Bug 1547642
| Summary: | OVAL check for content_rule_bootloader_audit_argument uses wrong file | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matt Micene <mmicene> |
| Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> |
| Status: | CLOSED ERRATA | QA Contact: | Gabriel Gaspar Becker <ggasparb> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.5 | CC: | matyc, mhaicman, openscap-maint, vpolasek, wsato |
| Target Milestone: | rc | Flags: | lcervako:
mirror+
|
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | scap-security-guide-0.1.49-1.el7 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-09-29 19:52:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Check of this rule seem to be correct only in RHEL6. In RHEL7, grubby is used to generate grub.cfg, and it doesn't interact with the /etc/default/grub file at all. Therefore, this rule needs to be fixed for RHEL>=7 I will fix this. Verified for: scap-security-guide-0.1.49-1.el7.noarch Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3909 |
Description of problem: The remediations for content_rule_bootloader_audit_argument use grubby to update the kernel command line to enable auditing prior to audit daemon start up. The OVAL check looks for the "audit=1" argument in /etc/default/grub. grubby adds the argument to /boot/grub2/grub.cg on an x86_64 BIOS based system. Version-Release number of selected component (if applicable): scap-security-guide-0.1.36-7.el7.noarch grubby-8.28-23.el7.x86_64 How reproducible: Always Steps to Reproduce: 1. Apply bash or ansible remediation to system 2. Scan with C2S profile that has check enabled 3. Actual results: "Enable Auditing for Processes Which Start Prior to the Audit Daemon" marked as failed Expected results: "Enable Auditing for Processes Which Start Prior to the Audit Daemon" passes Additional info: I don't know if this is a recent behavior change for grubby but the man page on a RHEL 7.5 Beta system shows the following defaults for grub2 config files. These defaults are listed in the table below. ┌────────────────┬────────────┬─────────────────────────────────┐ │ Arch │ Bootloader │ Configuration File │ ├────────────────┼────────────┼─────────────────────────────────┤ │ x86_64 [BIOS] │ grub2 │ /boot/grub2/grub.cfg │ ├────────────────┼────────────┼─────────────────────────────────┤ │ x86_64 [UEFI] │ grub2 │ /boot/efi/EFI/redhat/grub.cfg │ The description and warnings (edit /etc/default/grub and rebuild grub.cfg with grub-mkconfig ) match the OVAL expectations, but not what the remediations do.