Bug 2184487

Summary: CIS profile flags the permissions on /boot/efi/EFI/redhat/user.cfg, but the permissions cannot be changed as directed
Product: Red Hat Enterprise Linux 8
Reporter: Lark Gordon <lagordon>
Component: scap-security-guide
Assignee: Marcus Burghardt <maburgha>
Status: CLOSED ERRATA
QA Contact: Milan Lysonek <mlysonek>
Severity: medium
Docs Contact: Petr Hybl <phybl>
Priority: unspecified
Version: 8.7
CC: dbodnarc, ggasparb, jcerny, jjaburek, libin.babu, maburgha, matyc, maynord.rosales, mhaicman, mjahoda, mlysonek, peter.vreman, vpolasek, wsato
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Bug Fix
Doc Text:
.The `file_permissions_efi_user_cfg` SCAP rule no longer fails when `/boot/efi` is mounted

Previously, the default permissions of UEFI files were not accepted. Therefore, it was not possible to change the permissions with the `chmod` command when the `/boot/efi` partition used a virtual file allocation table (VFAT) file system. Consequently, the `file_permissions_efi_user_cfg` rule failed. This update changes the default permissions from `0600` to `0700`. Because the `0700` permission is also accepted by CIS, the assessment and remediation are now better aligned with CIS profiles.
Story Points: ---
Clone Of:
Clones: 2228443 2228445
Environment:
Last Closed: 2023-11-14 15:36:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2228443, 2228445

Description Lark Gordon 2023-04-04 20:33:40 UTC
Description of problem:
Oscap scans using the CIS profile will fail on the rule xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg if a grub user is configured. 

The default file permissions for files in /boot/efi is 700 and can't be changed due to the default umask for vfat filesystems. 

Version-Release number of selected component (if applicable):

openscap-1.3.6-5.el8_7.x86_64
openscap-scanner-1.3.6-5.el8_7.x86_64
scap-security-guide-0.1.66-2.el8_7.noarch

How reproducible:
Every time when scanning with the CIS profile on UEFI systems which have a grub password set.

Steps to Reproduce:
1. Create a grub password on a UEFI system

    grub2-setpassword

2. Scan system with the xccdf_org.ssgproject.content_profile_cis_server_l1 profile
3. Rule xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg will fail 

Actual results:

Title   Verify /boot/efi/EFI/redhat/user.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
Ident   CCE-86028-8
Result  fail

Suggested remediation is a chmod: 

$ sudo chmod 600 /boot/efi/EFI/redhat/user.cfg

Expected results:

Either the user.cfg permissions should not be marked as a finding because they are the defaults, or the remediation should mention that the umask must be changed in /etc/fstab before the permissions can be changed.

Additional info:

Comment 3 Maynord Rosales 2023-05-12 15:33:35 UTC
Hello Lark/ Red Hat Engineering team - 

We had this same problem while working on a server with RHEL8.7 OS in our environment and even after following the suggested remediation shown in the OpenSCAP report the permissions will not be updated, see the following attempts:

	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# stat  /boot/efi/EFI/redhat/user.cfg | grep Access
	Access: (0700/-rwx------)  Uid: (    0/    root)   Gid: (    0/    root)
	Access: 2023-04-19 04:00:00.000000000 +0400
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# chmod -v 0600  /boot/efi/EFI/redhat/user.cfg
	mode of '/boot/efi/EFI/redhat/user.cfg' changed from 0700 (rwx------) to 0600 (rw-------)
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# stat  /boot/efi/EFI/redhat/user.cfg | grep Access
	Access: (0700/-rwx------)  Uid: (    0/    root)   Gid: (    0/    root)
	Access: 2023-04-19 04:00:00.000000000 +0400
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# chmod -v 0600  /boot/efi/EFI/redhat/user.cfg
	mode of '/boot/efi/EFI/redhat/user.cfg' changed from 0700 (rwx------) to 0600 (rw-------)
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]#


Usually /boot/efi partitions are vfat and therefore chmod will have no effect when attempting to change the permissions from the Linux terminal:

Comment 4 Maynord Rosales 2023-05-12 15:57:02 UTC
----------------------------------------------------
ERRATA: Please delete my previous post as it was an incomplete version of my collaboration for this Bugzilla case.
----------------------------------------------------




Here is the right edition:
----------------------------------------------------

Hello Lark/ Red Hat Engineering team - 

We had this same problem while working on a server with RHEL8.7 OS Hardening for our environments. From the Anaconda installer we selected the CIS-Server-Level1 profile and the problem was not there until we set the GRUB password right after the OS installation.


We used OpenSCAP to get an HTML report for the CIS scoring. The item CCE-86028-8 was shown as Failed and it was complaining about the user.cfg permissions on the /boot/efi partition. After following the suggested remediation shown in the OpenSCAP report, the permissions were not updated; see the following attempts:

	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# stat  /boot/efi/EFI/redhat/user.cfg | grep Access
	Access: (0700/-rwx------)  Uid: (    0/    root)   Gid: (    0/    root)
	Access: 2023-04-19 04:00:00.000000000 +0400
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# chmod -v 0600  /boot/efi/EFI/redhat/user.cfg
	mode of '/boot/efi/EFI/redhat/user.cfg' changed from 0700 (rwx------) to 0600 (rw-------)
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# stat  /boot/efi/EFI/redhat/user.cfg | grep Access
	Access: (0700/-rwx------)  Uid: (    0/    root)   Gid: (    0/    root)
	Access: 2023-04-19 04:00:00.000000000 +0400
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# chmod -v 0600  /boot/efi/EFI/redhat/user.cfg
	mode of '/boot/efi/EFI/redhat/user.cfg' changed from 0700 (rwx------) to 0600 (rw-------)
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]#


Usually /boot/efi partitions are in VFAT format and therefore the "chmod" command will not have any effect when attempting to change the permissions from the Linux terminal. The VFAT file system does not support Unix-style permissions managed by "chmod". In order to modify the permissions of files or directories on a VFAT partition in Linux, you need to set the umask value in the mount options to specify the default permissions applied when the partition is mounted at boot.




So, for our specific case, after updating the umask value to 0177 for the EFI partition in the /etc/fstab file and then rebooting, the problem was successfully solved for us:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root@rhel8-template ~]# grep umask /etc/fstab
UUID=F6D5-1CD7          /boot/efi               vfat    defaults,umask=0177,shortname=winnt,uid=0,gid=0 0 2
[root@rhel8-template ~]#  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



I generated another OpenSCAP evaluation report and the report shows this item in GREEN. The issue is not present anymore:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# grep -w CCE-86028-8 -B3 -A2 cis-validations-output-11-May-2023_14hrs_53mins.txt
Title   Verify /boot/efi/EFI/redhat/user.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
Ident   CCE-86028-8
Result  pass
#
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I hope the permanent fix comes from future Red Hat 8 Releases. I'm not certain if the same situation will occur on Red Hat Enterprise Linux version 9. I will do a test later.

Maynord.
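The behaviour seen in the two comments above (chmod -v reports a change, stat still shows 0700, and only a umask=0177 mount option produces 0600) follows from how the Linux vfat driver derives and sanitizes modes. The script below is an added illustration, not code from this bug report, from scap-security-guide or from the kernel: it models the driver's two rules in Python (every regular file is shown as 0777 & ~fmask, and a chmod is kept only if it fits that mask, otherwise it is dropped silently while chmod still reports success) and uses them to decide, for a given path and required mode, whether chmod can satisfy the check or the fstab entry must change. The /proc/mounts lines are constructed samples; the device names are made up, and the fallback umask of 022 when no mask option is present is an assumption. It also covers the 0700 case that the Doc Text describes as the fixed rule expectation.

```python
"""Why chmod cannot satisfy a mode finding on a vfat /boot/efi, and what does.

Added example (not code from the bug report, scap-security-guide or the kernel).
It models two rules of the Linux vfat driver: every regular file's mode is derived
from the fmask/umask mount option, and a chmod is accepted only when it fits that
mask; otherwise the kernel discards it silently and chmod still reports success.
"""

# Constructed sample of /proc/mounts content; devices are made up.
SAMPLE_MOUNTS_DEFAULT = """\
/dev/vda2 / xfs rw,relatime 0 0
/dev/vda1 /boot/efi vfat rw,relatime,umask=0077,shortname=winnt,uid=0,gid=0 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
# Same system after changing the fstab entry to umask=0177 and remounting.
SAMPLE_MOUNTS_FIXED = SAMPLE_MOUNTS_DEFAULT.replace("umask=0077", "umask=0177")

RX_BITS = 0o555  # read and execute bits for user, group and other
W_BITS = 0o222   # write bits for user, group and other


def parse_mounts(text):
    """Parse /proc/mounts style lines into dicts with an options mapping."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        options = {}
        for opt in parts[3].split(","):
            key, _, value = opt.partition("=")
            options[key] = value if value else True
        entries.append({"source": parts[0], "target": parts[1],
                        "fstype": parts[2], "options": options})
    return entries


def find_mount(entries, path):
    """Pick the mount whose target is the longest prefix of path."""
    best = None
    for entry in entries:
        target = entry["target"]
        if path == target or path.startswith(target.rstrip("/") + "/"):
            if best is None or len(target) > len(best["target"]):
                best = entry
    return best


def vfat_fmask(options):
    """Effective file mask: fmask, else umask, else (assumption) a mount-time umask of 022."""
    umask = int(options["umask"], 8) if "umask" in options else 0o022
    return int(options["fmask"], 8) if "fmask" in options else umask


def vfat_file_mode(fmask):
    """A regular file on vfat is always presented as 0777 & ~fmask."""
    return 0o777 & ~fmask


def vfat_chmod(current_mode, requested_mode, fmask):
    """Model of the driver's mode sanitizing for a regular file; returns the resulting mode.

    All r/x bits allowed by the mask must stay set, and the w bits must be either all
    present (as far as the mask allows) or all absent (that maps to the DOS read-only
    attribute). Any other request is discarded and the file keeps its current mode.
    """
    perm = requested_mode & 0o777 & ~fmask
    if (perm & RX_BITS) != (current_mode & RX_BITS):
        return current_mode
    allowed_w = W_BITS & ~fmask
    if (perm & W_BITS) and (perm & W_BITS) != allowed_w:
        return current_mode
    return perm


def umask_for_mode(mode):
    """Mount option that makes every file appear with exactly `mode` (0600 -> umask=0177)."""
    return 0o777 & ~mode


def assess(mounts_text, path, required_mode):
    """Decide whether `chmod required_mode path` can satisfy the check or the mount must change."""
    mount = find_mount(parse_mounts(mounts_text), path)
    if mount is None:
        raise ValueError(f"no mount found for {path}")
    if mount["fstype"] != "vfat":
        return {"fstype": mount["fstype"], "chmod_works": True,
                "remedy": f"chmod {required_mode:04o} {path}"}
    fmask = vfat_fmask(mount["options"])
    current = vfat_file_mode(fmask)
    works = vfat_chmod(current, required_mode, fmask) == required_mode
    if works:
        remedy = "already compliant" if current == required_mode else f"chmod {required_mode:04o} {path}"
    else:
        remedy = (f"chmod is silently ignored; set umask={umask_for_mode(required_mode):04o} "
                  f"on {mount['target']} in /etc/fstab and remount (or reboot)")
    return {"fstype": "vfat", "mount": mount["target"], "current_mode": current,
            "chmod_works": works, "remedy": remedy}


if __name__ == "__main__":
    target = "/boot/efi/EFI/redhat/user.cfg"
    for label, mounts in (("default", SAMPLE_MOUNTS_DEFAULT), ("umask=0177", SAMPLE_MOUNTS_FIXED)):
        r = assess(mounts, target, 0o600)
        print(f"{label}: current {r['current_mode']:04o}, chmod works: {r['chmod_works']}, {r['remedy']}")
```

Run against the default sample, the script reports the file at 0700 and tells you that chmod 0600 will be ignored and umask=0177 is needed, which is exactly the fix applied in the comment above; against the fixed sample it reports 0600 and compliance; and asked for 0700 on the default mount it reports the file already compliant, which is why changing the rule's expectation resolves the finding without touching the mount.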

Comment 8 Jan Černý 2023-07-20 12:29:04 UTC
A fix has been merged upstream by https://github.com/ComplianceAsCode/content/pull/10884

Comment 23 errata-xmlrpc 2023-11-14 15:36:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7056