grub2 argument rules are misaligned with DISA

[jan-cerny]

Description of problem:

On 2025-02-12 the daily productization run showed that the following rules failed tests /scanning/disa-alignment/anaconda, /scanning/disa-alignment/ansible and /scanning/disa-alignment/oscap on RHEL 8.10:

• grub2_pti_argument
• grub2_vsyscall_argument
• grub2_page_poison_argument
• grub2_slub_debug_argument
• grub2_audit_argument
• grub2_audit_backlog_limit_argument

The content is misaligned with an external (third party) content that targets the same policy - typically, this means that a system hardened by our content doesn't pass the scan by the external content.

Details:

Our rules are evaluated as pass. The corresponding DISA rules are evaluated as fail.

I think the reason is that our rules allow kernelopts variable in /boot/loader/entries/*.conf but their checks don't allow this and require the exact argument there.

This issue might be related to #12375.

Outcome:

• This project's content can be improved:
  • Check needs to be improved.
  • Remediation needs to be improved.
• The external content's check is faulty - the other party needs to be notified, they have work to do.

SCAP Security Guide Version:

current upstream master as of 2025-02-12 as of HEAD 0f151a1

External Content's Version:

V2R2

[vojtapolasek]

I contacted DISA and suggested improvements to their content.

[comps]

Note that these were initially waived in Contest as RHEL-8, but grub2_slub_debug_argument started failing now on RHEL-9 too,

SSG result: pass, DISA result(s): SV-257794r1069362_rule:fail

[jan-cerny]

The rule grub2_slub_debug_argument isn't part of RHEL 9 stig profile now. It was replaced by to grub2_init_on_free by 21270b6 and the rule grub2_init_on_free is aligned with DISA content and passes the disa-alignment test.

[jan-cerny]

In the latest RHEL 8 STIG V2R3 these rules no longer have corresponding rules in DISA SCAP content. They are part of the manual.xml but they aren't present in scap.xml. Here are the interesting lines from the disa-alignment contest test run using the content from the current upstream master as of 2025-07-16 as of HEAD 6d08b21.

2025-07-16 13:13:12 oscap.py:48: lib.results.report_plain:238: PASS grub2_audit_argument ((waived pass) SSG result: pass, DISA result(s): SV-230468r1017260_rule:not found)
2025-07-16 13:13:12 oscap.py:48: lib.results.report_plain:238: PASS grub2_audit_backlog_limit_argument ((waived pass) SSG result: pass, DISA result(s): SV-230469r958752_rule:not found)
...
2025-07-16 13:13:12 oscap.py:48: lib.results.report_plain:238: PASS grub2_page_poison_argument ((waived pass) SSG result: pass, DISA result(s): SV-230277r1017090_rule:not found)
...
2025-07-16 13:13:11 oscap.py:48: lib.results.report_plain:238: PASS grub2_init_on_free (SSG result: pass, DISA result(s): SV-230279r1069286_rule:not found)
2025-07-16 13:13:11 oscap.py:48: lib.results.report_plain:238: PASS grub2_pti_argument ((waived pass) SSG result: pass, DISA result(s): SV-230491r1017274_rule:not found)
2025-07-16 13:13:11 oscap.py:48: lib.results.report_plain:238: PASS grub2_vsyscall_argument ((waived pass) SSG result: pass, DISA result(s): SV-230278r1017091_rule:not found)

Since there are no automated checks for these rules in DISA content at this moment our content can't be misaligned with them.