Merge pull request #14330 from teacup-on-rockingchair/sle16_grub2_uefi_pass

SLE16 fix for grub2_uefi_pass

Author: teacup-on-rockingchair

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/sle.xml

@@ -0,0 +1,28 @@
+<def-group>
+  <definition class="compliance" id="grub2_uefi_password" version="1">
+    {{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}}
+
+    <criteria operator="AND">
+      <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_grub2_uefi_password_grubcfg" />
+      <criterion comment="make sure a superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" test_ref="test_bootloader_uefi_superuser"/>
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" id="test_bootloader_uefi_superuser" version="2">
+    <ind:object object_ref="object_bootloader_uefi_superuser" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_bootloader_uefi_superuser" version="2">
+    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg" id="test_grub2_uefi_password_grubcfg" version="1">
+    <ind:object object_ref="object_grub2_uefi_password_grubcfg" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_uefi_password_grubcfg" version="1">
+    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml

@@ -9,14 +9,14 @@ description: |-
     <br /><br />
     Since plaintext passwords are a security risk, generate a hash for the password
     by running the following command:
-    {{% if product in ["sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
+    {{% if "sle" in product or "slmicro" in product or product in ["ubuntu2204", "ubuntu2404"] %}}
     <pre># grub2-mkpasswd-pbkdf2</pre>
     {{% else %}}
     <pre># grub2-setpassword</pre>
     {{% endif %}}
     When prompted, enter the password that was selected.
     <br /><br />
-    {{% if product in ["sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
+    {{% if "sle" in product or "slmicro" in product or product in ["ubuntu2204", "ubuntu2404"] %}}
     Using the hash from the output, modify the <tt>/etc/grub.d/40_custom</tt>
     file with the following content:
     <pre>set superusers="boot"
@@ -27,7 +27,7 @@ description: |-
     Once the superuser password has been added,
     update the
     <tt>grub.cfg</tt> file by running:
-    {{%- if "rhel" in product %}}
+    {{%- if "rhel" in product or "sle" in product or "slmicro" in product %}}
     <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
     {{%- else %}}
     <pre>{{{ grub_command("update") }}}</pre>
@@ -108,7 +108,7 @@ fixtext: |-
 
     Then, update the grub.cfg file by running:
 
-    {{%- if "rhel" in product %}}
+    {{%- if "rhel" in product or product in ["sle12", "sle15", "sle16", "slmicro5", "slmicro6"] %}}
     <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
     {{%- else %}}
     <pre>{{{ grub_command("update") }}}</pre>