Hi All,

First, I'm jumping in the deep end with this - I've only just discovered the 
ComplianceAsCode/content repo and whilst loving the design and flexibility, as 
a newbie it is very daunting to ingest how all the rules are generated and 
interact, but it is very logical as I start to understand it more.

I'm currently looking at the Linux rule grub2_audit_argument which uses 
shared/templates/template_OVAL_grub2_bootloader_argument to create the OVAL 
definitions.  The problem is the template hardcodes the grub path to 
/boot/grub2/grub.cfg, but with UEFI, just like the rule documentation warns, it 
will be /boot/efi/EFI/redhat/grub.cfg or /boot/efi/EFI/fedora/grub.cfg.  So the 
rule describes what should be checked and which files to audit for both BIOS 
and UEFI versions, but the actual criteria check only supports the BIOS/default 
path.

So I was curious what the approach would be for adding support to this.  I see 
other OVAL tests that use a shared OVAL check to test (extend) if the system is 
UEFI or not, and pass those that aren't - and will then have a counterpart rule 
just for UEFI, so both rules can exist and be checked.  As the 
grub2_audit_argument rule is using a template, the template isn't UEFI aware, 
and doesn't create two rules for both UEFI and non-UEFI that could use the 
shared extended OVAL check for UEFI.  There are conditionals in the template 
for RHEL or others, to determine what content should be checked, but I can't 
see how you could use a conditional for UEFI path or not.   If I create two 
rules that use the same template and pass in different arguments (e.g. UEFI or 
not), then the test names duplicate and the build complains.  These are just 
the things I've thought about uplifting from my limited experience.

What would be the right way of adding in that path support for UEFI based systems?  
I'm also surprised others wouldn't notice/report this, so perhaps I'm 
misunderstanding something.

Thanks!
Andy.
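
An added example, not part of the original post and not ComplianceAsCode code: a Python version of the check the rule describes, choosing the grub.cfg path by boot mode before looking for the argument. Detecting UEFI through /sys/firmware/efi, the kernel-line pattern and all function names are assumptions; the sample trees are constructed.

```python
import re
import tempfile
from pathlib import Path

# Paths named in the post; the firmware test and line pattern are assumptions.
BIOS_CFG = "boot/grub2/grub.cfg"
UEFI_CFGS = ("boot/efi/EFI/redhat/grub.cfg", "boot/efi/EFI/fedora/grub.cfg")
KERNEL_LINE = re.compile(r"^\s*(linux|linux16|linuxefi)\s+(.*)$")


def active_grub_cfgs(root):
    """Return the grub.cfg files that apply to the detected boot mode."""
    root = Path(root)
    uefi = (root / "sys/firmware/efi").is_dir()
    candidates = UEFI_CFGS if uefi else (BIOS_CFG,)
    return [root / c for c in candidates if (root / c).is_file()]


def check_argument(root, arg="audit=1"):
    """Return (passed, findings); every kernel line must carry arg."""
    root = Path(root)
    cfgs = active_grub_cfgs(root)
    if not cfgs:
        return False, ["no grub.cfg found for the detected boot mode"]
    findings, seen_kernel = [], False
    for cfg in cfgs:
        for num, line in enumerate(cfg.read_text().splitlines(), 1):
            m = KERNEL_LINE.match(line)
            if not m:
                continue
            seen_kernel = True
            # Compare whole tokens so audit=10 does not satisfy audit=1.
            if arg not in m.group(2).split():
                findings.append(f"{cfg.relative_to(root).as_posix()}:{num} lacks {arg}")
    if not seen_kernel:
        findings.append("no kernel lines found")
    return not findings, findings


def make_tree(uefi, kernel_args):
    """Build a constructed sample root holding one menu entry."""
    root = Path(tempfile.mkdtemp())
    if uefi:
        (root / "sys/firmware/efi").mkdir(parents=True)
    cfg = root / (UEFI_CFGS[0] if uefi else BIOS_CFG)
    cfg.parent.mkdir(parents=True)
    verb = "linuxefi" if uefi else "linux16"
    cfg.write_text(f"menuentry 'sample' {{\n\t{verb} /vmlinuz-sample ro {kernel_args}\n}}\n")
    return root
```

On a UEFI tree, a compliant file left at the BIOS path does not satisfy the check, which is the gap the post describes.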
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org