CIS 1.7.1.2 on 20.04 AppArmor bootloader does not work on Azure
Bug #1948668 reported by
Aaron Whitehouse
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu Security Certifications | In Progress | Undecided | Adam Bell | |
cloud-images | Confirmed | Undecided | Unassigned | |
Bug Description
It looks like there is an Azure-specific bug in the CIS hardening script for rule "Ensure AppArmor is enabled in the bootloader configuration" (CIS 1.7.1.2).
It looks like we append
GRUB_CMDLINE_
to /etc/default/grub, but Azure has its own /etc/default/
GRUB_CMDLINE_
so we need to be appending the additional lines to that command instead (i.e. to make it GRUB_CMDLINE_
Changed in ubuntu-security-certifications: | |
assignee: | nobody → Adam Bell (arbell) |
Changed in ubuntu-security-certifications: | |
status: | New → Triaged |
Changed in cloud-images: | |
status: | New → Confirmed |
Hi Aaron (et al),
Is it possible that the /e/d/grub.d/50-cloudimg-settings.cfg GRUB_CMDLINE_LINUX line could be modified to include the previously defined GRUB_CMDLINE_LINUX variable? For example:
```
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX console=tty1 console=ttyS0 earlyprintk=ttyS0"
```
We do the same thing on the FIPS side with GRUB_CMDLINE_LINUX_DEFAULT to add "fips=1" to the command line.
Please let us know whether that could work on the Azure images or whether this would open a different issue on unhardened images.
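
An audit check for the override discussed in this report, as an added example that is not part of the bug report or the CIS hardening script. It resolves GRUB_CMDLINE_LINUX the way grub-mkconfig does on Ubuntu (main file first, then each grub.d/*.cfg) and reports whether the AppArmor parameters survive. Assumptions: the required parameters `apparmor=1 security=apparmor` come from the CIS benchmark text rather than this page, only GRUB_CMDLINE_LINUX is checked, the function names are hypothetical, and the demo file contents are constructed.

```shell
# Added example. Resolves GRUB_CMDLINE_LINUX as grub-mkconfig does on Ubuntu:
# source the main file, then each grub.d/*.cfg in glob order; last assignment wins.

# Assumption: required parameters taken from the CIS benchmark text, not this page.
REQUIRED_PARAMS="apparmor=1 security=apparmor"

# effective_cmdline MAIN_FILE DROPIN_DIR: print the final GRUB_CMDLINE_LINUX.
# The ( ) body is a subshell, so sourced variables never leak into the caller.
effective_cmdline() (
    GRUB_CMDLINE_LINUX=""
    if [ -f "$1" ]; then . "$1"; fi
    for cfg in "$2"/*.cfg; do
        if [ -e "$cfg" ]; then . "$cfg"; fi
    done
    printf '%s\n' "$GRUB_CMDLINE_LINUX"
)

# missing_params CMDLINE: print the required parameters absent from CMDLINE.
missing_params() {
    out=""
    for want in $REQUIRED_PARAMS; do
        case " $1 " in
            *" $want "*) ;;
            *) out="$out $want" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# audit_grub MAIN_FILE DROPIN_DIR: return 0 only if every parameter survives.
audit_grub() {
    cmdline=$(effective_cmdline "$1" "$2")
    missing=$(missing_params "$cmdline")
    if [ -n "$missing" ]; then
        echo "FAIL: missing [$missing] in: $cmdline"
        return 1
    fi
    echo "PASS: $cmdline"
}

# Constructed demo: the drop-in before and after the change proposed above.
demo=$(mktemp -d) && mkdir "$demo/grub.d"
dropin="$demo/grub.d/50-cloudimg-settings.cfg"
echo 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"' > "$demo/grub"
echo 'GRUB_CMDLINE_LINUX="console=tty1 console=ttyS0 earlyprintk=ttyS0"' > "$dropin"
audit_grub "$demo/grub" "$demo/grub.d" || true
echo 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX console=tty1 console=ttyS0 earlyprintk=ttyS0"' > "$dropin"
audit_grub "$demo/grub" "$demo/grub.d"
rm -rf "$demo"
```

On a host, `audit_grub /etc/default/grub /etc/default/grub.d` runs the same check against the live files; because the files are sourced as shell, run it only on configuration you would already let grub-mkconfig read.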