
Reorganize zIPL rules #5888

Merged (14 commits), Jul 9, 2020

Conversation

@yuumasato (Member) commented Jun 26, 2020

Description:

  • Separate from the zIPL rules what is exclusive to zIPL, which is:
    • Ensure bootmap is up to date (with rule, check and fix)
    • Ensure zIPL is using BLS entries only (with rule and check)
      • IMO, providing automated remediation for this is tricky and risky.
  • With this PR, the zIPL argument rules are much simpler now.

Rationale:

  • Separate common aspects to its own rules

@openshift-ci-robot (Collaborator)

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@JAORMX (Contributor) commented Jul 1, 2020

/test all

@yuumasato yuumasato force-pushed the unload_zipl_rules branch from e222c63 to dc415f0 Compare July 2, 2020 14:19
yuumasato added 8 commits July 3, 2020 18:28
Instead of having each zIPL argument rule check for BLS compliance,
let's split into its own rule.
Automated remediation to remove non-BLS boot entries from /etc/zipl.conf
is tricky and can lead to broken entries or removal of all of them.
Instead of having each zIPL argument rule check if zIPL bootmap is up to
date, let's split it into its own rule.
These tests mock existence of zIPL files.
@yuumasato yuumasato force-pushed the unload_zipl_rules branch from dc415f0 to 9370372 Compare July 3, 2020 17:05
path: /etc/zipl.conf
register: zipl_conf

# TODO: handle /boot/loader/entries/*.conf
@yuumasato (Member Author) commented on the snippet above:

I don't see an easy way to do this, leaving as a TODO item for the future.

@yuumasato yuumasato marked this pull request as ready for review July 3, 2020 17:11
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 3, 2020
@matejak matejak self-assigned this Jul 8, 2020
@vojtapolasek (Collaborator) left a comment:

Thank you for these changes. Please also modify the files pertaining to "stable profile" tests, currently the test is failing. See comments for questions and suggestions.
I ran all tests manually and they work as expected, except for the wrong path in the bash remediation for zipl_bootmap_is_up_to_date. When I fixed it everything was working.

yuumasato added 5 commits July 8, 2020 14:03
There can be leading spaces before 'image'.
There is no need to perform pattern match, the check just needs to
examine /etc/zipl.conf file.
Add RHEL-8 CCE identifiers for:
- zipl_bls_entries_only
- zipl_bootmap_is_up_to_date
Update the profile reference file.
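As an added example, not code from the ComplianceAsCode project or from this PR, here is a read-only Python version of the two conditions the commits above describe: scan /etc/zipl.conf for `image=` lines (leading whitespace allowed, no automated removal) and test whether the bootmap is newer than its configuration sources. The `image=` convention for a legacy entry and the /boot/bootmap path are assumptions, not taken from the page; the sample configuration is constructed.

```python
import glob
import os
import re
from typing import Iterable, List, Optional

# Assumption (not from the page): a legacy zIPL entry is introduced by `image=`.
# The key may be indented, so allow leading whitespace rather than anchoring a
# bare "image" at column 0 (the leading-spaces case this PR fixes).
IMAGE_LINE = re.compile(r"^\s*image\s*=")


def non_bls_entries(zipl_conf_text: str) -> List[str]:
    """Return the `image=` lines in zipl.conf text; an empty list means BLS-only.

    Reports only: the PR deliberately ships no automated removal, because
    deleting entries can leave a broken or empty boot configuration.
    """
    return [ln.rstrip() for ln in zipl_conf_text.splitlines() if IMAGE_LINE.match(ln)]


def bootmap_is_up_to_date(bootmap_mtime: Optional[float],
                          source_mtimes: Iterable[float]) -> bool:
    """True when the bootmap is at least as new as every boot config source;
    a missing bootmap (None) counts as out of date."""
    if bootmap_mtime is None:
        return False
    return all(m <= bootmap_mtime for m in source_mtimes)


def _mtime(path: str) -> Optional[float]:
    return os.path.getmtime(path) if os.path.exists(path) else None


# Constructed sample zipl.conf that still carries one legacy (non-BLS) entry.
SAMPLE_ZIPL_CONF = """\
[defaultboot]
defaultauto
target=/boot
[linux]
    image=/boot/vmlinuz-4.18.0
    ramdisk=/boot/initramfs-4.18.0.img
"""

if __name__ == "__main__":
    print("legacy entries in sample:", non_bls_entries(SAMPLE_ZIPL_CONF))
    # Assumed paths: /boot/bootmap and /boot/loader/entries/*.conf.
    sources = ["/etc/zipl.conf"] + glob.glob("/boot/loader/entries/*.conf")
    src_mtimes = [m for m in map(_mtime, sources) if m is not None]
    print("bootmap up to date:", bootmap_is_up_to_date(_mtime("/boot/bootmap"), src_mtimes))
```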
@yuumasato (Member Author)

Note: references to SFRs to be added later.

The zIPL rules are inherited from OSPP profile
@mildas (Contributor) commented Jul 8, 2020

Changes identified:
Rule zipl_bls_entries_only:
 OVAL check is newly added.
Rule zipl_bootmap_is_up_to_date:
 Bash remediation is newly added.
 OVAL check is newly added.
 Ansible remediation newly added.
Profile ospp on rhel8:
 Rule zipl_bootmap_is_up_to_date, zipl_bls_entries_only added to ospp profile.
Profile cui on rhel8:
 CUI profile extends changed OSPP profile.
Profile stig on rhel8:
 Rule !zipl_bls_entries_only, !zipl_bootmap_is_up_to_date added to stig profile.
 STIG profile extends changed OSPP profile.
Profile rhelh-stig on rhel8:
 RHELH-STIG profile extends changed STIG profile.
Profile rhelh-vpp on rhel8:
 RHELH-VPP profile extends changed OSPP profile.
Profile ospp-mls on rhel8:
 OSPP-MLS profile extends changed OSPP profile.
Profile ospp on tests:
 Rule zipl_bootmap_is_up_to_date, zipl_bls_entries_only added to ospp profile.

Recommended tests to execute:
 build_product rhel8
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-rhel8-ds.xml zipl_bls_entries_only
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-rhel8-ds.xml zipl_bootmap_is_up_to_date
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-rhel8-ds.xml zipl_bootmap_is_up_to_date
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml cui
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml ospp-mls
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml rhelh-vpp
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml ospp
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml rhelh-stig
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-rhel8-ds.xml stig
 build_product tests
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-tests-ds.xml ospp

@vojtapolasek (Collaborator)

Please update the STIG stable profile as well.

@yuumasato (Member Author)

Please update the STIG stable profile as well.

I actually unselected the zIPL rules from the STIG Profile.
33bae25 is going through Jenkins now.

@yuumasato (Member Author)

/retest

@matejak (Member) commented Jul 9, 2020

Thank you for the PR, merging!

@matejak matejak merged commit 15b08f2 into ComplianceAsCode:master Jul 9, 2020
@yuumasato yuumasato deleted the unload_zipl_rules branch July 9, 2020 09:52
@yuumasato (Member Author)

Thanks for the reviews, :)

@yuumasato yuumasato added this to the 0.1.51 milestone Jul 9, 2020
@vojtapolasek vojtapolasek modified the milestones: 0.1.51, 0.1.52 Jul 9, 2020

6 participants