
Commit 69c90bf

Add operation/datatype support to grub2_bootloader_argument
The grub2_bootloader_argument OVAL template relied on regex pattern matching for all value comparisons, including numeric thresholds like audit_backlog_limit. This meant "8192 >= 8192" was evaluated as a string match, not a numeric comparison — any value containing the expected digits would pass regardless of magnitude.

Add operation and datatype parameters to the template so the OVAL state element uses native OVAL comparison (equals, greater than or equal, pattern match) with the correct datatype (string, int). Objects now extract only the argument value via capturing groups instead of matching the entire line.

Changes:
- oval.template: rewrite objects to extract values, states use operation/datatype attributes, remove local_variable/concat, nousb triggers existence-only checks
- template.py: add validation for operation/datatype combinations, require quoted arg_value in rule.yml, require explicit params for arg_variable rules, compute test scenario values
- 19 rule.yml files: add operation/datatype parameters
- 2 .var files: change type from string to number
- bash.template: rename SANITIZED_ARG_NAME to ARG_NAME_UNDERSCORED
- tests: fix wrong_variable=wrong to use proper wrong values, add 3 GTE boundary tests, add comments to all ARG_VARIABLE blocks
- template_reference.md: document new parameters
1 parent 9ee5408 commit 69c90bf

47 files changed

Lines changed: 780 additions & 398 deletions


docs/templates/template_reference.md

Lines changed: 55 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -455,18 +455,63 @@ they must be of the same length.
455455
- Languages: Bash, OVAL
456456

457457
#### grub2_bootloader_argument
458-
- Ensures that a kernel command line argument is present in GRUB 2 configuration.
458+
- Ensures that a kernel command line argument is present in GRUB 2 configuration
459+
with the expected value.
459460

460-
- Parameters:
461-
462-
- **arg_name** - argument name, eg. `audit`
463-
464-
- **arg_value** - argument value, eg. `'1'`
465-
466-
- **arg_variable** - the variable used as the value for the argument, eg. `'var_slub_debug_options'`
467-
This parameter is mutually exclusive with **arg_value**.
461+
- Parameters:
468462

469-
- Languages: Ansible, Bash, OVAL, Blueprint, Kickstart
463+
- **arg_name** - kernel argument name, e.g. `audit`, `audit_backlog_limit`, `nousb`.
464+
465+
- **arg_value** - expected value, e.g. `'1'`, `'on'`. Mutually exclusive with
466+
**arg_variable**. Omit for flag-only arguments like `nousb`.
467+
**Must be quoted** in `rule.yml` — YAML auto-parses unquoted scalars
468+
(`8192` becomes int, `on`/`off` become bool), but the template needs a
469+
string to build regexes and config file content. The build will fail with
470+
a clear error if the value is not a string.
471+
472+
- **arg_variable** - XCCDF variable providing the expected value at scan time,
473+
e.g. `var_audit_backlog_limit`. Mutually exclusive with **arg_value**.
474+
When `arg_variable` is used, **operation** and **datatype** are required —
475+
the `.var` file defines the XCCDF variable `type` (string/number) and
476+
`operator` (equals/greater than or equal/...), and the OVAL state must
477+
use matching values. `template.py` cannot read `.var` files, so the rule
478+
author must declare both in `rule.yml` and keep them in sync manually.
479+
480+
- **operation** - OVAL comparison operation applied to the extracted value.
481+
Default: `equals`. Supported values: `equals`, `not equal`, `greater than`,
482+
`less than`, `greater than or equal`, `less than or equal`, `pattern match`.
483+
- `equals` — the extracted value must match the expected value exactly.
484+
Use for arguments with a single known-good value (e.g. `audit=1`,
485+
`pti=on`).
486+
- `pattern match` — the extracted value is matched against the expected
487+
value as a regex. Use when multiple values are acceptable and the
488+
expected value is a pattern (e.g. `slub_debug` on OL8 where the
489+
variable value `P` must appear anywhere inside values like `FZP`).
490+
Replaces the deprecated `is_substring` parameter.
491+
- `greater than or equal` — the extracted value must be numerically
492+
greater than or equal to the expected value. Requires `datatype: int`.
493+
Use for threshold arguments (e.g. `audit_backlog_limit>=8192`).
494+
- Other operations (`not equal`, `greater than`, `less than`,
495+
`less than or equal`) are supported for future use but no current
496+
rule uses them.
497+
498+
- **datatype** - OVAL datatype for the comparison. Default: `string`.
499+
Supported values: `string`, `int`.
500+
- `string` — lexicographic comparison. Use for non-numeric values
501+
(e.g. `on`, `force`, `none`).
502+
- `int` — numeric comparison. Use when the value is a number
503+
(e.g. `audit_backlog_limit=8192`, `audit=1`). Required for numeric
504+
operations like `greater than or equal`.
505+
506+
- Test values: for `arg_value` rules, `template.py` computes `correct_value`
507+
and `wrong_value` based on `operation` and `datatype`. For `arg_variable`
508+
rules, the real value is only known at scan time (from the XCCDF profile),
509+
so `template.py` uses safe dummy values — same approach as the `sysctl`
510+
template. Test scripts for `arg_variable` rules use
511+
`# variables = var_name=value` to tell Automatus what value to set at
512+
runtime.
513+
514+
- Languages: Ansible, Bash, OVAL, Blueprint, Kickstart
470515

471516
#### grub2_bootloader_argument_absent
472517
- Ensures that a kernel command line argument is absent in GRUB 2 configuration.
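Review bot: the `datatype` section states a datatype requirement only for `greater than or equal`, yet the commit message says `template.py` now validates operation/datatype combinations; list the rejected combinations here as well (for instance whether `pattern match` requires `datatype: string` and whether `greater than`, `less than` and `less than or equal` require `int`), so rule authors learn the rule from the reference rather than from a build error. Two smaller points in the same hunk: "`string` — lexicographic comparison" describes only the ordering operations, for `equals` it is plain string equality; and since the text says the `.var` `type`/`operator` must be kept in sync with `datatype`/`operation` by hand, spell out the name mapping (`.var` `type: number` pairs with `datatype: int`) so nobody writes `datatype: number` in `rule.yml`.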

linux_os/guide/auditing/grub2_audit_argument/rule.yml

Lines changed: 2 additions & 0 deletions
@@ -57,6 +57,8 @@ template:
5757
vars:
5858
arg_name: audit
5959
arg_value: '1'
60+
datatype: int
61+
operation: equals
6062

6163
fixtext: |-
6264
{{{ describe_grub2_argument("audit=1") | indent(4) }}}
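Review bot: with `datatype: int` and `operation: equals` on `audit=1`, an extracted value that is not an integer (the reference hunk lists `on`/`off` as values other arguments take) cannot be converted for an int comparison; confirm that such a value yields a clean fail rather than an OVAL error result, and that numerically equal spellings such as `audit=01` passing is the intended semantics now that the check is no longer a regex on the whole line.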

linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml

Lines changed: 2 additions & 0 deletions
@@ -52,3 +52,5 @@ template:
5252
vars:
5353
arg_name: audit_backlog_limit
5454
arg_variable: var_audit_backlog_limit
55+
datatype: int
56+
operation: greater than or equal
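Review bot: `datatype: int` / `operation: greater than or equal` duplicate what `var_audit_backlog_limit.var` declares as `type: number` / `operator: greater than or equal`, and the reference hunk says `template.py` cannot read `.var` files, so the two must be kept in sync by hand. Add a comment next to these two lines naming the `.var` file as the source of truth (and noting that XCCDF `number` pairs with OVAL `int`), so the next person changing the threshold's operator updates both files.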

linux_os/guide/auditing/var_audit_backlog_limit.var

Lines changed: 2 additions & 2 deletions
@@ -7,9 +7,9 @@ description: |-
77
The audit_backlog_limit parameter determines how auditd records can
88
be held in the auditd backlog.
99

10-
type: string
10+
type: number
1111

12-
operator: equals
12+
operator: greater than or equal
1313

1414
interactive: true
1515

linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml

Lines changed: 2 additions & 0 deletions
@@ -37,3 +37,5 @@ template:
3737
vars:
3838
arg_name: iommu
3939
arg_value: 'force'
40+
datatype: string
41+
operation: equals
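Review bot: `datatype: string` and `operation: equals` are the documented defaults, so these two lines change nothing for an `arg_value` rule, and the commit message requires explicit params only for `arg_variable` rules. Either state in template_reference.md that every rule should declare both explicitly (which is what the 19 rule.yml changes do) or drop the defaulted lines; as it stands the reference and the rules disagree on whether they are optional.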

linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml

Lines changed: 2 additions & 0 deletions
@@ -33,3 +33,5 @@ template:
3333
vars:
3434
arg_name: init_on_alloc
3535
arg_value: '1'
36+
datatype: int
37+
operation: equals

linux_os/guide/system/bootloader-grub2/grub2_init_on_free/rule.yml

Lines changed: 2 additions & 0 deletions
@@ -29,3 +29,5 @@ template:
2929
vars:
3030
arg_name: init_on_free
3131
arg_value: '1'
32+
datatype: int
33+
operation: equals

linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml

Lines changed: 2 additions & 0 deletions
@@ -52,5 +52,7 @@ template:
5252
vars:
5353
arg_name: random.trust_cpu
5454
arg_value: 'on'
55+
datatype: string
56+
operation: equals
5557
backends:
5658
oval: "off"
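Review bot: the context lines show `backends: oval: "off"` for this rule, so the new `datatype` and `operation` values are never used by an OVAL state here. Harmless, but a short comment that they are present only to satisfy template validation (or a decision that `template.py` skips the operation/datatype validation when the OVAL backend is disabled) would save the next reader the question.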

linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml

Lines changed: 2 additions & 0 deletions
@@ -43,3 +43,5 @@ template:
4343
vars:
4444
arg_name: l1tf
4545
arg_variable: var_l1tf_options
46+
datatype: string
47+
operation: equals
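Review bot: `operation: equals` against `var_l1tf_options` means the scanned `l1tf=` value must match the selected variable value exactly, and per the reference hunk the `.var` must declare `type: string` and `operator: equals` to match. `var_l1tf_options.var` is not among the files shown (only two `.var` files change and the visible one is `var_audit_backlog_limit.var`), so confirm its `operator` is `equals`; if the previous template behaviour for this rule relied on the deprecated `is_substring` matching, `pattern match` may be the faithful replacement instead.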

linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml

Lines changed: 2 additions & 0 deletions
@@ -36,3 +36,5 @@ template:
3636
vars:
3737
arg_name: mce
3838
arg_value: '0'
39+
datatype: int
40+
operation: equals
