Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1987231

Summary: Rule grub2_uefi_password fails detect that password was set
Product: Red Hat Enterprise Linux 9 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: scap-security-guideAssignee: Watson Yuuma Sato <wsato>
Status: CLOSED CURRENTRELEASE QA Contact: Matus Marhefka <mmarhefk>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: fmartine, ggasparb, jjaburek, jpazdziora, matyc, mhaicman, vpolasek
Target Milestone: betaKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: scap-security-guide-0.1.57-3.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-07 21:42:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2021-07-29 09:23:21 UTC 
Description of problem:

Rule xccdf_org.ssgproject.content_rule_grub2_uefi_password fails with xccdf_org.ssgproject.content_profile_ospp but running --remediate does not fix the failure.

Version-Release number of selected component (if applicable):

scap-security-guide-0.1.57-1.gitdae5726.el9.noarch
openscap-scanner-1.3.5-5.el9.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp --rule xccdf_org.ssgproject.content_rule_grub2_uefi_password /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

Actual results:

WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL9.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL9.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Title   Set the UEFI Boot Loader Password
Rule    xccdf_org.ssgproject.content_rule_grub2_uefi_password
Ident   CCE-88654-9
Result  fail


 --- Starting Remediation ---
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL9.xml file which is referenced from XCCDF content
Title   Set the UEFI Boot Loader Password
Rule    xccdf_org.ssgproject.content_rule_grub2_uefi_password
Ident   CCE-88654-9
Result  fail

Expected results:

Remediation passes.

Additional info:
Comment 2 Gabriel Gaspar Becker 2021-07-29 10:36:30 UTC 
This rule doesn't have a remediation since it means it would have to set a password.
Comment 3 Jan Pazdziora (Red Hat) 2021-07-30 10:21:25 UTC 
Fair point.

However the rule currently also fails to detect when RHEL 9 is provisioned with kickstart saying

   bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 pti=on vsyscall=none" --iscrypted --password=grub.pbkdf2.sha512.10000.3A8BA0AB351ADA8FAD49BC54A8730AD53F67EA1762E99DF4881FD2FF9CD2A361623DB0AA6FF31A8C0E9731EB60ACA8AE7B2E870BE5D2B9E2CA7DE2EC2A013B3D.4161020F9952809D4F0BF6E0B40795283673769E869B74C52EF2FBFE751A5B0F2B149B409922D6EB1073ABEC531696F92AA8B8A5A7CA2F575D3BBBDA0BFC1A98

which seems to put the value to

# cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.3A8BA0AB351ADA8FAD49BC54A8730AD53F67EA1762E99DF4881FD2FF9CD2A361623DB0AA6FF31A8C0E9731EB60ACA8AE7B2E870BE5D2B9E2CA7DE2EC2A013B3D.4161020F9952809D4F0BF6E0B40795283673769E869B74C52EF2FBFE751A5B0F2B149B409922D6EB1073ABEC531696F92AA8B8A5A7CA2F575D3BBBDA0BFC1A98

Would you like a separate bugzilla for that, or can we turn this one without the --remediate part?
Comment 5 Jan Pazdziora (Red Hat) 2021-08-03 08:01:44 UTC 
As mentioned in comment 3, not having remediation is fine ... but on RHEL 9 the rule does not seem to correctly detect that the password has been set via the kickstart. Would you like a separate bugzilla for that, or can we turn this one into the failing evaluation (no --remediate)?
Comment 11 Matěj Týč 2021-08-16 12:17:13 UTC 
https://github.com/ComplianceAsCode/content/pull/7335
Comment 25 Jan Pazdziora (Red Hat) 2021-11-08 09:48:45 UTC 
The Description text of the xccdf_org.ssgproject.content_rule_grub2_uefi_password still seems wrong. It says

  Once the superuser password has been added, update the grub.cfg file by running:

    grub2-mkconfig -o /boot/grub2/grub.cfg

However, that does not seem to be needed at all, at least per https://access.redhat.com/solutions/4575381 and per testing the behaviour on both RHEL 8 and RHEL 9 where the password_pbkdf2 root ${GRUB2_PASSWORD} is there always, just wrapped in

if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi

Would you like separate bugzilla for getting that Description fixed, or would you prefer to address it via this bugzilla?