Make grub config handler fails on legacy BIOS hosts with /boot on LVM

[platymatt]

Describe the Issue

/usr/sbin/grub2-mkconfig --output=/boot/grub2/grub.cfg command fails on a RHEL 8.8 ec2-instance that is already FIPS enabled with the response: /usr/sbin/grub2-probe: error: failed to get canonical path ofnone'.`

It's possible that this issue is present because the server already is FIPS enabled and present as a kernel boot parameter.

Expected Behavior I expect the make grub2 config handler to succeed or be skipped if not needed.

Actual Behavior

1. The rhel8stig_bootloader_path gets captured in the PRELIM tasks

   amazon-ebs.minimal-de-rhel-8-hvm: TASK [RHEL8-STIG : PRELIM | output bootloader and efi state] *******************
   amazon-ebs.minimal-de-rhel-8-hvm: ok: [default] => {
   amazon-ebs.minimal-de-rhel-8-hvm:     "msg": [
   amazon-ebs.minimal-de-rhel-8-hvm:         "bootloader path set to /boot/grub2/",
   amazon-ebs.minimal-de-rhel-8-hvm:         "legacy boot equals True"
   amazon-ebs.minimal-de-rhel-8-hvm:     ]
   amazon-ebs.minimal-de-rhel-8-hvm: }
   amazon-ebs.minimal-de-rhel-8-hvm:

2. The handler later fails.

   amazon-ebs.minimal-de-rhel-8-hvm: RUNNING HANDLER [RHEL8-STIG : make grub2 config] *******************************
   amazon-ebs.minimal-de-rhel-8-hvm: fatal: [default]: FAILED! => {"changed": true, "cmd": "/usr/sbin/grub2-mkconfig --output=/boot/grub2//grub.cfg", "delta": "0:00:00.012089", "end": "2024-02-20 21:50:49.355068", "msg": "non-zero return code", "rc": 1, "start": "2024-02-20 21:50:49.342979", "stderr": "/usr/sbin/grub2-probe: error: failed to get canonical path of `none'.", "stderr_lines": ["/usr/sbin/grub2-probe: error: failed to get canonical path of `none'."], "stdout": "", "stdout_lines": []}

   Control(s) Affected

This affects controls that notify the handler confirm grub2 user cfg when run on a machine with BIOS and not UEFI.

• HIGH | RHEL-08-010020 | PATCH | fips=1 must be in /etc/default/grub
• MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.

Environment (please complete the following information):

• branch being used: [devel] Commit:

  commit 1640945183014c6a31d9c1d4359fb3d77d542dc8 (HEAD -> devel, origin/devel, origin/HEAD)
  Merge: f845492 52fb839
  Author: uk-bolly <mark.bollyuk@gmail.com>
  Date:   Mon Dec 11 14:05:08 2023 +0000
  
  Merge pull request #238 from ansible-lockdown/pre-commit-ci-update-config
  
  [pre-commit.ci] pre-commit autoupdate

• Ansible Version:

  [python@a501c5dc1d55 work]$ ansible --version
  ansible [core 2.14.10]
  config file = None
  configured module search path = ['/home/python/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/python/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.16 (main, Mar  8 2023, 03:23:31) [GCC 8.5.0 20210514 (Red Hat 8.5.0-16)] (/usr/local/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True

• Host Python Version: [3.9.18-1]
• Additional Details: This was run in a Packer Build on a RHEL 8.8 community AMI based on an AMI built from the SPEL repo here so it is already fips enabled.

Base Server File System details:

[root@ip-10-128-104-168 ec2-user]# df -hP
Filesystem                    Size  Used Avail Use% Mounted on
devtmpfs                      311M     0  311M   0% /dev
tmpfs                         366M     0  366M   0% /dev/shm
tmpfs                         366M  468K  365M   1% /run
tmpfs                         366M     0  366M   0% /sys/fs/cgroup
/dev/mapper/RootVG-rootVol    6.0G  2.4G  3.7G  40% /
tmpfs                         366M     0  366M   0% /tmp
/dev/mapper/RootVG-homeVol   1014M   40M  975M   4% /home
/dev/mapper/RootVG-varVol     2.0G  402M  1.6G  20% /var
/dev/mapper/RootVG-logVol     2.0G   64M  2.0G   4% /var/log
/dev/mapper/RootVG-varTmpVol  2.0G   47M  2.0G   3% /var/tmp
/dev/mapper/RootVG-auditVol   5.0G   69M  5.0G   2% /var/log/audit
tmpfs                          74M     0   74M   0% /run/user/1000
[root@ip-10-128-104-168 ec2-user]# lsblk
NAME                 MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1              259:0    0  20G  0 disk
├─nvme0n1p1          259:1    0  15M  0 part
└─nvme0n1p2          259:2    0  20G  0 part
  ├─RootVG-rootVol   253:0    0   6G  0 lvm  /
  ├─RootVG-swapVol   253:1    0   2G  0 lvm  [SWAP]
  ├─RootVG-homeVol   253:2    0   1G  0 lvm  /home
  ├─RootVG-varVol    253:3    0   2G  0 lvm  /var
  ├─RootVG-varTmpVol 253:4    0   2G  0 lvm  /var/tmp
  ├─RootVG-logVol    253:5    0   2G  0 lvm  /var/log
  └─RootVG-auditVol  253:6    0   5G  0 lvm  /var/log/audit
[root@ip-10-128-104-168 ec2-user]# cat /proc/sys/crypto/fips_enabled
1
[root@ip-10-128-104-168 ec2-user]# grub2-editenv list | grep fips
kernelopts=root=/dev/mapper/RootVG-rootVol ro root=/dev/mapper/RootVG-rootVol crashkernel=auto vconsole.keymap=us vconsole.font=latarcyrheb-sun16 console=tty0 console=ttyS0,115200n8 net.ifnames=0 fips=1

Additional Notes

• Playbook in use:

  ---
  - name: Run RHEL8-STIG role on RHEL8 Base
  hosts: "{{ instance_name | default('all') }}"
  become: true
  vars:
  system_is_ec2: true
  # CAT II
  rhel_08_020011: false # must automatically lock account after 3 failed attempts
  rhel_08_020013: false # must automatically lock account after 3 failed attempts in 15 minutes
  rhel_08_020015: false # must automatically lock account until released by admin
  rhel_08_020017: false # must ensure account lockouts persist
  rhel_08_020023: false # must include root when locking accounts
  rhel_08_020210: false # user account pw must be restricted to 60-day lifetime
  rhel_08_020250: false # must implement smart card login for multifactor auth
  rhel_08_020260: false # account identifiers must be disabled after 35 days
  rhel_08_040135: false # fapolicy must be installed
  rhel_08_040370: false # gssproxy must not be installed
  rhel_08_040136: false # fapolicy module must be enabled
  rhel_08_040137: false # fapolicy module must be configured to employ deny-all, permit-by-exception policy
  rhel_08_040110: false # wireless adapters must be disabled
  roles:
  - role: RHEL8-STIG

  Possible Solution

Skip the grub edit if fips is already configured correctly.

[platymatt]

After testing I'm still getting the same error so it may not be an issue with the double //. Still investigating.

    amazon-ebs.minimal-de-rhel-8-hvm: RUNNING HANDLER [RHEL8-STIG : make grub2 config] *******************************
    amazon-ebs.minimal-de-rhel-8-hvm: fatal: [default]: FAILED! => {"changed": true, "cmd": "/usr/sbin/grub2-mkconfig --output=/boot/grub2/grub.cfg", "delta": "0:00:00.012800", "end": "2024-02-21 21:43:08.980175", "msg": "non-zero return code", "rc": 1, "start": "2024-02-21 21:43:08.967375", "stderr": "/usr/sbin/grub2-probe: error: failed to get canonical path of `none'.", "stderr_lines": ["/usr/sbin/grub2-probe: error: failed to get canonical path of `none'."], "stdout": "", "stdout_lines": []}

[platymatt]

Still testing. I have updated the issue as it is not actually an issue with the amount of slashes and instead is a grub issue and could be related to how the instance is already configured.

[platymatt]

The issue is because the /boot partition is an LVM partition the grub tool cannot read the /boot partition causing the grub2-mkconfig command to fail.

When disabling rhel_08_010020 to get around this I get this error:

    amazon-ebs.minimal-de-rhel-8-hvm: TASK [RHEL8-STIG : HIGH | RHEL-08-010020 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=<partition> must be added to the kernel command line.] ***
    amazon-ebs.minimal-de-rhel-8-hvm: fatal: [default]: FAILED! => {"msg": "Error in jmespath.search in json_query filter plugin:\n[?mount=='{{ rhel8stig_boot_part.stdout }}'] | [0]: 'dict object' has no attribute 'stdout'. 'dict object' has no attribute 'stdout'"}

Might need to have a default variable set for the variable rhel8stig_boot_part.stdout or disabling rhel_08_010020 will still fail to complete.

[platymatt]

Closing this as the issue was the partitoned server needed a reboot before being STIG'd