Closed mildas closed 2 years ago
Is this detect and remediate in the Anaconda environment?
I've been running DISA STIG (which has some GRUB rules in it) and remediating during firstboot and I don't think I've run into issues post-remediation.
@lenox-joseph It fails during remediations but also after next boot when the parameters should already be applied.
It doesn't occur in the RHEL 7.9 STIG because there are no grub2 argument rules. Only these grub2 rules are there: `grub2_admin_username`, `grub2_password`, `grub2_uefi_admin_username`, `grub2_uefi_password`, `grub2_enable_fips_mode`, and `grub2_no_removeable_media`.
@lenox-joseph This bug was introduced in https://github.com/ComplianceAsCode/content/pull/8180 and is not yet part of any release. So, unless you are using not yet released bits, you should not be facing this issue.
Description of problem:
All grub2 argument rules fail after kickstart installations. The most affected profile is OSPP as it has the biggest portion of grub2 argument rules:
SCAP Security Guide Version:
4bca873
Operating System Version:
RHEL 7.9
Steps to Reproduce:
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_ospp --report xccdf_org.ssgproject.content_profile_ospp.html ssg-rhel7-ds.xml
Actual Results:
grub2 rules fail
Expected Results:
All grub2 rules pass
Additional Information/Debugging Steps:
Example of OVAL results - grub2_slub_debug_argument

check kernel command line parameters for slub_debug=P in /boot/grub2/grub.cfg for all kernels failed because of these items:

| Path | Content |
| -- | -- |
| /boot/grub2/grub.cfg | linux16 /vmlinuz-3.10.0-1160.el7.x86_64 root=/dev/mapper/VolGroup-LogVol06 ro rhgb quiet rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap console=ttyS0 rd.shell=0 fips=1 boot=UUID=078b3f81-e34b-497f-8f11-db5e65a956b1 audit=1 audit_backlog_limit=8192 vsyscall=none page_poison=1 slub_debug=P LANG=en_US.UTF-8 |
| /boot/grub2/grub.cfg | linux16 /vmlinuz-0-rescue-83aca812e23e49d99eba9c2c4abdda01 root=/dev/mapper/VolGroup-LogVol06 ro rhgb quiet rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap console=ttyS0 rd.shell=0 fips=1 boot=UUID=078b3f81-e34b-497f-8f11-db5e65a956b1 audit=1 audit_backlog_limit=8192 vsyscall=none page_poison=1 slub_debug=P |

check kernel command line parameters for slub_debug=P in /boot/efi/EFI/redhat/grub.cfg for all kernels failed because these items were missing:

Object oval:ssg-object_grub2_slub_debug_argument_grub_cfg_uefi:obj:1 of type textfilecontent54_object

| Filepath | Pattern | Instance |
| -- | -- | -- |
| /boot/efi/EFI/redhat/grub.cfg | ^.*/vmlinuz.*(root=.*)$ | 1 |

check for slub_debug=P in /etc/default/grub via GRUB_CMDLINE_LINUX failed because of these items:

| Path | Content |
| -- | -- |
| /etc/default/grub | GRUB_CMDLINE_LINUX="rhgb quiet rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap console=ttyS0 rd.shell=0 fips=1 boot=UUID=078b3f81-e34b-497f-8f11-db5e65a956b1" |

check for slub_debug=P in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT failed because these items were missing:

Object oval:ssg-object_grub2_slub_debug_argument_default:obj:1 of type textfilecontent54_object

| Filepath | Pattern | Instance |
| -- | -- | -- |
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |

See the OVAL result, it's basically the same for all grub2 parameter rules. Notice the "check kernel command line parameters for page_poison=1 in /boot/grub2/grub.cfg for all kernels" fail - result is fail, but the line has the parameter configured:

Bash remediation uses `grubby` (taken from HTML report):
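Added example (not from this issue or from the ComplianceAsCode content): a stand-alone script that mirrors the two textfilecontent54 patterns quoted in the OVAL result above and runs them over the grub.cfg and /etc/default/grub lines from the report, embedded here as constructed samples. It assumes the BIOS grub.cfg object uses the same pattern as the UEFI one and that the GRUB_CMDLINE_LINUX pattern is the analogue of the quoted GRUB_CMDLINE_LINUX_DEFAULT one; it reports each location separately and does not reproduce how OVAL combines them into the rule result.

```python
import re

# Constructed samples reproducing the lines quoted in the OVAL result above.
GRUB_CFG = (
    "\tlinux16 /vmlinuz-3.10.0-1160.el7.x86_64 root=/dev/mapper/VolGroup-LogVol06 ro rhgb quiet "
    "rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap console=ttyS0 rd.shell=0 fips=1 "
    "boot=UUID=078b3f81-e34b-497f-8f11-db5e65a956b1 audit=1 audit_backlog_limit=8192 vsyscall=none "
    "page_poison=1 slub_debug=P LANG=en_US.UTF-8\n"
    "\tlinux16 /vmlinuz-0-rescue-83aca812e23e49d99eba9c2c4abdda01 root=/dev/mapper/VolGroup-LogVol06 "
    "ro rhgb quiet rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap console=ttyS0 rd.shell=0 "
    "fips=1 boot=UUID=078b3f81-e34b-497f-8f11-db5e65a956b1 audit=1 audit_backlog_limit=8192 "
    "vsyscall=none page_poison=1 slub_debug=P\n"
)
DEFAULT_GRUB = (
    'GRUB_CMDLINE_LINUX="rhgb quiet rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap '
    'console=ttyS0 rd.shell=0 fips=1 boot=UUID=078b3f81-e34b-497f-8f11-db5e65a956b1"\n'
)

# Pattern quoted in the report for the UEFI grub.cfg object (assumed identical for the BIOS object).
GRUB_CFG_PATTERN = re.compile(r"^.*/vmlinuz.*(root=.*)$", re.MULTILINE)
# Pattern quoted for GRUB_CMDLINE_LINUX_DEFAULT; the GRUB_CMDLINE_LINUX variant is assumed analogous.
DEFAULT_GRUB_PATTERN = r'^\s*%s="(.*)"$'

def has_argument(cmdline, arg):
    """True if arg (e.g. 'slub_debug=P') occurs as a whole, space-delimited token."""
    return re.search(r"(^|\s)" + re.escape(arg) + r"(\s|$)", cmdline) is not None

def check_grub_cfg(text, arg):
    """Apply the grub.cfg pattern to every kernel line; return (lines seen, lines carrying arg)."""
    captures = [m.group(1) for m in GRUB_CFG_PATTERN.finditer(text)]
    return len(captures), sum(has_argument(c, arg) for c in captures)

def check_default_grub(text, arg, variable):
    """None if the variable is absent (object missing), else whether its value carries arg."""
    m = re.search(DEFAULT_GRUB_PATTERN % variable, text, re.MULTILINE)
    return None if m is None else has_argument(m.group(1), arg)

def evaluate(grub_cfg, default_grub, arg):
    """Per-location verdicts; how OVAL combines them into the rule result is not modelled."""
    seen, matched = check_grub_cfg(grub_cfg, arg)
    return {
        "grub.cfg": seen > 0 and matched == seen,
        "GRUB_CMDLINE_LINUX": check_default_grub(default_grub, arg, "GRUB_CMDLINE_LINUX"),
        "GRUB_CMDLINE_LINUX_DEFAULT": check_default_grub(default_grub, arg, "GRUB_CMDLINE_LINUX_DEFAULT"),
    }

if __name__ == "__main__":
    print(evaluate(GRUB_CFG, DEFAULT_GRUB, "slub_debug=P"))
```

On the report's lines both grub.cfg kernel entries carry the argument while neither /etc/default/grub variable does, which is the split the OVAL output above shows.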