RHEL-53365

STIG xccdf_org.ssgproject.content_rule_grub2_audit_argument check fails if none of the entries in /boot/loader/entries uses $kernelopts, even if the options do include audit=1

    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Critical
    • rhel-8.10.z
    • rhel-8.10
    • scap-security-guide
    • scap-security-guide-0.1.75-1.el8
    • Moderate
    • rhel-sst-security-compliance
    • ssg_security
    • x86_64

      What were you trying to do that didn't work?

      1. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_grub2_audit_argument /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

      Please provide the package NVR for which the bug is seen:

      openscap-1.3.10-2.el8_9.x86_64
      scap-workbench-1.2.0-8.el8.x86_64
      openscap-engine-sce-1.3.10-2.el8_9.x86_64
      scap-security-guide-0.1.73-1.el8_10.noarch
      openscap-scanner-1.3.10-2.el8_9.x86_64
      openscap-utils-1.3.10-2.el8_9.x86_64

      Also reproducible with:

      openscap-1.3.8-1.el8_8.x86_64
      openscap-scanner-1.3.8-1.el8_8.x86_64
      perl-Pod-Escapes-1.07-395.el8.noarch
      scap-security-guide-0.1.72-2.el8_9.noarch

      How reproducible:

      Only reproducible if none of the /boot/loader/entries use $kernelopts. Even if only one kernel has "options $kernelopts", the scan passes.

      Steps to reproduce

      1. Edit /boot/loader/entries/* so that each kernel has its own options instead of using $kernelopts to pull from grubenv. For example:

        # cat /boot/loader/entries/cfa40fec9f7043c3831ac397fd713d94-4.18.0-553.8.1.el8_10.x86_64.conf
        title Red Hat Enterprise Linux (4.18.0-553.8.1.el8_10.x86_64) 8.10 (Ootpa)
        version 4.18.0-553.8.1.el8_10.x86_64
        linux /vmlinuz-4.18.0-553.8.1.el8_10.x86_64
        initrd /initramfs-4.18.0-553.8.1.el8_10.x86_64.img $tuned_initrd
        options kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet audit=1 $tuned_params
        id rhel-20240614075900-4.18.0-553.8.1.el8_10.x86_64
        grub_users $grub_users
        grub_arg --unrestricted
        grub_class kernel

      2. The options still include audit=1.
      3. Scan for the xccdf_org.ssgproject.content_rule_grub2_audit_argument rule in the STIG profile (xccdf_org.ssgproject.content_profile_stig):

        # oscap xccdf eval --verbose INFO --report kernelopts3.html --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_grub2_audit_argument /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

      4. The check fails:

        # oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --rule xccdf_org.ssgproject.content_rule_grub2_audit_argument /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

        --- Starting Evaluation ---

        Title   Enable Auditing for Processes Which Start Prior to the Audit Daemon
        Rule    xccdf_org.ssgproject.content_rule_grub2_audit_argument
        Ident   CCE-80825-3
        Result  fail

      Expected results

      The oscap scan should fail only if the kernel options actually do not include audit=1.

      Actual results

      The scan only passes if audit=1 exists in /etc/default/grub and the grubenv files, and only if at least one kernel entry in /boot/loader/entries has "options $kernelopts" instead of all the kernels having their own boot options. 
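To show what an entry-aware version of this check looks like, here is an added example in Python (not the SSG OVAL check, its bash remediation, or any OpenSCAP code): it resolves $kernelopts from grubenv the way GRUB's BLS loader does and then judges every entry by its own effective command line, so an entry carrying its own options with audit=1 passes. The grubenv block and the three entries are constructed samples; the first entry's options line is abridged from the one shown above.

```python
"""Entry-aware audit=1 check for BLS boot entries (added example, not SSG code).
Expands $var references from grubenv, then tests each entry's effective command
line, so entries that do not use $kernelopts are judged by their own options."""
import re

# Constructed grubenv in GRUB's key=value block format ('#' lines are padding).
GRUBENV = """# GRUB Environment Block
kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto rhgb quiet audit=1
saved_entry=rhel-20240614075900-4.18.0-553.8.1.el8_10.x86_64
"""
ENTRIES = {  # constructed; the first 'options' line is abridged from the report
    "own-options": "title RHEL 8.10\noptions kernelopts=root=/dev/mapper/rhel-root ro "
                   "crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet audit=1 $tuned_params\n",
    "uses-kernelopts": "title rescue\noptions $kernelopts\n",
    "no-audit": "title old\noptions root=/dev/sda1 ro quiet\n",
}

def parse_grubenv(text):
    """Return grubenv variables; comment/padding lines starting with '#' are skipped."""
    env = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        env[key] = value
    return env

def bls_options(entry_text):
    """Return the raw 'options' value of a BLS entry ('' if the key is absent)."""
    for line in entry_text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "options":
            return value
    return ""

def effective_cmdline(entry_text, env):
    """Expand $var references from grubenv; an unset variable expands to nothing."""
    return re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), bls_options(entry_text))

def has_audit(cmdline):
    """True when the last audit= token is audit=1 (a later kernel parameter overrides an earlier one)."""
    value = None
    for token in cmdline.split():
        if token.startswith("audit="):
            value = token[len("audit="):]
    return value == "1"

def check_entries(entries, grubenv_text):
    """Map entry name -> whether that entry boots with audit=1."""
    env = parse_grubenv(grubenv_text)
    return {name: has_audit(effective_cmdline(text, env)) for name, text in entries.items()}
```

Point the same functions at the real files (each /boot/loader/entries/*.conf and /boot/grub2/grubenv) to audit an installed system; the rule should then pass only when every entry reports True.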

              People: Vojtech Polasek, Kaitlin Gordon, Milan Lysonek