Bug 2184487 - CIS profile flags the permissions on /boot/efi/EFI/redhat/user.cfg, but the permissions cannot be changed as directed
Summary: CIS profile flags the permissions on /boot/efi/EFI/redhat/user.cfg, but the p...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: scap-security-guide
Version: 8.7
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Marcus Burghardt
QA Contact: Milan Lysonek
Docs Contact: Petr Hybl
URL:
Whiteboard:
Depends On:
Blocks: 2228443 2228445
Reported: 2023-04-04 20:33 UTC by Lark Gordon
Modified: 2023-11-14 17:08 UTC (History)

Fixed In Version: scap-security-guide-0.1.69-1.el8
Doc Type: Bug Fix
Doc Text:
.The `file_permissions_efi_user_cfg` SCAP rule no longer fails when `/boot/efi` is mounted

Previously, the default permissions of UEFI files were not accepted. Therefore, it was not possible to change the permissions with the `chmod` command when the `/boot/efi` partition used a virtual file allocation table (VFAT) file system. Consequently, the `file_permissions_efi_user_cfg` rule failed. This update changes the default permissions from `0600` to `0700`. Because the `0700` permission is also accepted by CIS, the assessment and remediation are now better aligned with CIS profiles.
Clone Of:
Clones: 2228443 2228445 (view as bug list)
Environment:
Last Closed: 2023-11-14 15:36:38 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-154037 0 None None None 2023-04-04 20:34:57 UTC
Red Hat Product Errata RHBA-2023:7056 0 None None None 2023-11-14 15:37:30 UTC

Description Lark Gordon 2023-04-04 20:33:40 UTC
Description of problem:
Oscap scans using the CIS profile will fail on the rule xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg if a grub user is configured. 

The default file permissions for files in /boot/efi is 700 and can't be changed due to the default umask for vfat filesystems. 

Version-Release number of selected component (if applicable):

openscap-1.3.6-5.el8_7.x86_64
openscap-scanner-1.3.6-5.el8_7.x86_64
scap-security-guide-0.1.66-2.el8_7.noarch

How reproducible:
Every time when scanning with the CIS profile on UEFI systems which have a grub password set.

Steps to Reproduce:
1. Create a grub password on a UEFI system

    grub2-setpassword

2. Scan system with the xccdf_org.ssgproject.content_profile_cis_server_l1 profile
3. Rule xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg will fail 

Actual results:

Title   Verify /boot/efi/EFI/redhat/user.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
Ident   CCE-86028-8
Result  fail

Suggested remediation is a chmod: 

$ sudo chmod 600 /boot/efi/EFI/redhat/user.cfg

Expected results:

Either the user.cfg permissions should not be marked as a finding because they are the defaults, or the remediation should mention that the umask must be changed in /etc/fstab before the permissions can be changed.

Additional info:

Comment 3 Maynord Rosales 2023-05-12 15:33:35 UTC
Hello Lark/ Red Hat Engineering team - 

We had this same problem while working on a server with RHEL8.7 OS in our environment and even after following the suggested remediation shown in the OpenSCAP report the permissions will not be updated, see the following attempts:

	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# stat  /boot/efi/EFI/redhat/user.cfg | grep Access
	Access: (0700/-rwx------)  Uid: (    0/    root)   Gid: (    0/    root)
	Access: 2023-04-19 04:00:00.000000000 +0400
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# chmod -v 0600  /boot/efi/EFI/redhat/user.cfg
	mode of '/boot/efi/EFI/redhat/user.cfg' changed from 0700 (rwx------) to 0600 (rw-------)
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# stat  /boot/efi/EFI/redhat/user.cfg | grep Access
	Access: (0700/-rwx------)  Uid: (    0/    root)   Gid: (    0/    root)
	Access: 2023-04-19 04:00:00.000000000 +0400
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# chmod -v 0600  /boot/efi/EFI/redhat/user.cfg
	mode of '/boot/efi/EFI/redhat/user.cfg' changed from 0700 (rwx------) to 0600 (rw-------)
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]#


Usually /boot/efi partitions are vfat and therefore chmod will have no effect when attempting to change the permissions from the Linux Terminal:

Comment 4 Maynord Rosales 2023-05-12 15:57:02 UTC
----------------------------------------------------
ERRATA: Please delete my previous post as it was an incomplete version of my collaboration for this Bugzilla case.
----------------------------------------------------




Here is the right edition:
----------------------------------------------------

Hello Lark/ Red Hat Engineering team - 

We had this same problem while working on a server with RHEL8.7 OS Hardening for our environments. From the Anaconda installer we selected the CIS-Server-Level1 profile and the problem was not there until we set the GRUB password right after the OS installation.


We used OpenSCAP to get an HTML report for the CIS Scoring. The item CCE-86028-8 was shown as Failed and it was complaining about user.cfg Permissions into the /boot/efi partition. After following the suggested remediation shown in the OpenSCAP report the permissions will not be updated, see the following attempts:

	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# stat  /boot/efi/EFI/redhat/user.cfg | grep Access
	Access: (0700/-rwx------)  Uid: (    0/    root)   Gid: (    0/    root)
	Access: 2023-04-19 04:00:00.000000000 +0400
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# chmod -v 0600  /boot/efi/EFI/redhat/user.cfg
	mode of '/boot/efi/EFI/redhat/user.cfg' changed from 0700 (rwx------) to 0600 (rw-------)
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# stat  /boot/efi/EFI/redhat/user.cfg | grep Access
	Access: (0700/-rwx------)  Uid: (    0/    root)   Gid: (    0/    root)
	Access: 2023-04-19 04:00:00.000000000 +0400
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# chmod -v 0600  /boot/efi/EFI/redhat/user.cfg
	mode of '/boot/efi/EFI/redhat/user.cfg' changed from 0700 (rwx------) to 0600 (rw-------)
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# 
	[root@rhel8-template .cis-validations]# ls -l  /boot/efi/EFI/redhat/user.cfg
	-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
	[root@rhel8-template .cis-validations]#


Usually /boot/efi partitions are in VFAT format and therefore the "chmod" command will not have any effect when attempting to change the permissions from the Linux Terminal.  The VFAT file system does not support Unix-style permissions managed by "chmod". In order to modify the permissions of files or directories on a VFAT partition in Linux, it is necessary to set the umask value in the mount options to specify the default permissions applied when the partition is mounted at boot.




So, for our specific case, after updating the umask value to 0177 for the EFI partition in the /etc/fstab file and then rebooting, the problem was successfully solved for us:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root@rhel8-template ~]# grep umask /etc/fstab
UUID=F6D5-1CD7          /boot/efi               vfat    defaults,umask=0177,shortname=winnt,uid=0,gid=0 0 2
[root@rhel8-template ~]#  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



I fetched another OpenSCAP Evaluation report and the report shows this item in GREEN color. The issue is not present anymore:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# grep -w CCE-86028-8 -B3 -A2 cis-validations-output-11-May-2023_14hrs_53mins.txt
Title   Verify /boot/efi/EFI/redhat/user.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
Ident   CCE-86028-8
Result  pass
#
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I hope the permanent fix comes from future Red Hat 8 Releases. I'm not certain if the same situation will occur on Red Hat Enterprise Linux version 9. I will do a test later.

Maynord.
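The workaround above works because a vfat mount has no per-file mode bits: every regular file is presented with a mode derived from the mount's umask option, and chmod cannot move a file away from it. The following POSIX shell script is an added example, not part of this bug report and not code from scap-security-guide. It derives the mode a vfat file will show from a given umask, extracts the umask option from an fstab entry for /boot/efi, and checks the resulting mode against the most permissive mode a file-permissions rule accepts (0600 before the fix in this bug, 0700 after it). The fstab lines it feeds itself are constructed, the UUID is a placeholder, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report or scap-security-guide): given the
# umask= option of a vfat mount, derive the mode the kernel will present for
# regular files, and check an fstab entry for /boot/efi against the most
# permissive mode a file-permissions rule accepts. Function names are mine.

# vfat stores no POSIX mode bits. Without fmask/dmask the kernel presents
# every regular file as 0777 & ~umask, so umask=0077 gives 0700 and
# umask=0177 gives 0600; chmod cannot make a file deviate from that.
vfat_file_mode() {
    printf '%04o' $(( 0777 & ~0$1 ))
}

# Print the value of the umask= option on the non-comment fstab line that
# mounts the given directory (default /boot/efi) as vfat; print nothing if
# the line or the option is absent.
efi_umask_from_fstab() {
    awk -v mp="${2:-/boot/efi}" '
        $1 !~ /^#/ && $2 == mp && $3 == "vfat" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (sub(/^umask=/, "", opts[i])) print opts[i]
        }' "$1"
}

# Succeed when mode $1 sets no permission bit outside the allowed mode $2
# (both octal): a "no more permissive than" comparison, so 0600 is within
# 0700 but 0700 is not within 0600.
mode_within() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# Report the mode files on the EFI partition will show and whether it
# satisfies a rule that allows at most mode $2.
# Returns 0 (accepted), 1 (rejected) or 2 (no umask option found).
check_efi_user_cfg_mode() {
    um=$(efi_umask_from_fstab "$1")
    if [ -z "$um" ]; then
        echo "no umask= option on the vfat /boot/efi entry" >&2
        return 2
    fi
    mode=$(vfat_file_mode "$um")
    if mode_within "$mode" "$2"; then
        echo "umask=$um -> files show as $mode: within $2, rule passes"
        return 0
    fi
    echo "umask=$um -> files show as $mode: exceeds $2, rule fails" >&2
    return 1
}

# Demo on constructed fstab lines (placeholder UUID): the installer's
# default umask=0077 entry and the umask=0177 workaround from the report,
# each checked against the pre-fix (0600) and post-fix (0700) allowed modes.
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
for opts in 'defaults,umask=0077,shortname=winnt' \
            'defaults,umask=0177,shortname=winnt,uid=0,gid=0'; do
    printf 'UUID=XXXX-XXXX /boot/efi vfat %s 0 2\n' "$opts" > "$tmp"
    for allowed in 0600 0700; do
        check_efi_user_cfg_mode "$tmp" "$allowed" || true
    done
done
```

Run against the real file with `check_efi_user_cfg_mode /etc/fstab 0700` to predict the rule's verdict before a scan. The demo reproduces the page's story: the default umask=0077 entry yields 0700 files, which the pre-fix rule (0600) rejects and the post-fix rule (0700) accepts, while umask=0177 yields 0600 files that both accept. Note that the umask in fstab only takes effect after the partition is remounted, which is why the report above needed a reboot.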

Comment 8 Jan Černý 2023-07-20 12:29:04 UTC
A fix has been merged upstream by https://github.com/ComplianceAsCode/content/pull/10884

Comment 23 errata-xmlrpc 2023-11-14 15:36:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (scap-security-guide bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7056

