Fix grub2_bootloader_argument to accept variables defining minimal values

Author: macko1

docs/templates/template_reference.md

@@ -461,13 +461,68 @@ they must be of the same length.
 
     -   **arg_name** - argument name, eg. `audit`
 
-    -   **arg_value** - argument value, eg. `'1'`
-
-    -   **arg_variable** - the variable used as the value for the argument, eg. `'var_slub_debug_options'`
-        This parameter is mutually exclusive with **arg_value**.
+    -   **arg_value** - argument value, eg. `'1'`.
+        This parameter is mutually exclusive with **arg_variable** and **arg_minimal_value**.
+
+    -   **arg_variable** - the variable used as the value for the argument, eg. `'var_slub_debug_options'`.
+        This parameter is mutually exclusive with **arg_value** and **arg_minimal_value**.
+
+    -   **arg_minimal_value** - XCCDF variable ID whose value is the minimum
+        acceptable integer for the argument, eg. `'var_audit_backlog_limit'`.
+        When set, the OVAL check captures the numeric value after
+        `arg_name=` and verifies it is greater than or equal to the
+        variable's value at scan time.
+        This parameter is mutually exclusive with **arg_value** and **arg_variable**.
+
+    The three value modes control how `template.py` builds the
+    `ARG_NAME_VALUE` string that all templates use:
+
+    -   **arg_value** — the value is a literal, known at build time.
+        `ARG_NAME_VALUE` is set to `"arg_name=arg_value"` (e.g.
+        `"audit=1"`).  All templates use it directly.
+
+    -   **arg_variable** — the value is an XCCDF variable name, resolved
+        at scan/remediation time.  `ARG_NAME_VALUE` is set to the bare
+        argument name (e.g. `"slub_debug"`), because the actual value is
+        unknown at build time.  Each remediation template overrides
+        `ARG_NAME_VALUE` with the runtime variable (e.g. Bash produces
+        `slub_debug=$var_slub_debug_options`).  OVAL does an exact
+        string match against the variable's value.
+
+    -   **arg_minimal_value** — same as **arg_variable** for
+        remediations: the value is an XCCDF variable name, and
+        `ARG_NAME_VALUE` is the bare argument name (e.g.
+        `"audit_backlog_limit"`).  The difference is in OVAL: instead
+        of an exact string match, the check captures the numeric value
+        and compares it as an integer `>=` the variable's value.  For
+        example, `audit_backlog_limit=16384` passes when the variable
+        is `8192`.
 
 -   Languages: Ansible, Bash, OVAL, Blueprint, Kickstart
 
+-   Examples:
+
+        # Hardcoded value — OVAL checks for exact "audit=1"
+        template:
+            name: grub2_bootloader_argument
+            vars:
+                arg_name: audit
+                arg_value: "1"
+
+        # XCCDF variable, exact match — OVAL checks for "slub_debug=<var value>"
+        template:
+            name: grub2_bootloader_argument
+            vars:
+                arg_name: slub_debug
+                arg_variable: var_slub_debug_options
+
+        # XCCDF variable, minimum value — OVAL checks integer >= <var value>
+        template:
+            name: grub2_bootloader_argument
+            vars:
+                arg_name: audit_backlog_limit
+                arg_minimal_value: var_audit_backlog_limit
+
 #### grub2_bootloader_argument_absent
 -   Ensures that a kernel command line argument is absent in GRUB 2 configuration.
     The template can also remove arguments with a value assigned, eg. audit=1

linux_os/guide/auditing/grub2_audit_backlog_limit_argument/policy/stig/shared.yml

@@ -15,13 +15,17 @@ vuldiscussion: |-
 checktext: |-
     Verify {{{ full_name }}} allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command:
 
-    $ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
+    $ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit'
 
-    If the command returns any outputs, and audit_backlog_limit is less than "8192", this is a finding.
+    If the command produces output, at least one kernel entry is missing "audit_backlog_limit" parameter. This is a finding.
+
+    Verify the audit_backlog_limit is set to a value of at least 8192 with the following command:
+
+    $ sudo grubby --info=ALL | sed -n 's/.*audit_backlog_limit=\([0-9]*\).*/\1/p'
+
+    If the returned value is less than "8192", this is a finding.
 
 fixtext: |-
     Configure {{{ full_name }}} to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command:
 
     $ sudo grubby --update-kernel=ALL --args=audit_backlog_limit=8192
-
-

linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml

@@ -50,4 +50,4 @@ template:
     name: grub2_bootloader_argument
     vars:
         arg_name: audit_backlog_limit
-        arg_variable: var_audit_backlog_limit
+        arg_minimal_value: var_audit_backlog_limit

linux_os/guide/auditing/var_audit_backlog_limit.var

@@ -3,13 +3,16 @@ documentation_complete: true
 title: Audit backlog limit
 
 description: |-
-    Value of the audit_backlog_limit argument in GRUB 2 configuration.
-    The audit_backlog_limit parameter determines how auditd records can
-    be held in the auditd backlog.
+    Minimum value of the audit_backlog_limit kernel parameter.
+    This parameter sets the maximum number of outstanding audit
+    records the kernel buffers while the audit daemon is not yet
+    running or cannot keep up. If the backlog exceeds this limit,
+    the kernel takes action based on the audit failure flag
+    (silently drop, warn and drop, or panic).
 
-type: string
+type: number
 
-operator: equals
+operator: greater than or equal
 
 interactive: true
 

shared/templates/grub2_bootloader_argument/ansible.template

@@ -3,9 +3,12 @@
 # strategy = restrict
 # complexity = medium
 # disruption = low
-
-{{% if ARG_VARIABLE %}}
-{{{ ansible_instantiate_variables(ARG_VARIABLE) }}}
-{{% set ARG_NAME_VALUE = ARG_NAME ~ "={{ " ~ ARG_VARIABLE ~ " }}" %}}
+{{#- Override ARG_NAME_VALUE when the rule uses an XCCDF variable. Safe as template.py fails if both are set. -#}}
+{{% set _var = ARG_MINIMAL_VALUE or ARG_VARIABLE %}}
+{{% if _var %}}
+{{{ ansible_instantiate_variables(_var) }}}
+{{% set ARG_NAME_VALUE = ARG_NAME ~ "={{ " ~ _var ~ " }}" %}}
 {{% endif %}}
-{{{ ansible_grub2_bootloader_argument(ARG_NAME, ARG_NAME_VALUE, ARG_VARIABLE) }}}
+
+{{#- Generate Ansible tasks to update GRUB config files #}}
+{{{- ansible_grub2_bootloader_argument(ARG_NAME, ARG_NAME_VALUE, ARG_VARIABLE) }}}

shared/templates/grub2_bootloader_argument/bash.template

@@ -4,9 +4,11 @@
    Product-specific categorization should be synced across all template content types
 -#}}
 
-{{%- if ARG_VARIABLE %}}
-{{{- bash_instantiate_variables(ARG_VARIABLE) }}}
-{{%- set ARG_NAME_VALUE = ARG_NAME ~ "=$" ~ ARG_VARIABLE %}}
+{{#- Override ARG_NAME_VALUE when the rule uses an XCCDF variable. Safe as template.py fails if both are set. -#}}
+{{%- set _var = ARG_MINIMAL_VALUE or ARG_VARIABLE %}}
+{{%- if _var %}}
+{{{- bash_instantiate_variables(_var) }}}
+{{%- set ARG_NAME_VALUE = ARG_NAME ~ "=$" ~ _var %}}
 {{% endif %}}
 
 if {{{ bash_bootc_build() }}} ; then

shared/templates/grub2_bootloader_argument/blueprint.template

@@ -1,6 +1,8 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_almalinux
-{{%- if ARG_VARIABLE %}}
-{{%- set ARG_NAME_VALUE = ARG_NAME ~ "=(blueprint-populate " ~ ARG_VARIABLE ~ ")" -%}}
+{{#- Override ARG_NAME_VALUE when the rule uses an XCCDF variable. Safe as template.py fails if both are set. -#}}
+{{%- set _var = ARG_MINIMAL_VALUE or ARG_VARIABLE %}}
+{{%- if _var %}}
+{{%- set ARG_NAME_VALUE = ARG_NAME ~ "=(blueprint-populate " ~ _var ~ ")" -%}}
 {{%- endif %}}
 [customizations.kernel]
 append = "{{{ ARG_NAME_VALUE }}}"

shared/templates/grub2_bootloader_argument/kickstart.template

@@ -4,8 +4,10 @@
 # complexity = medium
 # disruption = low
 
-{{%- if ARG_VARIABLE %}}
-{{%- set ARG_NAME_VALUE = ARG_NAME ~ "=(kickstart-populate " ~ ARG_VARIABLE ~ ")" -%}}
+{{#- Override ARG_NAME_VALUE when the rule uses an XCCDF variable. Safe as template.py fails if both are set. -#}}
+{{%- set _var = ARG_MINIMAL_VALUE or ARG_VARIABLE %}}
+{{%- if _var %}}
+{{%- set ARG_NAME_VALUE = ARG_NAME ~ "=(kickstart-populate " ~ _var ~ ")" -%}}
 {{%- endif %}}
 
 bootloader {{{ ARG_NAME_VALUE }}}