From 008e162e4bf3d7faa89b051346eeae397c2c6a31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 10 Jul 2024 07:57:20 +0200 Subject: [PATCH 1/8] Introduce new remediation type: Kickstart This will enable us to add special remediation content to our rules. It will be used by OpenSCAP to generate RHEL kickstarts from our built data streams. These kickstarts will be used as a lightweight alternative to OSCAP Anaconda Addon. --- cmake/SSGCommon.cmake | 2 +- .../developer/06_contributing_with_content.md | 2 ++ ssg/build_remediations.py | 14 ++++++++++++-- ssg/constants.py | 2 ++ ssg/templates.py | 3 ++- 5 files changed, 19 insertions(+), 4 deletions(-) diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake index d865745d5c5..512903f279d 100644 --- a/cmake/SSGCommon.cmake +++ b/cmake/SSGCommon.cmake @@ -688,7 +688,7 @@ macro(ssg_build_product PRODUCT) add_custom_target(${PRODUCT}-content) if(NOT DEFINED PRODUCT_REMEDIATION_LANGUAGES) - set(PRODUCT_REMEDIATION_LANGUAGES "bash;ansible;puppet;anaconda;ignition;kubernetes;blueprint") + set(PRODUCT_REMEDIATION_LANGUAGES "bash;ansible;puppet;anaconda;ignition;kubernetes;blueprint;kickstart") endif() # Define variables for each language to facilitate assesment of specific remediation languages foreach(LANGUAGE ${PRODUCT_REMEDIATION_LANGUAGES}) diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md index d3096eb14e6..d4d3555ca35 100644 --- a/docs/manual/developer/06_contributing_with_content.md +++ b/docs/manual/developer/06_contributing_with_content.md 
@@ -516,6 +516,8 @@ then contain the following subdirectories: - `blueprint` - for OSBuild blueprint content, ending in `.toml` +- `kickstart` - For Kickstart remediation content, ending in `.cfg` + In each of these subdirectories, a file named `shared.ext` will apply to all products and be included in all builds, but `{{{ product }}}.ext` will only get included in the build for `{{{ product }}}` (e.g., diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py index 106e70736fa..cce88323bfa 100644 --- a/ssg/build_remediations.py +++ b/ssg/build_remediations.py @@ -25,7 +25,8 @@ 'puppet': '.pp', 'ignition': '.yml', 'kubernetes': '.yml', - 'blueprint': '.toml' + 'blueprint': '.toml', + 'kickstart': '.cfg' } @@ -457,6 +458,13 @@ def __init__(self, file_path): super(BlueprintRemediation, self).__init__( file_path, "blueprint") +class KickstartRemediation(Remediation): + """ + This provides class for Kickstart remediations + """ + def __init__(self, file_path): + super(KickstartRemediation, self).__init__( + file_path, "kickstart") REMEDIATION_TO_CLASS = { 'anaconda': AnacondaRemediation, @@ -466,6 +474,7 @@ def __init__(self, file_path): 'ignition': IgnitionRemediation, 'kubernetes': KubernetesRemediation, 'blueprint': BlueprintRemediation, + 'kickstart': KickstartRemediation, } @@ -603,7 +612,8 @@ def expand_xccdf_subs(fix, remediation_type): elif remediation_type == "bash": pattern = r'\(bash-populate\s*(\S+)\)' - + elif remediation_type == "kickstart": + pattern = r'\(kickstart-populate\s*(\S+)\)' else: sys.stderr.write("Unknown remediation type '%s'\n" % (remediation_type)) sys.exit(1) diff --git a/ssg/constants.py b/ssg/constants.py index d8731b51b6c..e7f6be91c42 100644 --- a/ssg/constants.py +++ b/ssg/constants.py 
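Review bot: The new `kickstart` branch of expand_xccdf_subs introduces a placeholder syntax, `(kickstart-populate VAR)`, that nothing on the code side documents; its only user on this page is the grub2_bootloader_argument kickstart template later in the series, which spells the string out by hand. A comment on the new `elif` would spare template authors a trip through the regex, e.g. `# Kickstart templates refer to XCCDF values as "(kickstart-populate VAR)", mirroring bash-populate`. The hunk also drops the blank line that separated the `bash` branch from the `else`, which is unrelated to the change and makes the diff noisier than it needs to be. The body of expand_xccdf_subs continues outside the hunk.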
@@ -88,6 +88,7 @@ blueprint_system = "urn:redhat:osbuild:blueprint" puppet_system = "urn:xccdf:fix:script:puppet" anaconda_system = "urn:redhat:anaconda:pre" +kickstart_system = "urn:xccdf:fix:script:kickstart" cce_uri = "https://ncp.nist.gov/cce" stig_ns = "https://public.cyber.mil/stigs/srg-stig-tools/" ccn_ns = "https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html" @@ -154,6 +155,7 @@ "blueprint": blueprint_system, "puppet": puppet_system, "anaconda": anaconda_system, + "kickstart": kickstart_system, } for prefix, url_part in OVAL_SUB_NS.items(): diff --git a/ssg/templates.py b/ssg/templates.py index 1a938e3a67a..1f520c683f4 100644 --- a/ssg/templates.py +++ b/ssg/templates.py @@ -30,7 +30,8 @@ "kubernetes": TemplatingLang("kubernetes", ".yml", TemplateType.REMEDIATION, "kubernetes"), "oval": TemplatingLang("oval", ".xml", TemplateType.CHECK, "oval"), "puppet": TemplatingLang("puppet", ".pp", TemplateType.REMEDIATION, "puppet"), - "sce-bash": TemplatingLang("sce-bash", ".sh", TemplateType.CHECK, "sce") + "sce-bash": TemplatingLang("sce-bash", ".sh", TemplateType.CHECK, "sce"), + "kickstart": TemplatingLang("kickstart", ".cfg", TemplateType.REMEDIATION, "kickstart") } PREPROCESSING_FILE_NAME = "template.py" From b7e84631fe7c67eabd27b9f53ebeafc8dd21759d Mon Sep 17 00:00:00 2001 
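Review bot: `kickstart_system` is a contract with an external consumer rather than a local constant: the commit message says OpenSCAP will generate kickstarts from the built data streams, so it has to recognise exactly `urn:xccdf:fix:script:kickstart` as the fix system. The other installer-oriented formats in this block use vendor URNs (`urn:redhat:anaconda:pre`, `urn:redhat:osbuild:blueprint`) while this one joins the `urn:xccdf:fix:script:` family next to `puppet_system`; presumably that is what the consumer expects, but it is worth pinning down in a comment, e.g. `# Fix system id the kickstart generator (OpenSCAP) matches on; change only together with the consumer`.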
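Review bot: The new `"kickstart"` entry in the templating-language table is appended after `"sce-bash"`, which breaks the alphabetical order the visible entries follow (`kubernetes`, `oval`, `puppet`, `sce-bash`); it belongs before `"kubernetes"`. Moving it there keeps the table scannable and lets the `"sce-bash"` line stay untouched apart from the trailing comma, e.g. `"kickstart": TemplatingLang("kickstart", ".cfg", TemplateType.REMEDIATION, "kickstart"),` placed directly above the `"kubernetes"` line.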
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 10 Jul 2024 08:03:56 +0200 Subject: [PATCH 2/8] Add Kickstart remediation for templated rules This commit will add a Kickstart remediation for these templates: - package_installed - package_removed - service_enabled - service_disabled --- docs/templates/template_reference.md | 8 ++++---- .../package_mcafeetp_installed/rule.yml | 1 + shared/templates/package_installed/kickstart.template | 7 +++++++ shared/templates/package_installed/template.yml | 1 + shared/templates/package_removed/kickstart.template | 7 +++++++ shared/templates/package_removed/template.yml | 1 + shared/templates/service_disabled/kickstart.template | 7 +++++++ shared/templates/service_disabled/template.yml | 1 + shared/templates/service_enabled/kickstart.template | 7 +++++++ shared/templates/service_enabled/template.yml | 1 + 10 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 shared/templates/package_installed/kickstart.template create mode 100644 shared/templates/package_removed/kickstart.template create mode 100644 shared/templates/service_disabled/kickstart.template create mode 100644 shared/templates/service_enabled/kickstart.template diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index f4a3163f8a4..3e561e5bed6 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -568,7 +568,7 @@ The only way to remediate is to recompile and reinstall the kernel, so no remedi state uses operation "greater than or equal" to compare the collected package version with the version in the OVAL state. -- Languages: Anaconda, Ansible, Bash, OVAL, Puppet, Blueprint +- Languages: Anaconda, Ansible, Bash, OVAL, Puppet, Blueprint, Kickstart #### package_removed - Checks if the given package is not installed. 
@@ -577,7 +577,7 @@ The only way to remediate is to recompile and reinstall the kernel, so no remedi - **pkgname** - name of the RPM or DEB package, eg. `tmux` -- Languages: Anaconda, Ansible, Bash, OVAL, Puppet +- Languages: Anaconda, Ansible, Bash, OVAL, Puppet, Kickstart #### key_value_pair_in_file Checks if a given key and value are configured in a file. @@ -704,7 +704,7 @@ When the remediation is applied duplicate occurrences of `key` are removed. If **daemonname** is not specified it means the name of the daemon is the same as the name of service. -- Languages: Ansible, Bash, OVAL, Puppet, Ignition, Kubernetes, Blueprint +- Languages: Ansible, Bash, OVAL, Puppet, Ignition, Kubernetes, Blueprint, Kickstart #### service_enabled - Checks if a system service is enabled. Uses either systemd or SysV @@ -723,7 +723,7 @@ When the remediation is applied duplicate occurrences of `key` are removed. If **daemonname** is not specified it means the name of the daemon is the same as the name of service. -- Languages: Ansible, Bash, OVAL, Puppet, Blueprint +- Languages: Ansible, Bash, OVAL, Puppet, Blueprint, Kickstart #### shell_lineinfile - Checks shell variable assignments in files. Remediations will paste diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml index 32d5d95479f..4702328d4fa 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml 
@@ -60,3 +60,4 @@ template: anaconda: "off" puppet: "off" blueprint: "off" + kickstart: "off" diff --git a/shared/templates/package_installed/kickstart.template b/shared/templates/package_installed/kickstart.template new file mode 100644 index 00000000000..be0fc1de835 --- /dev/null +++ b/shared/templates/package_installed/kickstart.template @@ -0,0 +1,7 @@ +# platform = multi_platform_rhel,multi_platform_fedora +# reboot = false +# strategy = enable +# complexity = low +# disruption = low + +package install {{{ PKGNAME }}} diff --git a/shared/templates/package_installed/template.yml b/shared/templates/package_installed/template.yml index 35a987a52da..3d81d611cca 100644 --- a/shared/templates/package_installed/template.yml +++ b/shared/templates/package_installed/template.yml @@ -5,3 +5,4 @@ supported_languages: - oval - puppet - blueprint + - kickstart diff --git a/shared/templates/package_removed/kickstart.template b/shared/templates/package_removed/kickstart.template new file mode 100644 index 00000000000..486ebbbdc04 --- /dev/null +++ b/shared/templates/package_removed/kickstart.template @@ -0,0 +1,7 @@ +# platform = multi_platform_rhel,multi_platform_fedora +# reboot = false +# strategy = disable +# complexity = low +# disruption = low + +package remove {{{ PKGNAME }}} diff --git a/shared/templates/package_removed/template.yml b/shared/templates/package_removed/template.yml index f0e6c795fef..7d7b50a93e1 100644 --- a/shared/templates/package_removed/template.yml +++ b/shared/templates/package_removed/template.yml @@ -4,3 +4,4 @@ supported_languages: - bash - oval - puppet + - kickstart diff --git a/shared/templates/service_disabled/kickstart.template b/shared/templates/service_disabled/kickstart.template new file mode 100644 index 00000000000..d1e39ae2907 --- /dev/null +++ b/shared/templates/service_disabled/kickstart.template 
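Review bot: `package install {{{ PKGNAME }}}` in package_installed/kickstart.template is not native kickstart syntax (a kickstart lists packages in a `%packages` section and toggles services with `services --enabled=`/`--disabled=`), so these `.cfg` fragments are an intermediate vocabulary that the generator named in the commit message (presumably OpenSCAP) has to translate; the same applies to `package remove`, `service enable` and `service disable` in the package_removed, service_enabled and service_disabled templates of this patch, and to the `bootloader` form in the grub2_bootloader_argument template later in the series. Nothing in the series documents that vocabulary, and the contributing guide only says the content ends in `.cfg`. A header comment in each template, or a paragraph in the developer docs listing the accepted directives, would keep authors from writing real kickstart commands here, e.g. `# Not raw kickstart: "package install <name>" is expanded by the kickstart generator`.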
@@ -0,0 +1,7 @@ +# platform = multi_platform_rhel,multi_platform_fedora +# reboot = false +# strategy = disable +# complexity = low +# disruption = low + +service disable {{{ DAEMONNAME }}} diff --git a/shared/templates/service_disabled/template.yml b/shared/templates/service_disabled/template.yml index 5df2dc54bf6..799afb2961b 100644 --- a/shared/templates/service_disabled/template.yml +++ b/shared/templates/service_disabled/template.yml @@ -6,3 +6,4 @@ supported_languages: - oval - puppet - blueprint + - kickstart diff --git a/shared/templates/service_enabled/kickstart.template b/shared/templates/service_enabled/kickstart.template new file mode 100644 index 00000000000..451af774ae9 --- /dev/null +++ b/shared/templates/service_enabled/kickstart.template @@ -0,0 +1,7 @@ +# platform = multi_platform_rhel,multi_platform_fedora +# reboot = false +# strategy = disable +# complexity = low +# disruption = low + +service enable {{{ DAEMONNAME }}} diff --git a/shared/templates/service_enabled/template.yml b/shared/templates/service_enabled/template.yml index 228f9885f70..53084c33753 100644 --- a/shared/templates/service_enabled/template.yml +++ b/shared/templates/service_enabled/template.yml @@ -4,3 +4,4 @@ supported_languages: - oval - puppet - blueprint + - kickstart From 931fc63ed5148d2662185300e527f1ef593acca3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 12 Jul 2024 15:30:00 +0200 Subject: [PATCH 3/8] Add Kickstart remediation to 'mount' template --- docs/templates/template_reference.md | 2 +- .../software/disk_partitioning/partition_for_dev_shm/rule.yml | 1 + .../software/disk_partitioning/partition_for_var_log/rule.yml | 2 +- shared/templates/mount/kickstart.template | 3 +++ shared/templates/mount/template.py | 3 +++ shared/templates/mount/template.yml | 1 + 6 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 shared/templates/mount/kickstart.template 
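Review bot: service_enabled/kickstart.template carries `# strategy = disable`, which looks copied from service_disabled; the sibling package_installed template in this same patch uses `# strategy = enable` for the enabling action, and the package_removed template uses `disable` for the removing one, so the enabling service template should follow the same pairing. Change the line to `# strategy = enable`.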
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index 3e561e5bed6..84bddc96600 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -488,7 +488,7 @@ The only way to remediate is to recompile and reinstall the kernel, so no remedi - **min_size** - the minimum recommended partition size, in bytes -- Languages: Anaconda, OVAL, Blueprint +- Languages: Anaconda, OVAL, Blueprint, Kickstart #### mount_option - Checks if a given partition is mounted with a specific option such diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml index 406304b07dd..102d2df72c7 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_dev_shm/rule.yml @@ -49,3 +49,4 @@ template: backends: blueprint: 'off' anaconda: 'off' + kickstart: 'off' diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml index e52a765b4c9..93a76085a3a 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml @@ -56,5 +56,5 @@ template: name: mount vars: mountpoint: /var/log - min_size: 5368709120 + min_size: 1073741824 {{% endif %}} diff --git a/shared/templates/mount/kickstart.template b/shared/templates/mount/kickstart.template new file mode 100644 index 00000000000..2241f3f6c80 --- /dev/null +++ b/shared/templates/mount/kickstart.template @@ -0,0 +1,3 @@ +# platform = multi_platform_rhel,multi_platform_fedora + +logvol {{{ MOUNTPOINT }}} --fstype=xfs --name={{{ NAME }}} --vgname=VolGroup --size={{{ MIN_SIZE_MB }}} \ No newline at end of file 
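Review bot: The `min_size` change in partition_for_var_log/rule.yml (5368709120 to 1073741824, i.e. 5 GiB to 1 GiB) is a behavioural change to the rule that the commit message ("Add Kickstart remediation to 'mount' template") does not mention; `min_size` is a parameter of the whole `mount` template, so presumably it lowers the threshold for every backend, including the existing OVAL check and the anaconda and blueprint remediations, not only the new kickstart output. If the intent is to make the generated kickstart installable on smaller disks, that deserves its own line in the commit message and a check that the sources the rule is derived from still accept 1 GiB for /var/log; otherwise keep `min_size: 5368709120`.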
diff --git a/shared/templates/mount/template.py b/shared/templates/mount/template.py index ad9d027b4a1..04f4a8fb10c 100644 --- a/shared/templates/mount/template.py +++ b/shared/templates/mount/template.py @@ -3,4 +3,7 @@ def preprocess(data, lang): data["pointid"] = ssg.utils.escape_id(data["mountpoint"]) + if "min_size" in data and lang == "kickstart": + data["min_size_mb"] = int(int(data["min_size"]) / 1024 / 1024) + data["name"] = data["mountpoint"].replace("/", "") return data diff --git a/shared/templates/mount/template.yml b/shared/templates/mount/template.yml index c0c7f6fddd3..ee9da98378a 100644 --- a/shared/templates/mount/template.yml +++ b/shared/templates/mount/template.yml @@ -2,3 +2,4 @@ supported_languages: - anaconda - oval - blueprint + - kickstart From 2f8d4c9da4d4dfe563f075594499aff5da81efe3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 12 Jul 2024 16:26:50 +0200 Subject: [PATCH 4/8] Add newline --- shared/templates/mount/kickstart.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/templates/mount/kickstart.template b/shared/templates/mount/kickstart.template index 2241f3f6c80..a3f39de2894 100644 --- a/shared/templates/mount/kickstart.template +++ b/shared/templates/mount/kickstart.template @@ -1,3 +1,3 @@ # platform = multi_platform_rhel,multi_platform_fedora -logvol {{{ MOUNTPOINT }}} --fstype=xfs --name={{{ NAME }}} --vgname=VolGroup --size={{{ MIN_SIZE_MB }}} \ No newline at end of file +logvol {{{ MOUNTPOINT }}} --fstype=xfs --name={{{ NAME }}} --vgname=VolGroup --size={{{ MIN_SIZE_MB }}} From 7bb2d08f79a25357a0431559c9eeb3a2fdc68663 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 18 Jul 2024 15:39:58 +0200 Subject: [PATCH 5/8] Simplify the mount kickstart template --- shared/templates/mount/kickstart.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
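Review bot: `data["min_size_mb"] = int(int(data["min_size"]) / 1024 / 1024)` rounds down, so any `min_size` that is not a whole number of MiB yields a logical volume smaller than the minimum the rule asks for (a `min_size` below 1048576 yields `0`); a remediation that cannot satisfy its own check is a defect, and the float division is unnecessary for integers. Use integer ceiling division instead: `data["min_size_mb"] = (int(data["min_size"]) + (1024 * 1024) - 1) // (1024 * 1024)`. The companion `data["name"] = data["mountpoint"].replace("/", "")` becomes dead once patch 5 in this series drops `--name={{{ NAME }}}` from the kickstart template, and for `mountpoint: /` it would be the empty string anyway; drop it together with that simplification. preprocess starts outside the hunk.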
diff --git a/shared/templates/mount/kickstart.template b/shared/templates/mount/kickstart.template index a3f39de2894..fc2bdebd747 100644 --- a/shared/templates/mount/kickstart.template +++ b/shared/templates/mount/kickstart.template @@ -1,3 +1,3 @@ # platform = multi_platform_rhel,multi_platform_fedora -logvol {{{ MOUNTPOINT }}} --fstype=xfs --name={{{ NAME }}} --vgname=VolGroup --size={{{ MIN_SIZE_MB }}} +logvol {{{ MOUNTPOINT }}} {{{ MIN_SIZE_MB }}} From 49261d698cbd6e635b4b7a7af09764ca65fbbc21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 18 Jul 2024 16:49:36 +0200 Subject: [PATCH 6/8] Add Kickstart remediation to 'grub2_bootloader_argument' template --- docs/templates/template_reference.md | 2 +- .../grub2_bootloader_argument/kickstart.template | 11 +++++++++++ .../templates/grub2_bootloader_argument/template.yml | 1 + 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 shared/templates/grub2_bootloader_argument/kickstart.template diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index 84bddc96600..911aa609d4c 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -409,7 +409,7 @@ they must be of the same length. - **arg_variable** - the variable used as the value for the argument, eg. `'var_slub_debug_options'` This parameter is mutually exclusive with **arg_value**. -- Languages: Ansible, Bash, OVAL, Blueprint +- Languages: Ansible, Bash, OVAL, Blueprint, Kickstart #### grub2_bootloader_argument_absent - Ensures that a kernel command line argument is absent in GRUB 2 configuration. diff --git a/shared/templates/grub2_bootloader_argument/kickstart.template b/shared/templates/grub2_bootloader_argument/kickstart.template new file mode 100644 index 00000000000..c5051bcf776 --- /dev/null +++ b/shared/templates/grub2_bootloader_argument/kickstart.template 
@@ -0,0 +1,11 @@ +# platform = multi_platform_rhel,multi_platform_fedora +# reboot = true +# strategy = restrict +# complexity = medium +# disruption = low + +{{%- if ARG_VARIABLE %}} +{{%- set ARG_NAME_VALUE = ARG_NAME ~ "=(kickstart-populate " ~ ARG_VARIABLE ~ ")" -%}} +{{%- endif %}} + +bootloader {{{ ARG_NAME_VALUE }}} diff --git a/shared/templates/grub2_bootloader_argument/template.yml b/shared/templates/grub2_bootloader_argument/template.yml index 3477f16ff5b..461ae265f80 100644 --- a/shared/templates/grub2_bootloader_argument/template.yml +++ b/shared/templates/grub2_bootloader_argument/template.yml @@ -3,3 +3,4 @@ supported_languages: - bash - oval - blueprint + - kickstart From a518d1dc82c7fb81af1fd9c29f22eb9fb6764163 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 19 Jul 2024 10:09:30 +0200 Subject: [PATCH 7/8] Resolve Code Climate problems --- ssg/build_remediations.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py index cce88323bfa..9af015565d9 100644 --- a/ssg/build_remediations.py +++ b/ssg/build_remediations.py @@ -458,6 +458,7 @@ def __init__(self, file_path): super(BlueprintRemediation, self).__init__( file_path, "blueprint") + class KickstartRemediation(Remediation): """ This provides class for Kickstart remediations @@ -466,6 +467,7 @@ def __init__(self, file_path): super(KickstartRemediation, self).__init__( file_path, "kickstart") + REMEDIATION_TO_CLASS = { 'anaconda': AnacondaRemediation, 'ansible': AnsibleRemediation, From 13c8a39fffa8fb59266b0a432656e8ea44985860 Mon Sep 17 00:00:00 2001 
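Review bot: `bootloader {{{ ARG_NAME_VALUE }}}` relies on `ARG_NAME_VALUE` already being defined when `ARG_VARIABLE` is unset (the `arg_value` case the template reference describes as mutually exclusive with `arg_variable`), presumably by the template's preprocessing in template.py, which is not part of this series; if that variable is not set for the kickstart language the rendered line is a bare `bootloader`. A comment stating where the value comes from would make the dependency visible, e.g. `# ARG_NAME_VALUE is "<arg>=<value>" from template.py unless arg_variable is used`. The same comment should say that the `(kickstart-populate VAR)` text built here is substituted by expand_xccdf_subs at build time, so the literal parentheses are not mistaken for a syntax error in the template.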
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 29 Jul 2024 09:48:41 +0200 Subject: [PATCH 8/8] Disable Kickstart remediation in partition_for_boot In rule partition_for_boot the kickstart remediation conflicts with `bootprot --kickstart` command which we use in the generated kickstart by default. This causes problems in some profiles for example RHEL 8 ANSSI where this conflict breaks the installation. We can disable this remediation for this rule because the creation of the partition is handled by the `bootprot --kickstart` command. --- .../software/disk_partitioning/partition_for_boot/rule.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml index f2e0feb48de..5028a75142d 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_boot/rule.yml @@ -31,3 +31,5 @@ template: vars: mountpoint: /boot min_size: 1073741824 + backends: + kickstart: "off"