ansible-lockdown / RHEL8-STIG

Ansible role for Red Hat 8 STIG Baseline
https://ansible-lockdown.readthedocs.io
MIT License

rhel8stig_boot_part incorrect #298

Open mikefrompsu opened 3 months ago

mikefrompsu commented 3 months ago

Describe the Issue: The value registered for rhel8stig_boot_part in tasks/prelim.yml is incorrect, which renders the system unable to boot.

Expected Behavior: The UUID is captured and added to the GRUB_CMDLINE_LINUX line in /etc/default/grub, or skipped if the value is already correct.

Actual Behavior: "boot=UUID=boot_disk" is added to the GRUB_CMDLINE_LINUX line in /etc/default/grub.

Control(s) Affected: RHEL-08-010020 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line.

Environment (please complete the following information):

Additional Notes: Line 109 in tasks/prelim.yml grabs the third column using lsblk, but the third column is the label, not the UUID of the boot partition:

    [root@rhel8_host~]# lsblk -f
    NAME        FSTYPE LABEL     UUID          MOUNTPOINT
    nvme0n1
    ├─nvme0n1p1
    ├─nvme0n1p2 vfat   UEFI_DISK 5874-.....    /boot/efi
    ├─nvme0n1p3 xfs    boot_disk 842172a6-.... /boot

Possible Solution: Line 109 in tasks/prelim.yml:

    ansible.builtin.shell: lsblk -f | grep -E "{{ rhel8stig_boot_part.stdout }}$" | awk '{ print $4 }'

uk-bolly commented 3 weeks ago

Hi @mikefrompsu

Thank you for raising this issue; we are working through it. Investigating this further, we can see why this is occurring: not all systems have a label assigned, so the third field is giving us the UUID. Hoping to get a solution for this into the release for v1r14.

uk-bolly
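The column shift discussed in this thread, as an added example that is not the role's own code: counting whitespace fields in `lsblk -f` output picks a different cell depending on whether LABEL is populated, while the `KEY="value"` output of `lsblk -P` keeps empty cells in place. The function names (`by_column`, `by_pairs`, `is_uuid`) are hypothetical and the sample rows and UUIDs are constructed placeholders.

```shell
#!/bin/sh
# Constructed samples; the UUIDs are made-up placeholders, not values from the issue.
# Rows as `lsblk -f` prints them on a host with labels and on one without.
WITH_LABEL='nvme0n1p2 vfat UEFI_DISK AAAA-0001 /boot/efi
nvme0n1p3 xfs boot_disk 11111111-2222-3333-4444-555555555555 /boot'
NO_LABEL='nvme0n1p2 vfat AAAA-0001 /boot/efi
nvme0n1p3 xfs 11111111-2222-3333-4444-555555555555 /boot'
# The labelled host again, as `lsblk -P -o UUID,LABEL,MOUNTPOINT` prints it.
PAIRS='UUID="" LABEL="" MOUNTPOINT=""
UUID="AAAA-0001" LABEL="UEFI_DISK" MOUNTPOINT="/boot/efi"
UUID="11111111-2222-3333-4444-555555555555" LABEL="boot_disk" MOUNTPOINT="/boot"'

# Fragile: print whitespace field $3 of the row whose mount point is $2.
# Empty cells vanish when awk splits on whitespace, so the index shifts.
by_column() {
  printf '%s\n' "$1" | awk -v mp="$2" -v n="$3" '$NF == mp { print $n }'
}

# Robust: read the UUID key from KEY="value" pairs; empty cells stay as "".
by_pairs() {
  printf '%s\n' "$1" | sed -n "s|^UUID=\"\([^\"]*\)\".* MOUNTPOINT=\"$2\"\$|\1|p"
}

# Guard to run before anything is written to GRUB_CMDLINE_LINUX: accept only
# the 8-4-4-4-12 hex form or the short XXXX-XXXX form that vfat reports.
is_uuid() {
  printf '%s' "$1" | grep -Eqi \
    '^([0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}|[0-9a-f]{4}-[0-9a-f]{4})$'
}

for n in 3 4; do
  echo "field $n, labelled host:   $(by_column "$WITH_LABEL" /boot "$n")"
  echo "field $n, unlabelled host: $(by_column "$NO_LABEL" /boot "$n")"
done
echo "pairs, labelled host:      $(by_pairs "$PAIRS" /boot)"
```

Neither fixed index is right on both hosts, so a task that fails when `is_uuid` rejects the captured value stops a label or mount point from reaching the kernel command line.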