Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce secure_boot & kernel_uek cpes and use them in sysctl_kernel_kexec_load_disabled #10919

Merged
merged 3 commits into from
Jul 31, 2023
Merged

Introduce secure_boot & kernel_uek cpes and use them in sysctl_kernel_kexec_load_disabled #10919

merged 3 commits into from
Jul 31, 2023

Conversation

Xeicker
Copy link
Contributor

@Xeicker Xeicker commented Jul 27, 2023

Description:

  • Introduce secure_boot cpe
  • Introduce kernel_uek cpe
  • Add these cpes in platform of sysctl_kernel_kexec_load_disabled for OL8

Rationale:

  • This is to comply with latest DISA STIG V1R7 applicability text in OL08-00-010372 requirement

Note: For OL 8 systems using the Oracle Unbreakable Enterprise Kernel (UEK) Release 6 or above and with secureboot enabled, this requirement is not applicable.

References

Since the secure_boot CPE could be polemical I share my reasoning to implement it in that way. The efivar is formed by attributes bytes + var value bytes [1] and the secure boot has to have a 1 in last byte for enabled and a 0 for disabled [2]. So the only byte expected to change is the value, this way the hash should be a good indicator of the system having the secureboot enabled

[1] - https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
[2] - https://docs.kernel.org/filesystems/efivarfs.html

Xeicker added 3 commits July 27, 2023 17:08
@Xeicker
Add secureboot platform
a785df8 
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
@Xeicker
Add kernel_uek platform
ed5e40b 
Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
@Xeicker
Update applicability of rule for OL8
9021f78 
Rule sysctl_kernel_kexec_load_disabled covers STIG requirement
OL08-00-010372 which is not applicable if the system is running with
secureboot enabled and with UEK>=6

Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
@openshift-ci
Copy link

openshift-ci bot commented Jul 27, 2023

Hi @Xeicker. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Jul 27, 2023
@github-actions
Copy link

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@codeclimate
Copy link

codeclimate bot commented Jul 28, 2023

Code Climate has analyzed commit 9021f78 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 53.2% (0.0% change).

View more on Code Climate.

@mildas
Copy link
Contributor

mildas commented Jul 28, 2023

/packit retest-failed

1 similar comment
@mildas
Copy link
Contributor

mildas commented Jul 28, 2023

/packit retest-failed

jan-cerny
jan-cerny approved these changes Jul 31, 2023
View reviewed changes
Copy link
Collaborator

@jan-cerny jan-cerny left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have tried to build the content and I have seen the resolved platform file and checked test_kernel_uek and secure_boot_enabled in the generated SCAP source data stream.

@jan-cerny
Copy link
Collaborator

The CI fail on Rawhide is caused by numpy and isn't related to the contents of this PR.

@jan-cerny jan-cerny merged commit ab42bd5 into ComplianceAsCode:master Jul 31, 2023
@jan-cerny jan-cerny added this to the 0.1.70 milestone Jul 31, 2023
@jan-cerny jan-cerny self-assigned this Jul 31, 2023
@Mab879 Mab879 added the Update Rule Issues or pull requests related to Rules updates. label Oct 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jan-cerny jan-cerny jan-cerny approved these changes

Assignees

@jan-cerny jan-cerny

Labels
needs-ok-to-test Used by openshift-ci bot. Update Rule Issues or pull requests related to Rules updates.
Projects
None yet
Milestone
0.1.70
Development

Successfully merging this pull request may close these issues.
4 participants
@Xeicker @mildas @jan-cerny @Mab879