RHEL 8 UEFI Bootloader check
Running the RHEL 8 STIG scan on a STIG-hardened UEFI-boot RedHat 8 VM
Description of problem:
When RHEL-08-010140 and RHEL-08-010141 are audited on a UEFI instance, they check for the correct values in /boot/efi/EFI/redhat/grub.cfg and /boot/efi/EFI/redhat/user.cfg. However, the latest AWS RHEL 8 images ship a /boot/efi/EFI/redhat/grub.cfg that is only a stub which redirects to the real configuration under /boot/grub2:
search --no-floppy --set prefix --file /boot/grub2/grub.cfg
set prefix=($prefix)/boot/grub2
configfile $prefix/grub.cfg
Proposed change:
The audits should check /boot/efi/EFI/redhat/grub.cfg and, if that UEFI grub config file redirects elsewhere, follow the redirect and check /boot/grub2/grub.cfg instead. The same should be done for the user.cfg file.
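As an added example (not part of this report or of the STIG scanner), a shell audit helper that does what the proposed change asks: it follows the configfile redirect in the UEFI stub and then runs the RHEL-08-010141 superusers check and the RHEL-08-010140 GRUB2_PASSWORD check against the files actually in effect. The values checked (a `set superusers` name that matches no OS account, and a grub.pbkdf2.sha512 hash in user.cfg) come from the STIG text, not from this report; the on-disk layout and the passwd file are constructed in a temp directory so it runs without a real UEFI system.

```shell
# Follow the "configfile" redirect in a UEFI grub.cfg stub so the audit reads
# the GRUB config actually in effect. $1 = EFI grub.cfg, $2 = optional root
# prefix (only used for the constructed test layout below).
resolve_grub_cfg() {
    local efi_cfg="$1" root="${2:-}" dir
    if grep -Eq '^[[:space:]]*configfile[[:space:]]+\$prefix/grub\.cfg' "$efi_cfg"; then
        # Take the directory from: set prefix=($prefix)/boot/grub2
        dir=$(sed -nE 's#^[[:space:]]*set prefix=\(\$prefix\)(/[^[:space:]]+).*#\1#p' "$efi_cfg" | head -n1)
        if [ -n "$dir" ] && [ -f "$root$dir/grub.cfg" ]; then
            printf '%s\n' "$root$dir/grub.cfg"; return 0
        fi
    fi
    printf '%s\n' "$efi_cfg"   # no redirect: the EFI file is the real config
}

# RHEL-08-010141 (superusers set and not an OS account name) and
# RHEL-08-010140 (GRUB2_PASSWORD hash present) against the effective files.
# $3 = passwd file to compare account names against (default /etc/passwd).
audit_grub_auth() {
    local efi_dir="$1" root="${2:-}" passwd="${3:-/etc/passwd}" cfg su
    cfg=$(resolve_grub_cfg "$efi_dir/grub.cfg" "$root")
    su=$(sed -nE 's/^[[:space:]]*set superusers="?([^" ]+)"?.*/\1/p' "$cfg" | head -n1)
    [ -n "$su" ] || return 1                                 # no superusers line
    ! cut -d: -f1 "$passwd" | grep -qxF "$su" || return 1   # collides with OS account
    grep -Eq '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.' "$(dirname "$cfg")/user.cfg" || return 1
}

# Constructed layout under $1 mirroring the AWS image described above:
# EFI grub.cfg is a stub redirecting to /boot/grub2. $2 = superusers name
# to write ("" leaves the line out). Hash value is a placeholder, not real.
make_constructed_layout() {
    local base="$1" su="$2"
    mkdir -p "$base/boot/efi/EFI/redhat" "$base/boot/grub2"
    cat > "$base/boot/efi/EFI/redhat/grub.cfg" <<'EOF'
search --no-floppy --set prefix --file /boot/grub2/grub.cfg
set prefix=($prefix)/boot/grub2
configfile $prefix/grub.cfg
EOF
    {
        [ -n "$su" ] && printf 'set superusers="%s"\n' "$su"
        printf 'password_pbkdf2 %s ${GRUB2_PASSWORD}\n' "${su:-root}"
    } > "$base/boot/grub2/grub.cfg"
    printf 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.PLACEHOLDER.PLACEHOLDER\n' \
        > "$base/boot/grub2/user.cfg"
}

# Demo on the constructed layout (constructed passwd file, not the system's)
demo=$(mktemp -d); make_constructed_layout "$demo" bootadmin
printf 'root:x:0:0::/root:/bin/bash\n' > "$demo/passwd"
audit_grub_auth "$demo/boot/efi/EFI/redhat" "$demo" "$demo/passwd" && echo "no finding"; rm -rf "$demo"
```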