
Add operation and datatype support to grub2_bootloader_argument template #14626

Open
macko1 wants to merge 6 commits into ComplianceAsCode:master from macko1:fix_13923

Conversation


@macko1 macko1 commented Apr 7, 2026

Description:

  • Add operation and datatype parameters to the
    grub2_bootloader_argument template so rules can use numeric
    comparisons (e.g. "greater than or equal") and typed matching
    instead of exact string regex.
  • Objects now extract only the argument value via capturing groups.
    States compare using OVAL-native operation and datatype.
  • template.py validates operation/datatype combinations at build
    time, requires quoted arg_value, requires explicit params for
    arg_variable rules. Follows the sysctl template pattern.
  • Update grub2_audit_backlog_limit_argument to use
    "greater than or equal" + int.
  • Update grub2_slub_debug_argument@ol8 to use "pattern match"
    (replaces deprecated is_substring).
  • All other 17 rules set to "equals" + "string" (explicit).
  • Update test scenarios to be more modular — pass custom testing
    values via template.py instead of hardcoding in the scripts.
  • 3 new tests for >= (value at threshold, above, below).
  • Fix existing template automatus test scripts: use the actual
    argument name with a wrong value instead of replacing the
    entire argument with garbage.
  • Document new parameters in template_reference.md.

Rationale:

Review Hints:

  • Review commits in order: template.py first (preprocessing), then
    oval.template (the OVAL plumbing), then rule YAMLs, tests, docs.
  • Build and inspect representative OVALs:
    $ ./build_product --datastream-only
  • rhel9 / grub2_audit_backlog_limit_argument — variable + int + >= + bootc
  • rhel9 / grub2_audit_argument — literal + int + equals + bootc
  • rhel9 / grub2_nousb_argument — no value, existence-only (no state)
  • rhel8 / grub2_audit_backlog_limit_argument — variable + int + >= + $kernelopts
  • ol8 / grub2_slub_debug_argument — variable + string + pattern match
  • ubuntu2404 / grub2_pti_argument — literal + string + equals + grub.d
  • rhel9 / grub2_ipv6_disable_argument — literal + int + equals + dot in name
  • State must have correct operation/datatype, no <local_variable>
    or <concat>.
  • Test with automatus.py — needs a VM, not a container. Using multiple
    parallel VMs is recommended (--slice argument):
    $ ./tests/automatus.py template --libvirt qemu:///session \
        --datastream ./build/ssg-rhel9-ds.xml grub2_bootloader_argument
  • The oval.template has extensive inline comments — the header
    documentation is a good starting point.
  • The RHEL 8 presence+value split is the trickiest part — it exists
    because the wide-capture object must stay for $kernelopts detection.
  • Local VM testing: RHEL 9 202/202, RHEL 8 239/240 (one pre-existing
    grub2_ipv6_disable_argument failure).
  • CI failures are all pre-existing — see comment below.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 7, 2026

openshift-ci Bot commented Apr 7, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


github-actions Bot commented Apr 7, 2026

Change in Ansible shell module found.

Please consider using a more suitable Ansible module than shell if possible.

@macko1 macko1 force-pushed the fix_13923 branch 2 times, most recently from 5d68582 to 117ce41 Compare April 8, 2026 12:30
@macko1 macko1 changed the title DRAFT: take2 DRAFT: #13923 Apr 8, 2026
@macko1 macko1 force-pushed the fix_13923 branch 2 times, most recently from d72131a to 315103b Compare April 8, 2026 22:04
@vojtapolasek vojtapolasek self-assigned this Apr 9, 2026
@macko1 macko1 changed the title DRAFT: #13923 Add arg_minimal_value variable to grub2_bootloader_argument template Apr 9, 2026
@vojtapolasek vojtapolasek commented

Hello @macko1 and thank you.
I have two remarks. First is technical, could you please split the PR into multiple commits? For example, one for documentation, one modifying tests... it makes reviewing easier.
Then I have a remark regarding the main purpose of the PR. As I understand it, your PR makes it possible to define the Grub2 value in three ways:

  • arg_value - checks equality of the value against a hardcoded value
  • arg_variable - checks equality with a value represented by an XCCDF variable
  • newly defined arg_minimal_value - checks if the value is greater or equal to a hardcoded value

If I understand it correctly, then I think this is not an optimal implementation.
Because what if in the future you would like to check if a value is greater or equal to something defined with an XCCDF variable? It would require another round of reimplementation.
I think it would be better to add a different parameter, which would signify the operation between the checked value and the hardcoded / variable provided value. In this way, we could check for equality, greater than, less than... whatever is supported.
I had only a quick glance into templates, but it seems we already support this for example in the accounts_password template or pam_options template. Do you think this concept could be used in this case as well?

@macko1 macko1 force-pushed the fix_13923 branch 4 times, most recently from 13a4ebc to 15dbbd2 Compare April 16, 2026 22:24

macko1 commented Apr 16, 2026

@vojtapolasek you were right, thanks for pointing this out. I've re-implemented the check, and made it extensible - "greater than or equal" can be extended with more OVAL operations in the future, when needed.

I have divided the changes into several commits, as you have asked, I hope this will make it more readable.

PR description updated.

Thanks for a review!

@macko1 macko1 force-pushed the fix_13923 branch 3 times, most recently from 9d97f56 to 869101f Compare May 5, 2026 14:59
@Mab879 Mab879 left a comment

We should add new tests for the rule in the referenced issue to ensure it is fixed and stays fixed.

| (+ grub.d drop-in on Ubuntu)
+-- GRUB_DISABLE_RECOVERY=true

DATA FLOW (current -- will change in the rewrite):
@Mab879 Mab879 May 5, 2026

What rewrite?

@Mab879 Mab879 added this to the 0.1.81 milestone May 5, 2026
@Mab879 Mab879 left a comment

This is looking good. I don't see any issue with it. Saving approval until it is out of draft.

@github-actions

This datastream diff is auto generated by the check Compare DS/Generate Diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force' differs.
--- oval:ssg-grub2_enable_iommu_force:def:1
+++ oval:ssg-grub2_enable_iommu_force:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_iommu_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_iommu_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_iommu_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_iommu_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_iommu_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_iommu_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_iommu_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_iommu_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_iommu_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_iommu_argument:tst:1
+criterion oval:ssg-test_grub2_iommu_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_iommu_argument_default:tst:1
+criterion oval:ssg-test_grub2_iommu_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
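Review bot: the coverage/value split at the top of this hunk hides the attribute that matters most, because a criteria-only diff shows neither `check` nor `check_existence` on `bls_entries_coverage` and `bls_entries_value`, and the commit message says the $kernelopts detection moved from check="all" to "at least one". Please confirm in the built OVAL that only `kernelopts_in_any_boot_loader_entry` relaxes to "at least one" while both `bls_entries_*` tests keep check="all"; otherwise a single compliant BLS entry could satisfy the rule on a host with several entries. The old name `entries_expanded_or_referenced` also documented the condition it encoded; a comment on the new coverage test stating "every entry either carries the argument or references $kernelopts" would keep that readable.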

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_init_on_free' differs.
--- oval:ssg-grub2_init_on_free:def:1
+++ oval:ssg-grub2_init_on_free:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_init_on_free_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_init_on_free_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_init_on_free_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_init_on_free_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_init_on_free_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_init_on_free_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_init_on_free_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_init_on_free_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_init_on_free_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_init_on_free_argument:tst:1
+criterion oval:ssg-test_grub2_init_on_free_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_init_on_free_argument_default:tst:1
+criterion oval:ssg-test_grub2_init_on_free_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_l1tf_argument' differs.
--- oval:ssg-grub2_l1tf_argument:def:1
+++ oval:ssg-grub2_l1tf_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_l1tf_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_l1tf_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_l1tf_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_l1tf_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_l1tf_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_l1tf_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_l1tf_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_l1tf_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_l1tf_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_l1tf_argument:tst:1
+criterion oval:ssg-test_grub2_l1tf_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_l1tf_argument_default:tst:1
+criterion oval:ssg-test_grub2_l1tf_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_mce_argument' differs.
--- oval:ssg-grub2_mce_argument:def:1
+++ oval:ssg-grub2_mce_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_mce_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_mce_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_mce_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_mce_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_mce_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_mce_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_mce_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_mce_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_mce_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_mce_argument:tst:1
+criterion oval:ssg-test_grub2_mce_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_mce_argument_default:tst:1
+criterion oval:ssg-test_grub2_mce_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument' differs.
--- oval:ssg-grub2_pti_argument:def:1
+++ oval:ssg-grub2_pti_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_pti_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_pti_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_pti_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_pti_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_pti_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_pti_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_pti_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_pti_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_pti_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_pti_argument:tst:1
+criterion oval:ssg-test_grub2_pti_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_pti_argument_default:tst:1
+criterion oval:ssg-test_grub2_pti_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument' differs.
--- oval:ssg-grub2_rng_core_default_quality_argument:def:1
+++ oval:ssg-grub2_rng_core_default_quality_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_rng_core_default_quality_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument_default:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
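Review bot: a datatype mismatch is possible here, since the commit message changes var_rng_core_default_quality.var to type number while this rule is counted among the 17 set to "equals" + "string". If the rule binds that variable through arg_variable, the state datatype has to agree with the variable's OVAL datatype (int for a number-typed variable); the PR's own template.py check for arg_variable rules should reject the combination, and if it does not, please make the rule's operation/datatype explicit in rule.yml and add a scenario that exercises the variable.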

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument' differs.
--- oval:ssg-grub2_slab_nomerge_argument:def:1
+++ oval:ssg-grub2_slab_nomerge_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_slab_nomerge_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_slab_nomerge_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_argument:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_argument_default:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument' differs.
--- oval:ssg-grub2_spec_store_bypass_disable_argument:def:1
+++ oval:ssg-grub2_spec_store_bypass_disable_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument_default:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument' differs.
--- oval:ssg-grub2_spectre_v2_argument:def:1
+++ oval:ssg-grub2_spectre_v2_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_spectre_v2_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_spectre_v2_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_argument:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_argument_default:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' differs.
--- oval:ssg-grub2_vsyscall_argument:def:1
+++ oval:ssg-grub2_vsyscall_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_vsyscall_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_vsyscall_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_vsyscall_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_vsyscall_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_vsyscall_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_vsyscall_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_vsyscall_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_vsyscall_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_vsyscall_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_vsyscall_argument:tst:1
+criterion oval:ssg-test_grub2_vsyscall_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_vsyscall_argument_default:tst:1
+criterion oval:ssg-test_grub2_vsyscall_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument' differs.
--- oval:ssg-grub2_ipv6_disable_argument:def:1
+++ oval:ssg-grub2_ipv6_disable_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_ipv6_disable_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_ipv6_disable_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_argument:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_argument_default:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
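Review bot: the dot in `ipv6.disable` needs escaping in every object, not only in the bootc pattern the commit message mentions; the renamed `grub_cmdline_linux`, `in_grubenv`, `bls_entries_*` and `_default` tests presumably build their pattern from the same argument name, and an unescaped dot would let the object match any single character in that position. The review hints already single this rule out as the "dot in name" case, and the description records a pre-existing local failure for exactly this rule on RHEL 8, so a scenario where the argument name only nearly matches (a different character where the dot sits) would make the escaping regression-proof.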

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_nousb_argument' differs.
--- oval:ssg-grub2_nousb_argument:def:1
+++ oval:ssg-grub2_nousb_argument:def:1
@@ -1,15 +1,15 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_nousb_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_nousb_bls_entries_coverage:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_nousb_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_nousb_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_nousb_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_nousb_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_nousb_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_nousb_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_nousb_argument:tst:1
+criterion oval:ssg-test_grub2_nousb_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_nousb_argument_default:tst:1
+criterion oval:ssg-test_grub2_nousb_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
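Review bot: with no `bls_entries_value` criterion added here (the hunk header stays at 15 lines, unlike every other rule), the object regex alone decides compliance, so it must anchor the argument on both sides: whitespace or line start before `nousb` and whitespace, quote or end of line after it. Otherwise a longer token that merely contains the name would count as presence. A presence-only scenario with such a near-miss token, next to the existing pass/fail scripts, would pin that behaviour down.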

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument' differs.
--- oval:ssg-grub2_page_poison_argument:def:1
+++ oval:ssg-grub2_page_poison_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_page_poison_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_page_poison_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_page_poison_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_page_poison_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_page_poison_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_page_poison_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_page_poison_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_page_poison_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_page_poison_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_page_poison_argument:tst:1
+criterion oval:ssg-test_grub2_page_poison_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_page_poison_argument_default:tst:1
+criterion oval:ssg-test_grub2_page_poison_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument' differs.
--- oval:ssg-grub2_slub_debug_argument:def:1
+++ oval:ssg-grub2_slub_debug_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_slub_debug_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_slub_debug_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_slub_debug_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_slub_debug_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_slub_debug_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_slub_debug_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_slub_debug_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_slub_debug_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_slub_debug_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_slub_debug_argument:tst:1
+criterion oval:ssg-test_grub2_slub_debug_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_slub_debug_argument_default:tst:1
+criterion oval:ssg-test_grub2_slub_debug_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
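Review bot: for the "pattern match" variant of this rule the expected value is used as a regex rather than a literal, so the .var values must be regex-safe and the pattern should be anchored if a whole-value match is intended; the criteria tree does not reveal which operation the `bls_entries_value` state carries, and the description only says the ol8 variant uses "pattern match" while the datastream diffed here is for one product. Please state in the ol8 rule.yml whether substring matching (the old is_substring behaviour) is the intent, so the replacement is neither an accidental tightening nor loosening.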

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument' differs.
--- oval:ssg-grub2_audit_argument:def:1
+++ oval:ssg-grub2_audit_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_audit_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_audit_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_audit_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_audit_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_audit_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_audit_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_audit_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_audit_argument:tst:1
+criterion oval:ssg-test_grub2_audit_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_audit_argument_default:tst:1
+criterion oval:ssg-test_grub2_audit_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
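Review bot: the review hints list this rule as literal + int + equals, and with datatype int the comparison is numeric, so a value such as `audit=01` compares equal to 1 where the old exact string match would have failed. That is probably acceptable, but it is a deliberate loosening relative to the 17 rules kept on "string", so the choice of int for this rule (and for ipv6.disable) deserves a sentence in the rule.yml or template_reference.md, and a scenario with a leading zero would record which behaviour is intended.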

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument' differs.
--- oval:ssg-grub2_audit_backlog_limit_argument:def:1
+++ oval:ssg-grub2_audit_backlog_limit_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_audit_backlog_limit_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument_default:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1
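Review bot: nothing in this view shows `operation="greater than or equal"` and `datatype="int"` on the value state, nor the datatype of the referenced variable, and the commit message changes var_audit_backlog_limit.var to type number. OVAL requires the state entity and the external_variable it references to agree on datatype, and a string/int mismatch surfaces only at scan time, so please check the built OVAL for this rule on both RHEL 8 ($kernelopts path) and RHEL 9 (bootc path) that both sides are int. The three new threshold scenarios (at, above, below) cover the comparison itself; one more with a non-numeric value would show that the state fails closed rather than erroring.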

macko1 added 3 commits May 14, 2026 12:39
The grub2_bootloader_argument template could only do exact string
matching — no numeric comparisons.  Follow the sysctl template
pattern and add operation and datatype parameters.

 - Compute test scenario values (pass/fail/boundary) per operation
 - Validate operation/datatype combinations at build time
 - Require explicit operation/datatype for arg_variable rules
 - Require arg_value to be a quoted string in rule.yml
 - Remove deprecated is_substring parameter
 - Rename sanitized_arg_name to arg_name_underscored
 - Update bash.template accordingly

Separate value extraction (object regex) from value comparison
(state operation/datatype).  The old template captured entire lines
and validated with regex — now objects capture only the value and
states compare it directly.

 - Objects extract only the argument value via capturing groups
 - States compare using OVAL-native operation and datatype
 - RHEL 8: split presence and value checks for entries that
   delegate to $kernelopts in grubenv
 - Fix RHEL 8 $kernelopts detection (check="all" -> "at least one")
 - Escape dots in bootc patterns (ipv6.disable)
 - nousb (flag-only args): check presence only, skip value comparison
 - bootc: reuse the same comparison state as other GRUB locations
 - Update header documentation to match new architecture
macko1 added 3 commits May 14, 2026 12:39
 - grub2_audit_backlog_limit_argument: "greater than or equal" + int
 - grub2_slub_debug_argument@ol8: "pattern match" replaces is_substring
 - All other 17 rules: "equals" + "string" (explicit)
 - var_audit_backlog_limit.var: type number, operator >=
 - var_rng_core_default_quality.var: type number
 - 3 new tests for >= (value at threshold, above, below)
 - Fix wrong-value tests: use the actual argument name with a wrong
   value instead of replacing the entire argument with garbage
 - Add section comments to all grub2_bootloader_argument test scripts
 - Simplify Jinja conditionals in >= and pattern-match tests
 - Clean up template.py test value computation
 - Document operation parameter (equals, pattern match, >=)
 - Document datatype parameter (string, int)
 - Note which datatypes each operation supports
 - Mark unused operations as not yet implemented
 - Note that arg_variable rules must set operation/datatype to
   match the .var file
@macko1 macko1 changed the title Add arg_minimal_value variable to grub2_bootloader_argument template Add operation and datatype support to grub2_bootloader_argument template May 14, 2026

macko1 commented May 14, 2026

Fix submitted. Description updated, too.

The template now extracts just the value from GRUB configs and compares
it with proper OVAL operations — so audit_backlog_limit=16384 finally
passes a >= 8192 check instead of failing on exact string match.

19 rules updated, 24 test scripts, docs updated.

CI failures are all pre-existing on master, none from this PR:

  • grub2_ipv6_disable_argument — grub2-mkconfig can't run on
    container overlay (RHEL 9, SLE 15, CS9)
  • Debian 12, RHEL 8 UBI — grubby/grub2-common not in container repos
  • Ubuntu 24.04 — grub2_audit_argument recovery_disabled setup fails
  • CS9/CS10 Testing Farm — unrelated rules (rsyslog_files_permissions)
  • oscap-ssh download — probably a transient GitHub HTTP 429

Ready for review, @Mab879 could I ask you for one, please? Or @vojtapolasek ?
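The object/state split from the PR description, the RHEL 8 $kernelopts indirection from the commit messages, and the 16384-versus-8192 case from the comment above, worked through as an added example. This is illustrative Python written for this page, not ComplianceAsCode's template.py or oval.template; the SUPPORTED table, the regex shapes, the function names and all file contents are assumptions constructed here to mirror what the PR describes.

```python
"""Added example (not ComplianceAsCode project code) modelling the object/state
split the PR describes: "objects" pull only the bare value of a kernel argument
out of GRUB configuration text with a capturing group, and "states" compare that
value with an OVAL-style operation and datatype.  All file contents are constructed."""
import re

# Operation -> datatypes it accepts.  Assumed to mirror the PR's documented
# subset: equals (string/int), pattern match (string), >= (int).
SUPPORTED = {
    "equals": {"string", "int"},
    "pattern match": {"string"},
    "greater than or equal": {"int"},
}

def validate(operation, datatype):
    """Build-time check in the spirit of the validation the PR adds to template.py."""
    if operation not in SUPPORTED:
        raise ValueError(f"unsupported operation {operation!r}")
    if datatype not in SUPPORTED[operation]:
        raise ValueError(f"{operation!r} does not support datatype {datatype!r}")

def value_pattern(arg_name):
    """Object regex whose group 1 is only the value.  re.escape keeps the dot in a
    name like ipv6.disable literal, so 'ipv6Xdisable=1' is not matched."""
    return r'(?:^|\s)' + re.escape(arg_name) + r'=([^\s"]+)'

def extract_values(cmdline, arg_name):
    return re.findall(value_pattern(arg_name), cmdline)

def is_present(cmdline, arg_name):
    """Presence-only object for flag arguments such as nousb (no value to compare)."""
    return re.search(r'(?:^|\s)' + re.escape(arg_name) + r'(?=[\s="]|$)', cmdline) is not None

def compare(found, expected, operation, datatype):
    """State evaluation.  A non-numeric value never satisfies an int state."""
    validate(operation, datatype)
    if datatype == "int":
        try:
            found, expected = int(found), int(expected)
        except ValueError:
            return False
    if operation == "equals":
        return found == expected
    if operation == "greater than or equal":
        return found >= expected
    return re.search(expected, found) is not None  # pattern match

def bls_options(entry):
    """The 'options' line of a BootLoaderSpec entry (/boot/loader/entries/*.conf)."""
    m = re.search(r"^options\s+(.*)$", entry, re.M)
    return m.group(1) if m else ""

def resolve_kernelopts(options, grubenv):
    """RHEL 8 style entries may only reference $kernelopts; expand it from grubenv."""
    if "$kernelopts" in options:
        m = re.search(r"^kernelopts=(.*)$", grubenv, re.M)
        options = options.replace("$kernelopts", m.group(1) if m else "")
    return options

def check(cmdlines, arg_name, expected=None, operation="equals", datatype="string"):
    """True when every command line satisfies the rule: presence only for flag
    arguments (expected is None); otherwise each line must carry the argument
    with a value that satisfies the state."""
    if expected is None:
        return all(is_present(line, arg_name) for line in cmdlines)
    per_line = [extract_values(line, arg_name) for line in cmdlines]
    return all(bool(vals) and all(compare(v, expected, operation, datatype) for v in vals)
               for vals in per_line)

# Constructed stand-ins for /etc/default/grub, /boot/grub2/grubenv and two BLS
# entries (one referencing $kernelopts, one with its options expanded).
GRUB_DEFAULT = ('GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet audit=1 '
                'audit_backlog_limit=16384 ipv6.disable=1 slub_debug=ZP nousb"')
GRUBENV = ("# GRUB Environment Block\nkernelopts=root=/dev/vda2 ro audit=1 "
           "audit_backlog_limit=16384 ipv6.disable=1 slub_debug=ZP nousb\n")
BLS_REFERENCING = "title Example (4.18.0)\nlinux /vmlinuz-4.18.0\noptions $kernelopts\n"
BLS_EXPANDED = ("title Example (5.14.0)\nlinux /vmlinuz-5.14.0\noptions root=/dev/vda2 ro "
                "audit=1 audit_backlog_limit=8192 ipv6.disable=1 slub_debug=ZP nousb\n")

def sample_cmdlines():
    return [
        re.search(r'GRUB_CMDLINE_LINUX="([^"]*)"', GRUB_DEFAULT).group(1),
        resolve_kernelopts(bls_options(BLS_REFERENCING), GRUBENV),
        resolve_kernelopts(bls_options(BLS_EXPANDED), GRUBENV),
    ]

def demo():
    lines = sample_cmdlines()
    return {
        # exact string match rejects 16384 even though it exceeds the 8192 minimum
        "backlog_equals_string": check(lines, "audit_backlog_limit", "8192", "equals", "string"),
        "backlog_ge_int": check(lines, "audit_backlog_limit", "8192", "greater than or equal", "int"),
        "ipv6_disable_equals_int": check(lines, "ipv6.disable", "1", "equals", "int"),
        "slub_debug_pattern": check(lines, "slub_debug", "P", "pattern match", "string"),
        "nousb_presence": check(lines, "nousb"),
    }
```

Running demo() gives False for the string-equality check and True for the >= int check on the same three command lines, which is the behaviour the PR is after. The two details most likely to bite when porting this to the real template are visible here: re.escape on the argument name (ipv6.disable) and the lookahead in is_present, which is all that stands between a flag-only rule like nousb and a false pass on a longer token.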

@macko1 macko1 marked this pull request as ready for review May 14, 2026 10:57
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label May 14, 2026
@macko1 macko1 requested a review from Mab879 May 14, 2026 10:57

openshift-ci Bot commented May 14, 2026

@macko1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                      Commit   Required  Rerun command
ci/prow/e2e-aws-openshift-node-compliance      fa546ad  true      /test e2e-aws-openshift-node-compliance
ci/prow/e2e-aws-openshift-platform-compliance  fa546ad  true      /test e2e-aws-openshift-platform-compliance




Development

Successfully merging this pull request may close these issues.

xccdf_org.ssgproject.content_rule_audit_backlog_limit resets backlog limit even if set to valid value

3 participants