Add operation and datatype support to grub2_bootloader_argument template by macko1 · Pull Request #14626 · ComplianceAsCode/content

macko1 · 2026-04-07T18:09:30Z

Description:

Add operation and datatype parameters to the
grub2_bootloader_argument template so rules can use numeric
comparisons (e.g. "greater than or equal") and typed matching
instead of exact string regex.
Objects now extract only the argument value via capturing groups.
States compare using OVAL-native operation and datatype.
template.py validates operation/datatype combinations at build
time, requires quoted arg_value, requires explicit params for
arg_variable rules. Follows the sysctl template pattern.
Update grub2_audit_backlog_limit_argument to use
"greater than or equal" + int.
Update grub2_slub_debug_argument@ol8 to use "pattern match"
(replaces deprecated is_substring).
All other 17 rules set to "equals" + "string" (explicit).
Update test scenarios to be more modular — pass custom testing
values via template.py instead of hardcoding in the scripts.
3 new tests for >= (value at threshold, above, below).
Fix existing template automatus test scripts: use the actual
argument name with a wrong value instead of replacing the
entire argument with garbage.
Document new parameters in template_reference.md.

Rationale:

A system with audit_backlog_limit=16384 would FAIL the check even
though 16384 exceeds the required threshold of 8192 — the old
template used exact string matching for all comparisons.
Implements the operation + datatype approach suggested in the
original PR review (orthogonal to arg_value/arg_variable).
Fixes xccdf_org.ssgproject.content_rule_audit_backlog_limit resets backlog limit even if set to valid value #13923

Review Hints:

Review commits in order: template.py first (preprocessing), then
oval.template (the OVAL plumbing), then rule YAMLs, tests, docs.
Build and inspect representative OVALs:

$ ./build_product --datastream-only

rhel9 / grub2_audit_backlog_limit_argument — variable + int + >= + bootc
rhel9 / grub2_audit_argument — literal + int + equals + bootc
rhel9 / grub2_nousb_argument — no value, existence-only (no state)
rhel8 / grub2_audit_backlog_limit_argument — variable + int + >= + $kernelopts
ol8 / grub2_slub_debug_argument — variable + string + pattern match
ubuntu2404 / grub2_pti_argument — literal + string + equals + grub.d
rhel9 / grub2_ipv6_disable_argument — literal + int + equals + dot in name
State must have correct operation/datatype, no <local_variable>
or <concat>.
Test with automatus.py — needs a VM, not a container. Using multiple
parallel VMs is recommended (--slice argument):

$ ./tests/automatus.py template
--libvirt qemu:///session
--datastream ./build/ssg-rhel9-ds.xml
grub2_bootloader_argument

The oval.template has extensive inline comments — the header
documentation is a good starting point.
The RHEL 8 presence+value split is the trickiest part — it exists
because the wide-capture object must stay for $kernelopts detection.
Local VM testing: RHEL 9 202/202, RHEL 8 239/240 (one pre-existing
grub2_ipv6_disable_argument failure).
CI failures are all pre-existing — see comment below.

openshift-ci · 2026-04-07T18:09:40Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

github-actions · 2026-04-07T18:13:20Z

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

vojtapolasek · 2026-04-09T09:16:16Z

Hello @macko1 and thank you.
I have two remarks. First is technical, could you please split the PR into multiple commits? For example, one for documentation, one modifying tests... it makes reviewing easier.
Then I have a remark regarding the main purpose of the PR. As I understand it, your PR makes it possible to define the Grub2 value in three ways:

arg_value - checks equality of the value against hardcoded value
arg_variable - checks equality with a value represented by an XCCDF variable
newly defined arg_minimal_value - checks if the value is greater or equal to a hardcoded value
If I understand it correctly, then I think this is not an optimal implementation.
Because what if in the future you would like to check if a value is greater or equal to something defined with XCCDF variable? It would require another round of reimplementation.
I think it would be better to add a different parameter, which would signify the operation between the checked value and the hardcoded / variable provided value. In this way, we could check for equality, greater than, lesser than... whatever is supported.
I had only a quick glance into templates, but it seems we already support this for example in the accounts_password template or pam_options template. Do you think this concept could be used in this case as well?

macko1 · 2026-04-16T22:36:57Z

@vojtapolasek you were right, thanks for pointing this out. I've re-implemented the check, and made it extensible - "greater than or equal" can be extended with more OVAL operations in the future, when needed.

I have divided the changes into several commits, as you have asked, I hope this will make it more readable.

PR description updated.

Thanks for a review!

Mab879

We should new tests for the rule in the referenced issue to ensure it is fixed and stays fixed.

Mab879

This looking good. I don't see any issue with. Saving approval until out of draft.

github-actions · 2026-05-13T10:17:46Z

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force' differs.
--- oval:ssg-grub2_enable_iommu_force:def:1
+++ oval:ssg-grub2_enable_iommu_force:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_iommu_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_iommu_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_iommu_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_iommu_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_iommu_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_iommu_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_iommu_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_iommu_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_iommu_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_iommu_argument:tst:1
+criterion oval:ssg-test_grub2_iommu_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_iommu_argument_default:tst:1
+criterion oval:ssg-test_grub2_iommu_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_init_on_free' differs.
--- oval:ssg-grub2_init_on_free:def:1
+++ oval:ssg-grub2_init_on_free:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_init_on_free_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_init_on_free_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_init_on_free_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_init_on_free_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_init_on_free_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_init_on_free_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_init_on_free_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_init_on_free_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_init_on_free_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_init_on_free_argument:tst:1
+criterion oval:ssg-test_grub2_init_on_free_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_init_on_free_argument_default:tst:1
+criterion oval:ssg-test_grub2_init_on_free_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_l1tf_argument' differs.
--- oval:ssg-grub2_l1tf_argument:def:1
+++ oval:ssg-grub2_l1tf_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_l1tf_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_l1tf_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_l1tf_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_l1tf_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_l1tf_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_l1tf_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_l1tf_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_l1tf_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_l1tf_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_l1tf_argument:tst:1
+criterion oval:ssg-test_grub2_l1tf_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_l1tf_argument_default:tst:1
+criterion oval:ssg-test_grub2_l1tf_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_mce_argument' differs.
--- oval:ssg-grub2_mce_argument:def:1
+++ oval:ssg-grub2_mce_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_mce_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_mce_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_mce_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_mce_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_mce_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_mce_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_mce_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_mce_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_mce_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_mce_argument:tst:1
+criterion oval:ssg-test_grub2_mce_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_mce_argument_default:tst:1
+criterion oval:ssg-test_grub2_mce_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument' differs.
--- oval:ssg-grub2_pti_argument:def:1
+++ oval:ssg-grub2_pti_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_pti_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_pti_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_pti_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_pti_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_pti_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_pti_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_pti_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_pti_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_pti_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_pti_argument:tst:1
+criterion oval:ssg-test_grub2_pti_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_pti_argument_default:tst:1
+criterion oval:ssg-test_grub2_pti_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument' differs.
--- oval:ssg-grub2_rng_core_default_quality_argument:def:1
+++ oval:ssg-grub2_rng_core_default_quality_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_rng_core_default_quality_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_rng_core_default_quality_argument_default:tst:1
+criterion oval:ssg-test_grub2_rng_core_default_quality_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument' differs.
--- oval:ssg-grub2_slab_nomerge_argument:def:1
+++ oval:ssg-grub2_slab_nomerge_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_slab_nomerge_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_slab_nomerge_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_argument:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_slab_nomerge_argument_default:tst:1
+criterion oval:ssg-test_grub2_slab_nomerge_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument' differs.
--- oval:ssg-grub2_spec_store_bypass_disable_argument:def:1
+++ oval:ssg-grub2_spec_store_bypass_disable_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_spec_store_bypass_disable_argument_default:tst:1
+criterion oval:ssg-test_grub2_spec_store_bypass_disable_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument' differs.
--- oval:ssg-grub2_spectre_v2_argument:def:1
+++ oval:ssg-grub2_spectre_v2_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_spectre_v2_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_spectre_v2_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_argument:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_spectre_v2_argument_default:tst:1
+criterion oval:ssg-test_grub2_spectre_v2_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument' differs.
--- oval:ssg-grub2_vsyscall_argument:def:1
+++ oval:ssg-grub2_vsyscall_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_vsyscall_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_vsyscall_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_vsyscall_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_vsyscall_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_vsyscall_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_vsyscall_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_vsyscall_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_vsyscall_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_vsyscall_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_vsyscall_argument:tst:1
+criterion oval:ssg-test_grub2_vsyscall_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_vsyscall_argument_default:tst:1
+criterion oval:ssg-test_grub2_vsyscall_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument' differs.
--- oval:ssg-grub2_ipv6_disable_argument:def:1
+++ oval:ssg-grub2_ipv6_disable_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_ipv6_disable_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_ipv6_disable_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_argument:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_ipv6_disable_argument_default:tst:1
+criterion oval:ssg-test_grub2_ipv6_disable_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_nousb_argument' differs.
--- oval:ssg-grub2_nousb_argument:def:1
+++ oval:ssg-grub2_nousb_argument:def:1
@@ -1,15 +1,15 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_nousb_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_nousb_bls_entries_coverage:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_nousb_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_nousb_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_nousb_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_nousb_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_nousb_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_nousb_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_nousb_argument:tst:1
+criterion oval:ssg-test_grub2_nousb_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_nousb_argument_default:tst:1
+criterion oval:ssg-test_grub2_nousb_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_page_poison_argument' differs.
--- oval:ssg-grub2_page_poison_argument:def:1
+++ oval:ssg-grub2_page_poison_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_page_poison_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_page_poison_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_page_poison_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_page_poison_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_page_poison_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_page_poison_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_page_poison_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_page_poison_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_page_poison_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_page_poison_argument:tst:1
+criterion oval:ssg-test_grub2_page_poison_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_page_poison_argument_default:tst:1
+criterion oval:ssg-test_grub2_page_poison_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument' differs.
--- oval:ssg-grub2_slub_debug_argument:def:1
+++ oval:ssg-grub2_slub_debug_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_slub_debug_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_slub_debug_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_slub_debug_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_slub_debug_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_slub_debug_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_slub_debug_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_slub_debug_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_slub_debug_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_slub_debug_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_slub_debug_argument:tst:1
+criterion oval:ssg-test_grub2_slub_debug_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_slub_debug_argument_default:tst:1
+criterion oval:ssg-test_grub2_slub_debug_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_argument' differs.
--- oval:ssg-grub2_audit_argument:def:1
+++ oval:ssg-grub2_audit_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_audit_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_audit_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_audit_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_audit_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_audit_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_audit_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_audit_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_audit_argument:tst:1
+criterion oval:ssg-test_grub2_audit_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_audit_argument_default:tst:1
+criterion oval:ssg-test_grub2_audit_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

OVAL for rule 'xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument' differs.
--- oval:ssg-grub2_audit_backlog_limit_argument:def:1
+++ oval:ssg-grub2_audit_backlog_limit_argument:def:1
@@ -1,15 +1,16 @@
 criteria OR
 criteria AND
-criterion oval:ssg-test_grub2_audit_backlog_limit_entries_expanded_or_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_bls_entries_coverage:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_bls_entries_value:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_at_least_one_entry_referenced:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_kernelopts_in_any_boot_loader_entry:tst:1
 criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env:tst:1
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env_uefi:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_in_grubenv:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_in_grubenv_uefi:tst:1
 criteria OR
 criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_grub_cmdline_linux:tst:1
 criteria AND
 criteria OR
-criterion oval:ssg-test_grub2_audit_backlog_limit_argument_default:tst:1
+criterion oval:ssg-test_grub2_audit_backlog_limit_grub_cmdline_linux_default:tst:1
 extend_definition oval:ssg-bootloader_disable_recovery_set_to_true:def:1

The grub2_bootloader_argument template could only do exact string matching — no numeric comparisons. Follow the sysctl template pattern and add operation and datatype parameters. - Compute test scenario values (pass/fail/boundary) per operation - Validate operation/datatype combinations at build time - Require explicit operation/datatype for arg_variable rules - Require arg_value to be a quoted string in rule.yml - Remove deprecated is_substring parameter - Rename sanitized_arg_name to arg_name_underscored - Update bash.template accordingly

Separate value extraction (object regex) from value comparison (state operation/datatype). The old template captured entire lines and validated with regex — now objects capture only the value and states compare it directly. - Objects extract only the argument value via capturing groups - States compare using OVAL-native operation and datatype - RHEL 8: split presence and value checks for entries that delegate to $kernelopts in grubenv - Fix RHEL 8 $kernelopts detection (check="all" -> "at least one") - Escape dots in bootc patterns (ipv6.disable) - nousb (flag-only args): check presence only, skip value comparison - bootc: reuse the same comparison state as other GRUB locations - Update header documentation to match new architecture

- grub2_audit_backlog_limit_argument: "greater than or equal" + int - grub2_slub_debug_argument@ol8: "pattern match" replaces is_substring - All other 17 rules: "equals" + "string" (explicit) - var_audit_backlog_limit.var: type number, operator >= - var_rng_core_default_quality.var: type number

- 3 new tests for >= (value at threshold, above, below) - Fix wrong-value tests: use the actual argument name with a wrong value instead of replacing the entire argument with garbage - Add section comments to all grub2_bootloader_argument test scripts - Simplify Jinja conditionals in >= and pattern-match tests - Clean up template.py test value computation

- Document operation parameter (equals, pattern match, >=) - Document datatype parameter (string, int) - Note which datatypes each operation supports - Mark unused operations as not yet implemented - Note that arg_variable rules must set operation/datatype to match the .var file

macko1 · 2026-05-14T10:57:21Z

Fix submitted. Description updated, too.

The template now extracts just the value from GRUB configs and compares
it with proper OVAL operations — so audit_backlog_limit=16384 finally
passes a >= 8192 check instead of failing on exact string match.

19 rules updated, 24 test scripts, docs updated.

CI failures are all pre-existing on master, none from this PR:

grub2_ipv6_disable_argument — grub2-mkconfig can't run on
container overlay (RHEL 9, SLE 15, CS9)
Debian 12, RHEL 8 UBI — grubby/grub2-common not in container repos
Ubuntu 24.04 — grub2_audit_argument recovery_disabled setup fails
CS9/CS10 Testing Farm — unrelated rules (rsyslog_files_permissions)
oscap-ssh download — probably a transient GitHub HTTP 429

Ready for review, @Mab879 could I ask you for one, please? Or @vojtapolasek ?

vojtapolasek · 2026-05-26T13:01:00Z

+      Only relevant when `BLS` entries use `$kernelopts` on their `options` line
+      instead of listing kernel args directly.
+
+  `$kernelopts`  (RHEL 8 / OL8 only, `/boot/loader/entries/*.conf` only)


I think this whole paragraph is redundant. It is already described around line 80 of this file.

Yes, after reading it several times, I agree.

vojtapolasek · 2026-05-27T08:42:47Z

-                "arg_name: {0}\n"
-                "arg_variable: {1}".format(data['arg_value'], data['arg_variable']))
+            f"The template must not set both 'arg_value' and 'arg_variable'.\n"
+            f"arg_name: {arg_value}\n"


There is a mismatch, you write arg_name, but you print out arg_value.

Good catch. Fixing.

vojtapolasek · 2026-05-27T08:44:02Z

+        `$kernelopts` expansion, but does not survive regeneration.
+      `/boot/loader/entries/*.conf` `options` line (BLS) or `/boot/grub2/grub.cfg`
+        `linux /vmlinuz...` line (legacy) is what the kernel actually boots with.
+      `/usr/lib/bootc/kargs.d/*.toml` (in RHEL Image mode (ootc)) replaces everything above.


Suggested change

`/usr/lib/bootc/kargs.d/*.toml` (in RHEL Image mode (ootc)) replaces everything above.

`/usr/lib/bootc/kargs.d/*.toml` (in RHEL Image mode (bootc)) replaces everything above.

vojtapolasek

It looks very good. You dedicated a lots of time to this and I think it really improves the experience.
I have just few small things.
following rules have the arg_value still unquoted:

grub2_spectre_v2_argument
grub2_vsyscall_argument

You did not add the variable handling into this test scenario of the grub2_argument template: correct_value_etcdefault_dir.pass.sh
Is that intentional?

The first and third commit modify heavily the OVAL template documentation... honestly, I am not sure if this does not bring some confusion.
Do you think you could somehow merge these documentation modifications so that the documentation is not rewritten twice?

vojtapolasek · 2026-05-27T10:16:13Z

-        else:
-            data["arg_name_value"] = data["arg_name"]
+        if "operation" not in data:
+            data["operation"] = "equals"


Small concern here... I do not like that this function mainly checks content of the data dict, but it also modifies them. And then reads them again, it seems. Can at least the part which modifies the dictionary be extracted into a separate function? Just a suggestion. I think it would make the code cleaner.

I have, hopefully, improved the readability of template.py. PTAL.

macko1 · 2026-05-27T18:14:05Z

It looks very good. You dedicated a lots of time to this and I think it really improves the experience. I have just few small things. following rules have the arg_value still unquoted:
* grub2_spectre_v2_argument

* grub2_vsyscall_argument

Thanks, and I really appreciate your help with this!

Actually you found a bug, as this should be caught by the check in template.py. YAML booleans are, in our project, not parsed as Python booleans, but as strings, and we don't enforce quoting of strings, to avoid refactoring the existing rules that use arg_value. Fixed.

You did not add the variable handling into this test scenario of the grub2_argument template: correct_value_etcdefault_dir.pass.sh Is that intentional?

No, this is an oversight, thanks for pointing it out.

The first and third commit modify heavily the OVAL template documentation... honestly, I am not sure if this does not bring some confusion. Do you think you could somehow merge these documentation modifications so that the documentation is not rewritten twice?

I can do proper atomic commits when the review is finished, so not to make the review even more complicated.

I have also updated the documentation and slightly polished the template.py to address your concerns (and mine as it wasn't that readable).

openshift-ci · 2026-05-27T20:06:12Z

@macko1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.19-images	`45e5078`	link	true	`/test 4.19-images`
ci/prow/e2e-aws-openshift-node-compliance	`45e5078`	link	true	`/test e2e-aws-openshift-node-compliance`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 7, 2026

macko1 force-pushed the fix_13923 branch 2 times, most recently from 5d68582 to 117ce41 Compare April 8, 2026 12:30

macko1 changed the title ~~DRAFT: take2~~ DRAFT: #13923 Apr 8, 2026

macko1 force-pushed the fix_13923 branch 2 times, most recently from d72131a to 315103b Compare April 8, 2026 22:04

vojtapolasek self-assigned this Apr 9, 2026

macko1 changed the title ~~DRAFT: #13923~~ Add arg_minimal_value variable to grub2_bootloader_argument template Apr 9, 2026

macko1 force-pushed the fix_13923 branch 4 times, most recently from 13a4ebc to 15dbbd2 Compare April 16, 2026 22:24

macko1 force-pushed the fix_13923 branch from 15dbbd2 to c50c632 Compare May 5, 2026 14:28

macko1 unassigned vojtapolasek May 5, 2026

macko1 force-pushed the fix_13923 branch 3 times, most recently from 9d97f56 to 869101f Compare May 5, 2026 14:59

Mab879 requested changes May 5, 2026

View reviewed changes

Comment thread shared/templates/grub2_bootloader_argument/oval.template Outdated

Mab879 added this to the 0.1.81 milestone May 5, 2026

Mab879 reviewed May 6, 2026

View reviewed changes

macko1 force-pushed the fix_13923 branch from 8df1575 to 69c90bf Compare May 13, 2026 10:13

macko1 force-pushed the fix_13923 branch from 69c90bf to e1fe7b8 Compare May 13, 2026 12:19

macko1 added 3 commits May 14, 2026 12:39

Revert changes and only refactor grub_bootloader_argument OVAL template

8afac26

macko1 added 3 commits May 14, 2026 12:39

macko1 force-pushed the fix_13923 branch from b4fc433 to fa546ad Compare May 14, 2026 10:39

macko1 changed the title ~~Add arg_minimal_value variable to grub2_bootloader_argument template~~ Add operation and datatype support to grub2_bootloader_argument template May 14, 2026

macko1 marked this pull request as ready for review May 14, 2026 10:57

macko1 requested review from jan-cerny, matusmarhefka and vojtapolasek as code owners May 14, 2026 10:57

openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label May 14, 2026

macko1 requested a review from Mab879 May 14, 2026 10:57

macko1 modified the milestones: 0.1.81, 0.1.82 May 19, 2026

vojtapolasek reviewed May 27, 2026

View reviewed changes

vojtapolasek requested changes May 27, 2026

View reviewed changes

vojtapolasek reviewed May 27, 2026

View reviewed changes

macko1 added 3 commits May 27, 2026 20:12

Update documentation for grub2_bootloader_argument template

384723e

Quote arg_value in grub2_bootloader_argument templated rules

7fd9c81

Fix arg_variable handling in correct_value_etcdefault_dir.pass.sh

45e5078

macko1 requested review from ggbecker and marcusburghardt as code owners May 27, 2026 18:13

macko1 requested a review from vojtapolasek May 27, 2026 18:14

	`/usr/lib/bootc/kargs.d/*.toml` (in RHEL Image mode (ootc)) replaces everything above.
	`/usr/lib/bootc/kargs.d/*.toml` (in RHEL Image mode (bootc)) replaces everything above.

Conversation

macko1 commented Apr 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description:

Rationale:

Review Hints:

Uh oh!

openshift-ci Bot commented Apr 7, 2026

Uh oh!

github-actions Bot commented Apr 7, 2026

Uh oh!

vojtapolasek commented Apr 9, 2026

Uh oh!

macko1 commented Apr 16, 2026

Uh oh!

Mab879 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Mab879 left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions Bot commented May 13, 2026

Uh oh!

macko1 commented May 14, 2026

Uh oh!

vojtapolasek May 26, 2026

Choose a reason for hiding this comment

Uh oh!

macko1 May 27, 2026

Choose a reason for hiding this comment

Uh oh!

vojtapolasek May 27, 2026

Choose a reason for hiding this comment

Uh oh!

macko1 May 27, 2026

Choose a reason for hiding this comment

Uh oh!

vojtapolasek May 27, 2026

Choose a reason for hiding this comment

Uh oh!

vojtapolasek left a comment

Choose a reason for hiding this comment

Uh oh!

vojtapolasek May 27, 2026

Choose a reason for hiding this comment

Uh oh!

macko1 May 27, 2026

Choose a reason for hiding this comment

Uh oh!

macko1 commented May 27, 2026

Uh oh!

openshift-ci Bot commented May 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

macko1 commented Apr 7, 2026 •

edited

Loading