Description of problem:

Oscap scans using the CIS profile will fail on the rule xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg if a grub user is configured. The default file permissions for files in /boot/efi is 700 and can't be changed due to the default umask for vfat filesystems.

Version-Release number of selected component (if applicable):

openscap-1.3.6-5.el8_7.x86_64
openscap-scanner-1.3.6-5.el8_7.x86_64
scap-security-guide-0.1.66-2.el8_7.noarch

How reproducible:

Every time when scanning with the CIS profile on UEFI systems which have a grub password set.

Steps to Reproduce:
1. Create a grub password on a UEFI system: grub2-setpassword
2. Scan system with the xccdf_org.ssgproject.content_profile_cis_server_l1 profile
3. Rule xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg will fail

Actual results:

Title   Verify /boot/efi/EFI/redhat/user.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
Ident   CCE-86028-8
Result  fail

Suggested remediation is a chmod:

$ sudo chmod 600 /boot/efi/EFI/redhat/user.cfg

Expected results:

Either the user.cfg permissions should not be marked as a finding because they are the defaults, or the remediation should mention that the umask must be changed in /etc/fstab before the permissions can be changed.

Additional info:
----------------------------------------------------
ERRATA: Please delete my previous post as it was an incomplete version of my collaboration for this Bugzilla case.
----------------------------------------------------
Here is the right edition:
----------------------------------------------------

Hello Lark/ Red Hat Engineering team -

We had this same problem while working on a server with RHEL8.7 OS Hardening for our environments. From the Anaconda installer we selected the CIS-Server-Level1 profile and the problem was not there until we set the GRUB password right after the OS installation. We used OpenSCAP to get an HTML report for the CIS Scoring. The item CCE-86028-8 was shown as Failed and it was complaining about user.cfg Permissions into the /boot/efi partition.

After following the suggested remediation shown in the OpenSCAP report the permissions will not be updated, see the following attempts:

[root@rhel8-template .cis-validations]# ls -l /boot/efi/EFI/redhat/user.cfg
-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
[root@rhel8-template .cis-validations]#
[root@rhel8-template .cis-validations]# stat /boot/efi/EFI/redhat/user.cfg | grep Access
Access: (0700/-rwx------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2023-04-19 04:00:00.000000000 +0400
[root@rhel8-template .cis-validations]#
[root@rhel8-template .cis-validations]# chmod -v 0600 /boot/efi/EFI/redhat/user.cfg
mode of '/boot/efi/EFI/redhat/user.cfg' changed from 0700 (rwx------) to 0600 (rw-------)
[root@rhel8-template .cis-validations]#
[root@rhel8-template .cis-validations]#
[root@rhel8-template .cis-validations]# stat /boot/efi/EFI/redhat/user.cfg | grep Access
Access: (0700/-rwx------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2023-04-19 04:00:00.000000000 +0400
[root@rhel8-template .cis-validations]#
[root@rhel8-template .cis-validations]# ls -l /boot/efi/EFI/redhat/user.cfg
-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
[root@rhel8-template .cis-validations]#
[root@rhel8-template .cis-validations]# chmod -v 0600 /boot/efi/EFI/redhat/user.cfg
mode of '/boot/efi/EFI/redhat/user.cfg' changed from 0700 (rwx------) to 0600 (rw-------)
[root@rhel8-template .cis-validations]#
[root@rhel8-template .cis-validations]#
[root@rhel8-template .cis-validations]# ls -l /boot/efi/EFI/redhat/user.cfg
-rwx------. 1 root root 298 Apr 19 15:59 /boot/efi/EFI/redhat/user.cfg
[root@rhel8-template .cis-validations]#

Usually /boot/efi partitions are in VFAT format and therefore the "chmod" command will not have any effect when attempting to change the permissions from the Linux Terminal. The VFAT file system does not support Unix-style permissions managed by "chmod". In order to modify the permissions of files or directories on a VFAT partition in Linux, it will be needed to set the umask value from the mount options to specify default permissions when the partition is mounted in the boot up.

So, for our specific case, after updating the umask value to 0177 for the EFI partition into /etc/fstab file, and then reboot, the problem was successfully solved for us:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root@rhel8-template ~]# grep umask /etc/fstab
UUID=F6D5-1CD7 /boot/efi vfat defaults,umask=0177,shortname=winnt,uid=0,gid=0 0 2
[root@rhel8-template ~]#
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I fetched again another OpenSCAP Evaluation report and the report shows this item in GREEN color. The issue is not present anymore:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# grep -w CCE-86028-8 -B3 -A2 cis-validations-output-11-May-2023_14hrs_53mins.txt
Title   Verify /boot/efi/EFI/redhat/user.cfg Permissions
Rule    xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
Ident   CCE-86028-8
Result  pass
#
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I hope the permanent fix comes from future Red Hat 8 Releases. I'm not certain if the same situation will occur on Red Hat Enterprise Linux version 9. I will do a test later.

Maynord.
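The mechanism behind both the bug description and the comment above is that on a vfat mount the mode of every file is derived from the mount options (umask, or the finer-grained fmask/dmask the kernel's vfat driver also accepts), not from chmod. The following POSIX sh script is an added example, not part of this Bugzilla report or of the ComplianceAsCode/SSG content: it computes the effective file and directory modes from an fstab option string, tells you whether user.cfg could ever satisfy a 0600 check under those options, and prints the fstab line rewritten with umask=0177 as the commenter did. The fstab text it reads is a constructed sample embedded in the script, so it runs offline; the 022 fallback when no mask is given is an assumption (the kernel actually uses the mounting process's umask), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: predict vfat file modes from mount options and propose the
# fstab remediation for file_permissions_efi_user_cfg. Not from the original page.

# Constructed sample /etc/fstab (not from a real host); the EFI line mirrors the
# RHEL layout shown in the comment above, with the pre-fix umask=077.
FSTAB_SAMPLE='# constructed sample fstab
UUID=11111111-2222-3333-4444-555555555555 / xfs defaults 0 0
UUID=F6D5-1CD7 /boot/efi vfat defaults,umask=077,shortname=winnt,uid=0,gid=0 0 2'

# Print the mask that applies to $2 (fmask or dmask): the specific key wins over
# umask=; 022 is an assumed fallback when neither is present.
vfat_mask() {
    opts=$1; key=$2; mask=022
    old_ifs=$IFS; IFS=,
    for opt in $opts; do
        case $opt in umask=*) mask=${opt#umask=} ;; esac
    done
    for opt in $opts; do
        case $opt in ${key}=*) mask=${opt#*=} ;; esac
    done
    IFS=$old_ifs
    printf '%s\n' "$mask"
}

# Effective mode of a regular file / directory on the mount: 0777 & ~mask.
vfat_file_mode() { printf '%04o\n' $(( 0777 & ~0$(vfat_mask "$1" fmask) )); }
vfat_dir_mode()  { printf '%04o\n' $(( 0777 & ~0$(vfat_mask "$1" dmask) )); }

# True when the mode has no bits outside rw for the owner (what the rule's
# "chmod 600" remediation is asking for).
mode_at_most_0600() { [ $(( 0$1 & ~0600 & 0777 )) -eq 0 ]; }

# First non-comment fstab line whose mount point is /boot/efi.
efi_fstab_line() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/boot/efi" { print; exit }'
}

# Drop any existing umask/fmask/dmask and append umask=0177, as in the comment.
remediate_opts() {
    old_ifs=$IFS; IFS=,; new=
    for opt in $1; do
        case $opt in
            umask=*|fmask=*|dmask=*) ;;
            *) new="${new:+$new,}$opt" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "${new:+$new,}umask=0177"
}

# Rebuild a six-field fstab line with its options field remediated.
remediated_fstab_line() {
    set -- $1
    printf '%s %s %s %s %s %s\n' "$1" "$2" "$3" "$(remediate_opts "$4")" "$5" "$6"
}

# Stand-alone run against the constructed sample.
line=$(efi_fstab_line "$FSTAB_SAMPLE")
opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
mode=$(vfat_file_mode "$opts")
printf 'files on /boot/efi currently get mode %s (dirs %s)\n' "$mode" "$(vfat_dir_mode "$opts")"
if mode_at_most_0600 "$mode"; then
    echo "user.cfg can satisfy the 0600 check with these mount options"
else
    echo "chmod cannot fix this on vfat; suggested /etc/fstab line (then reboot or remount):"
    remediated_fstab_line "$line"
fi
```

Because umask= also governs directories, umask=0177 leaves the EFI directories without the execute bit; root still traverses them, but if that matters for your layout, fmask=0177 with a separate dmask=077 keeps files at 0600 and directories at 0700, and the script's vfat_dir_mode shows that split.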
A fix has been merged upstream by https://github.com/ComplianceAsCode/content/pull/10884