Bug 1722237
| Field | Value |
|---|---|
| Summary | bootloader options on C2S show "notchecked" even when manually selected with a tailoring file |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Ryan Mullett <rmullett> |
| Component | scap-security-guide |
| Assignee | Vojtech Polasek <vpolasek> |
| Status | CLOSED ERRATA |
| QA Contact | Matus Marhefka <mmarhefk> |
| Severity | medium |
| Priority | medium |
| Version | 7.6 |
| CC | ggasparb, matyc, mhaicman, openscap-maint, wsato |
| Target Milestone | rc |
| Flags | lcervako: mirror+ |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | scap-security-guide-0.1.49-1.el7 |
| Doc Type | No Doc Update |
| Story Points | --- |
| Last Closed | 2020-09-29 19:52:12 UTC |
| Type | Bug |
| Regression | --- |
| Attachments | 1582359 (tailoring file used during testing) |
Description (comment #0, Ryan Mullett):

Created attachment 1582359
Tailoring file used during the testing listed in initial description

Description of problem:
When using the C2S profile shipped with scap-security-guide, all of the grub2/bootloader options on the C2S profile show "notchecked" even when manually selecting only those options via a tailoring file.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.40-13.el7_6.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install scap-security-guide
2. Attempt to scan with scap-security-guide

Actual results:

Title   Set Boot Loader Password in grub2
Rule    xccdf_org.ssgproject.content_rule_grub2_password
Ident   CCE-27309-4
Result  fail

Title   Verify /boot/grub2/grub.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
Ident   CCE-27054-6
Result  notchecked

Title   Verify /boot/grub2/grub.cfg User Ownership
Rule    xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
Ident   CCE-26860-7
Result  notchecked

Title   Set the UEFI Boot Loader Password
Rule    xccdf_org.ssgproject.content_rule_grub2_uefi_password
Ident   CCE-80354-4
Result  pass

Title   Boat Loader Is Not Installed On Removeable Media
Rule    xccdf_org.ssgproject.content_rule_grub2_no_removeable_media
Ident   CCE-80517-6
Result  notchecked

Title   Verify /boot/efi/EFI/redhat/grub.cfg Group Ownership
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
Result  notchecked

Title   Verify /boot/grub2/grub.cfg Group Ownership
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
Ident   CCE-26812-8
Result  notchecked

Title   UEFI Boat Loader Is Not Installed On Removeable Media
Rule    xccdf_org.ssgproject.content_rule_uefi_no_removeable_media
Ident   CCE-80518-4
Result  notchecked

Title   Verify /boot/efi/EFI/redhat/grub.cfg User Ownership
Rule    xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
Result  notchecked

Title   Verify /boot/efi/EFI/redhat/grub.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
Result  fail

Expected results:
The "Result" sections will not show "notchecked" and will actually show the proper result from the scan.

Additional info:
Tailoring file attached. Whether the tailoring file is used or not, I am getting the same result, but this makes it a bit quicker to test rather than running through a full check. Attempting to scan only individual grub2/bootloader components had the same result of showing "notchecked" without any reasoning as to why it doesn't actually get checked during the scanning.

Reply:

Hello Ryan,

(In reply to Ryan Mullett from comment #0)
> Title   Verify /boot/grub2/grub.cfg Permissions
> Rule    xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
> Ident   CCE-27054-6
> Result  notchecked
>
> Title   Verify /boot/efi/EFI/redhat/grub.cfg Group Ownership
> Rule    xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
> Result  notchecked
>
> Title   Verify /boot/grub2/grub.cfg Group Ownership
> Rule    xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
> Ident   CCE-26812-8
> Result  notchecked
>
> Title   Verify /boot/efi/EFI/redhat/grub.cfg User Ownership
> Rule    xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
> Result  notchecked
>
> Title   Verify /boot/grub2/grub.cfg User Ownership
> Rule    xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
> Ident   CCE-26860-7
> Result  notchecked

The 5 rules above don't have an OVAL check in 7.6 (scap-security-guide-0.1.40). In 7.7 these checks will be available (scap-security-guide-0.1.43).

> Title   Boat Loader Is Not Installed On Removeable Media
> Rule    xccdf_org.ssgproject.content_rule_grub2_no_removeable_media
> Ident   CCE-80517-6
> Result  notchecked
>
> Title   UEFI Boat Loader Is Not Installed On Removeable Media
> Rule    xccdf_org.ssgproject.content_rule_uefi_no_removeable_media
> Ident   CCE-80518-4
> Result  notchecked

These 2 rules don't have a check implemented.

> Expected results:
> The "Result" sections will not show "notchecked" and will actually show the
> proper result from the scan
>
> Additional info:
> Tailoring file attached. Whether the tailoring file is used or not, I am
> getting the same result, but this makes it a bit quicker to test rather than
> running through a full check. Attempting to scan only individual
> grub2/bootloader components had the same result of showing "notchecked"
> without any reasoning as to why it doesn't actually get checked during the
> scanning.

When a rule results in "notchecked" it usually means that there is no OVAL check for the rule. Some info about this can be found here: https://static.open-scap.org/openscap-1.2/oscap_user_manual.html#_check_engines

Fixed upstream in https://github.com/ComplianceAsCode/content/pull/5178

Errata closure:

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3909
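Added example, not part of this bug report or of scap-security-guide: a POSIX shell check that assesses what the grub.cfg permission, owner and group-owner rules above describe (owner root, group root, mode 0600 or stricter) and reports it in XCCDF result vocabulary, so a host can be verified while a profile version still returns "notchecked" for those rules. It assumes GNU stat (-c); ownership is compared by numeric id and defaults to uid 0 / gid 0, and "notchecked" here just means the file is absent (for example the UEFI path on a BIOS-booted host), a different cause than the missing OVAL check the bug describes.

```shell
#!/bin/sh
# Added example (not SSG's OVAL content): check a grub.cfg the way the
# file_permissions_grub2_cfg / file_owner_grub2_cfg /
# file_groupowner_grub2_cfg rules are described: owned by root:root
# and no permission bits beyond u+rw (0600 or stricter).
# Assumes GNU stat. Prints an XCCDF-style result and returns
# 0 for pass, 1 for fail, 2 for notchecked (file absent).

# usage: check_grub_cfg PATH [UID] [GID]   (uid/gid default to 0)
check_grub_cfg() {
    file=$1
    want_uid=${2:-0}
    want_gid=${3:-0}

    if [ ! -e "$file" ]; then
        # e.g. /boot/efi/EFI/redhat/grub.cfg on a BIOS-booted host
        echo notchecked
        return 2
    fi

    mode=$(stat -c '%a' "$file")   # octal without leading zero, e.g. 600
    uid=$(stat -c '%u' "$file")
    gid=$(stat -c '%g' "$file")

    result=pass
    [ "$uid" = "$want_uid" ] || result=fail
    [ "$gid" = "$want_gid" ] || result=fail
    # 07177 masks setuid/setgid/sticky, u+x and every group/other bit;
    # any of them set means the file is looser than 0600.
    [ $(( 0$mode & 07177 )) -eq 0 ] || result=fail

    echo "$result"
    [ "$result" = pass ]
}

# Report both paths the bug report lists, in the scan's Title/Result style.
report_grub_cfg() {
    for f in /boot/grub2/grub.cfg /boot/efi/EFI/redhat/grub.cfg; do
        printf 'Title   Verify %s Permissions and Ownership\nResult  %s\n\n' \
            "$f" "$(check_grub_cfg "$f" || true)"
    done
}

report_grub_cfg
```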