Bug 1569425 - False positive rule violation when bootloader password is set for C2S for Red Hat Enterprise Linux 7 profile
Summary: False positive rule violation when bootloader password is set for C2S for Red...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.0
Hardware: x86_64
OS: Linux
Target Milestone: pre-dev-freeze
: ---
Assignee: Watson Yuuma Sato
QA Contact: BaseOS QE Security Team
Depends On:
TreeView+ depends on / blocked
Reported: 2018-04-19 09:22 UTC by Sagar Lutade
Modified: 2018-05-18 11:45 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-18 11:45:28 UTC
Target Upstream Version:

Attachments (Terms of Use)
error_screenshot (40.57 KB, image/png)
2018-04-19 09:23 UTC, Sagar Lutade
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1576874 0 high CLOSED Satellite 6.3: Scap client scan for RHEL7 system installed with 'grub-efi' (System firmware UEFI) always shows results ... 2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Article) 3440311 0 None None None 2018-05-15 06:30:27 UTC

Internal Links: 1576874

Description Sagar Lutade 2018-04-19 09:22:12 UTC
Description of problem:

>> Default RHEL 7 scap policy not working as expected.

>> Set Boot Loader Password for a host is not working as expected.
 Shows as Items found violating "/boot/grub2/grub.cfg does not exists"
 But the file seems to be present and with correct permissions.

Version-Release number of selected component (if applicable):
>> openscap-1.2.16-6.el7.x86_64

How reproducible:
>> Create a new scap policy with profile:C2S for Red Hat Enterprise Linux 7.

Steps to Reproduce:
1.Create a new policy.
2.Assign to the host.
3.Run the compliance report.

Actual results:
>> It shows risk of high severity "xccdf_org.ssgproject.content".

Expected results:
It should not show the severity as the bootloader password is set.

Additional info:

Comment 1 Sagar Lutade 2018-04-19 09:23:38 UTC
Created attachment 1423971 [details]

Comment 2 Ondřej Pražák 2018-04-19 11:05:49 UTC
Thank you for reporting this, however this is not a problem with Sat6 but rather how openscap evaluates the given rule. Therefore I will move this to a different component.

Comment 4 Ondřej Pražák 2018-05-15 06:30:28 UTC
*** Bug 1576874 has been marked as a duplicate of this bug. ***

Comment 5 Watson Yuuma Sato 2018-05-18 11:36:43 UTC

I see in SOS report that "superusers" in /boot/grub2/grub.cf is set to "root", and although Rule "bootloader_password" recommends to not use common names as superuser (i.e. root, admin, administrator), it is actually required that they are not root, nor admin nor administrator.

Please, try to set a different superuser account name, and scan again.

Comment 6 Watson Yuuma Sato 2018-05-18 11:45:28 UTC
I'm closing this, if the problem persists, please reopen.

Note You need to log in before you can comment on or make changes to this bug.