grub2 argument rules are misaligned with DISA #13034

Open
4 tasks
jan-cerny opened this issue Feb 12, 2025 · 0 comments
Labels
productization-issue Issue found in upstream stabilization process. RHEL8 Red Hat Enterprise Linux 8 product related. STIG STIG Benchmark related.

Comments

@jan-cerny
Collaborator

Description of problem:

On 2025-02-12 the daily productization run showed that the following rules failed tests /scanning/disa-alignment/anaconda, /scanning/disa-alignment/ansible and /scanning/disa-alignment/oscap on RHEL 8.10:

  • grub2_pti_argument
  • grub2_vsyscall_argument
  • grub2_page_poison_argument
  • grub2_slub_debug_argument
  • grub2_audit_argument
  • grub2_audit_backlog_limit_argument

The content is misaligned with external (third-party) content that targets the same policy. Typically, this means that a system hardened by our content doesn't pass the scan by the external content.

Details:

Our rules are evaluated as pass. The corresponding DISA rules are evaluated as fail.

I think the reason is that our rules allow the kernelopts variable in /boot/loader/entries/*.conf, but their checks don't allow this and require the exact argument there.

This issue might be related to #12375.

Outcome:

  • This project's content can be improved:
    • Check needs to be improved.
    • Remediation needs to be improved.
  • The external content's check is faulty - the other party needs to be notified, they have work to do.

SCAP Security Guide Version:

current upstream master as of 2025-02-12 as of HEAD 0f151a1

External Content's Version:

V2R2
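
The difference suspected in the issue, as an added illustration (not code from this project, from the DISA content, or from the issue author): a lenient evaluation that accepts an argument supplied through `$kernelopts`, beside a strict one that requires it literally on the `options` line. The boot entries, the grubenv text, the assumption that `kernelopts` is defined in the GRUB environment block, the `audit=1` sample argument and all function names are constructed for this example.

```python
import re

# Constructed sample data, not taken from the issue or from a real system.
# Assumption: kernelopts is defined in the GRUB environment block (grubenv).
SAMPLE_GRUBENV = (
    "# GRUB Environment Block\n"
    "kernelopts=root=/dev/mapper/rhel-root ro audit=1 audit_backlog_limit=8192\n"
    "########\n"
)
SAMPLE_ENTRIES = {  # stand-ins for /boot/loader/entries/*.conf
    "variable.conf": "title RHEL 8\noptions $kernelopts $tuned_params\n",
    "literal.conf": "title RHEL 8\noptions root=/dev/mapper/rhel-root ro audit=1\n",
    "missing.conf": "title RHEL 8\noptions root=/dev/mapper/rhel-root ro\n",
}

def grubenv_vars(text):
    """Parse key=value lines, skipping the header and '#' padding."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.startswith("#"))
    return {key.strip(): value.strip() for key, value in pairs}

def options_tokens(entry_text):
    """Whitespace-separated tokens from every 'options' line of one entry."""
    tokens = []
    for line in entry_text.splitlines():
        match = re.match(r"\s*options\s+(.*)", line)
        if match:
            tokens += match.group(1).split()
    return tokens

def strict_check(entry_text, arg):
    """Pass only when the exact argument is written in the entry itself."""
    return arg in options_tokens(entry_text)

def lenient_check(entry_text, arg, env):
    """Pass when the argument is literal, or arrives via $kernelopts."""
    tokens = options_tokens(entry_text)
    if arg in tokens:
        return True
    uses_variable = any(t in ("$kernelopts", "${kernelopts}") for t in tokens)
    return uses_variable and arg in env.get("kernelopts", "").split()

def compare(arg, entries=SAMPLE_ENTRIES, grubenv=SAMPLE_GRUBENV):
    """Map each entry name to (lenient_result, strict_result)."""
    env = grubenv_vars(grubenv)
    return {name: (lenient_check(text, arg, env), strict_check(text, arg))
            for name, text in entries.items()}

if __name__ == "__main__":
    for name, (lenient, strict) in compare("audit=1").items():
        print(f"{name}: lenient={lenient} strict={strict}")
```

The entry that reports `lenient=True strict=False` is the case where two scanners with these two semantics would disagree about the same system.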
