected package version with the version in the OVAL state.
 
--   Languages: Anaconda, Ansible, Bash, OVAL, Puppet, Blueprint
+-   Languages: Anaconda, Ansible, Bash, OVAL, Puppet, Blueprint, Kickstart
 
 #### package_removed
 -   Checks if the given package is not installed.
@@ -577,7 +577,7 @@ The only way to remediate is to recompile and reinstall the kernel, so no remedi
 
     -   **pkgname** - name of the RPM or DEB package, eg. `tmux`
 
--   Languages: Anaconda, Ansible, Bash, OVAL, Puppet
+-   Languages: Anaconda, Ansible, Bash, OVAL, Puppet, Kickstart
 
 #### key_value_pair_in_file
 Checks if a given key and value are configured in a file.
@@ -704,7 +704,7 @@ When the remediation is applied duplicate occurrences of `key` are removed.
         If **daemonname** is not specified it means the name of the
         daemon is the same as the name of service.
 
--   Languages: Ansible, Bash, OVAL, Puppet, Ignition, Kubernetes, Blueprint
+-   Languages: Ansible, Bash, OVAL, Puppet, Ignition, Kubernetes, Blueprint, Kickstart
 
 #### service_enabled
 -   Checks if a system service is enabled. Uses either systemd or SysV
@@ -723,7 +723,7 @@ When the remediation is applied duplicate occurrences of `key` are removed.
         If **daemonname** is not specified it means the name of the
         daemon is the same as the name of service.
 
--   Languages: Ansible, Bash, OVAL, Puppet, Blueprint
+-   Languages: Ansible, Bash, OVAL, Puppet, Blueprint, Kickstart
 
 #### shell_lineinfile
 -   Checks shell variable assignments in files. Remediations will paste

linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml

@@ -31,3 +31,5 @@ template:
     vars:
         mountpoint: /boot
         min_size: 1073741824
+    backends:
+        kickstart: "off"

linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml

@@ -49,3 +49,4 @@ template:
     backends:
         blueprint: 'off'
         anaconda: 'off'
+        kickstart: 'off'

linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml

@@ -56,5 +56,5 @@ template:
     name: mount
     vars:
         mountpoint: /var/log
-        min_size: 5368709120
+        min_size: 1073741824
 {{% endif %}}

linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml

@@ -59,3 +59,4 @@ template:
         anaconda: "off"
         puppet: "off"
         blueprint: "off"
+        kickstart: "off"

shared/templates/grub2_bootloader_argument/kickstart.template

@@ -0,0 +1,11 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = true
+# strategy = restrict
+# complexity = medium
+# disruption = low
+
+{{%- if ARG_VARIABLE %}}
+{{%- set ARG_NAME_VALUE = ARG_NAME ~ "=(kickstart-populate " ~ ARG_VARIABLE ~ ")" -%}}
+{{%- endif %}}
+
+bootloader {{{ ARG_NAME_VALUE }}}

shared/templates/grub2_bootloader_argument/template.yml

@@ -3,3 +3,4 @@ supported_languages:
   - bash
   - oval
   - blueprint
+  - kickstart

shared/templates/mount/kickstart.template

@@ -0,0 +1,3 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+
+logvol {{{ MOUNTPOINT }}} {{{ MIN_SIZE_MB }}}

shared/templates/mount/template.py

@@ -3,4 +3,7 @@
 
 def preprocess(data, lang):
     data["pointid"] = ssg.utils.escape_id(data["mountpoint"])
+    if "min_size" in data and lang == "kickstart":
+        data["min_size_mb"] = int(int(data["min_size"]) / 1024 / 1024)
+        data["name"] = data["mountpoint"].replace("/", "")
     return data

shared/templates/mount/template.yml

@@ -2,3 +2,4 @@ supported_languages:
   - anaconda
   - oval
   - blueprint
+  - kickstart

shared/templates/package_installed/kickstart.template

@@ -0,0 +1,7 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+
+package install {{{ PKGNAME }}}

shared/templates/package_installed/template.yml

@@ -5,3 +5,4 @@ supported_languages:
   - oval
   - puppet
   - blueprint
+  - kickstart

shared/templates/package_removed/kickstart.template

@@ -0,0 +1,7 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = disable
+# complexity = low
+# disruption = low
+
+package remove {{{ PKGNAME }}}

shared/templates/package_removed/template.yml

@@ -4,3 +4,4 @@ supported_languages:
   - bash
   - oval
   - puppet
+  - kickstart

shared/templates/service_disabled/kickstart.template

@@ -0,0 +1,7 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = disable
+# complexity = low
+# disruption = low
+
+service disable {{{ DAEMONNAME }}}

shared/templates/service_disabled/template.yml

@@ -6,3 +6,4 @@ supported_languages:
   - oval
   - puppet
   - blueprint
+  - kickstart

shared/templates/service_enabled/kickstart.template

@@ -0,0 +1,7 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = disable
+# complexity = low
+# disruption = low
+
+service enable {{{ DAEMONNAME }}}

shared/templates/service_enabled/template.yml

@@ -4,3 +4,4 @@ supported_languages:
   - oval
   - puppet
   - blueprint
+  - kickstart

ssg/build_remediations.py

@@ -25,7 +25,8 @@
     'puppet': '.pp',
     'ignition': '.yml',
     'kubernetes': '.yml',
-    'blueprint': '.toml'
+    'blueprint': '.toml',
+    'kickstart': '.cfg'
 }
 
 
@@ -458,6 +459,15 @@ def __init__(self, file_path):
             file_path, "blueprint")
 
 
+class KickstartRemediation(Remediation):
+    """
+    This provides class for Kickstart remediations
+    """
+    def __init__(self, file_path):
+        super(KickstartRemediation, self).__init__(
+            file_path, "kickstart")
+
+
 REMEDIATION_TO_CLASS = {
     'anaconda': AnacondaRemediation,
     'ansible': AnsibleRemediation,
@@ -466,6 +476,7 @@ def __init__(self, file_path):
     'ignition': IgnitionRemediation,
     'kubernetes': KubernetesRemediation,
     'blueprint': BlueprintRemediation,
+    'kickstart': KickstartRemediation,
 }
 
 
@@ -603,7 +614,8 @@ def expand_xccdf_subs(fix, remediation_type):
 
     elif remediation_type == "bash":
         pattern = r'\(bash-populate\s*(\S+)\)'
-
+    elif remediation_type == "kickstart":
+        pattern = r'\(kickstart-populate\s*(\S+)\)'
     else:
         sys.stderr.write("Unknown remediation type '%s'\n" % (remediation_type))
         sys.exit(1)

ssg/constants.py

@@ -88,6 +88,7 @@
 blueprint_system = "urn:redhat:osbuild:blueprint"
 puppet_system = "urn:xccdf:fix:script:puppet"
 anaconda_system = "urn:redhat:anaconda:pre"
+kickstart_system = "urn:xccdf:fix:script:kickstart"
 cce_uri = "https://ncp.nist.gov/cce"
 stig_ns = "https://public.cyber.mil/stigs/srg-stig-tools/"
 ccn_ns = "https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html"
@@ -154,6 +155,7 @@
     "blueprint": blueprint_system,
     "puppet": puppet_system,
     "anaconda": anaconda_system,
+    "kickstart": kickstart_system,
 }
 
 for prefix, url_part in OVAL_SUB_NS.items():

ssg/templates.py

@@ -30,7 +30,8 @@
     "kubernetes": TemplatingLang("kubernetes", ".yml",  TemplateType.REMEDIATION, "kubernetes"),
     "oval": TemplatingLang("oval", ".xml",              TemplateType.CHECK,       "oval"),
     "puppet": TemplatingLang("puppet", ".pp",           TemplateType.REMEDIATION, "puppet"),
-    "sce-bash": TemplatingLang("sce-bash", ".sh",       TemplateType.CHECK,       "sce")
+    "sce-bash": TemplatingLang("sce-bash", ".sh",       TemplateType.CHECK,       "sce"),
+    "kickstart": TemplatingLang("kickstart", ".cfg",    TemplateType.REMEDIATION, "kickstart")
 }
 
 PREPROCESSING_FILE_NAME = "template.py"