take2

Author: macko1

docs/templates/template_reference.md

@@ -461,10 +461,18 @@ they must be of the same length.
 
     -   **arg_name** - argument name, eg. `audit`
 
-    -   **arg_value** - argument value, eg. `'1'`
-
-    -   **arg_variable** - the variable used as the value for the argument, eg. `'var_slub_debug_options'`
-        This parameter is mutually exclusive with **arg_value**.
+    -   **arg_value** - argument value, eg. `'1'`.
+        This parameter is mutually exclusive with **arg_variable** and **arg_minimal_value**.
+
+    -   **arg_variable** - the variable used as the value for the argument, eg. `'var_slub_debug_options'`.
+        This parameter is mutually exclusive with **arg_value** and **arg_minimal_value**.
+
+    -   **arg_minimal_value** - XCCDF variable ID whose value is the minimum
+        acceptable integer for the argument, eg. `'var_audit_backlog_limit'`.
+        When set, the OVAL check captures the numeric value after
+        `arg_name=` and verifies it is greater than or equal to the
+        variable's value at scan time.
+        This parameter is mutually exclusive with **arg_value** and **arg_variable**.
 
 -   Languages: Ansible, Bash, OVAL, Blueprint, Kickstart
 

linux_os/guide/auditing/grub2_audit_backlog_limit_argument/policy/stig/shared.yml

@@ -15,13 +15,17 @@ vuldiscussion: |-
 checktext: |-
     Verify {{{ full_name }}} allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command:
 
-    $ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit=8192'
+    $ sudo grubby --info=ALL | grep args | grep -v 'audit_backlog_limit'
 
-    If the command returns any outputs, and audit_backlog_limit is less than "8192", this is a finding.
+    If the command returns any output, audit_backlog_limit is not configured for all kernels and this is a finding.
+
+    Verify the audit_backlog_limit value is sufficient with the following command:
+
+    $ sudo grubby --info=ALL | sed -n 's/.*audit_backlog_limit=\([0-9]*\).*/\1/p'
+
+    If the returned value is less than "8192", this is a finding.
 
 fixtext: |-
     Configure {{{ full_name }}} to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command:
 
     $ sudo grubby --update-kernel=ALL --args=audit_backlog_limit=8192
-
-

linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml

@@ -50,4 +50,4 @@ template:
     name: grub2_bootloader_argument
     vars:
         arg_name: audit_backlog_limit
-        arg_variable: var_audit_backlog_limit
+        arg_minimal_value: var_audit_backlog_limit

linux_os/guide/auditing/var_audit_backlog_limit.var

@@ -3,13 +3,14 @@ documentation_complete: true
 title: Audit backlog limit
 
 description: |-
-    Value of the audit_backlog_limit argument in GRUB 2 configuration.
-    The audit_backlog_limit parameter determines how auditd records can
-    be held in the auditd backlog.
+    Minimum value of the audit_backlog_limit kernel parameter in
+    GRUB 2 configuration. This parameter determines how many audit
+    records can be held in the backlog queue before the audit daemon
+    starts processing them.
 
 type: string
 
-operator: equals
+operator: greater than or equal
 
 interactive: true
 

shared/templates/grub2_bootloader_argument/oval.template

@@ -8,6 +8,16 @@ def preprocess(data, lang):
                 "arg_name: {0}\n"
                 "arg_variable: {1}".format(data['arg_value'], data['arg_variable']))
 
+    # arg_minimal_value activates a "greater than or equal" integer comparison
+    # against an XCCDF external variable (e.g. var_audit_backlog_limit).
+    # It replaces the exact-match / regex logic that arg_value and arg_variable
+    # provide, so the three are mutually exclusive.
+    if 'arg_minimal_value' in data and ('arg_value' in data or 'arg_variable' in data):
+        raise RuntimeError(
+                "ERROR: 'arg_minimal_value' is mutually exclusive with "
+                "'arg_value' and 'arg_variable'.\n"
+                "arg_name: {0}".format(data['arg_name']))
+
     if 'arg_variable' in data:
         data["arg_name_value"] = data["arg_name"]
     else:

shared/templates/grub2_bootloader_argument/template.py

@@ -0,0 +1,60 @@
+#!/bin/bash
+{{#-
+  Test: arg_value_below_minimal — expected result: FAIL
+
+  Scenario:
+    The kernel argument (e.g. audit_backlog_limit) is set to a value that is
+    BELOW the required minimum.  The OVAL check uses "greater than or equal",
+    so below-minimum is a failing case.
+
+  What happens:
+    1. The XCCDF variable (e.g. var_audit_backlog_limit) is set to 8192.
+    2. The remediation macro writes ARG_NAME=100 into all GRUB locations
+       (grubby, /etc/default/grub, grub.cfg — depending on the product).
+    3. The OVAL object captures "100" (the digits after ARG_NAME=).
+    4. The OVAL state compares: 100 >= 8192 → false → FAIL.
+
+  Applicability:
+    Only runs for rules that use arg_minimal_value (e.g. audit_backlog_limit).
+    Rules using arg_value or arg_variable skip this test (platform = Not Applicable).
+-#}}
+
+{{#- This test only makes sense for rules using arg_minimal_value.
+     If the rule does NOT use arg_minimal_value (i.e. it uses arg_value or
+     arg_variable instead), emit "platform = Not Applicable" so Automatus
+     skips it.  Otherwise, run on all platforms.
+     ("# platform = ..." is an Automatus directive parsed from the rendered
+     script — bash sees it as a comment, but Automatus uses it to decide
+     whether to run the test.) -#}}
+{{% if not ARG_MINIMAL_VALUE %}}
+# platform = Not Applicable
+{{% else %}}
+# platform = multi_platform_all
+{{% endif %}}
+
+{{#- Ubuntu only needs the grub2 package.
+     All other products also need grubby (used by the remediation macro to
+     write kernel arguments into /boot/loader/entries/*.conf).
+     ("# packages = ..." is an Automatus directive — it installs these
+     packages on the test VM before running the script.) -#}}
+{{%- if 'ubuntu' in product %}}
+# packages = grub2
+{{%- else %}}
+# packages = grub2,grubby
+{{%- endif %}}
+
+{{#- When arg_minimal_value is set, tell Automatus which XCCDF variable to
+     use and what value to assign it.  "# variables = ..." is an Automatus
+     directive that sets the variable before the OVAL scan runs.
+     Here we set the minimum to 8192. -#}}
+{{%- if ARG_MINIMAL_VALUE %}}
+# variables = {{{ ARG_MINIMAL_VALUE }}}=8192
+{{%- endif %}}
+
+{{#- common.sh sets up the GRUB environment for the test (creates necessary
+     files, cleans previous state, etc.). -#}}
+source common.sh
+
+{{#- Write ARG_NAME=100 into all GRUB config locations.
+     Value is below the minimum (100 < 8192) → the check should FAIL. -#}}
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME ~ "=100") }}}

shared/templates/grub2_bootloader_argument/tests/arg_value_below_minimal.fail.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+{{#-
+  Test: arg_value_meets_minimal — expected result: PASS
+
+  Scenario:
+    The kernel argument (e.g. audit_backlog_limit) is set to a value that
+    EQUALS the required minimum.  The OVAL check uses "greater than or equal",
+    so equal-to-minimum is a passing case.
+
+  What happens:
+    1. The XCCDF variable (e.g. var_audit_backlog_limit) is set to 8192.
+    2. The remediation macro writes ARG_NAME=8192 into all GRUB locations
+       (grubby, /etc/default/grub, grub.cfg — depending on the product).
+    3. The OVAL object captures "8192" (the digits after ARG_NAME=).
+    4. The OVAL state compares: 8192 >= 8192 → true → PASS.
+
+  Applicability:
+    Only runs for rules that use arg_minimal_value (e.g. audit_backlog_limit).
+    Rules using arg_value or arg_variable skip this test (platform = Not Applicable).
+-#}}
+
+{{#- This test only makes sense for rules using arg_minimal_value.
+     If the rule does NOT use arg_minimal_value (i.e. it uses arg_value or
+     arg_variable instead), emit "platform = Not Applicable" so Automatus
+     skips it.  Otherwise, run on all platforms.
+     ("# platform = ..." is an Automatus directive parsed from the rendered
+     script — bash sees it as a comment, but Automatus uses it to decide
+     whether to run the test.) -#}}
+{{% if not ARG_MINIMAL_VALUE %}}
+# platform = Not Applicable
+{{% else %}}
+# platform = multi_platform_all
+{{% endif %}}
+
+{{#- Ubuntu only needs the grub2 package.
+     All other products also need grubby (used by the remediation macro to
+     write kernel arguments into /boot/loader/entries/*.conf).
+     ("# packages = ..." is an Automatus directive — it installs these
+     packages on the test VM before running the script.) -#}}
+{{%- if 'ubuntu' in product %}}
+# packages = grub2
+{{%- else %}}
+# packages = grub2,grubby
+{{%- endif %}}
+
+{{#- When arg_minimal_value is set, tell Automatus which XCCDF variable to
+     use and what value to assign it.  "# variables = ..." is an Automatus
+     directive that sets the variable before the OVAL scan runs.
+     Here we set the minimum to 8192. -#}}
+{{%- if ARG_MINIMAL_VALUE %}}
+# variables = {{{ ARG_MINIMAL_VALUE }}}=8192
+{{%- endif %}}
+
+{{#- common.sh sets up the GRUB environment for the test (creates necessary
+     files, cleans previous state, etc.). -#}}
+source common.sh
+
+{{#- Write ARG_NAME=8192 into all GRUB config locations.
+     Value equals the minimum → the check should PASS. -#}}
+{{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME ~ "=8192") }}}