
grub2 argument rules are misaligned with DISA

Open jan-cerny opened this issue 11 months ago • 2 comments

Description of problem:

On 2025-02-12 the daily productization run showed that the following rules failed tests /scanning/disa-alignment/anaconda, /scanning/disa-alignment/ansible and /scanning/disa-alignment/oscap on RHEL 8.10:

  • grub2_pti_argument
  • grub2_vsyscall_argument
  • grub2_page_poison_argument
  • grub2_slub_debug_argument
  • grub2_audit_argument
  • grub2_audit_backlog_limit_argument

The content is misaligned with an external (third party) content that targets the same policy - typically, this means that a system hardened by our content doesn't pass the scan by the external content.

Details:

Our rules are evaluated as pass. The corresponding DISA rules are evaluated as fail.

I think the reason is that our rules allow the kernelopts variable in /boot/loader/entries/*.conf but their checks don't allow this and require the exact argument there.

This issue might be related to https://github.com/ComplianceAsCode/content/pull/12375.

Outcome:

  • [ ] This project's content can be improved:
    • [ ] Check needs to be improved.
    • [ ] Remediation needs to be improved.
  • [ ] The external content's check is faulty - the other party needs to be notified, they have work to do.

SCAP Security Guide Version:

current upstream master as of 2025-02-12 as of HEAD 0f151a1b78273764df0d0e86a5088d089b386231

External Content's Version:

V2R2

jan-cerny avatar Feb 12 '25 10:02 jan-cerny
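The distinction the report describes, as an added example that is not part of this issue or of the ComplianceAsCode project's own checks: a BLS entry under /boot/loader/entries/ may carry the kernel arguments verbatim on its `options` line or only reference `$kernelopts`, which GRUB expands from grubenv at boot. A check that resolves `$kernelopts` sees the hardening argument; a check that requires the literal argument in the entry file does not. The BLS entries, the grubenv content and the `evaluate` helper below are constructed for illustration and are assumptions, not the actual OVAL logic of either SSG or DISA.

```python
"""
Added example (not the project's code): evaluate a kernel command-line
argument against a BLS entry two ways, literal (argument must appear verbatim
on the entry's `options` line) and resolved (`$kernelopts` expanded from
grubenv first). All input below is constructed; no real /boot is read.
"""
import re

# Constructed sample: a BLS entry that relies on $kernelopts (the RHEL default layout)
BLS_ENTRY_KERNELOPTS = """\
title Red Hat Enterprise Linux (4.18.0-553.el8_10.x86_64) 8.10 (Ootpa)
version 4.18.0-553.el8_10.x86_64
linux /vmlinuz-4.18.0-553.el8_10.x86_64
initrd /initramfs-4.18.0-553.el8_10.x86_64.img
options $kernelopts
"""

# Constructed sample: the same entry with the arguments written out verbatim
BLS_ENTRY_LITERAL = """\
title Red Hat Enterprise Linux (4.18.0-553.el8_10.x86_64) 8.10 (Ootpa)
version 4.18.0-553.el8_10.x86_64
linux /vmlinuz-4.18.0-553.el8_10.x86_64
initrd /initramfs-4.18.0-553.el8_10.x86_64.img
options root=/dev/mapper/rhel-root ro crashkernel=auto audit=1 audit_backlog_limit=8192 pti=on
"""

# Constructed sample of /boot/grub2/grubenv (hypothetical values)
GRUBENV = """\
# GRUB Environment Block
saved_entry=example-machine-id-4.18.0-553.el8_10.x86_64
kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto audit=1 audit_backlog_limit=8192 pti=on
"""


def parse_grubenv(text):
    """Return grubenv key=value pairs, ignoring the comment/padding lines."""
    env = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def bls_options(entry_text):
    """Return the raw `options` line of a BLS entry ('' if absent)."""
    for line in entry_text.splitlines():
        if line.startswith("options "):
            return line[len("options "):].strip()
    return ""


def expand_kernelopts(options, env):
    """Expand $var / ${var} references the way GRUB does from its environment block."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: env.get(m.group(1), ""), options)


def has_argument(cmdline, argument):
    """True if `argument` (e.g. 'audit=1', or a bare flag like 'ro') is set on the
    command line. Whole tokens are compared and the last occurrence of a parameter
    wins, which is how the kernel treats repeated parameters."""
    name, _, wanted = argument.partition("=")
    found = None
    for token in cmdline.split():
        tname, has_eq, tvalue = token.partition("=")
        if tname == name:
            found = tvalue if has_eq else ""
    return found is not None and found == wanted


def evaluate(entry_text, env, argument):
    """Return both verdicts for one BLS entry:
    'literal'  - argument present verbatim in the entry file (no expansion)
    'resolved' - argument present after $kernelopts is expanded from grubenv"""
    options = bls_options(entry_text)
    return {
        "literal": has_argument(options, argument),
        "resolved": has_argument(expand_kernelopts(options, env), argument),
    }


if __name__ == "__main__":
    env = parse_grubenv(GRUBENV)
    for label, entry in (("kernelopts entry", BLS_ENTRY_KERNELOPTS),
                         ("literal entry", BLS_ENTRY_LITERAL)):
        for arg in ("audit=1", "audit_backlog_limit=8192", "pti=on", "slub_debug=P"):
            print(f"{label:17} {arg:25} {evaluate(entry, env, arg)}")
```

Running it shows the two verdicts diverge only for the `$kernelopts` entry: `audit=1`, `audit_backlog_limit=8192` and `pti=on` resolve to present but are not literally in the file, while `slub_debug=P` is absent either way. A remediation that writes the argument into grubenv (or via `grubby --update-kernel=ALL --args=...`) satisfies the resolved form; only editing the entry file itself satisfies the literal form.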

I contacted DISA and suggested improvements to their content.

vojtapolasek avatar Apr 03 '25 12:04 vojtapolasek

Note that these were initially waived in Contest as RHEL-8, but grub2_slub_debug_argument started failing now on RHEL-9 too:

SSG result: pass, DISA result(s): SV-257794r1069362_rule:fail

comps avatar Apr 24 '25 13:04 comps

The rule grub2_slub_debug_argument isn't part of the RHEL 9 STIG profile now. It was replaced by grub2_init_on_free in 21270b6f186f5a18e15c23600bdf1af2d351cbbe, and the rule grub2_init_on_free is aligned with DISA content and passes the disa-alignment test.

jan-cerny avatar Jul 16 '25 11:07 jan-cerny

In the latest RHEL 8 STIG V2R3 these rules no longer have corresponding rules in DISA SCAP content. They are part of the manual.xml but they aren't present in scap.xml. Here are the interesting lines from the disa-alignment contest test run using the content from the current upstream master as of 2025-07-16 as of HEAD 6d08b217cef0ea0262998a1a215d24273cfd3b8f.

2025-07-16 13:13:12 oscap.py:48: lib.results.report_plain:238: PASS grub2_audit_argument ((waived pass) SSG result: pass, DISA result(s): SV-230468r1017260_rule:not found)
2025-07-16 13:13:12 oscap.py:48: lib.results.report_plain:238: PASS grub2_audit_backlog_limit_argument ((waived pass) SSG result: pass, DISA result(s): SV-230469r958752_rule:not found)
...
2025-07-16 13:13:12 oscap.py:48: lib.results.report_plain:238: PASS grub2_page_poison_argument ((waived pass) SSG result: pass, DISA result(s): SV-230277r1017090_rule:not found)
...
2025-07-16 13:13:11 oscap.py:48: lib.results.report_plain:238: PASS grub2_init_on_free (SSG result: pass, DISA result(s): SV-230279r1069286_rule:not found)
2025-07-16 13:13:11 oscap.py:48: lib.results.report_plain:238: PASS grub2_pti_argument ((waived pass) SSG result: pass, DISA result(s): SV-230491r1017274_rule:not found)
2025-07-16 13:13:11 oscap.py:48: lib.results.report_plain:238: PASS grub2_vsyscall_argument ((waived pass) SSG result: pass, DISA result(s): SV-230278r1017091_rule:not found)

Since there are no automated checks for these rules in DISA content at this moment our content can't be misaligned with them.

jan-cerny avatar Jul 16 '25 14:07 jan-cerny