Bug
Resolution: Duplicate
rhel-8.10
rhel-sst-security-compliance
ssg_security
What were you trying to do that didn't work?
The rule grub2_audit_argument incorrectly expects that kernel command-line arguments in /boot/loader/entries/*conf files are only defined through the $kernelopts variable. This is not the case, as kernel command-line arguments can also be listed explicitly in these configuration files without using the $kernelopts variable.
Also, when one runs grubby --info=ALL, it replaces the $kernelopts variable in /boot/loader/entries/*conf files with its contents (defined in /boot/grub2/grubenv).
Therefore, we need to update the OVAL check of the grub2_bootloader_argument template to look for the specific option directly in /boot/loader/entries/*conf files when the $kernelopts variable is not found there.
Example of what the OVAL check expects:
# cat /boot/loader/entries/134ff6d5833342f28b78fb553833bfe5-4.18.0-536.el8.x86_64.conf
...
options $kernelopts $tuned_params
...
Example of what is still valid, but not expected by the OVAL check (kernel parameters listed explicitly, no $kernelopts variable):
# cat /boot/loader/entries/134ff6d5833342f28b78fb553833bfe5-4.18.0-536.el8.x86_64.conf
...
options root=/dev/mapper/rhel_sheep--44-root ro console=tty0 elevator=noop crashkernel=auto rd.lvm.lv=rhel_sheep-44/root rd.lvm.lv=rhel_sheep-44/swap console=ttyS0 $tuned_params net.ifnames=0 audit=1
...
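As an added illustration (not code from this report or from the scap-security-guide project), a Python check that does what grubby --info=ALL does before matching: it expands $var tokens in the options line from grubenv and only then looks for audit=1, so both forms shown above (the $kernelopts form and the explicitly listed form) are recognised. The sample entry and grubenv contents are constructed, and the function names (parse_grubenv, entry_options, expand_options, has_argument, check_entries) are chosen here.

```python
import re
from pathlib import Path

# Constructed sample inputs modelled on the report (not copied from a real system).
ENTRY_KERNELOPTS = "title RHEL\nversion 4.18.0-536.el8.x86_64\noptions $kernelopts $tuned_params\n"
ENTRY_EXPLICIT = ("title RHEL\nversion 4.18.0-536.el8.x86_64\n"
                  "options root=/dev/mapper/rhel_sheep--44-root ro console=tty0 "
                  "$tuned_params net.ifnames=0 audit=1\n")
GRUBENV = ("# GRUB Environment Block\n"
           "kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto audit=1\n"
           "tuned_params=\n")

def parse_grubenv(text):
    """Return the key=value pairs of a grubenv block, skipping comments and '#' padding."""
    env = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key] = value
    return env

def entry_options(entry_text):
    """Return the value of the 'options' line of a BLS entry, or '' if there is none."""
    for line in entry_text.splitlines():
        if line.startswith("options "):
            return line[len("options "):]
    return ""

def expand_options(options, env):
    """Substitute $var tokens from grubenv (undefined vars expand to nothing); normalise spaces."""
    expanded = re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), options)
    return " ".join(expanded.split())

def has_argument(entry_text, grubenv_text, name, value=None):
    """True if the expanded kernel command line carries name (and, if given, name=value)."""
    cmdline = expand_options(entry_options(entry_text), parse_grubenv(grubenv_text))
    for token in cmdline.split():
        key, _, val = token.partition("=")
        if key == name and (value is None or val == value):
            return True
    return False

def check_entries(entries_dir="/boot/loader/entries", grubenv="/boot/grub2/grubenv",
                  name="audit", value="1"):
    """On a real host: map each BLS entry file to whether it carries the argument (all must be True)."""
    env_text = Path(grubenv).read_text()
    return {p.name: has_argument(p.read_text(), env_text, name, value)
            for p in sorted(Path(entries_dir).glob("*.conf"))}

if __name__ == "__main__":
    # Both forms from the report are detected once $kernelopts is expanded before matching.
    print(has_argument(ENTRY_KERNELOPTS, GRUBENV, "audit", "1"),
          has_argument(ENTRY_EXPLICIT, GRUBENV, "audit", "1"))
```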
Please provide the package NVR for which the bug is seen:
scap-security-guide-0.1.69-2.el8
How reproducible:
deterministic
Steps to reproduce
- Upgrade RHEL-7.9 system to RHEL-8.10
- Harden upgraded RHEL-8.10 system to PCI-DSS profile
Expected results
Remediating rule grub2_audit_argument produces error result.
Actual results
Remediating rule grub2_audit_argument produces fixed result.
Duplicates: RHEL-53365 STIG xccdf_org.ssgproject.content_rule_grub2_audit_argument check fails if none of the entries in /boot/loader/entries uses $kernelopts, even if the options do include audit=1 (Closed)