Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rhel 7 won't boot on physical server #165

Closed
hdep opened this issue Dec 13, 2018 · 7 comments
Closed

Rhel 7 won't boot on physical server #165

hdep opened this issue Dec 13, 2018 · 7 comments
Assignees
@timstoop
Labels
bug

Comments

@hdep
Copy link
Contributor

hdep commented Dec 13, 2018

Hello,

I encounter an issue with this module with a HP physical server, using uefi.
To fix the issue I had to use rescue mode and follow this KB :
https://access.redhat.com/solutions/3215551

I'm not an expert, but defaults settings are a bit aggressive don't you think ? Maybe we can add some logic in order to detect uefi and prevent some default settings in this case ?
Or maybe a documentation update.

What do you think ?

Regards,
@timstoop
Copy link
Contributor

I'm not a RH subscriber, can you explain what's going wrong there so we can see what caused this?

@mcgege
Copy link
Member

mcgege commented Dec 14, 2018

If I understand this KB right, disabling vfat prevents the bootup on UEFI systems, as /boot/efi cannot be mounted. I have not much experience with UEFI, but if vfat is needed to boot the system, we shouldn't disable this filesystem per default.

@mcgege
Copy link
Member

mcgege commented Dec 14, 2018

Ok, this is a known problem:
dev-sec/linux-baseline#96

And has been fixed in ansible-os-hardening like this:
dev-sec/ansible-collection-hardening#162
dev-sec/ansible-collection-hardening#190

Who wants to solve this here? :-)

@hdep
Copy link
Contributor Author

hdep commented Dec 14, 2018

I will have a look, but maybe we can add some logic like if there is this partition vfat should be enabled ?
what do you think ?

@timstoop
Copy link
Contributor

I think adding the logic would be way too much of a hassle. Anyway, switching to UEFI should probably be on anyones todo list, especially when you're interested in hardening, right? I simply removed it from the list of default modules to remove.

@hdep
Copy link
Contributor Author

hdep commented Dec 14, 2018

All right that's fine for me ! thank you

@mcgege mcgege closed this as completed in 4c9d183 Dec 14, 2018
@mcgege mcgege added the bug label Dec 14, 2018
@mcgege
Copy link
Member

mcgege commented Dec 14, 2018

Pragmatic solution, thanks!!

enemarke pushed a commit to enemarke/puppet-os-hardening that referenced this issue Feb 2, 2019
@timstoop @enemarke
Do not disable vfat. Fixes dev-sec#165. (dev-sec#166)
09824af 
HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop <github@timstoop.nl> (github: timstoop)

Signed-off-by: Tim Stoop <tim@kumina.nl>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@timstoop timstoop

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@timstoop @chris-rock @mcgege @hdep