From 8d36cef25fc9d890f7ec9756246513a92110b3db Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Wed, 10 Aug 2022 10:53:26 +0200
Subject: [PATCH 10/10] Merge pull request #9321 from
vojtapolasek/fix_rhel8_iboot
Patch-name: scap-security-guide-0.1.64-select_grub2_disable_recovery-PR_9231.patch
Patch-status: change rules protecting boot in RHEL8 OSPP
---
.../bootloader-grub2/grub2_disable_recovery/rule.yml | 1 +
products/rhel8/profiles/ospp.profile | 2 +-
shared/references/cce-redhat-avail.txt | 11 -----------
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
4 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
index 4f8d4ddcfd..fb126cbe7d 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
@@ -17,6 +17,7 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel8: CCE-86006-4
cce@rhel9: CCE-85986-8
references:
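Review bot: Only the `identifiers:` block is visible here, so the rule's product applicability cannot be checked from this hunk; rule.yml begins above line 17, and if it carries a `prodtype` key, that key has to list rhel8 now that products/rhel8/profiles/ospp.profile selects the rule. The new `cce@rhel8: CCE-86006-4` matches the entry removed from shared/references/cce-redhat-avail.txt, but that file also drops ten further identifiers that no hunk in this patch assigns. Presumably they were consumed by upstream commits this backport does not carry; confirm that before the pool is shortened.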
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index ebec8a3a6f..6e3b30f64b 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -304,7 +304,7 @@ selections:
## Disable Unauthenticated Login (such as Guest Accounts)
## FIA_UAU.1
- require_singleuser_auth
- - grub2_disable_interactive_boot
+ - grub2_disable_recovery
- grub2_uefi_password
- no_empty_passwords
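Review bot: The selection under `## FIA_UAU.1` swaps `grub2_disable_interactive_boot` for `grub2_disable_recovery` with no comment recording why, and judging by their names the two rules check different boot settings. A line such as `## grub2_disable_recovery replaces grub2_disable_interactive_boot on RHEL 8 (PR #9321)` above the entry would keep the reason with the profile. Hosts that passed the previous profile are not necessarily compliant with the new selection, so the release notes should tell operators to rescan and remediate. The matching update to tests/data/profile_stability/rhel8/ospp.profile is in the last hunk of this patch.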
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 9480db3eae..903fc848eb 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1,14 +1,3 @@
-CCE-85985-0
-CCE-85988-4
-CCE-85997-5
-CCE-85998-3
-CCE-85999-1
-CCE-86000-7
-CCE-86001-5
-CCE-86002-3
-CCE-86003-1
-CCE-86005-6
-CCE-86006-4
CCE-86007-2
CCE-86008-0
CCE-86009-8
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 21e93e310d..267b66a4f8 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -89,7 +89,7 @@ selections:
- ensure_redhat_gpgkey_installed
- grub2_audit_argument
- grub2_audit_backlog_limit_argument
-- grub2_disable_interactive_boot
+- grub2_disable_recovery
- grub2_kernel_trust_cpu_rng
- grub2_page_poison_argument
- grub2_pti_argument
--
2.37.1