From df348f5074a1356da9345438cf37c313fa76365a Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Wed, 30 Nov 2022 10:04:48 +0100
Subject: [PATCH 1/4] Extend Ansible remediation to avoid fatal errors

There are cases where the systems don't have one or more of the grub
files intended to be checked. If this is the case, the former task in
the Ansible playbook would result in a fatal error. Now, the files
existences are firstly ensured before checking their contents.
---
 .../grub2_enable_selinux/ansible/shared.yml   | 41 ++++++++++++++-----
 1 file changed, 31 insertions(+), 10 deletions(-)

diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml
index e9ff094d6f6..4be24a89dfb 100644
--- a/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/ansible/shared.yml
@@ -4,19 +4,40 @@
 # complexity = low
 # disruption = low
 
-- name: Find /etc/grub.d/ files
-  find:
+- name: "{{{ rule_title }}} - Find /etc/grub.d/ files"
+  ansible.builtin.find:
     paths:
       - /etc/grub.d/
-    follow: yes
-  register: grub
+    follow: true
+  register: result_grub_d
 
-
-- name: Ensure SELinux Not Disabled in grub files
-  replace:
+- name: "{{{ rule_title }}} - Ensure SELinux Not Disabled in /etc/grub.d/ files"
+  ansible.builtin.replace:
     dest: "{{ item.path }}"
     regexp: (selinux|enforcing)=0
   with_items:
-    - "{{ grub.files }}"
-    - { path: /etc/grub2.cfg }
-    - { path: /etc/default/grub }
+    - "{{ result_grub_d.files }}"
+
+- name: "{{{ rule_title }}} - Check if /etc/grub2.cfg exists"
+  ansible.builtin.stat:
+    path: /etc/grub2.cfg
+  register: result_grub2_cfg_present
+
+- name: "{{{ rule_title }}} - Check if /etc/default/grub exists"
+  ansible.builtin.stat:
+    path: /etc/default/grub
+  register: result_default_grub_present
+
+- name: "{{{ rule_title }}} - Ensure SELinux Not Disabled in /etc/grub2.cfg"
+  ansible.builtin.replace:
+    dest: "/etc/grub2.cfg"
+    regexp: (selinux|enforcing)=0
+  when:
+    - result_grub2_cfg_present.stat.exists
+
+- name: "{{{ rule_title }}} - Ensure SELinux Not Disabled in /etc/default/grub"
+  ansible.builtin.replace:
+    dest: "/etc/default/grub"
+    regexp: (selinux|enforcing)=0
+  when:
+    - result_default_grub_present.stat.exists

From 5a77bbd4ee66361a8a2565b3351c39e4f0ff8244 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Wed, 30 Nov 2022 10:23:14 +0100
Subject: [PATCH 2/4] Ensure style guide alignment in OVAL

---
 .../grub2_enable_selinux/oval/shared.xml      | 54 ++++++++++---------
 1 file changed, 28 insertions(+), 26 deletions(-)

diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/oval/shared.xml b/linux_os/guide/system/selinux/grub2_enable_selinux/oval/shared.xml
index d03c21cf143..bc07a3a30e3 100644
--- a/linux_os/guide/system/selinux/grub2_enable_selinux/oval/shared.xml
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/oval/shared.xml
@@ -1,53 +1,55 @@
 <def-group>
-  <definition class="compliance" id="grub2_enable_selinux" version="1">
+  <definition class="compliance" id="{{{ rule_id }}}" version="2">
     {{{ oval_metadata("
         Check if selinux=0 OR enforcing=0 within the GRUB2 configuration files, fail if found.
       ") }}}
     <criteria operator="AND">
-      <criterion comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found" test_ref="test_selinux_default_grub" />
-      <criterion comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found" test_ref="test_selinux_grub2_cfg" />
-      <criterion comment="check value selinux|enforcing=0 in /etc/grub.d, fail if found" test_ref="test_selinux_grub_dir" />
+      <criterion test_ref="test_selinux_default_grub"
+        comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found"/>
+      <criterion test_ref="test_selinux_grub2_cfg"
+        comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found"/>
+      <criterion test_ref="test_selinux_grub_dir"
+        comment="check value selinux|enforcing=0 in /etc/grub.d, fail if found"/>
     </criteria>
   </definition>
 
-  <ind:textfilecontent54_test check="all" check_existence="none_exist"
-  comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found"
-  id="test_selinux_default_grub" version="1">
-    <ind:object object_ref="object_selinux_default_grub" />
+  <ind:textfilecontent54_test id="test_selinux_default_grub" version="1"
+    check="all" check_existence="none_exist"
+    comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found">
+    <ind:object object_ref="object_selinux_default_grub"/>
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_selinux_default_grub"
-  comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found"
-  version="1">
+
+  <ind:textfilecontent54_object id="object_selinux_default_grub" version="1"
+    comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found">
     <ind:filepath>/etc/default/grub</ind:filepath>
     <ind:pattern operation="pattern match">^[\s]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0.*$</ind:pattern>
     <ind:instance datatype="int" operation="equals">1</ind:instance>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_test check="all" check_existence="none_exist"
-  comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found"
-  id="test_selinux_grub2_cfg" version="1">
-    <ind:object object_ref="object_selinux_grub2_cfg" />
+  <ind:textfilecontent54_test id="test_selinux_grub2_cfg" version="1"
+    check="all" check_existence="none_exist"
+    comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found">
+    <ind:object object_ref="object_selinux_grub2_cfg"/>
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_selinux_grub2_cfg" 
-  comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found"
-  version="1">
+
+  <ind:textfilecontent54_object id="object_selinux_grub2_cfg" version="1"
+    comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found">
     <ind:filepath>/etc/grub2.cfg</ind:filepath>
     <ind:pattern operation="pattern match">^.*(selinux|enforcing)=0.*$</ind:pattern>
     <ind:instance datatype="int" operation="equals">1</ind:instance>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_test check="all" check_existence="none_exist"
-  comment="check value selinux|enforcing=0 in /etc/grub.d fail if found"
-  id="test_selinux_grub_dir" version="1">
-    <ind:object object_ref="object_selinux_grub_dir" />
+  <ind:textfilecontent54_test id="test_selinux_grub_dir" version="1"
+    check="all" check_existence="none_exist"
+    comment="check value selinux|enforcing=0 in /etc/grub.d fail if found">
+    <ind:object object_ref="object_selinux_grub_dir"/>
   </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_selinux_grub_dir"
-  comment="check value selinux|enforcing=0 in /etc/grub.d, fail if found"
-  version="1">
+
+  <ind:textfilecontent54_object id="object_selinux_grub_dir" version="1"
+    comment="check value selinux|enforcing=0 in /etc/grub.d, fail if found">
     <ind:path>/etc/grub.d</ind:path>
     <ind:filename operation="pattern match">^.*$</ind:filename>
     <ind:pattern operation="pattern match">^.*(selinux|enforcing)=0.*$</ind:pattern>
     <ind:instance datatype="int" operation="equals">1</ind:instance>
   </ind:textfilecontent54_object>
-
 </def-group>

From 52d6d3e177bada28ccf59cb3f00be01027313839 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Wed, 30 Nov 2022 10:24:34 +0100
Subject: [PATCH 3/4] Improve test scenario scripts in alignment to OVAL

---
 .../tests/selinux_disabled_default_grub.fail.sh             | 5 +++++
 .../tests/selinux_disabled_default_grub_missing.pass.sh     | 5 +++++
 ...disabled.fail.sh => selinux_disabled_everywhere.fail.sh} | 1 -
 .../tests/selinux_disabled_grub_cfg.fail.sh                 | 6 ++++++
 .../tests/selinux_disabled_grub_d.fail.sh                   | 6 ++++++
 .../tests/selinux_enable_similar_line.pass.sh               | 5 +++++
 6 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_default_grub.fail.sh
 create mode 100644 linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_default_grub_missing.pass.sh
 rename linux_os/guide/system/selinux/grub2_enable_selinux/tests/{selinux_disabled.fail.sh => selinux_disabled_everywhere.fail.sh} (85%)
 create mode 100644 linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_grub_cfg.fail.sh
 create mode 100644 linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_grub_d.fail.sh
 create mode 100644 linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_enable_similar_line.pass.sh

diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_default_grub.fail.sh b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_default_grub.fail.sh
new file mode 100644
index 00000000000..10762d1ecec
--- /dev/null
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_default_grub.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "GRUB_CMDLINE_LINUX=selinux=0 enforcing=0 audit=1" >> /etc/default/grub
+sed -i --follow-symlinks "s/selinux=0//gI" /etc/grub2.cfg /etc/grub.d/*
+sed -i --follow-symlinks "s/enforcing=0//gI" /etc/grub2.cfg /etc/grub.d/*
diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_default_grub_missing.pass.sh b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_default_grub_missing.pass.sh
new file mode 100644
index 00000000000..95a1b303d76
--- /dev/null
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_default_grub_missing.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+rm -f /etc/default/grub
+sed -i --follow-symlinks "s/selinux=0//gI" /etc/grub2.cfg /etc/grub.d/*
+sed -i --follow-symlinks "s/enforcing=0//gI" /etc/grub2.cfg /etc/grub.d/*
diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled.fail.sh b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_everywhere.fail.sh
similarity index 85%
rename from linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled.fail.sh
rename to linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_everywhere.fail.sh
index 354bfb6d235..adbde1b99cf 100644
--- a/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled.fail.sh
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_everywhere.fail.sh
@@ -4,5 +4,4 @@ echo "GRUB_CMDLINE_LINUX=selinux=0 enforcing=0 audit=1" >> /etc/default/grub
 echo "selinux=0" >> /etc/grub2.cfg
 echo "enforcing=0" >> /etc/grub2.cfg
 echo "selinux=0" > /etc/grub.d/tmp_file
-echo "rubbish=0" >> /etc/grub.d/tmp_file
 echo "enforcing=0" >> /etc/grub.d/tmp_file
diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_grub_cfg.fail.sh b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_grub_cfg.fail.sh
new file mode 100644
index 00000000000..fe91b159136
--- /dev/null
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_grub_cfg.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+echo "selinux=0" >> /etc/grub2.cfg
+echo "enforcing=0" >> /etc/grub2.cfg
+sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub.d/*
+sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub.d/*
diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_grub_d.fail.sh b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_grub_d.fail.sh
new file mode 100644
index 00000000000..0ec62066733
--- /dev/null
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_disabled_grub_d.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+echo "selinux=0" > /etc/grub.d/tmp_file
+echo "enforcing=0" >> /etc/grub.d/tmp_file
+sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg
+sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg
diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_enable_similar_line.pass.sh b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_enable_similar_line.pass.sh
new file mode 100644
index 00000000000..3323cb3a69d
--- /dev/null
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/tests/selinux_enable_similar_line.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "rubbish=0" >> /etc/grub.d/tmp_file
+sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*
+sed -i --follow-symlinks "s/enforcing=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/*

From a58de39be79adfed3aae2c11cfd81a252bd6610c Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Wed, 30 Nov 2022 14:18:06 +0100
Subject: [PATCH 4/4] Include platform: grub2 for grub2_enable_selinux rule

---
 linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
index 708c6ccd76e..6accc6ec36e 100644
--- a/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/rule.yml
@@ -42,6 +42,8 @@ references:
     nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4
     vmmsrg: SRG-OS-000445-VMM-001780
 
+platform: grub2
+
 ocil_clause: 'SELinux is disabled at boot time'
 
 ocil: |-