Ensure zIPL bootmap is up to date

An XCCDF Rule

Description

Make sure that /boot/bootmap is up to date.
Every time a boot entry or zIPL configuration is changed /boot/bootmap needs to be updated to reflect the changes.
Run zipl command to generate an updated /boot/bootmap.

Rationale

The file /boot/bootmap contains all boot data, keeping it up to date is crucial to boot correct kernel and options.

ID: xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date
Severity: Medium
References: CCE-83486-1
Updated: over 1 year ago

Remediation Templates

# Remediation is applicable only in certain platforms
if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
/usr/sbin/zipl

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Ensure zIPL bootmap is up to date
  block:
  - name: Obtain stats of /boot/bootmap
    stat:
      path: /boot/bootmap
    register: boot_bootmap
  - name: Obtain stats of /etc/zipl.conf
    stat:
      path: /etc/zipl.conf
    register: zipl_conf

  - name: Obtain stats of /boot/loader/entries
    stat:
      path: /boot/loader/entries
    register: boot_loader_entries

  - name: Update zIPL bootmap
    command: /usr/sbin/zipl
    changed_when: true
    when:
    - boot_bootmap.stat.mtime is defined
    - zipl_conf.stat.mtime is defined
    - boot_loader_entries.stat.mtime is defined
    - boot_bootmap.stat.mtime < zipl_conf.stat.mtime or boot_bootmap.stat.mtime <
      boot_loader_entries.stat.mtime
  when:
  - ansible_architecture == "s390x"
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83486-1
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - zipl_bootmap_is_up_to_date

Ensure zIPL bootmap is up to date

Description

Rationale

Remediation Templates

A Shell Script

An Ansible Snippet