Merge pull request #14535 from jan-cerny/rhel8_cloud

Support RHEL 8 cloud images in GRUB 2 rules

Author: Mab879

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml

@@ -7,6 +7,15 @@
       <criterion comment="Superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg and it
             isn't root, admin, administrator nor equal to any system username"
             test_ref="test_bootloader_uefi_superuser_differ_from_other_users"/>
+{{% if product in ["rhel8"] %}}
+<!-- In RHEL 8 cloud images (eg. AWS) the /boot/efi/EFI/redhat/grub.cfg contains a stub pointing to /boot/grub2/grub.cfg -->
+      <criteria operator="AND" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg is a stub pointing to {{{ grub2_boot_path }}}/grub.cfg">
+        <criterion comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" test_ref="test_grub2_uefi_admin_username_stub" />
+        <criterion comment="Superuser is defined in {{{ grub2_boot_path }}}/grub.cfg and it
+              isn't root, admin, administrator nor equal to any system username"
+              test_ref="test_bootloader_uefi_boot_superuser_differ_from_other_users"/>
+      </criteria>
+{{% endif %}}
     </criteria>
   </definition>
 
@@ -33,10 +42,36 @@
     <ind:state state_ref="state_bootloader_uefi_superuser_differ_from_other_users" />
   </ind:textfilecontent54_test>
 
+{{% set superusers_regex = '^[\\s]*set[\\s]+superusers="(?i)\\b(?!(?:root|admin|administrator)\\b)(\\w+)".*\\n[\\s]*export[\\s]+superusers[\\s]*$' %}}
+
   <ind:textfilecontent54_object id="object_bootloader_uefi_unique_superuser" version="1">
     <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
-    <ind:pattern operation="pattern match"
-          >^[\s]*set[\s]+superusers="(?i)\b(?!(?:root|admin|administrator)\b)(\w+)".*\n[\s]*export[\s]+superusers[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">{{{ superusers_regex }}}</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% if product in ["rhel8"] %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" id="test_grub2_uefi_admin_username_stub" version="1">
+    <ind:object object_ref="object_grub2_uefi_admin_username_stub" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_uefi_admin_username_stub" version="1">
+    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*configfile\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser
+          is defined in {{{ grub2_boot_path }}}/grub.cfg. Superuser is not
+          equal to other system account nor root, admin, administrator"
+          id="test_bootloader_uefi_boot_superuser_differ_from_other_users" version="1">
+    <ind:object object_ref="object_bootloader_uefi_boot_unique_superuser" />
+    <ind:state state_ref="state_bootloader_uefi_superuser_differ_from_other_users" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_bootloader_uefi_boot_unique_superuser" version="1">
+    <ind:filepath>{{{ grub2_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">{{{ superusers_regex }}}</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
+{{% endif %}}
+
 </def-group>

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+
+GRUB_CFG_ROOT="/boot/grub2"
+set_superusers "root"

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+
+GRUB_CFG_ROOT="/boot/grub2"
+set_superusers "koskic"

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml

@@ -4,9 +4,16 @@
 
     <criteria operator="OR">
       <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
+{{% if product in ["rhel8"] %}}
+<!-- In RHEL 8 cloud images (eg. AWS) the /boot/efi/EFI/redhat/grub.cfg contains a stub pointing to /boot/grub2/grub.cfg -->
+      <criteria operator="AND" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg is a stub pointing to {{{ grub2_boot_path }}}/grub.cfg">
+        <criterion comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" test_ref="test_grub2_uefi_password_stub" />
+        <criterion comment="make sure a password is defined in {{{ grub2_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_boot_usercfg" />
+      </criteria>
+{{% endif %}}
     </criteria>
   </definition>
-  
+
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" id="test_grub2_uefi_password_usercfg" version="1">
     <ind:object object_ref="object_grub2_uefi_password_usercfg" />
   </ind:textfilecontent54_test>
@@ -16,4 +23,24 @@
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
+{{% if product in ["rhel8"] %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" id="test_grub2_uefi_password_stub" version="1">
+    <ind:object object_ref="object_grub2_uefi_password_stub" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_uefi_password_stub" version="1">
+    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*configfile\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in {{{ grub2_boot_path }}}/user.cfg" id="test_grub2_uefi_password_boot_usercfg" version="1">
+    <ind:object object_ref="object_grub2_uefi_password_boot_usercfg" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_uefi_password_boot_usercfg" version="1">
+    <ind:filepath>{{{ grub2_boot_path }}}/user.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endif %}}
+
 </def-group>

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cp "/boot/efi/EFI/redhat/user.cfg" "/boot/grub2/user.cfg"
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+rm -rf "/boot/grub2/user.cfg"

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+
+GRUB_CFG_ROOT="/boot/grub2"
+make_grub_password