enhance the grub2_argument template to cover more use cases

[vojtapolasek]

Description:

• modify the OVAL check so that it better covers use cases possible in RHEL 8.
• The biggest change is that the check now accepts options both directly in /boot/loader/entries/*.conf files together with options in /boot/grub2/grubenv referenced with the $kernelopts variable.
• Test scenarios were also updated to verify this new case.

Rationale:

• this fixes the issue https://issues.redhat.com/browse/RHEL-53365

Review Hints:

• probably test all rules templated with grub2_argument

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12375
This image was built from commit: c3b668f

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12375

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12375 make deploy-local

[jan-cerny]

For the rule grub2_audit_argument the test scenarios arg_not_in_entries.fail.sh and wrong_value_entries.fail.sh fail on RHEL 8. It passes on RHEL 9. However, I'm surprised that these test scenarios pass for other rules that use the same template eg. grub2_spectre_v2_argument.

Can you take a look into this problem?

See the Automatus output:

jcerny@fedora:~/work/git/scap-security-guide (pr/12375)$ python3 tests/automatus.py rule --datastream build/ssg-rhel8-ds.xml  --libvirt qemu:///system ssgts_rhel8 grub2_audit_argument
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2024-09-13-1346/test_suite.log
WARNING - Script correct_value_etcdefault_dir.pass.sh is not applicable on given platform
WARNING - Script invalid_rescue.pass.sh is not applicable on given platform
WARNING - Script correct_value_substring_right.pass.sh is not applicable on given platform
WARNING - Script correct_value_substring_left.pass.sh is not applicable on given platform
WARNING - Script correct_value_noupdate.fail.sh is not applicable on given platform
WARNING - Script arg_not_in_etcdefaultgrub_recovery_disabled.fail.sh is not applicable on given platform
WARNING - Script correct_value_etcdefault_dir_noupdate.fail.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefault_dir.fail.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefault.fail.sh is not applicable on given platform
WARNING - Script correct_recovery_disabled.pass.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefaultgrub.fail.sh is not applicable on given platform
WARNING - Script wrong_value_etcdefaultgrub_recovery_disabled.fail.sh is not applicable on given platform
WARNING - Script arg_not_there_grub_cfg.fail.sh is not applicable on given platform
WARNING - Script double_value_ol7.fail.sh is not applicable on given platform
WARNING - Script wrong_value_ol7.fail.sh is not applicable on given platform
INFO - xccdf_org.ssgproject.content_rule_grub2_audit_argument
INFO - Script correct_value_mix_entries_and_grubenv.pass.sh using profile (all) OK
INFO - Script arg_not_in_etcdefaultgrub.fail.sh using profile (all) OK
ERROR - Script wrong_value_entries.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument'.
INFO - Script arg_not_in_grubenv_and_not_referenced.pass.sh using profile (all) OK
INFO - Script correct_value_grubenv_only.pass.sh using profile (all) OK
ERROR - Script arg_not_in_entries.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument'.
INFO - Script arg_not_in_grubenv_but_referenced.fail.sh using profile (all) OK
INFO - Script wrong_value_grubenv.fail.sh using profile (all) OK
INFO - Script correct_value_remediated.pass.sh using profile (all) OK
INFO - Script double_value_rhel8.fail.sh using profile (all) OK

[jan-cerny]

This test scenario is only for Oracle Linux 7. Have you tested your change on OL 7? Would it make sense to extend the scenario to other operating systems?

[vojtapolasek]

I think i resolved it in the latest force push. I made most of such tests which were moved from the grub2_audit_argument applicable to all platforms because checking of /etc/default/grub is relevant for all products.

[jan-cerny]

it probably should be removed instead of having it commented out

[vojtapolasek]

Fixed in the latest commit.

[codeclimate]

Code Climate has analyzed commit c3b668f and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.5% (0.0% change).

View more on Code Climate.

[vojtapolasek]

@jan-cerny I refactored tests. I rewrote the common.sh script so that it prepares a clean environment in any case. Other scenarios can be therefore simpler.