Improve template macros for grub command line #10989
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Cover the case where default grub file has the GRUB_CMDLINE_LINUX line but it is commented or the case where no such line exists
teacup-on-rockingchair
added
Ansible
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
@teacup-on-rockingchair It would be great to add a test scenario that would test this situation. |
jan-cerny
requested changes
Aug 16, 2023
| @@ -0,0 +1,5 @@ | |||
| #!/bin/bas | |||
| @@ -0,0 +1,5 @@ | |||
| #!/bin/bas | |||
| #!/bin/bas | ||
| # platform = Red Hat Enterprise Linux 7,sle12,sle15 | ||
|
|
||
| # Removes kernel command line in /etc/default/grub |
There was a problem hiding this comment.
It doesn't exactly remove it, instead, it comments it out.
| @@ -0,0 +1,5 @@ | |||
| #!/bin/bas | |||
| # platform = Red Hat Enterprise Linux 7,sle12,sle15 | |||
There was a problem hiding this comment.
You can't use the short IDs, you should use full names:
# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,SUSE Linux Enterprise 12,SUSE Linux Enterprise 15
There was a problem hiding this comment.
used a multi_platform_sle instead , anyways that was the idea
| @@ -0,0 +1,5 @@ | |||
| #!/bin/bas | |||
| # platform = Red Hat Enterprise Linux 7,sle12,sle15 | |||
There was a problem hiding this comment.
You can't use the short IDs, you should use full names
teacup-on-rockingchair
force-pushed
the
improve_grub2_bootloader_argument_macros
branch
from
7e47f53 to
2634ce2
Compare
teacup-on-rockingchair
force-pushed
the
improve_grub2_bootloader_argument_macros
branch
from
2634ce2 to
a2d4a97
Compare
|
Code Climate has analyzed commit a2d4a97 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 53.3% (0.0% change). View more on Code Climate. |
jan-cerny
approved these changes
Aug 21, 2023
There was a problem hiding this comment.
When the tests are executed on a virtual machine backend, they're OK:
[jcerny@fedora scap-security-guide{pr/10989}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 --datastream build/ssg-rhel7-ds.xml grub2_ipv6_disable_argument
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-08-21-0946/test_suite.log
WARNING - Script arg_not_there_grubenv.fail.sh is not applicable on given platform
WARNING - Script wrong_value_entries.fail.sh is not applicable on given platform
WARNING - Script wrong_value.fail.sh is not applicable on given platform
WARNING - Script invalid_rescue.pass.sh is not applicable on given platform
WARNING - Script arg_not_there_rhel8.fail.sh is not applicable on given platform
WARNING - Script correct_grubenv.pass.sh is not applicable on given platform
WARNING - Script wrong_value_rhel8.fail.sh is not applicable on given platform
WARNING - Script arg_not_there_rhel9.fail.sh is not applicable on given platform
WARNING - Script wrong_value_rhel9.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument
INFO - Script arg_not_there_etcdefaultgrub.fail.sh using profile (all) OK
INFO - Script arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
INFO - Script arg_not_there_rhel7.fail.sh using profile (all) OK
INFO - Script correct_grubby.pass.sh using profile (all) OK
INFO - Script correct_recovery_disabled.pass.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value_etcdefaultgrub.fail.sh using profile (all) OK
INFO - Script wrong_value_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
INFO - Script wrong_value_rhel7.fail.sh using profile (all) OK
INFO - Script cmd_line_commented_etcdefaultgrub.fail.sh using profile (all) OK
INFO - Script cmd_line_not_there_etcdefaultgrub.fail.sh using profile (all) OK
[jcerny@fedora scap-security-guide{pr/10989}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 --remediate-using ansible --datastream build/ssg-rhel7-ds.xml grub2_ipv6_disable_argument
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-08-21-0957/test_suite.log
WARNING - Script arg_not_there_grubenv.fail.sh is not applicable on given platform
WARNING - Script invalid_rescue.pass.sh is not applicable on given platform
WARNING - Script wrong_value_entries.fail.sh is not applicable on given platform
WARNING - Script wrong_value.fail.sh is not applicable on given platform
WARNING - Script arg_not_there_rhel8.fail.sh is not applicable on given platform
WARNING - Script correct_grubenv.pass.sh is not applicable on given platform
WARNING - Script wrong_value_rhel8.fail.sh is not applicable on given platform
WARNING - Script arg_not_there_rhel9.fail.sh is not applicable on given platform
WARNING - Script wrong_value_rhel9.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument
INFO - Script arg_not_there_etcdefaultgrub.fail.sh using profile (all) OK
INFO - Script arg_not_there_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
INFO - Script arg_not_there_rhel7.fail.sh using profile (all) OK
INFO - Script correct_grubby.pass.sh using profile (all) OK
INFO - Script correct_recovery_disabled.pass.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value_etcdefaultgrub.fail.sh using profile (all) OK
INFO - Script wrong_value_etcdefaultgrub_recovery_disabled.fail.sh using profile (all) OK
INFO - Script wrong_value_rhel7.fail.sh using profile (all) OK
INFO - Script cmd_line_commented_etcdefaultgrub.fail.sh using profile (all) OK
INFO - Script cmd_line_not_there_etcdefaultgrub.fail.sh using profile (all) OK
|
The CI fail on Rawhide is caused by missing dnf, the fail of testing farm on c8s is tracked in #10978, both fails aren't caused by the changes in this pull request. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
/etc/default/grubfile revealed some minor issues with current remediationsRationale: