Description
Description of Problem:
Hi there, i'm using RHEL 8.4 and OpenSCAP command line tool (oscap) 1.3.4
After remediating and manually configure the remaining failed GRUB related rules, rebuilding the grub.cfg and rebooting then re-scan the system, why the GRUB related rules still count as failed even though all the settings are already applied in the OS?
OpenSCAP Version:
OpenSCAP command line tool (oscap) 1.3.4
Operating System & Version:
RHEL 8.4
Steps to Reproduce:
-
Scan and Remediate using profile xccdf_org.ssgproject.content_profile_cui, content ssg-rhel8-ds.xml
-
Manually configure the remaining failed GRUB related rules, in this case:
-
Extend Audit Backlog Limit for the Audit Daemon
$ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192" -
Enable Auditing for Processes Which Start Prior to the Audit Daemon
$ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1" -
Configure kernel to trust the CPU random number generator
$ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) random.trust_cpu=on" -
Enable Kernel Page-Table Isolation (KPTI)
$ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) pti=on" -
Enable SLUB/SLAB allocator poisoning
$ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slub_debug=P" -
Enable page allocator poisoning
$ grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) page_poison=1"
-
Rebuild the grub.cfg file using this command:
$ grub2-mkconfig -o /boot/grub2/grub.cfg -
Reboot and re-scan
-
The related rules still failed
Actual Results:
Expected Results:
Those 6 remaining rules should've passed
Additional Information / Debugging Steps:
/etc/default/grub
grub2-editenv list
/proc/cmdline
All the required settings are already applied
Any help is appreciated. Thanks in advance!