ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

RHEL 7 - grub2_*_argument rules fail after kickstart installation #8301

Closed mildas closed 2 years ago

mildas commented 2 years ago

Description of problem:

All grub2 argument rules fail after kickstart installations. The most affected profile is OSPP as it has the biggest portion of grub2 argument rules:

xccdf_org.ssgproject.content_rule_grub2_audit_argument - fail
xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument - fail
xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument - fail
xccdf_org.ssgproject.content_rule_grub2_page_poison_argument - fail
xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument - fail

SCAP Security Guide Version:

4bca873

Operating System Version:

RHEL 7.9

Steps to Reproduce:

  1. Install machine using kickstart, e.g. using OSPP profile
  2. Scan machine: oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --report xccdf_org.ssgproject.content_profile_ospp.html ssg-rhel7-ds.xml

Actual Results:

grub2 rules fail

Expected Results:

All grub2 rules pass

Additional Information/Debugging Steps:

Example of OVAL results - grub2_slub_debug_argument

check kernel command line parameters for slub_debug=P in /boot/grub2/grub.cfg for all kernels failed because of these items:

| Path | Content |
| -- | -- |
| /boot/grub2/grub.cfg | linux16 /vmlinuz-3.10.0-1160.el7.x86_64 root=/dev/mapper/VolGroup-LogVol06 ro rhgb quiet rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap console=ttyS0 rd.shell=0 fips=1 boot=UUID=078b3f81-e34b-497f-8f11-db5e65a956b1 audit=1 audit_backlog_limit=8192 vsyscall=none page_poison=1 slub_debug=P LANG=en_US.UTF-8 |
| /boot/grub2/grub.cfg | linux16 /vmlinuz-0-rescue-83aca812e23e49d99eba9c2c4abdda01 root=/dev/mapper/VolGroup-LogVol06 ro rhgb quiet rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap console=ttyS0 rd.shell=0 fips=1 boot=UUID=078b3f81-e34b-497f-8f11-db5e65a956b1 audit=1 audit_backlog_limit=8192 vsyscall=none page_poison=1 slub_debug=P |

check kernel command line parameters for slub_debug=P in /boot/efi/EFI/redhat/grub.cfg for all kernels failed because these items were missing:

Object oval:ssg-object_grub2_slub_debug_argument_grub_cfg_uefi:obj:1 of type textfilecontent54_object

| Filepath | Pattern | Instance |
| -- | -- | -- |
| /boot/efi/EFI/redhat/grub.cfg | `^.*/vmlinuz.*(root=.*)$` | 1 |

check for slub_debug=P in /etc/default/grub via GRUB_CMDLINE_LINUX failed because of these items:

| Path | Content |
| -- | -- |
| /etc/default/grub | GRUB_CMDLINE_LINUX="rhgb quiet rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap console=ttyS0 rd.shell=0 fips=1 boot=UUID=078b3f81-e34b-497f-8f11-db5e65a956b1" |

check for slub_debug=P in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT failed because these items were missing:

Object oval:ssg-object_grub2_slub_debug_argument_default:obj:1 of type textfilecontent54_object

| Filepath | Pattern | Instance |
| -- | -- | -- |
| /etc/default/grub | `^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$` | 1 |

See the OVAL result; it's basically the same for all grub2 parameter rules. Notice that the check "check kernel command line parameters for page_poison=1 in /boot/grub2/grub.cfg for all kernels" fails: the result is fail, but the line has the parameter configured:

/boot/grub2/grub.cfg - linux16 /vmlinuz-3.10.0-1160.el7.x86_64 root=/dev/mapper/VolGroup-LogVol06 ro rhgb quiet rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap console=ttyS0 rd.shell=0 fips=1 boot=UUID=078b3f81-e34b-497f-8f11-db5e65a956b1 audit=1 audit_backlog_limit=8192 vsyscall=none page_poison=1 slub_debug=P LANG=en_US.UTF-8

/boot/grub2/grub.cfg - linux16 /vmlinuz-0-rescue-83aca812e23e49d99eba9c2c4abdda01 root=/dev/mapper/VolGroup-LogVol06 ro rhgb quiet rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap console=ttyS0 rd.shell=0 fips=1 boot=UUID=078b3f81-e34b-497f-8f11-db5e65a956b1 audit=1 audit_backlog_limit=8192 vsyscall=none page_poison=1 slub_debug=P

Bash remediation uses grubby (taken from HTML report):

```bash
# Remediation is applicable only in certain platforms
# (not inside a container, and only when grub2-common is installed)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then

    # Add the argument to the command line of every installed kernel
    grubby --update-kernel=ALL --args=page_poison=1

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

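To show what the quoted evidence actually says, here is an added Python check (not the project's OVAL nor any ComplianceAsCode code) that mirrors the two checks above: it pulls the `root=...` tail of every `/vmlinuz` line out of grub.cfg with the same pattern the OVAL object uses, and looks for the argument in `GRUB_CMDLINE_LINUX` and `GRUB_CMDLINE_LINUX_DEFAULT` of /etc/default/grub. The sample inputs are constructed, abbreviated from the lines quoted in this issue.

```python
import re

# Pattern the OVAL object on this page uses to extract the kernel command line from grub.cfg.
KERNEL_LINE = re.compile(r"^.*/vmlinuz.*(root=.*)$")

# Constructed sample input, abbreviated from the OVAL results quoted in this issue.
GRUB_CFG = """\
menuentry 'Red Hat Enterprise Linux Server (3.10.0-1160.el7.x86_64)' {
    linux16 /vmlinuz-3.10.0-1160.el7.x86_64 root=/dev/mapper/VolGroup-LogVol06 ro rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 vsyscall=none page_poison=1 slub_debug=P LANG=en_US.UTF-8
    initrd16 /initramfs-3.10.0-1160.el7.x86_64.img
}
menuentry 'Red Hat Enterprise Linux Server (0-rescue)' {
    linux16 /vmlinuz-0-rescue-83aca812e23e49d99eba9c2c4abdda01 root=/dev/mapper/VolGroup-LogVol06 ro rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 vsyscall=none page_poison=1 slub_debug=P
}
"""
DEFAULT_GRUB = 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="rhgb quiet console=ttyS0 rd.shell=0 fips=1"\n'


def has_arg(cmdline, arg):
    """True when arg is present as a whole token: slub_debug=P matches, slub_debug=PZ does not."""
    return re.search(r"(?:^|\s)" + re.escape(arg) + r"(?:\s|$)", cmdline) is not None


def check_grub_cfg(grub_cfg_text, arg):
    """Every kernel entry in grub.cfg must carry arg. Returns (passed, command lines missing it)."""
    cmdlines = [m.group(1) for m in map(KERNEL_LINE.match, grub_cfg_text.splitlines()) if m]
    missing = [c for c in cmdlines if not has_arg(c, arg)]
    return bool(cmdlines) and not missing, missing


def check_default_grub(default_grub_text, arg):
    """Whether arg is set in each GRUB_CMDLINE_LINUX* variable of /etc/default/grub."""
    result = {}
    for var in ("GRUB_CMDLINE_LINUX", "GRUB_CMDLINE_LINUX_DEFAULT"):
        m = re.search(r'^\s*' + var + r'="(.*)"$', default_grub_text, re.MULTILINE)
        result[var] = m is not None and has_arg(m.group(1), arg)
    return result


if __name__ == "__main__":
    for arg in ("audit=1", "page_poison=1", "slub_debug=P"):
        ok, missing = check_grub_cfg(GRUB_CFG, arg)
        print(f"{arg}: grub.cfg {'pass' if ok else 'fail'}, "
              f"/etc/default/grub {check_default_grub(DEFAULT_GRUB, arg)}")
```

On the sample input every grub.cfg entry carries the argument (grubby wrote it there), while neither GRUB_CMDLINE_LINUX variable in /etc/default/grub does, which is the part of the OVAL result that genuinely has nothing to match.
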
lenox-joseph commented 2 years ago

Is this detect and remediate in the Anaconda environment?

I've been running DISA STIG (which has some GRUB rules in it) and remediating during firstboot and I don't think I've run into issues post-remediation.

mildas commented 2 years ago

@lenox-joseph It fails during remediations but also after next boot when the parameters should already be applied.

It doesn't occur on RHEL 7.9 STIG because there are no grub2 argument rules. Only these grub2 rules are there: grub2_admin_username, grub2_password, grub2_uefi_admin_username, grub2_uefi_password, grub2_enable_fips_mode, and grub2_no_removeable_media.

yuumasato commented 2 years ago

@lenox-joseph This bug was introduced in https://github.com/ComplianceAsCode/content/pull/8180 and is not yet part of any release. So, unless you are using not yet released bits, you should not be facing this issue.