rpms/scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity

add new rule to check only for grub2 recovery disabled to RHEL9 OSPP

Browse Source 
Resolves: rhbz#2092809
This commit is contained in:
Vojtech Polasek 2022-07-18 10:55:35 +02:00
parent 71a4d79910
commit 2838eb99d0
3 changed files with 1142 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

330
scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch Normal file
View File

@ -0,0 +1,330 @@
From d303ee9d0dcdf1d1fa57b50454aa2a9692381e93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 15:46:31 +0200
Subject: [PATCH 1/5] Create rule grub2_disable_recovery
Create a rule that only checks for the GRUB_DISABLE_RECOVERY=true
option in /etc/default/grub. The rule is similar to
grub2_disable_interactive_boot, but that one in addition checks
for systemd.confirm_spawn. This is introduced for OSPP.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809
---
.../grub2_disable_recovery/ansible/shared.yml | 20 +++++++++
.../grub2_disable_recovery/bash/shared.sh | 13 ++++++
.../grub2_disable_recovery/oval/shared.xml | 9 ++++
.../grub2_disable_recovery/rule.yml | 43 +++++++++++++++++++
.../tests/correct_value.pass.sh | 3 ++
.../tests/wrong_value.fail.sh | 3 ++
shared/references/cce-redhat-avail.txt | 1 -
7 files changed, 91 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
new file mode 100644
index 00000000000..f6285cb13cb
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
@@ -0,0 +1,20 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Verify GRUB_DISABLE_RECOVERY=true
+ lineinfile:
+ path: /etc/default/grub
+ regexp: '^GRUB_DISABLE_RECOVERY=.*'
+ line: 'GRUB_DISABLE_RECOVERY=true'
+ state: present
+
+{{% if product in ['sle12', 'sle15'] %}}
+- name: Update grub defaults and the bootloader menu
+ command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
+{{% else %}}
+- name: Update grub defaults and the bootloader menu
+ command: /sbin/grubby --update-kernel=ALL
+{{% endif -%}}
\ No newline at end of file
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
new file mode 100644
index 00000000000..78322e63446
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then
+ sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"
+else
+ echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
+fi
+
+{{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
new file mode 100644
index 00000000000..10adbe0a30b
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
@@ -0,0 +1,9 @@
+<def-group>
+ <definition class="compliance" id="grub2_disable_recovery" version="1">
+ {{{ oval_metadata("Recovery mode should be disabled.") }}}
+ <criteria operator="AND">
+ <extend_definition definition_ref="bootloader_disable_recovery_set_to_true"
+ comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" />
+ </criteria>
+ </definition>
+</def-group>
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
new file mode 100644
index 00000000000..4f8d4ddcfde
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
@@ -0,0 +1,43 @@
+documentation_complete: true
+
+title: 'Disable Recovery Booting'
+
+description: |-
+ {{{ full_name }}} systems support an "recovery boot" option that can be used
+ to prevent services from being started. The <tt>GRUB_DISABLE_RECOVERY</tt>
+ configuration option in <tt>/etc/default/grub</tt> should be set to
+ <tt>true</tt> to disable the generation of recovery mode menu entries. It is
+ also required to change the runtime configuration, run:
+ <pre>$ sudo {{{ grub_command("update") }}}</pre>
+
+rationale: |-
+ Using recovery boot, the console user could disable auditing, firewalls,
+ or other services, weakening system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-85986-8
+
+references:
+ ospp: FIA_UAU.1
+
+ocil_clause: 'GRUB_DISABLE_RECOVERY is not set to true or is missing'
+
+ocil: |-
+ Verify that <tt>GRUB_DISABLE_RECOVERY</tt> is set to </tt>true</tt> in <tt>/etc/default/grub</tt> to disable recovery boot.
+ Run the following command:
+
+ $ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub
+
+fixtext: |-
+ Configure the GRUB 2 boot loader to disable recovery mode boot loader entries.
+ Add or edit the following line in /etc/default/grub:
+
+ GRUB_DISABLE_RECOVERY=true
+
+ Then, run the following command:
+
+ $ sudo {{{ grub_command("update") }}}
+
+platform: grub2
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..cb8824a6bef
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
\ No newline at end of file
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..7241fd5aad6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'
\ No newline at end of file
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ee246384416..431b133d416 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -44,7 +44,6 @@ CCE-85982-7
CCE-85983-5
CCE-85984-3
CCE-85985-0
-CCE-85986-8
CCE-85988-4
CCE-85997-5
CCE-85998-3
From 5637b1465c1ceb40efb33ebdd2cf8b4211a4ef9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 15:52:10 +0200
Subject: [PATCH 2/5] Stop checking systemd.confirm_spawn in RHEL 9 OSPP
Use grub2_disable_recovery instead of grub2_disable_interactive_boot
to check solely for the GRUB_DISABLE_RECOVERY=true config option.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 534b3312575..8245bb9ce63 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -275,7 +275,7 @@ selections:
## Disable Unauthenticated Login (such as Guest Accounts)
## FIA_UAU.1
- require_singleuser_auth
- - grub2_disable_interactive_boot
+ - grub2_disable_recovery
- grub2_uefi_password
- no_empty_passwords
From 09f11408ed83da07238ad5fccf89d59b4b2707fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 16:05:22 +0200
Subject: [PATCH 3/5] Fix regular expression
The original expression `^true|"true"$` could match things like
`truex` or `x"true"` because the first alternative doesn't contain
`$` and the second alternative doesn't contain `^`.
---
shared/checks/oval/bootloader_disable_recovery_set_to_true.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
index 563006cd803..ff64177d6df 100644
--- a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
+++ b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
@@ -31,7 +31,7 @@
<ind:textfilecontent54_state id="state_bootloader_disable_recovery_argument"
version="1">
- <ind:subexpression datatype="string" operation="pattern match">^true|"true"$</ind:subexpression>
+ <ind:subexpression datatype="string" operation="pattern match">^(true|"true")$</ind:subexpression>
</ind:textfilecontent54_state>
</def-group>
From 2900fb986dc21ec4ce78a8b9f27f89b4d8fafbee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 17:18:37 +0200
Subject: [PATCH 4/5] Improve a regular expression
According to
https://www.freedesktop.org/software/systemd/man/systemd.html#systemd.confirm_spawn
the option systemd.confirm_spawn can be also specified without an
argument, with the same effect as a positive boolean. This commit
changes the regular expression used in checks for this, forbidding also
the occurence of systemd.confirm_spawn without any argument. Also
improves whitespace handling. Also adds a test scenario covering the
situation in which the systemd.confirm_spawn is also specified without
an argument.
---
.../oval/shared.xml | 2 +-
...led_interactive_boot_empty_boolean.fail.sh | 25 +++++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
index 837fc037300..e7358a49fa9 100644
--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
@@ -25,7 +25,7 @@
<ind:textfilecontent54_object id="object_grub2_disable_interactive_boot_grub_cmdline_linux"
version="1">
<ind:filepath>/etc/default/grub</ind:filepath>
- <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$</ind:pattern>
+ <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(?:.*\s)?systemd\.confirm_spawn(?:=(?:1|yes|true|on))?(?:\s.*)?"$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
new file mode 100644
index 00000000000..37a12f021e4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# The option systemd.confirm_spawn can be also specified without an argument,
+# with the same effect as a positive boolean.
+CONFIRM_SPAWN_OPT="systemd.confirm_spawn"
+
+if grep -q "^GRUB_CMDLINE_LINUX=" /etc/default/grub; then
+ if grep -q "^GRUB_CMDLINE_LINUX=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then
+ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub
+ else
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub
+ fi
+else
+ echo "GRUB_CMDLINE_LINUX=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub
+fi
+
+if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub; then
+ if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then
+ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub
+ else
+ sed -i "s/\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub
+ fi
+else
+ echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub
+fi
From 3cf7a22b59f52b2149d3ce54ef6bcd94ba9f8901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 4 Jul 2022 17:36:07 +0200
Subject: [PATCH 5/5] Fix missing newlines at EOF
---
.../bootloader-grub2/grub2_disable_recovery/ansible/shared.yml | 2 +-
.../grub2_disable_recovery/tests/correct_value.pass.sh | 2 +-
.../grub2_disable_recovery/tests/wrong_value.fail.sh | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
index f6285cb13cb..4348e239f2e 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
@@ -17,4 +17,4 @@
{{% else %}}
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL
-{{% endif -%}}
\ No newline at end of file
+{{% endif -%}}
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
index cb8824a6bef..e8fa3574436 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
@@ -1,3 +1,3 @@
#!/bin/bash
-echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
\ No newline at end of file
+echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
index 7241fd5aad6..20392dc7f7a 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
@@ -1,3 +1,3 @@
#!/bin/bash
-echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'
\ No newline at end of file
+echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'

809
scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch Normal file
View File

@ -0,0 +1,809 @@
From a59040cec2adf8f81fc5784e4273e1701ca21995 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 11:45:20 +0200
Subject: [PATCH 01/20] Update OCIL for require_emergency_target_auth
Extends the OCIL text according to the OVAL check.
---
.../require_emergency_target_auth/rule.yml | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index cc0a2c53017..1d5febf54c7 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -53,7 +53,7 @@ ocil: |-
To check if authentication is required for emergency mode, run the following command:
<pre>$ grep sulogin /usr/lib/systemd/system/emergency.service</pre>
The output should be similar to the following, and the line must begin with
- {{% if product in ["fedora", "rhel8", "rhel9", "ol8"] -%}}
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
<pre>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency</pre>
{{%- else -%}}
@@ -61,4 +61,20 @@ ocil: |-
<pre>ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
{{%- endif %}}
+ Then, check if the emergency target requires the emergency service:
+ Run the following command:
+ <pre>$ sudo grep Requires /usr/lib/systemd/system/emergency.target</pre>
+ The output should be the following:
+ <pre>Requires=emergency.service</pre>
+
+ Then, check if there is no custom emergency target configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r emergency.target /etc/systemd/system/</pre>
+ The output should be empty.
+
+ Then, check if there is no custom emergency service configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r emergency.service /etc/systemd/system/</pre>
+ The output should be empty.
+
platform: machine
From 16c898ce4b960e33088b025f1ea0a8e432ae01a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 11:46:19 +0200
Subject: [PATCH 02/20] Add fixtext to require_emergency_target_auth
---
.../require_emergency_target_auth/rule.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index 1d5febf54c7..c4860915b67 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -78,3 +78,13 @@ ocil: |-
The output should be empty.
platform: machine
+
+fixtext: |-
+ Configure {{{ full_name }}} to require authentication for system emergency mode.
+
+ Add or edit the following line in "/usr/lib/systemd/system/emergency.service":
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+ {{%- else -%}}
+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- endif %}}
From 836497f3b9c9b1a206023f7aa16d2df8a025ece3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 13:43:16 +0200
Subject: [PATCH 03/20] Align OCIL with OVAL for require_singleuser_auth
---
.../require_singleuser_auth/rule.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index 8d7a4fa7b74..cbd048aad0a 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -70,4 +70,22 @@ ocil: |-
<pre>ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
{{%- endif %}}
+ {{% if product not in ["ol8", "rhel8"] %}}
+ Then, verify that the rescue service is in the runlevel1.target.
+ Run the following command:
+ <pre>$ sudo grep "^Requires=.*rescue.service" /usr/lib/systemd/system/runlevel1.target</pre>
+ The output should be the following:
+ <pre>Requires=sysinit.target rescue.service</pre>
+
+ Then, check if there is no custom runlevel1 target configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r "^runlevel1.target$" /etc/systemd/system</pre>
+ There should be no output.
+
+ Then, check if there is no custom rescue service configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r "^rescue.service$" /etc/systemd/system</pre>
+ There should be no output.
+ {{% endif %}}
+
platform: machine
From 11715c35c9cdbfdc7ed4c30a8612a125ec3c77e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 13:43:30 +0200
Subject: [PATCH 04/20] Add fixtext to require_singleuser_auth
---
.../require_singleuser_auth/rule.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index cbd048aad0a..3a0cad455cc 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -89,3 +89,20 @@ ocil: |-
{{% endif %}}
platform: machine
+
+fixtext: |-
+ Configure {{{ full_name }}} to require authentication in single user mode.
+
+ {{% if init_system == "systemd" -%}}
+ Add or update the following line in "/usr/lib/systemd/system/rescue.service":
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+ {{%- elif product in ["rhel7"] -%}}
+ ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- else -%}}
+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- endif %}}
+ {{%- else -%}}
+ Add or update the following line in "/etc/sysconfig/init":
+ SINGLE=/sbin/sulogin
+ {{%- endif %}}
From ad14aee19d11dc99ead242535281d56791bfc213 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 14:15:12 +0200
Subject: [PATCH 05/20] Update OCIL in grub2_admin_username
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index a43d5fcc038..0c824434e07 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -52,17 +52,17 @@ references:
stigid@rhel7: RHEL-07-010483
stigid@rhel8: RHEL-08-010149
-ocil_clause: 'it does not'
+ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name'
ocil: |-
To verify the boot loader superuser account has been set, run the following
command:
- <pre>sudo grep -A1 "superusers" /etc/grub2.cfg</pre>
+ <pre>sudo grep -A1 "superusers" {{{ grub2_boot_path + "/grub.cfg" }}}</pre>
The output should show the following:
<pre>set superusers="<b>superusers-account</b>"
export superusers</pre>
where superusers-account is the actual account name different from common names like root,
- admin, or administrator.
+ admin, or administrator and different from any other existing user name.
warnings:
- general: |-
From 7ee002478c778fd271aa2c289e74d14aa2853355 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 14:15:28 +0200
Subject: [PATCH 06/20] Add fixtext for grub2_admin_username
---
.../non-uefi/grub2_admin_username/rule.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 0c824434e07..a813b417a00 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -73,3 +73,14 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure the system to require a grub bootloader password for the grub superuser account.
+
+ Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
+
+ set superusers="<unique_user_id>"
+ export superusers
+
+ Once the superuser account has been added, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From 9f5a6d48ef97180e7720dc066c83409633c80899 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:04:21 +0200
Subject: [PATCH 07/20] Align OCIL with OVAL in grub2_password
---
.../non-uefi/grub2_password/rule.yml | 35 ++++++-------------
1 file changed, 10 insertions(+), 25 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index ad515a65ee7..268f48a16c1 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -77,33 +77,18 @@ references:
stigid@sle15: SLES-15-010190
stigid@ubuntu2004: UBTU-20-010009
-ocil_clause: 'it does not'
+ocil_clause: 'it does not produce any output'
ocil: |-
- To verify the boot loader superuser password has been set, run the following
- command:
- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
- <pre>sudo grep "boot" {{{ grub2_boot_path }}}/grub.cfg</pre>
- {{% else %}}
- <pre>sudo grep "superusers" /etc/grub2.cfg</pre>
- {{% endif %}}
- The output should show the following:
- <pre>password_pbkdf2 <b>superusers-account</b> <b>${GRUB2_PASSWORD}</b></pre>
- To verify the boot loader superuser account password has been set,
- and the password encrypted, run the following command:
- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
- <pre>sudo cat /etc/grub.d/40_custom</pre>
- The output should be similar to:
- <pre>set superusers="boot"
- password_pbkdf2 boot grub.pbkdf2.sha512.10000.5DE5DF6E01A52E17A8C2FEDF585A3916B345F654C9D19C9ECD0BC958DF8C8A5E1AB15862D9C0B6DCE1F3209D8E8B46101DB3AE7146BB9D7D6C1D379E1854AF9E.CD75F981FE5223C583FB7887544C3A4C96431B5C089801D26855B93A1CB0BC0A508D189F1799A1CC40036B069C36EAD51DAE6A2EE6C0732353B2B5B4F5C49088</pre>
- {{% else %}}
- <pre>sudo cat {{{ grub2_boot_path }}}/user.cfg</pre>
- The output should be similar to:
- <pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
- 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
- 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
- 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
- {{% endif %}}
+ First, check whether the password is defined in either {{{ grub2_boot_path }}}/user.cfg or
+ {{{ grub2_boot_path }}}/grub.cfg.
+ Run the following commands:
+ <pre>$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/user.cfg
+ $ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/grub.cfg
+ </pre>
+
+ Second, check that a superuser is defined in {{{ grub2_boot_path }}}/grub.cfg.
+ <pre>$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$' {{{ grub2_boot_path }}}/grub.cfg</pre>
warnings:
- general: |-
From 1bd446ee0efb4cefeaaca7a1808e7de703f2b1be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:04:34 +0200
Subject: [PATCH 08/20] Add fixtext for grub2_password
Adopted from the RHEL 8 STIG spreadsheet.
---
.../non-uefi/grub2_password/rule.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 268f48a16c1..4a7e0694884 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -99,3 +99,20 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure the system to require a grub bootloader password for the grub superuser account.
+
+ Generate an encrypted grub2 password for the grub superuser account with the following command:
+
+ $ sudo grub2-setpassword
+ Enter password:
+ Confirm password:
+
+ Edit the /etc/grub.d/40_custom file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
+
+ set superusers="[someuniquestringhere]"
+ export superusers
+
+ Once the superuser account has been added, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From 85cc9f300c860e456996fa8cf7aec2532bb88a08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:54:12 +0200
Subject: [PATCH 09/20] Fix a typo
---
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 17b4918c5f5..fcf9031fa93 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -15,7 +15,7 @@ description: |-
admin, or administrator for the grub2 superuser account.
<br /><br />
Change the superuser to a different username (The default is 'root').
- <pre>$ sed -i 's/\(set superuser=\).*/\1"&lt;unique user ID&gt;"/g' /etc/grub.d/01_users</pre>
+ <pre>$ sed -i 's/\(set superusers=\).*/\1"&lt;unique user ID&gt;"/g' /etc/grub.d/01_users</pre>
<br /><br />
Once the superuser account has been added,
update the
From e3d765df471350cbcc629d67439902b8189cde14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:54:44 +0200
Subject: [PATCH 10/20] Align OCIL with OVAL in grub2_uefi_admin_username
---
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index fcf9031fa93..c76d086c5f2 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -64,12 +64,12 @@ ocil_clause: 'it does not'
ocil: |-
To verify the boot loader superuser account has been set, run the following
command:
- <pre>sudo grep -A1 "superusers" /etc/grub2-efi.cfg</pre>
+ <pre>sudo grep -A1 "superusers" {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should show the following:
<pre>set superusers="<b>superusers-account</b>"
export superusers</pre>
where superusers-account is the actual account name different from common names like root,
- admin, or administrator.
+ admin, or administrator and different from any other existing user name.
warnings:
- general: |-
From d8cb9ec4ae23535a04ae5715c9dfbf94126082f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:54:57 +0200
Subject: [PATCH 11/20] Add fixtext in grub2_uefi_admin_username
---
.../uefi/grub2_uefi_admin_username/rule.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index c76d086c5f2..2a4556c1659 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -80,3 +80,16 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure the system to require a grub bootloader password for the grub superuser account.
+
+ Select a password-protected superuser account with unique name, and modify the
+ "/etc/grub.d/01_users" configuration file to reflect the account name change.
+
+ Add or edit the following line in /etc/grub.d/01_users:
+
+ set superusers=<unique user id>
+
+ Once the superuser account has been added, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From 73a5e86cbfc77fa8344499347c074b5f04e32a0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 17:55:09 +0200
Subject: [PATCH 12/20] Align OCIL with OVAL in grub2_uefi_password
---
.../uefi/grub2_uefi_password/rule.yml | 30 +++----------------
1 file changed, 4 insertions(+), 26 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 4579b1ff2e7..ee4f6c1470a 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -77,39 +77,17 @@ references:
stigid@sle15: SLES-15-010200
stigid@ubuntu2004: UBTU-20-010009
-ocil_clause: 'it does not'
+ocil_clause: 'no password is set'
ocil: |-
- To verify the boot loader superuser password has been set, run the following
- command:
- {{% if product in ["sle12", "sle15", "ubuntu2004"] %}}
- <pre>sudo grep -A1 "superusers\|password" /etc/grub.d/40_custom</pre>
- {{% else %}}
- <pre>sudo grep "password" /etc/grub2-efi.cfg</pre>
- {{% endif %}}
- The output should show the following:
- <pre>password_pbkdf2 <b>superusers-account</b> <b>${GRUB2_PASSWORD}</b></pre>
- To verify the boot loader superuser account password has been set,
- and the password encrypted, run the following command:
- {{% if product in ["sle12", "sle15"] %}}
- <pre>sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- The output should be similar to:
- <pre>password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
- 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
- 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
- 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
- {{% elif "ubuntu" in product %}}
- <pre>grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- The output should contain something similar to:
- <pre>password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG</pre>
- {{% else %}}
- <pre>sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg</pre>
+ To verify the boot loader superuser password has been set, run the following command:
+ $ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" {{{ grub2_uefi_boot_path }}}/user.cfg
The output should be similar to:
<pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
- {{% endif %}}
+
warnings:
- general: |-
From 5332d2961da8f14965d9b6b32ea0d4f5a7c2b817 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 17:55:31 +0200
Subject: [PATCH 13/20] Add fixtext in grub2_uefi_password
---
.../uefi/grub2_uefi_password/rule.yml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index ee4f6c1470a..4ed65d5f68d 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -98,3 +98,18 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure {{{ full_name }}} to use a secure UEFI boot loader password.
+
+ Run the following command:
+ $ sudo grub2-setpassword
+
+ When prompted, enter the password that was selected.
+ Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content:
+
+ set superusers="boot"
+ password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
+
+ Then, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From f1fae705e533ec0f4d4e83518f581dadd1552e2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 26 Apr 2022 08:43:08 +0200
Subject: [PATCH 14/20] Fix a typo
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index a813b417a00..88551a068bf 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -52,7 +52,7 @@ references:
stigid@rhel7: RHEL-07-010483
stigid@rhel8: RHEL-08-010149
-ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name'
+ocil_clause: 'superuser account is not set or is set to root, admin, administrator or any other existing user name'
ocil: |-
To verify the boot loader superuser account has been set, run the following
From 5f6cbfc9440e029526b86e448b51ab39e6bf6c35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:07:51 +0200
Subject: [PATCH 15/20] Add an update operation to macro grub_command
---
shared/macros/general.jinja | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/shared/macros/general.jinja b/shared/macros/general.jinja
index 3802ea40eea..df4c696d3ca 100644
--- a/shared/macros/general.jinja
+++ b/shared/macros/general.jinja
@@ -1071,17 +1071,17 @@ p+i+n+u+g+s+b+acl+xattrs+sha512
{{#
-Macro to generate a command to modify (add or remove) kernel command line argument in a GRUB 2 bootloader.
+Macro to generate a command to modify GRUB 2 configuration or add or remove kernel command line argument in a GRUB 2 bootloader.
Generates a correct command based on the product (grubby, grub2-mkconfig, update-grub, etc.)
Part of the grub2_bootloader_argument(_absent) templates.
-:param action: What to do with the argument, either "add" or "remove".
+:param action: What to do with the argument, must be one of: "update", "add", "remove".
:type action str:
:param arg_name: :type arg_name str: :param arg_name_value: If action is "add", it's kernel command line argument concatenated with the value of this argument using an equal sign, eg. "audit=1". If action is "remove", it's only the kernel command line argument name, eg. "audit".
:type arg_name_value str:
#}}
-{{% macro grub_command(action, arg_name_value) -%}}
+{{% macro grub_command(action, arg_name_value=None) -%}}
{{%- if 'ubuntu' in product -%}}
{{%- set grub_helper_executable = "update-grub" -%}}
{{%- set grub_helper_args = [] -%}}
@@ -1090,7 +1090,9 @@ Part of the grub2_bootloader_argument(_absent) templates.
{{%- set grub_helper_args = ["-o " + grub2_boot_path + "/grub2.cfg"] -%}}
{{%- else -%}}
{{%- set grub_helper_executable = "grubby" -%}}
- {{%- if action == "add" -%}}
+ {{%- if action == "update" -%}}
+ {{%- set grub_helper_args = ["--update-kernel=ALL"] -%}}
+ {{%- elif action == "add" -%}}
{{%- set grub_helper_args = ["--update-kernel=ALL", "--args=" ~ arg_name_value ] -%}}
{{%- elif action == "remove" -%}}
{{%- set grub_helper_args = ["--update-kernel=ALL", "--remove-args=" ~ arg_name_value ] -%}}
From 591cc74770433614595326a514e459a4efb7f491 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:08:54 +0200
Subject: [PATCH 16/20] Use grub_command macro in rules in
SRG-OS-000080-GPOS-00048
---
.../non-uefi/grub2_admin_username/rule.yml | 5 +++--
.../bootloader-grub2/non-uefi/grub2_password/rule.yml | 9 +++------
.../uefi/grub2_uefi_admin_username/rule.yml | 5 +++--
.../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 9 +++------
4 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 88551a068bf..5557664f8be 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -20,7 +20,7 @@ description: |-
Once the superuser account has been added,
update the
<tt>grub.cfg</tt> file by running:
- <pre>grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
+ <pre>{{{ grub_command("update") }}}</pre>
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
@@ -83,4 +83,5 @@ fixtext: |-
export superusers
Once the superuser account has been added, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 4a7e0694884..43c63b56ffc 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -28,11 +28,7 @@ description: |-
Once the superuser password has been added,
update the
<tt>grub.cfg</tt> file by running:
- {{% if "ubuntu" in product %}}
- <pre>update-grub</pre>
- {{% elif product in ["sle12", "sle15"] %}}
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- {{% endif %}}
+ <pre>{{{ grub_command("update") }}}</pre>
{{% endif %}}
rationale: |-
@@ -115,4 +111,5 @@ fixtext: |-
export superusers
Once the superuser account has been added, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 2a4556c1659..bd07ab2ee29 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -20,7 +20,7 @@ description: |-
Once the superuser account has been added,
update the
<tt>grub.cfg</tt> file by running:
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
+ <pre>{{{ grub_command("update") }}}</pre>
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
@@ -92,4 +92,5 @@ fixtext: |-
set superusers=<unique user id>
Once the superuser account has been added, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 4ed65d5f68d..98144a9e651 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -28,11 +28,7 @@ description: |-
Once the superuser password has been added,
update the
<tt>grub.cfg</tt> file by running:
- {{% if "ubuntu" in product %}}
- <pre>update-grub</pre>
- {{% elif product in ["sle12", "sle15"] %}}
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- {{% endif %}}
+ <pre>{{{ grub_command("update") }}}</pre>
{{% endif %}}
rationale: |-
@@ -112,4 +108,5 @@ fixtext: |-
password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
Then, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
From b2fce574abb7cf4bf72058023646178cd574ff90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:09:14 +0200
Subject: [PATCH 17/20] Update OCIL
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 5557664f8be..ccf7ca74932 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -79,7 +79,7 @@ fixtext: |-
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
- set superusers="<unique_user_id>"
+ set superusers="superusers-account"
export superusers
Once the superuser account has been added, update the grub.cfg file by running:
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index bd07ab2ee29..61e2e4e066f 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -59,7 +59,7 @@ references:
stigid@rhel7: RHEL-07-010492
stigid@rhel8: RHEL-08-010141
-ocil_clause: 'it does not'
+ocil_clause: 'superuser account is not set or is set to an existing name or to a common name'
ocil: |-
To verify the boot loader superuser account has been set, run the following
@@ -89,7 +89,7 @@ fixtext: |-
Add or edit the following line in /etc/grub.d/01_users:
- set superusers=<unique user id>
+ set superusers="superusers-account"
Once the superuser account has been added, update the grub.cfg file by running:
From 1cefb7749a4ec5fabd27a53e15096ab44a566a16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:19:19 +0200
Subject: [PATCH 18/20] Use a unique account name for the superusers account
---
.../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 98144a9e651..58fb77ab98f 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -103,9 +103,10 @@ fixtext: |-
When prompted, enter the password that was selected.
Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content:
+ Use a unique account name for the superusers account.
- set superusers="boot"
- password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
+ set superusers="superusers-account"
+ password_pbkdf2 superusers-account grub.pbkdf2.sha512.$password_hash
Then, update the grub.cfg file by running:
From 1cbaba853c2dbff8cd9ba55117d6f46fd5e9ab58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 6 May 2022 13:51:29 +0200
Subject: [PATCH 19/20] Apply suggestions from code review
Co-authored-by: Matthew Burket <m@tthewburket.com>
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index ccf7ca74932..7a9f397f744 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -75,7 +75,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure the system to have a unique username for the grub superuser account.
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 61e2e4e066f..8d6ebad550c 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -82,7 +82,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure the system to have a unique username for the grub superuser account.
Select a password-protected superuser account with unique name, and modify the
"/etc/grub.d/01_users" configuration file to reflect the account name change.
From e73fefa9548264d24959284fd2447ef0bc474d6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 9 May 2022 08:33:54 +0200
Subject: [PATCH 20/20] Replace the system by full name
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
.../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 2 +-
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 7a9f397f744..14bdfd57a6d 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -75,7 +75,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to have a unique username for the grub superuser account.
+ Configure {{{ full_name }}} to have a unique username for the grub superuser account.
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 43c63b56ffc..211d8b28a84 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -97,7 +97,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account.
Generate an encrypted grub2 password for the grub superuser account with the following command:
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 8d6ebad550c..d36dbcbb187 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -82,7 +82,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to have a unique username for the grub superuser account.
+ Configure {{{ full_name }}} to have a unique username for the grub superuser account.
Select a password-protected superuser account with unique name, and modify the
"/etc/grub.d/01_users" configuration file to reflect the account name change.

3
scap-security-guide.spec
View File

@ -29,6 +29,8 @@ Patch1: scap-security-guide-0.1.63-audit_access_success_unenforci
Patch2: scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
Patch3: scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch
Patch4: scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch
Patch5: scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
Patch6: scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
%description
The scap-security-guide project provides a guide for configuration of the
@ -110,6 +112,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
- Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708)
- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
- Rebase to a new upstream release (RHBZ#2070563)