Bug 1927019
| Summary: | RHEL 8.3 Install with CIS Benchmark profile boots to emergency mode on VM set to EFI. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Craig Robinson <crairobi> |
| Component: | scap-security-guide | Assignee: | Vojtech Polasek <vpolasek> |
| Status: | CLOSED ERRATA | QA Contact: | Milan Lysonek <mlysonek> |
| Severity: | medium | Docs Contact: | Jan Fiala <jafiala> |
| Priority: | high | | |
| Version: | 8.3 | CC: | ggasparb, jafiala, mhaicman, mjahoda, mlysonek, tscherf, vpolasek, wsato |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.0 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | scap-security-guide-0.1.54-3.el8 | Doc Type: | Bug Fix |

Doc Text:

.CIS-remediated systems with FAT no longer fail on boot

Previously, the Center for Internet Security (CIS) profile in the SCAP Security Guide (SSG) contained a rule which disabled loading of the kernel module responsible for access to FAT file systems. As a consequence, if SSG remediated this rule, the system could not access partitions formatted with FAT12, FAT16, and FAT32 file systems, including EFI System Partitions (ESP). This caused the systems to fail to boot. With this update, the rule has been removed from the profile. As a result, systems that use these file systems no longer fail to boot.

| Last Closed: | 2021-05-18 15:54:39 UTC | Type: | Bug |

Description
Craig Robinson
2021-02-09 20:45:12 UTC
I created a KVM instance with RHEL 8.3 using the steps provided and I got the same problem. I followed the steps in [1], but instead of /etc/modprobe.d/CIS.conf, the file was /etc/modprobe.d/vfat.conf. I commented out "install vfat /bin/true" in that file and then rebooted. The instance started without a problem.

[1] https://access.redhat.com/solutions/3119601

This is fixed upstream by dropping the rule from the CIS profile. The rule should be checked manually anyway.
https://github.com/ComplianceAsCode/content/pull/6613

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2021:1886
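
The condition described in this report can be checked before a reboot. The following is an added example, not part of the bug report or of scap-security-guide: a POSIX shell check that flags an active `install vfat /bin/true`-style rule while fstab still declares a vfat file system such as the ESP. The function names, the sample fstab contents, and the matching of `/bin/false` and `/usr/bin` paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect the condition from this bug before rebooting.

# Print active modprobe.d lines that stub out the vfat module. The report shows
# "install vfat /bin/true"; /bin/false and /usr/bin paths are matched as well.
vfat_disable_rules() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            $1 ~ /^#/ { next }   # commented-out rule, as in the workaround
            $1 == "install" && $2 == "vfat" && $3 ~ /^(\/usr)?\/bin\/(true|false)$/ {
                print file ": " $0
            }' "$f"
    done
}

# Print mount points that fstab declares as vfat (the ESP is normally one).
vfat_mounts() {
    awk '$1 ~ /^#/ || NF < 3 { next } $3 == "vfat" { print $2 }' "$1"
}

# Return 0 and print a report when vfat is disabled but still needed.
vfat_conflict() {
    rules=$(vfat_disable_rules "$1")
    mounts=$(vfat_mounts "$2")
    if [ -n "$rules" ] && [ -n "$mounts" ]; then
        printf 'vfat disabled by:\n%s\nvfat required by:\n%s\n' "$rules" "$mounts"
        return 0
    fi
    return 1
}

# Constructed sample data: a remediated EFI system like the one reported.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/modprobe.d"
    printf 'install vfat /bin/true\n' > "$d/modprobe.d/vfat.conf"
    printf '%s\n' \
        'UUID=0000-0001 /boot/efi vfat umask=0077,shortname=winnt 0 2' \
        '/dev/mapper/rhel-root / xfs defaults 0 0' > "$d/fstab"
    echo "$d"
}

# Usage: <script> <modprobe.d dir> <fstab>; with no arguments, run the sample.
if [ "$#" -eq 2 ]; then
    vfat_conflict "$1" "$2"
else
    s=$(make_sample); vfat_conflict "$s/modprobe.d" "$s/fstab"; rm -rf "$s"
fi
```

On a live system the arguments would be `/etc/modprobe.d` and `/etc/fstab`; a zero exit status means the remediated rule would leave a declared vfat file system unmountable.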