
GRUB related rules still failed even after remediation and manual configuration

Open ghost opened this issue 4 years ago • 6 comments

Description of Problem:

Hi there, I'm using RHEL 8.4 and OpenSCAP command line tool (oscap) 1.3.4.

After remediating and manually configuring the remaining failed GRUB-related rules, rebuilding the grub.cfg, rebooting and then re-scanning the system, why do the GRUB-related rules still count as failed even though all the settings are already applied in the OS?

OpenSCAP Version:

OpenSCAP command line tool (oscap) 1.3.4

Operating System & Version:

RHEL 8.4

Steps to Reproduce:

  1. Scan and remediate using profile xccdf_org.ssgproject.content_profile_cui, content ssg-rhel8-ds.xml

  2. Manually configure the remaining failed GRUB-related rules, in this case:

  • Extend Audit Backlog Limit for the Audit Daemon: $ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192"

  • Enable Auditing for Processes Which Start Prior to the Audit Daemon: $ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"

  • Configure kernel to trust the CPU random number generator: $ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) random.trust_cpu=on"

  • Enable Kernel Page-Table Isolation (KPTI): $ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) pti=on"

  • Enable SLUB/SLAB allocator poisoning: $ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slub_debug=P"

  • Enable page allocator poisoning: $ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) page_poison=1"

  3. Rebuild the grub.cfg file using this command: $ grub2-mkconfig -o /boot/grub2/grub.cfg

  4. Reboot and re-scan

  5. The related rules still failed

Actual Results:

(screenshot of the scan results)

Expected Results:

Those 6 remaining rules should've passed

Additional Information / Debugging Steps:

/etc/default/grub (screenshot)

grub2-editenv list (screenshot)

/proc/cmdline (screenshot)

All the required settings are already applied

Any help is appreciated. Thanks in advance!

ghost avatar Nov 04 '21 10:11 ghost

It is most likely related to the content itself rather than the scanner.

@yuumasato @ggbecker

evgenyz avatar Nov 04 '21 10:11 evgenyz

@farhanjohandy you can run oscap with --oval-results option so we can understand why the checks are failing.

ggbecker avatar Nov 04 '21 12:11 ggbecker

> @farhanjohandy you can run oscap with --oval-results option so we can understand why the checks are failing.

Thanks for the reply.

I re-ran the scan using the --oval-results option and it generated these two XML files:

ssg-rhel8-cpe-oval.xml.result.txt ssg-rhel8-oval.xml.result.txt

ghost avatar Nov 05 '21 06:11 ghost

If you can, please upload the HTML report instead; it should be easier to detect, as we can easily find the results for the evaluated OVAL tests.

ggbecker avatar Nov 05 '21 10:11 ggbecker

> If you can please upload the HTML report instead, it should be easier to detect as we can easily find the results for evaluated OVAL tests.

Sure thing, here you go: result.zip

ghost avatar Nov 05 '21 10:11 ghost

I've seen from the report that you have scap-security-guide package 0.1.54. There has been a new release in 8.4 this Monday and those rules have received some updates in the remediation. Can you try updating that package first and see if it changes anything after rerunning remediations?

From the report, it couldn't find any kernelopts entries in the file /boot/grub2/grubenv.

ggbecker avatar Nov 05 '21 11:11 ggbecker
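The six kernel arguments from the steps above and ggbecker's finding about a missing kernelopts entry in /boot/grub2/grubenv can be checked locally before re-scanning. The script below is an added example written for this thread (not from the issue reporter or the OpenSCAP/SSG projects); it uses a constructed grubenv sample so it runs anywhere, and the function names (`check_grubenv`, `missing_args`) are my own.

```shell
#!/bin/sh
# Added example: verify that the kernel arguments the six CUI-profile rules expect
# are present in the kernelopts entry of a grubenv file. If the file has no
# kernelopts entry at all (what the report in this issue showed), report that
# separately, since "grub2-editenv - set kernelopts=..." then had nothing to extend.
# Matching is exact per argument (e.g. slub_debug=P, not slub_debug=FZP).

# Kernel arguments required by the six rules discussed in the issue.
REQUIRED_ARGS="audit_backlog_limit=8192 audit=1 random.trust_cpu=on pti=on slub_debug=P page_poison=1"

# Print the value of kernelopts= from a grubenv file (prints nothing if absent).
kernelopts_from_grubenv() {
    sed -n 's/^kernelopts=//p' "$1"
}

# Print the required arguments that are missing from a command line string,
# one per line; prints nothing when all are present.
missing_args() {
    for arg in $REQUIRED_ARGS; do
        case " $1 " in
            *" $arg "*) ;;
            *) echo "$arg" ;;
        esac
    done
}

# Check a grubenv file: return 2 if kernelopts is absent, 1 if required
# arguments are missing (listing them), 0 if everything is present.
check_grubenv() {
    opts=$(kernelopts_from_grubenv "$1")
    if [ -z "$opts" ]; then
        echo "no kernelopts entry in $1 (nothing for the OVAL check to find)"
        return 2
    fi
    missing=$(missing_args "$opts")
    if [ -n "$missing" ]; then
        echo "missing from kernelopts in $1:"
        echo "$missing"
        return 1
    fi
    return 0
}

# Constructed sample grubenv (not from a real host): kernelopts lacks pti and page_poison.
SAMPLE_GRUBENV=$(mktemp)
printf 'kernelopts=root=/dev/vda2 ro audit_backlog_limit=8192 audit=1 random.trust_cpu=on slub_debug=P\n' > "$SAMPLE_GRUBENV"
if check_grubenv "$SAMPLE_GRUBENV"; then    # on a real host: check_grubenv /boot/grub2/grubenv
    echo "all required kernel arguments present"
fi
rm -f "$SAMPLE_GRUBENV"
```

The same `missing_args` function can be run over the live command line with `missing_args "$(cat /proc/cmdline)"` to confirm the booted kernel actually received the arguments.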