Bug 1722237 - bootloader options on C2S show "notchecked" even when manually selected with a tailoring file
Summary: bootloader options on C2S show "notchecked" even when manually selected with ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.6
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Vojtech Polasek
QA Contact: Matus Marhefka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-06-19 18:34 UTC by Ryan Mullett
Modified: 2023-12-15 16:34 UTC (History)
5 users

Fixed In Version: scap-security-guide-0.1.49-1.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-29 19:52:12 UTC
Target Upstream Version:
Embargoed:
lcervako: mirror+


Attachments
Tailoring file used during the testing listed in initial description (33.72 KB, application/xml)
2019-06-19 18:34 UTC, Ryan Mullett


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:3909 0 None None None 2020-09-29 19:52:34 UTC

Description Ryan Mullett 2019-06-19 18:34:49 UTC
Created attachment 1582359 [details]
Tailoring file used during the testing listed in initial description

Description of problem:
When using the C2S profile shipped with scap-security-guide all of the grub2/bootloader options on the C2S profile show "notchecked" even when manually selecting only those options via a tailoring file.

Version-Release number of selected component (if applicable):
scap-security-guide-0.1.40-13.el7_6.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install scap-security-guide
2. Attempt to scan with scap-security-guide

Actual results:
Title   Set Boot Loader Password in grub2
Rule    xccdf_org.ssgproject.content_rule_grub2_password
Ident   CCE-27309-4
Result  fail

Title   Verify /boot/grub2/grub.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
Ident   CCE-27054-6
Result  notchecked

Title   Verify /boot/grub2/grub.cfg User Ownership
Rule    xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
Ident   CCE-26860-7
Result  notchecked

Title   Set the UEFI Boot Loader Password
Rule    xccdf_org.ssgproject.content_rule_grub2_uefi_password
Ident   CCE-80354-4
Result  pass

Title   Boat Loader Is Not Installed On Removeable Media
Rule    xccdf_org.ssgproject.content_rule_grub2_no_removeable_media
Ident   CCE-80517-6
Result  notchecked

Title   Verify /boot/efi/EFI/redhat/grub.cfg Group Ownership
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
Result  notchecked

Title   Verify /boot/grub2/grub.cfg Group Ownership
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
Ident   CCE-26812-8
Result  notchecked

Title   UEFI Boat Loader Is Not Installed On Removeable Media
Rule    xccdf_org.ssgproject.content_rule_uefi_no_removeable_media
Ident   CCE-80518-4
Result  notchecked

Title   Verify /boot/efi/EFI/redhat/grub.cfg User Ownership
Rule    xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
Result  notchecked

Title   Verify /boot/efi/EFI/redhat/grub.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
Result  fail

Expected results:
The "Result" sections will not show "notchecked" and will actually show the proper result from the scan

Additional info:
Tailoring file attached. Whether the tailoring file is used or not, I am getting the same result, but this makes it a bit quicker to test rather than running through a full check. Attempting to scan only individual grub2/bootloader components had the same result of showing "notchecked" without any reasoning as to why it doesn't actually get checked during the scanning.

Comment 3 Watson Yuuma Sato 2019-06-21 10:08:53 UTC
Hello Ryan,

(In reply to Ryan Mullett from comment #0)
> 
> Title   Verify /boot/grub2/grub.cfg Permissions
> Rule    xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
> Ident   CCE-27054-6
> Result  notchecked

> Title   Verify /boot/efi/EFI/redhat/grub.cfg Group Ownership
> Rule    xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
> Result  notchecked

> Title   Verify /boot/grub2/grub.cfg Group Ownership
> Rule    xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
> Ident   CCE-26812-8
> Result  notchecked

> Title   Verify /boot/efi/EFI/redhat/grub.cfg User Ownership
> Rule    xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
> Result  notchecked

> Title   Verify /boot/grub2/grub.cfg User Ownership
> Rule    xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
> Ident   CCE-26860-7
> Result  notchecked

The 5 rules above don't have an OVAL check in 7.6 (scap-security-guide-0.1.40).
In 7.7 these checks will be available (scap-security-guide-0.1.43).


> Title   Boat Loader Is Not Installed On Removeable Media
> Rule    xccdf_org.ssgproject.content_rule_grub2_no_removeable_media
> Ident   CCE-80517-6
> Result  notchecked

> Title   UEFI Boat Loader Is Not Installed On Removeable Media
> Rule    xccdf_org.ssgproject.content_rule_uefi_no_removeable_media
> Ident   CCE-80518-4
> Result  notchecked

These 2 rules don't have a check implemented.


> 
> Expected results:
> The "Result" sections will not show "notchecked" and will actually show the
> proper result from the scan
> 
> Additional info:
> Tailoring file attached. Whether the tailoring file is used or not, I am
> getting the same result, but this makes it a bit quicker to test rather than
> running through a full check. Attempting to scan only individual
> grub2/bootloader components had the same result of showing "notchecked"
> without any reasoning as to why it doesn't actually get checked during the
> scanning.

When a rule results in "notchecked" it usually means that there is no OVAL check for the rule.
Some info about this can be found here: https://static.open-scap.org/openscap-1.2/oscap_user_manual.html#_check_engines
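The point made above, that "notchecked" normally means the content ships no OVAL check for the rule, can be confirmed directly from the XML rather than guessed at from the scan output. The script below is an added example, not part of this bug report or of scap-security-guide: it takes a benchmark, a tailoring file and an oscap results file, and for every rule the tailoring selects that came back "notchecked" reports whether the benchmark actually carries a `<check>` element for it. The three XML fragments are constructed, minimal XCCDF 1.2 documents that only mimic the shape of the real SSG data stream and of `oscap xccdf eval --results` output (the profile and tailoring ids are made up); the rule ids are the ones from the report above. On a real system you would feed it `/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml`, your tailoring file and the results file from the scan.

```python
"""Explain XCCDF "notchecked" results: which selected rules lack an OVAL check.

Added example, not code from the bug report or from scap-security-guide.
All XML below is constructed for the example; only the rule ids are real.
"""
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed benchmark: one rule carries an OVAL <check>, two do not.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <Rule id="xccdf_org.ssgproject.content_rule_grub2_password" selected="false">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="ssg-rhel7-oval.xml" name="oval:example-grub2_password:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" selected="false"/>
  <Rule id="xccdf_org.ssgproject.content_rule_grub2_no_removeable_media" selected="false"/>
</Benchmark>"""

# Constructed tailoring file selecting the three rules above (ids are made up).
TAILORING_XML = """<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring">
  <Profile id="xccdf_example_profile_grub2_only" extends="xccdf_org.ssgproject.content_profile_C2S">
    <select idref="xccdf_org.ssgproject.content_rule_grub2_password" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_grub2_no_removeable_media" selected="true"/>
  </Profile>
</Tailoring>"""

# Constructed TestResult mirroring the outcomes listed in the report above.
RESULTS_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult">
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg"><result>notchecked</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_no_removeable_media"><result>notchecked</result></rule-result>
</TestResult>"""


def rules_with_checks(benchmark_xml):
    """Map every Rule id to True if the rule has a <check> child, else False."""
    root = ET.fromstring(benchmark_xml)
    return {rule.get("id"): rule.find(XCCDF + "check") is not None
            for rule in root.iter(XCCDF + "Rule")}


def selected_rules(tailoring_xml):
    """Return the set of rule ids the tailoring file explicitly selects."""
    root = ET.fromstring(tailoring_xml)
    return {sel.get("idref") for sel in root.iter(XCCDF + "select")
            if sel.get("selected") == "true"}


def rule_results(results_xml):
    """Map rule id -> result string ("pass", "fail", "notchecked", ...)."""
    root = ET.fromstring(results_xml)
    return {rr.get("idref"): rr.findtext(XCCDF + "result")
            for rr in root.iter(XCCDF + "rule-result")}


def explain_notchecked(benchmark_xml, tailoring_xml, results_xml):
    """For each selected rule that came back "notchecked", give the likely reason.

    Returns {rule_id: reason}. A rule with no <check> element in the benchmark
    cannot be evaluated at all, which is the case described in this bug.
    """
    has_check = rules_with_checks(benchmark_xml)
    results = rule_results(results_xml)
    reasons = {}
    for rule_id in sorted(selected_rules(tailoring_xml)):
        if results.get(rule_id) != "notchecked":
            continue
        if rule_id not in has_check:
            reasons[rule_id] = "rule id not present in benchmark"
        elif not has_check[rule_id]:
            reasons[rule_id] = "no <check> element: content ships no OVAL check"
        else:
            # Check exists but was not run: e.g. the referenced OVAL file was
            # not found next to the XCCDF, or the check system is unsupported.
            reasons[rule_id] = "check present but not evaluated"
    return reasons


if __name__ == "__main__":
    for rule_id, why in explain_notchecked(BENCHMARK_XML, TAILORING_XML, RESULTS_XML).items():
        print(f"{rule_id}: {why}")
```

Running the example prints the two grub2 rules with "no <check> element", which is the condition the comment above describes. Once the content is updated (scap-security-guide-0.1.43 and later for these rules, per the comment), the same script over the new benchmark shows a `<check>` element for them, and a rerun of the scan should return pass or fail instead of notchecked.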

Comment 5 Vojtech Polasek 2020-02-07 12:06:47 UTC
Fixed upstream in https://github.com/ComplianceAsCode/content/pull/5178

Comment 10 errata-xmlrpc 2020-09-29 19:52:12 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3909

