From 9a24260fcb0377ece7af598086184ee58c35e725 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 Mar 2026 14:50:06 +0100
Subject: [PATCH 1/3] Extend check in grub2_uefi_password for cloud images

On RHEL 8, the GRUB configuration for UEFI is normally located at
`/boot/efi/EFI/redhat`. However, in RHEL 8 cloud images (eg. AWS)
the `/boot/efi/EFI/redhat/` contains a stub pointing to
`/boot/grub2/` and the actual configuration is located at the
`/boot/grub2/` directory.

Example stub in `/boot/efi/EFI/redhat/grub.cfg`:
```
search --no-floppy --set prefix --file /boot/grub2/grub.cfg
set prefix=($prefix)/boot/grub2
configfile $prefix/grub.cfg
```

In this commit, we extend the check to account for this special
configuration of the cloud images.

Fixes: https://github.com/ComplianceAsCode/content/issues/13211
---
 .../uefi/grub2_uefi_password/oval/shared.xml  | 29 ++++++++++++++++++-
 .../grub2_uefi_password/tests/stub.fail.sh    | 12 ++++++++
 .../grub2_uefi_password/tests/stub.pass.sh    | 13 +++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh
 create mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.pass.sh

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
index 6323828071e6..c780cf69e5e1 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml
@@ -4,9 +4,16 @@
 
     <criteria operator="OR">
       <criterion comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_usercfg" />
+{{% if product in ["rhel8"] %}}
+<!-- In RHEL 8 cloud images (eg. AWS) the /boot/efi/EFI/redhat/grub.cfg contains a stub pointing to /boot/grub2/grub.cfg -->
+      <criteria operator="AND" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg is a stub pointing to {{{ grub2_boot_path }}}/grub.cfg">
+        <criterion comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" test_ref="test_grub2_uefi_password_stub" />
+        <criterion comment="make sure a password is defined in {{{ grub2_boot_path }}}/user.cfg" test_ref="test_grub2_uefi_password_boot_usercfg" />
+      </criteria>
+{{% endif %}}
     </criteria>
   </definition>
-  
+
   <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in {{{ grub2_uefi_boot_path }}}/user.cfg" id="test_grub2_uefi_password_usercfg" version="1">
     <ind:object object_ref="object_grub2_uefi_password_usercfg" />
   </ind:textfilecontent54_test>
@@ -16,4 +23,24 @@
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
+{{% if product in ["rhel8"] %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" id="test_grub2_uefi_password_stub" version="1">
+    <ind:object object_ref="object_grub2_uefi_password_stub" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_uefi_password_stub" version="1">
+    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*configfile\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in {{{ grub2_boot_path }}}/user.cfg" id="test_grub2_uefi_password_boot_usercfg" version="1">
+    <ind:object object_ref="object_grub2_uefi_password_boot_usercfg" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_uefi_password_boot_usercfg" version="1">
+    <ind:filepath>{{{ grub2_boot_path }}}/user.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% endif %}}
+
 </def-group>
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh
new file mode 100644
index 000000000000..0673a07f6c1a
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cp "/boot/efi/EFI/redhat/user.cfg" "/boot/grub2/user.cfg"
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+rm -rf "/boot/grub2/user.cfg"
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.pass.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.pass.sh
new file mode 100644
index 000000000000..13dd27d8aca1
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/stub.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+
+GRUB_CFG_ROOT="/boot/grub2"
+make_grub_password

From c5347d838b09d2e6d71054ca4b87ccb34456d857 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Wed, 4 Mar 2026 11:51:04 +0100
Subject: [PATCH 2/3] Remove outdated test scenario

Remove `invalid_username.fail.sh` that configures an invalid GRUB user
name. The reason is that starting from
https://github.com/ComplianceAsCode/content/pull/8438 the rule
`grub2_uefi_password` no longer checks user names, it only checks
passwords now, no an invalid user name can't make the rule fail.
---
 .../tests/invalid_username.fail.sh                   | 12 ------------
 1 file changed, 12 deletions(-)
 delete mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh
deleted file mode 100644
index c477fd7a9acd..000000000000
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/tests/invalid_username.fail.sh
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# remediation = none
-
-. $SHARED/grub2.sh
-
-set_grub_uefi_root
-
-make_grub_password
-sed -i '/set superusers/d' /boot/grub/grub.cfg
-sed -i '/export superusers/d' /boot/grub/grub.cfg
-set_superusers "use r"

From 8a115799eb8cc61a46af5d726bec23eb0dd657f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 6 Mar 2026 09:19:18 +0100
Subject: [PATCH 3/3] Enable RHEL 8 cloud images in grub2_uefi_admin_username

Fixes: https://github.com/ComplianceAsCode/content/issues/13211
---
 .../grub2_uefi_admin_username/oval/shared.xml | 39 ++++++++++++++++++-
 .../tests/stub.fail.sh                        | 13 +++++++
 .../tests/stub.pass.sh                        | 13 +++++++
 3 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh
 create mode 100644 linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh

diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
index 07f99ff5bba8..170d6e34ab17 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/oval/shared.xml
@@ -7,6 +7,15 @@
       <criterion comment="Superuser is defined in {{{ grub2_uefi_boot_path }}}/grub.cfg and it
             isn't root, admin, administrator nor equal to any system username"
             test_ref="test_bootloader_uefi_superuser_differ_from_other_users"/>
+{{% if product in ["rhel8"] %}}
+<!-- In RHEL 8 cloud images (eg. AWS) the /boot/efi/EFI/redhat/grub.cfg contains a stub pointing to /boot/grub2/grub.cfg -->
+      <criteria operator="AND" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg is a stub pointing to {{{ grub2_boot_path }}}/grub.cfg">
+        <criterion comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" test_ref="test_grub2_uefi_admin_username_stub" />
+        <criterion comment="Superuser is defined in {{{ grub2_boot_path }}}/grub.cfg and it
+              isn't root, admin, administrator nor equal to any system username"
+              test_ref="test_bootloader_uefi_boot_superuser_differ_from_other_users"/>
+      </criteria>
+{{% endif %}}
     </criteria>
   </definition>
 
@@ -33,10 +42,36 @@
     <ind:state state_ref="state_bootloader_uefi_superuser_differ_from_other_users" />
   </ind:textfilecontent54_test>
 
+{{% set superusers_regex = '^[\\s]*set[\\s]+superusers="(?i)\\b(?!(?:root|admin|administrator)\\b)(\\w+)".*\\n[\\s]*export[\\s]+superusers[\\s]*$' %}}
+
   <ind:textfilecontent54_object id="object_bootloader_uefi_unique_superuser" version="1">
     <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
-    <ind:pattern operation="pattern match"
-          >^[\s]*set[\s]+superusers="(?i)\b(?!(?:root|admin|administrator)\b)(\w+)".*\n[\s]*export[\s]+superusers[\s]*$</ind:pattern>
+    <ind:pattern operation="pattern match">{{{ superusers_regex }}}</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+{{% if product in ["rhel8"] %}}
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if {{{ grub2_uefi_boot_path }}}/grub.cfg contains a configfile directive" id="test_grub2_uefi_admin_username_stub" version="1">
+    <ind:object object_ref="object_grub2_uefi_admin_username_stub" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_grub2_uefi_admin_username_stub" version="1">
+    <ind:filepath>{{{ grub2_uefi_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*configfile\b.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser
+          is defined in {{{ grub2_boot_path }}}/grub.cfg. Superuser is not
+          equal to other system account nor root, admin, administrator"
+          id="test_bootloader_uefi_boot_superuser_differ_from_other_users" version="1">
+    <ind:object object_ref="object_bootloader_uefi_boot_unique_superuser" />
+    <ind:state state_ref="state_bootloader_uefi_superuser_differ_from_other_users" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_bootloader_uefi_boot_unique_superuser" version="1">
+    <ind:filepath>{{{ grub2_boot_path }}}/grub.cfg</ind:filepath>
+    <ind:pattern operation="pattern match">{{{ superusers_regex }}}</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
+{{% endif %}}
+
 </def-group>
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh
new file mode 100644
index 000000000000..4c077fa1bb1f
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+
+GRUB_CFG_ROOT="/boot/grub2"
+set_superusers "root"
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh
new file mode 100644
index 000000000000..45a6bb0c61f2
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/tests/stub.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+. $SHARED/grub2.sh
+
+cat <<'EOF' >/boot/efi/EFI/redhat/grub.cfg
+search --no-floppy --set prefix --file /boot/grub2/grub.cfg
+set prefix=($prefix)/boot/grub2
+configfile $prefix/grub.cfg
+EOF
+
+GRUB_CFG_ROOT="/boot/grub2"
+set_superusers "koskic"