
Add rules for access to all files under /boot/grub2#14199

Merged
vojtapolasek merged 1 commit into ComplianceAsCode:master from Mab879:add_grub2_access_rules
Dec 16, 2025

Conversation

@Mab879
Member

@Mab879 Mab879 commented Dec 1, 2025

Description:

  • Add three new rules for RHEL 10 CIS 1.4.2.

Rationale:

Update the rules to match upstream.

@Mab879 Mab879 added this to the 0.1.80 milestone Dec 1, 2025
@Mab879 Mab879 added the New Rule, CIS and RHEL10 labels Dec 1, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress label Dec 1, 2025
@openshift-ci

openshift-ci bot commented Dec 1, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@Mab879 Mab879 force-pushed the add_grub2_access_rules branch from 9c6f842 to 81119c3 on December 1, 2025 21:15
@Mab879 Mab879 marked this pull request as ready for review December 2, 2025 13:26
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress label Dec 2, 2025
@vojtapolasek vojtapolasek self-assigned this Dec 4, 2025
Collaborator

@vojtapolasek vojtapolasek left a comment

Looks mostly good, please see comments.

title: 'All GRUB configuration files must be group-owned by root'

description: |-
The file <tt>{{{ grub2_uefi_boot_path }}}</tt> should
Collaborator

I suggest the description talks about "files within the directory" rather than a file.

The file <tt>{{{ grub2_uefi_boot_path }}}</tt> should
have mode <tt>0600</tt> to prevent
destruction or modification of the file.
{{{ describe_file_group_owner(file=grub2_uefi_boot_path ~ "/grub.cfg", group="root") }}}
Collaborator

Wrong macro used, this is about file permissions.

title: 'All GRUB configuration files must be owned by root'

description: |-
The file <tt>{{{ grub2_uefi_boot_path }}}/grub.cfg</tt> should
Collaborator

The specific file is mentioned here while the rule covers all files within the directory.

@Mab879 Mab879 force-pushed the add_grub2_access_rules branch from 81119c3 to cfb1806 on December 4, 2025 13:09
@openshift-merge-robot openshift-merge-robot added the needs-rebase label Dec 4, 2025
@Mab879 Mab879 force-pushed the add_grub2_access_rules branch from cfb1806 to 4ef6926 on December 4, 2025 13:28
@openshift-merge-robot openshift-merge-robot removed the needs-rebase label Dec 4, 2025
@Mab879 Mab879 requested a review from vojtapolasek December 5, 2025 15:55
Collaborator

@vojtapolasek vojtapolasek left a comment

Hello,
sorry that it took so long. Please rebase and see my comment.
Also please set the severity of rules to medium. Thank you.

title: 'All GRUB configuration files must be owned by root'

description: |-
The files in <tt>{{{ grub2_uefi_boot_path }}}/grub.cfg</tt> should
Collaborator

Suggested change (the quoted line, then the proposed replacement):
The files in <tt>{{{ grub2_uefi_boot_path }}}/grub.cfg</tt> should
The files in <tt>{{{ grub2_uefi_boot_path }}}</tt> should
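
The three rules this review converges on (every file under the GRUB directory owned by root, group-owned by root, and no wider than mode 0600) can be audited with the helper below. This is an added example, not code from the ComplianceAsCode project or from this pull request: the function names, the DIR UID GID interface and the constructed sample tree are mine, and it assumes a Linux host with GNU coreutils (stat -c, find).

```shell
#!/bin/sh
# Added example, not part of ComplianceAsCode: audit every regular file under a
# GRUB directory against the rules discussed in the review (owner root, group
# root, mode 0600). On a real host run:  check_grub_dir /boot/grub2 0 0
# Assumes GNU coreutils (stat -c, find). The demo at the bottom builds a
# constructed tree under mktemp and uses the caller's own uid/gid as the
# expected owner so it runs without privileges.

# file_violations FILE UID GID: print one line per violated rule, nothing if ok.
file_violations() {
    f="$1"; want_uid="$2"; want_gid="$3"
    # %u %g %a -> numeric owner, numeric group, permission bits in octal
    set -- $(stat -c '%u %g %a' "$f")
    uid="$1"; gid="$2"; mode="$3"
    [ "$uid" = "$want_uid" ] || echo "$f: owner uid $uid, expected $want_uid"
    [ "$gid" = "$want_gid" ] || echo "$f: group gid $gid, expected $want_gid"
    # 07177 masks everything a 0600 file must not carry: setuid/setgid/sticky,
    # owner execute, and all group/other bits. The leading 0 makes $mode octal.
    [ $(( 0$mode & 07177 )) -eq 0 ] || echo "$f: mode 0$mode is wider than 0600"
}

# check_grub_dir DIR UID GID: list violations for every regular file under DIR
# (symlinks and directories are out of scope here). Returns 0 when compliant,
# 1 when at least one file violates a rule.
check_grub_dir() {
    dir="$1"; want_uid="$2"; want_gid="$3"
    out=$(find "$dir" -type f | sort | while IFS= read -r f; do
        file_violations "$f" "$want_uid" "$want_gid"
    done)
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# count_violations DIR UID GID: number of violation lines, always exits 0.
count_violations() {
    check_grub_dir "$@" | awk 'END { print NR }'
}

# build_demo_tree: constructed sample directory (NOT a real /boot/grub2) with one
# compliant file and two that break the mode rule. Prints the directory path.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/fonts"
    printf 'set timeout=5\n' > "$d/grub.cfg"
    chmod 0600 "$d/grub.cfg"                 # compliant
    printf 'constructed\n' > "$d/user.cfg"
    chmod 0644 "$d/user.cfg"                 # group/other readable: violation
    printf 'constructed\n' > "$d/fonts/unicode.pf2"
    chmod 0700 "$d/fonts/unicode.pf2"        # owner execute bit: violation
    echo "$d"
}

# Demo run against the constructed tree; expected owner is the current user.
DEMO_DIR=$(build_demo_tree)
if check_grub_dir "$DEMO_DIR" "$(id -u)" "$(id -g)"; then
    echo "compliant"
else
    echo "non-compliant: chown root:root and chmod 0600 the files listed above"
fi
rm -rf "$DEMO_DIR"
```

Because the demo runs unprivileged it can only construct permission violations, not ownership ones; the owner and group checks exercise exactly the same code path, as the count with a deliberately wrong expected uid shows. The walk uses `find -type f` so that the rules apply to "files within the directory", the wording the review settles on, rather than to grub.cfg alone.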

@Mab879 Mab879 force-pushed the add_grub2_access_rules branch from 4ef6926 to cdd2b7b on December 15, 2025 12:50
@github-actions

github-actions bot commented Dec 15, 2025

ATEX Test Results

Test artifacts have been submitted to Testing Farm.

Results: View Test Results
Workflow Run: View Workflow Details

This comment was automatically generated by the ATEX workflow.

@Mab879 Mab879 force-pushed the add_grub2_access_rules branch from cdd2b7b to 7f1303d on December 15, 2025 14:13
@openshift-ci

openshift-ci bot commented Dec 15, 2025

@Mab879: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                  Commit   Required  Rerun command
ci/prow/e2e-aws-openshift-node-compliance  7f1303d  true      /test e2e-aws-openshift-node-compliance

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Collaborator

@vojtapolasek vojtapolasek left a comment

Looks good now.

@vojtapolasek vojtapolasek merged commit 16e20f6 into ComplianceAsCode:master Dec 16, 2025
143 of 145 checks passed
@Mab879 Mab879 deleted the add_grub2_access_rules branch December 16, 2025 14:25