Add operation and datatype support to grub2_bootloader_argument template

docs/templates/template_reference.md

@@ -455,18 +455,48 @@ they must be of the same length.
 -   Languages: Bash, OVAL
 
 #### grub2_bootloader_argument
--   Ensures that a kernel command line argument is present in GRUB 2 configuration.
+- Ensures that a kernel command line argument is present in GRUB 2 configuration. For example `nousb` or `audit_backlog_limit=8192`.
 
--   Parameters:
-
-    -   **arg_name** - argument name, eg. `audit`
-
-    -   **arg_value** - argument value, eg. `'1'`
-
-    -   **arg_variable** - the variable used as the value for the argument, eg. `'var_slub_debug_options'`
-        This parameter is mutually exclusive with **arg_value**.
+- Parameters:
 
--   Languages: Ansible, Bash, OVAL, Blueprint, Kickstart
+    - **arg_name** (required) - kernel argument name, e.g. `audit`, `audit_backlog_limit`, `nousb`.
+
+    - **arg_value** (optional) value of the kernel argument, e.g. `'1'`, `'on'`.
+        - Mutually exclusive with **arg_variable**.
+        - **Must be quoted** in `rule.yml` — YAML auto-parses unquoted scalars
+          (`8192` becomes int, `on`/`off` become bool), but the template needs a
+          string to build regexes and config file content. The build will fail with
+          a clear error if the value is not a string.
+
+    - **arg_variable** (optional) - XCCDF variable defined in a `.var` file,
+      e.g. `var_audit_backlog_limit`.
+        - Mutually exclusive with **arg_value**.
+        - If used,  **operation** and **datatype** has to be set to match the `.var` file's `type` and `operator` variables.
+
+    - **operation** - OVAL comparison operation applied to the extracted value.
+      Default: `equals`. Supported values:
+        - `equals` — exact match. Works with `string` or `int`.
+          Use for arguments with a single known-good value (e.g. `audit=1`,
+          `pti=on`).
+        - `pattern match` — regex match. Works with `string` only.
+          Use when multiple values are acceptable (e.g. `slub_debug` on OL8
+          where `P` must appear anywhere inside values like `FZP`).
+          Replaces the deprecated `is_substring` parameter.
+        - `greater than or equal` — numeric comparison. Works with `int` only.
+          Use for threshold arguments (e.g. `audit_backlog_limit>=8192`).
+        - Other operations (`not equal`, `greater than`, `less than`,
+          `less than or equal`) are validated but have no test coverage.
+          Adding a rule with these operations requires adding test scenarios and updating `template.py` to support them.
+
+    - **datatype** - OVAL datatype for the comparison. Default: `string`.
+      Supported values: `string`, `int`.
+        - `string` — lexicographic comparison. Use for non-numeric values
+          (e.g. `on`, `force`, `none`).
+        - `int` — numeric comparison. Use when the value is a number
+          (e.g. `audit_backlog_limit=8192`, `audit=1`). Required for numeric
+          operations like `greater than or equal`.
+
+- Languages: Ansible, Bash, OVAL, Blueprint, Kickstart
 
 #### grub2_bootloader_argument_absent
 -   Ensures that a kernel command line argument is absent in GRUB 2 configuration.

linux_os/guide/auditing/grub2_audit_argument/rule.yml

@@ -57,6 +57,8 @@ template:
     vars:
         arg_name: audit
         arg_value: '1'
+        datatype: int
+        operation: equals
 
 fixtext: |-
     {{{ describe_grub2_argument("audit=1") | indent(4) }}}

linux_os/guide/auditing/grub2_audit_backlog_limit_argument/rule.yml

@@ -52,3 +52,5 @@ template:
     vars:
         arg_name: audit_backlog_limit
         arg_variable: var_audit_backlog_limit
+        datatype: int
+        operation: greater than or equal

linux_os/guide/auditing/var_audit_backlog_limit.var

@@ -7,9 +7,9 @@ description: |-
     The audit_backlog_limit parameter determines how auditd records can
     be held in the auditd backlog.
 
-type: string
+type: number
 
-operator: equals
+operator: greater than or equal
 
 interactive: true
 

linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/rule.yml

@@ -37,3 +37,5 @@ template:
     vars:
         arg_name: iommu
         arg_value: 'force'
+        datatype: string
+        operation: equals

linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml

@@ -33,3 +33,5 @@ template:
     vars:
         arg_name: init_on_alloc
         arg_value: '1'
+        datatype: int
+        operation: equals

linux_os/guide/system/bootloader-grub2/grub2_init_on_free/rule.yml

@@ -29,3 +29,5 @@ template:
     vars:
         arg_name: init_on_free
         arg_value: '1'
+        datatype: int
+        operation: equals

linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml

@@ -52,5 +52,7 @@ template:
     vars:
         arg_name: random.trust_cpu
         arg_value: 'on'
+        datatype: string
+        operation: equals
     backends:
         oval: "off"

linux_os/guide/system/bootloader-grub2/grub2_l1tf_argument/rule.yml

@@ -43,3 +43,5 @@ template:
     vars:
         arg_name: l1tf
         arg_variable: var_l1tf_options
+        datatype: string
+        operation: equals

linux_os/guide/system/bootloader-grub2/grub2_mce_argument/rule.yml

@@ -36,3 +36,5 @@ template:
     vars:
         arg_name: mce
         arg_value: '0'
+        datatype: int
+        operation: equals

linux_os/guide/system/bootloader-grub2/grub2_mds_argument/rule.yml

@@ -53,3 +53,5 @@ template:
     vars:
         arg_name: mds
         arg_variable: var_mds_options
+        datatype: string
+        operation: equals

linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml

@@ -39,3 +39,5 @@ template:
     vars:
         arg_name: page_alloc.shuffle
         arg_value: '1'
+        datatype: int
+        operation: equals

linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml

@@ -38,6 +38,8 @@ template:
     vars:
         arg_name: pti
         arg_value: 'on'
+        datatype: string
+        operation: equals
 
 fixtext: |-
     {{{ describe_grub2_argument("pti=on") | indent(4) }}}

linux_os/guide/system/bootloader-grub2/grub2_rng_core_default_quality_argument/rule.yml

@@ -44,3 +44,5 @@ template:
     vars:
         arg_name: rng_core.default_quality
         arg_variable: var_rng_core_default_quality
+        datatype: int
+        operation: equals

linux_os/guide/system/bootloader-grub2/grub2_slab_nomerge_argument/rule.yml

@@ -42,3 +42,5 @@ template:
     vars:
         arg_name: slab_nomerge
         arg_value: 'yes'
+        datatype: string
+        operation: equals

linux_os/guide/system/bootloader-grub2/grub2_spec_store_bypass_disable_argument/rule.yml

@@ -46,3 +46,5 @@ template:
     vars:
         arg_name: spec_store_bypass_disable
         arg_variable: var_spec_store_bypass_disable_options
+        datatype: string
+        operation: equals

linux_os/guide/system/bootloader-grub2/grub2_spectre_v2_argument/rule.yml

@@ -39,3 +39,5 @@ template:
     vars:
         arg_name: spectre_v2
         arg_value: on
+        datatype: string
+        operation: equals

linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml

@@ -38,6 +38,8 @@ template:
     vars:
         arg_name: vsyscall
         arg_value: none
+        datatype: string
+        operation: equals
 
 fixtext: |-
     {{{ describe_grub2_argument("vsyscall=none") | indent(4) }}}

linux_os/guide/system/bootloader-grub2/var_rng_core_default_quality.var

@@ -8,7 +8,7 @@ description: |-
 
 interactive: true
 
-type: string
+type: number
 
 operator: equals
 

linux_os/guide/system/network/network-ipv6/disabling_ipv6/grub2_ipv6_disable_argument/rule.yml

@@ -38,3 +38,5 @@ template:
     vars:
         arg_name: ipv6.disable
         arg_value: '1'
+        datatype: int
+        operation: equals

linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml

@@ -40,6 +40,8 @@ template:
     vars:
         arg_name: page_poison
         arg_value: '1'
+        datatype: int
+        operation: equals
 
 fixtext: |-
     {{{ describe_grub2_argument("page_poison=1") | indent(4) }}}

linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml

@@ -40,7 +40,9 @@ template:
     vars:
         arg_name: slub_debug
         arg_variable: var_slub_debug_options
-        is_substring@ol8: "true"
+        datatype: string
+        operation: equals
+        operation@ol8: "pattern match"
 
 fixtext: |-
     {{{ describe_grub2_argument("slub_debug=" ~ xccdf_value("var_slub_debug_options")) | indent(4) }}}

shared/templates/grub2_bootloader_argument/bash.template

@@ -14,7 +14,7 @@ if {{{ bash_bootc_build() }}} ; then
     if grep -q -E "{{{ ARG_NAME }}}" "$KARGS_DIR/*.toml" ; then
         sed -i -E "s/^(\s*kargs\s*=\s*\[.*)\"{{{ ARG_NAME }}}=[^\"]*\"(.*]\s*)/\1\"{{{ ARG_NAME_VALUE }}}\"\2/" "$KARGS_DIR/*.toml"
     else
-        echo "kargs = [\"{{{ ARG_NAME_VALUE }}}\"]" >> "$KARGS_DIR/10-{{{ SANITIZED_ARG_NAME }}}.toml"
+        echo "kargs = [\"{{{ ARG_NAME_VALUE }}}\"]" >> "$KARGS_DIR/10-{{{ ARG_NAME_UNDERSCORED }}}.toml"
     fi
 else
 {{{ grub2_bootloader_argument_remediation(ARG_NAME, ARG_NAME_VALUE) | indent(4) }}}