Ensure zIPL bootmap is up to date

An XCCDF Rule

Description

Make sure that /boot/bootmap is up to date.
Every time a boot entry or zIPL configuration is changed /boot/bootmap needs to be updated to reflect the changes.
Run zipl command to generate an updated /boot/bootmap.

Rationale

The file /boot/bootmap contains all boot data, keeping it up to date is crucial to boot correct kernel and options.

ID: xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date
Severity: Medium
References: CCE-83486-1
Updated: about 1 year ago

- name: Ensure zIPL bootmap is up to date
  block:

  - name: Obtain stats of /boot/bootmap
    stat:
      path: /boot/bootmap    register: boot_bootmap

  - name: Obtain stats of /etc/zipl.conf
    stat:
      path: /etc/zipl.conf
    register: zipl_conf

  - name: Update zIPL bootmap
    command: /usr/sbin/zipl
    changed_when: true
    when: boot_bootmap.stat.mtime is defined and zipl_conf.stat.mtime is defined and  boot_bootmap.stat.mtime
      < zipl_conf.stat.mtime
  when:
  - ansible_architecture == "s390x"
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-83486-1
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - zipl_bootmap_is_up_to_date

# Remediation is applicable only in certain platforms
if grep -q s390x /proc/sys/kernel/osrelease && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

/usr/sbin/zipl

else    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure zIPL bootmap is up to date

Description

Rationale

Remediation - Ansible

Remediation - Shell Script