From 8d36cef25fc9d890f7ec9756246513a92110b3db Mon Sep 17 00:00:00 2001 From: Watson Yuuma Sato Date: Wed, 10 Aug 2022 10:53:26 +0200 Subject: [PATCH 10/10] Merge pull request #9321 from vojtapolasek/fix_rhel8_iboot Patch-name: scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch Patch-status: change rules protecting boot in RHEL8 OSPP --- .../bootloader-grub2/grub2_disable_recovery/rule.yml | 1 + products/rhel8/profiles/ospp.profile | 2 +- shared/references/cce-redhat-avail.txt | 11 ----------- tests/data/profile_stability/rhel8/ospp.profile | 2 +- 4 files changed, 3 insertions(+), 13 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml index 4f8d4ddcfd..fb126cbe7d 100644 --- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml @@ -17,6 +17,7 @@ rationale: |- severity: medium identifiers: + cce@rhel8: CCE-86006-4 cce@rhel9: CCE-85986-8 references: diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile index ebec8a3a6f..6e3b30f64b 100644 --- a/products/rhel8/profiles/ospp.profile +++ b/products/rhel8/profiles/ospp.profile @@ -304,7 +304,7 @@ selections: ## Disable Unauthenticated Login (such as Guest Accounts) ## FIA_UAU.1 - require_singleuser_auth - - grub2_disable_interactive_boot + - grub2_disable_recovery - grub2_uefi_password - no_empty_passwords diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 9480db3eae..903fc848eb 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1,14 +1,3 @@ -CCE-85985-0 -CCE-85988-4 -CCE-85997-5 -CCE-85998-3 -CCE-85999-1 -CCE-86000-7 -CCE-86001-5 -CCE-86002-3 -CCE-86003-1 -CCE-86005-6 -CCE-86006-4 CCE-86007-2 CCE-86008-0 CCE-86009-8 
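Review bot: Only `cce@rhel8: CCE-86006-4` is assigned in the rule.yml hunk, yet the shared/references/cce-redhat-avail.txt hunk of the same patch drops eleven identifiers from the available pool (CCE-85985-0 through CCE-86006-4). If the other ten were not assigned by earlier patches in this series, they leave the pool without being bound to any rule, and the list can no longer tell a free identifier from a used one. I would either limit the avail-list change to `-CCE-86006-4` or state in the patch description which patches consume the rest. rule.yml continues outside the hunk, so existing references for the rule are not visible here.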
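Review bot: The FIA_UAU.1 group in products/rhel8/profiles/ospp.profile now selects `grub2_disable_recovery` in place of `grub2_disable_interactive_boot`, and nothing in the profile records why the substitution still satisfies the requirement. Judging by the rule names, the two checks cover different boot paths, so this looks like a change in coverage rather than a rename. Existing tailoring files or waivers that reference the old rule ID may need updating. I would add a comment above the selection, for example `## grub2_disable_recovery replaces grub2_disable_interactive_boot for RHEL 8 OSPP`, and mention the dropped rule in the release notes. The selections list starts and ends outside the hunk.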
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 21e93e310d..267b66a4f8 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -89,7 +89,7 @@ selections:
 - ensure_redhat_gpgkey_installed
 - grub2_audit_argument
 - grub2_audit_backlog_limit_argument
-- grub2_disable_interactive_boot
+- grub2_disable_recovery
 - grub2_kernel_trust_cpu_rng
 - grub2_page_poison_argument
 - grub2_pti_argument
--
2.37.1