Back to bug 2228445
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Red Hat Bugzilla | 2023-08-02 12:10:20 UTC | Pool ID | sst_security_compliance_rhel_8 | |
| Red Hat One Jira (issues.redhat.com) | 2023-08-02 12:22:29 UTC | Link ID | Red Hat Issue Tracker RHELPLAN-164140 | |
| Milan Lysonek | 2023-08-02 14:00:40 UTC | Doc Text | Cause: Default permissions of uefi files were not accepted and where not possible to be changed via chmod when /boot/efi was using a vfat file system. Consequence: The file_permissions_efi_user_cfg rule was failing and the remediation was ineffective. Fix: Allow the "0700" permission for files in /boot/efi instead of only "0600". "0700" is the default permission and is accepted by CIS, so the assessment and remediation are not better aligned to CIS. Result: The file_permissions_efi_user_cfg rule should no longer fail if /boot/efi is mounted using the default permissions. | |
| | | Doc Type | If docs needed, set a value | Bug Fix |
| Vojtech Polasek | 2023-08-04 07:24:14 UTC | Status | NEW | POST |
| Matus Marhefka | 2023-08-09 11:04:40 UTC | Fixed In Version | scap-security-guide-0.1.69-1.el8_6 | |
| | | Status | POST | MODIFIED |
| errata-xmlrpc | 2023-08-10 10:00:46 UTC | Status | MODIFIED | ON_QA |
| Milan Lysonek | 2023-08-14 13:23:05 UTC | QA Contact | qe-baseos-security | mlysonek |
| | | Doc Text | Cause: Default permissions of uefi files were not accepted and where not possible to be changed via chmod when /boot/efi was using a vfat file system. Consequence: The file_permissions_efi_user_cfg rule was failing and the remediation was ineffective. Fix: Allow the "0700" permission for files in /boot/efi instead of only "0600". "0700" is the default permission and is accepted by CIS, so the assessment and remediation are not better aligned to CIS. Result: The file_permissions_efi_user_cfg rule should no longer fail if /boot/efi is mounted using the default permissions. | Cause: Default permissions of uefi files were not accepted and were not possible to be changed via chmod when /boot/efi was using a vfat file system. Consequence: The file_permissions_efi_user_cfg rule was failing and the remediation was ineffective. Fix: Allow the "0700" permission for files in /boot/efi instead of only "0600". "0700" is the default permission and is accepted by CIS, so the assessment and remediation are now better aligned to CIS. Result: The file_permissions_efi_user_cfg rule should no longer fail if /boot/efi is mounted using the default permissions. |
| | | Status | ON_QA | VERIFIED |