RHEL-22827: grub2_audit_argument only expects kernelopts variable in /boot/loader/entries/*conf files

    • Bug
    • Resolution: Unresolved
    • rhel-8.10
    • scap-security-guide
    • sst_security_compliance
    • ssg_security

      What were you trying to do that didn't work?

      The rule grub2_audit_argument incorrectly assumes that the kernel command-line arguments in /boot/loader/entries/*conf files are only defined through the $kernelopts variable. This is not the case: kernel command-line arguments can also be listed explicitly in these configuration files without using the $kernelopts variable.

      Also, when one runs grubby --info=ALL, it replaces the $kernelopts variable with its contents (defined in /boot/grub2/grubenv) for the /boot/loader/entries/*conf files.

      Therefore, we need to update the OVAL check of the grub2_bootloader_argument template so that it looks for the specific option directly in /boot/loader/entries/*conf files when the $kernelopts variable is not found there.

      Example of what the OVAL check expects:

      # cat /boot/loader/entries/134ff6d5833342f28b78fb553833bfe5-4.18.0-536.el8.x86_64.conf
      ...
      options  $kernelopts $tuned_params
      ...

      Example of what is still valid, but not expected by the OVAL check (kernel parameters listed explicitly, no $kernelopts variable):

      # cat /boot/loader/entries/134ff6d5833342f28b78fb553833bfe5-4.18.0-536.el8.x86_64.conf
      ...
      options root=/dev/mapper/rhel_sheep--44-root ro console=tty0 elevator=noop crashkernel=auto rd.lvm.lv=rhel_sheep-44/root rd.lvm.lv=rhel_sheep-44/swap console=ttyS0 $tuned_params net.ifnames=0 audit=1
      ...
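      As an added illustration (not code from this report or from the scap-security-guide project), the following Python check evaluates a BLS entry the way the report argues the OVAL check should: it resolves $kernelopts from grubenv when the entry uses the variable, and otherwise reads the explicitly listed options. The entry and grubenv contents are constructed samples; the helper names are assumptions.

```python
# Constructed sample inputs (not taken from the report): one BLS entry that
# uses $kernelopts, one that lists its options explicitly, one that lacks the
# audited argument, and a grubenv block that defines kernelopts.
GRUBENV = "# GRUB Environment Block\nkernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto audit=1\n"
ENTRY_INDIRECT = "title RHEL\nversion 4.18.0\noptions  $kernelopts $tuned_params\n"
ENTRY_EXPLICIT = "title RHEL\noptions root=/dev/mapper/rhel-root ro console=tty0 $tuned_params audit=1\n"
ENTRY_MISSING = "title RHEL\noptions root=/dev/mapper/rhel-root ro quiet\n"


def parse_grubenv(text):
    """Return name -> value for the key=value lines of a grubenv block."""
    env = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue  # padding and comment lines carry no variables
        name, value = line.split("=", 1)
        env[name] = value
    return env


def entry_options(text):
    """Return the tokens of the 'options' line of a BLS entry (empty if absent)."""
    for line in text.splitlines():
        parts = line.split(None, 1)  # BLS keys are separated by whitespace
        if len(parts) == 2 and parts[0] == "options":
            return parts[1].split()
    return []


def expand(tokens, env):
    """Replace $variable tokens by their grubenv contents, word-split.

    A variable that grubenv does not define (e.g. $tuned_params here) expands
    to nothing, so a missing kernelopts cannot silently satisfy the check.
    """
    effective = []
    for tok in tokens:
        if tok.startswith("$"):
            effective.extend(env.get(tok[1:], "").split())
        else:
            effective.append(tok)
    return effective


def has_argument(entry_text, grubenv_text, arg):
    """True if arg (e.g. 'audit=1') is on the entry's effective command line."""
    return arg in expand(entry_options(entry_text), parse_grubenv(grubenv_text))
```

The same function covers both forms shown above: an entry with `options $kernelopts ...` and an entry that spells out `audit=1` directly.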

      Please provide the package NVR for which bug is seen:

      scap-security-guide-0.1.69-2.el8

      How reproducible:

      deterministic

      Steps to reproduce

      1. Upgrade RHEL-7.9 system to RHEL-8.10
      2. Harden upgraded RHEL-8.10 system to PCI-DSS profile

      Expected results

      Remediating rule grub2_audit_argument produces an error result.

      Actual results

      Remediating rule grub2_audit_argument produces a fixed result.

            Vojtech Polasek (vpolasek@redhat.com), Matus Marhefka (mmarhefk@redhat.com), SSG Security QE