Update STIG id of grub2_password #5986

Merged

Conversation

ggbecker
Member

@ggbecker ggbecker commented Aug 6, 2020

Description:

- Since v2r1, RHEL7 STIG has a specific item to check for the GRUB2_PASSWORD in /boot/grub2/user.cfg (V-81005). So far we have this check embedded with the grub2_password rule from V-71961, the idea here is to open the discussion if we should split into two separate rules.

- Update STIG id of grub2_password to match STIG item that is RHEL >= 7.2 only (V-81005).

Similarly this applies to the UEFI related rules.
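To make the two configurations discussed here concrete, the following is an added example (not the project's OVAL check) that evaluates both forms of GRUB2 password protection: the GRUB2_PASSWORD entry that grub2-setpassword writes to /boot/grub2/user.cfg on RHEL >= 7.2, and the older password_pbkdf2 line in the generated grub.cfg. The PBKDF2 hash format and the sample file contents are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Optional

# Hash produced by grub2-mkpasswd-pbkdf2: grub.pbkdf2.sha512.<iter>.<salt>.<hash>
PBKDF2_RE = re.compile(r"grub\.pbkdf2\.sha512\.\d+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+")
# RHEL >= 7.2: grub2-setpassword stores the hash in user.cfg as GRUB2_PASSWORD=...
USER_CFG_RE = re.compile(r"^\s*GRUB2_PASSWORD=(\S+)\s*$", re.MULTILINE)
# RHEL < 7.2: a password_pbkdf2 <user> <hash> line in the generated grub.cfg
GRUB_CFG_RE = re.compile(r"^\s*password_pbkdf2\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)


def user_cfg_password_ok(text: str) -> bool:
    """True when user.cfg carries a well-formed PBKDF2 hash (not plain text)."""
    m = USER_CFG_RE.search(text)
    return bool(m and PBKDF2_RE.fullmatch(m.group(1)))


def grub_cfg_password_ok(text: str) -> bool:
    """True when grub.cfg defines at least one PBKDF2-hashed user password."""
    return any(PBKDF2_RE.fullmatch(h) for _, h in GRUB_CFG_RE.findall(text))


def grub2_password_compliant(user_cfg: Optional[str], grub_cfg: Optional[str]) -> str:
    """Report which method satisfies the check: 'user.cfg', 'grub.cfg' or 'none'."""
    if user_cfg is not None and user_cfg_password_ok(user_cfg):
        return "user.cfg"
    if grub_cfg is not None and grub_cfg_password_ok(grub_cfg):
        return "grub.cfg"
    return "none"


def check_system(user_cfg_path: str = "/boot/grub2/user.cfg",
                 grub_cfg_path: str = "/boot/grub2/grub.cfg") -> str:
    """Read the real files when present (paths are the BIOS defaults)."""
    read = lambda p: Path(p).read_text() if Path(p).exists() else None
    return grub2_password_compliant(read(user_cfg_path), read(grub_cfg_path))


# Constructed sample contents (hash values are placeholders, not real hashes).
SAMPLE_USER_CFG = "GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.ABCD1234.9876FEDC\n"
SAMPLE_GRUB_CFG = ('set superusers="root"\n'
                   "password_pbkdf2 root grub.pbkdf2.sha512.10000.ABCD1234.9876FEDC\n")

if __name__ == "__main__":
    print("user.cfg only :", grub2_password_compliant(SAMPLE_USER_CFG, None))
    print("grub.cfg only :", grub2_password_compliant("", SAMPLE_GRUB_CFG))
    print("this host     :", check_system())
```

A plain-text `password root ...` line or a GRUB2_PASSWORD without the grub.pbkdf2.sha512 prefix is reported as 'none', since neither STIG item accepts an unhashed boot loader password.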

@openshift-ci-robot
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress label Aug 6, 2020
@ggbecker ggbecker requested a review from redhatrises August 6, 2020 16:24
@mildas
Contributor

mildas commented Aug 6, 2020

Changes identified:
Rule grub2_password:
 Attribute value changed in OVAL check.
 Text changed in OVAL check.
 Node deleted from OVAL check.
 New node inserted to OVAL check.
 Deleted attribute from OVAL check.
 Node moved within OVAL check.
 Text added outside tags in OVAL check.
Rule grub2_superuser_password:
 The rule doesn't occur in any profile nor product.
 OVAL check is newly added.

Recommended tests to execute:
 build_product fedora
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-fedora-ds.xml grub2_password

@redhatrises
Contributor

redhatrises commented Aug 6, 2020

What is the correct way to handle configuring grub passwords? Obviously, there are multiple ways to configure, but we need to define the 1 correct way of checking this. So, if user.cfg is the correct way, creating a new rule rather than fixing the broken one probably isn't the correct way.

@ggbecker
Member Author

ggbecker commented Aug 7, 2020

> What is the correct way to handle configuring grub passwords? Obviously, there are multiple ways to configure, but we need to define the 1 correct way of checking this. So, if user.cfg is the correct way, creating a new rule rather than fixing the broken one probably isn't the correct way.

Actually both ways are correct. The thing is that one check is applicable only to RHEL < 7.2 and the other to RHEL >= 7.2. One quick way to solve this would be to add both STIG ID to the same rule and that would be it.

Update1: Build system doesn't allow to have multiple STIG IDs assigned to the same rule.

@redhatrises
Contributor

As we are now at RHEL 7.9, let's fix this for RHEL >= 7.2.

@ggbecker
Member Author

> As we are now at RHEL 7.9, let's fix this for RHEL >= 7.2.

The current rule already checks for RHEL >= 7.2 configuration, but also for RHEL < 7.2. The selected STIG ID is from the item that is RHEL < 7.2. So the proposal can be just to change the STIG ID to reference the item which covers RHEL >= 7.2.

@JAORMX
Contributor

JAORMX commented Aug 11, 2020

/test all

@redhatrises
Contributor

> > As we are now at RHEL 7.9, let's fix this for RHEL >= 7.2.
>
> The current rule already checks for RHEL >= 7.2 configuration, but also for RHEL < 7.2. The selected STIG ID is from the item that is RHEL < 7.2. So the proposal can be just to change the STIG ID to reference the item which covers RHEL >= 7.2.

Sounds good. Should also do a spot check to verify that the rule.yml is correct for RHEL >= 7.2

@JAORMX
Contributor

JAORMX commented Aug 17, 2020

/retest

@ggbecker ggbecker force-pushed the add-stig-RHEL-07-010482 branch from ac42ab3 to 824004f August 18, 2020 14:14
@ggbecker
Member Author

ggbecker commented Aug 18, 2020

> > > As we are now at RHEL 7.9, let's fix this for RHEL >= 7.2.
> >
> > The current rule already checks for RHEL >= 7.2 configuration, but also for RHEL < 7.2. The selected STIG ID is from the item that is RHEL < 7.2. So the proposal can be just to change the STIG ID to reference the item which covers RHEL >= 7.2.
>
> Sounds good. Should also do a spot check to verify that the rule.yml is correct for RHEL >= 7.2

The only needed change was to update the STIG id. Test scenarios already cover correctness of the rule for RHEL >= 7.2.

@ggbecker ggbecker changed the title Break down grub2_password into two rules. Update STIG id of grub2_password Aug 18, 2020
@ggbecker ggbecker marked this pull request as ready for review August 18, 2020 14:18
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress label Aug 18, 2020
@openshift-ci-robot
Collaborator

@ggbecker: The following test failed, say /retest to rerun all failed tests:

| Test name | Commit | Rerun command |
|---|---|---|
| ci/prow/e2e-aws-rhcos4-moderate | 824004f | /test e2e-aws-rhcos4-moderate |


@redhatrises redhatrises merged commit 1b3d8dc into ComplianceAsCode:master Aug 18, 2020
@marcusburghardt marcusburghardt added the RHEL7 and STIG labels Jun 23, 2022