diff --git a/scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch b/scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
new file mode 100644
index 0000000..b4194f7
--- /dev/null
+++ b/scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch
@@ -0,0 +1,330 @@ +From d303ee9d0dcdf1d1fa57b50454aa2a9692381e93 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 4 Jul 2022 15:46:31 +0200 +Subject: [PATCH 1/5] Create rule grub2_disable_recovery + +Create a rule that only checks for the GRUB_DISABLE_RECOVERY=true +option in /etc/default/grub. The rule is similar to +grub2_disable_interactive_boot, but that one in addition checks +for systemd.confirm_spawn. This is introduced for OSPP. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809 +--- + .../grub2_disable_recovery/ansible/shared.yml | 20 +++++++++ + .../grub2_disable_recovery/bash/shared.sh | 13 ++++++ + .../grub2_disable_recovery/oval/shared.xml | 9 ++++ + .../grub2_disable_recovery/rule.yml | 43 +++++++++++++++++++ + .../tests/correct_value.pass.sh | 3 ++ + .../tests/wrong_value.fail.sh | 3 ++ + shared/references/cce-redhat-avail.txt | 1 - + 7 files changed, 91 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml + create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh + create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml + create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml + create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml +new file mode 100644 +index 00000000000..f6285cb13cb +--- /dev/null ++++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml +@@ -0,0 +1,20 @@ ++# platform = multi_platform_all ++# reboot = true ++# strategy = restrict ++# 
complexity = low ++# disruption = low ++ ++- name: Verify GRUB_DISABLE_RECOVERY=true ++ lineinfile: ++ path: /etc/default/grub ++ regexp: '^GRUB_DISABLE_RECOVERY=.*' ++ line: 'GRUB_DISABLE_RECOVERY=true' ++ state: present ++ ++{{% if product in ['sle12', 'sle15'] %}} ++- name: Update grub defaults and the bootloader menu ++ command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg ++{{% else %}} ++- name: Update grub defaults and the bootloader menu ++ command: /sbin/grubby --update-kernel=ALL ++{{% endif -%}} +\ No newline at end of file +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh +new file mode 100644 +index 00000000000..78322e63446 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh +@@ -0,0 +1,13 @@ ++# platform = multi_platform_all ++# reboot = true ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then ++ sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub" ++else ++ echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' ++fi ++ ++{{{ grub_command("update") }}} +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml +new file mode 100644 +index 00000000000..10adbe0a30b +--- /dev/null ++++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml +@@ -0,0 +1,9 @@ ++ ++ ++ {{{ oval_metadata("Recovery mode should be disabled.") }}} ++ ++ ++ ++ ++ +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml +new file mode 100644 +index 00000000000..4f8d4ddcfde +--- /dev/null ++++ 
b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml +@@ -0,0 +1,43 @@ ++documentation_complete: true ++ ++title: 'Disable Recovery Booting' ++ ++description: |- ++ {{{ full_name }}} systems support an "recovery boot" option that can be used ++ to prevent services from being started. The GRUB_DISABLE_RECOVERY ++ configuration option in /etc/default/grub should be set to ++ true to disable the generation of recovery mode menu entries. It is ++ also required to change the runtime configuration, run: ++
$ sudo {{{ grub_command("update") }}}
++ ++rationale: |- ++ Using recovery boot, the console user could disable auditing, firewalls, ++ or other services, weakening system security. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel9: CCE-85986-8 ++ ++references: ++ ospp: FIA_UAU.1 ++ ++ocil_clause: 'GRUB_DISABLE_RECOVERY is not set to true or is missing' ++ ++ocil: |- ++ Verify that GRUB_DISABLE_RECOVERY is set to true in /etc/default/grub to disable recovery boot. ++ Run the following command: ++ ++ $ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub ++ ++fixtext: |- ++ Configure the GRUB 2 boot loader to disable recovery mode boot loader entries. ++ Add or edit the following line in /etc/default/grub: ++ ++ GRUB_DISABLE_RECOVERY=true ++ ++ Then, run the following command: ++ ++ $ sudo {{{ grub_command("update") }}} ++ ++platform: grub2 +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh +new file mode 100644 +index 00000000000..cb8824a6bef +--- /dev/null ++++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub' +\ No newline at end of file +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh +new file mode 100644 +index 00000000000..7241fd5aad6 +--- /dev/null ++++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub' +\ No newline at end of file +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index ee246384416..431b133d416 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ 
b/shared/references/cce-redhat-avail.txt +@@ -44,7 +44,6 @@ CCE-85982-7 + CCE-85983-5 + CCE-85984-3 + CCE-85985-0 +-CCE-85986-8 + CCE-85988-4 + CCE-85997-5 + CCE-85998-3 + +From 5637b1465c1ceb40efb33ebdd2cf8b4211a4ef9e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 4 Jul 2022 15:52:10 +0200 +Subject: [PATCH 2/5] Stop checking systemd.confirm_spawn in RHEL 9 OSPP + +Use grub2_disable_recovery instead of grub2_disable_interactive_boot +to check solely for the GRUB_DISABLE_RECOVERY=true config option. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809 +--- + products/rhel9/profiles/ospp.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile +index 534b3312575..8245bb9ce63 100644 +--- a/products/rhel9/profiles/ospp.profile ++++ b/products/rhel9/profiles/ospp.profile +@@ -275,7 +275,7 @@ selections: + ## Disable Unauthenticated Login (such as Guest Accounts) + ## FIA_UAU.1 + - require_singleuser_auth +- - grub2_disable_interactive_boot ++ - grub2_disable_recovery + - grub2_uefi_password + - no_empty_passwords + + +From 09f11408ed83da07238ad5fccf89d59b4b2707fd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 4 Jul 2022 16:05:22 +0200 +Subject: [PATCH 3/5] Fix regular expression + +The original expression `^true|"true"$` could match things like +`truex` or `x"true"` because the first alternative doesn't contain +`$` and the second alternative doesn't contain `^`. 
+--- + shared/checks/oval/bootloader_disable_recovery_set_to_true.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml +index 563006cd803..ff64177d6df 100644 +--- a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml ++++ b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml +@@ -31,7 +31,7 @@ + + +- ^true|"true"$ ++ ^(true|"true")$ + + + + +From 2900fb986dc21ec4ce78a8b9f27f89b4d8fafbee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 4 Jul 2022 17:18:37 +0200 +Subject: [PATCH 4/5] Improve a regular expression + +According to +https://www.freedesktop.org/software/systemd/man/systemd.html#systemd.confirm_spawn +the option systemd.confirm_spawn can be also specified without an +argument, with the same effect as a positive boolean. This commit +changes the regular expression used in checks for this, forbidding also +the occurence of systemd.confirm_spawn without any argument. Also +improves whitespace handling. Also adds a test scenario covering the +situation in which the systemd.confirm_spawn is also specified without +an argument. 
+--- + .../oval/shared.xml | 2 +- + ...led_interactive_boot_empty_boolean.fail.sh | 25 +++++++++++++++++++ + 2 files changed, 26 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh + +diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml +index 837fc037300..e7358a49fa9 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml +@@ -25,7 +25,7 @@ + + /etc/default/grub +- ^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ ++ ^\s*GRUB_CMDLINE_LINUX="(?:.*\s)?systemd\.confirm_spawn(?:=(?:1|yes|true|on))?(?:\s.*)?"$ + 1 + + +diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh +new file mode 100644 +index 00000000000..37a12f021e4 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh +@@ -0,0 +1,25 @@ ++#!/bin/bash ++ ++# The option systemd.confirm_spawn can be also specified without an argument, ++# with the same effect as a positive boolean. 
++CONFIRM_SPAWN_OPT="systemd.confirm_spawn" ++ ++if grep -q "^GRUB_CMDLINE_LINUX=" /etc/default/grub; then ++ if grep -q "^GRUB_CMDLINE_LINUX=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then ++ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub ++ else ++ sed -i "s/\(^GRUB_CMDLINE_LINUX=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub ++ fi ++else ++ echo "GRUB_CMDLINE_LINUX=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub ++fi ++ ++if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub; then ++ if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then ++ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub ++ else ++ sed -i "s/\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub ++ fi ++else ++ echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub ++fi + +From 3cf7a22b59f52b2149d3ce54ef6bcd94ba9f8901 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 4 Jul 2022 17:36:07 +0200 +Subject: [PATCH 5/5] Fix missing newlines at EOF + +--- + .../bootloader-grub2/grub2_disable_recovery/ansible/shared.yml | 2 +- + .../grub2_disable_recovery/tests/correct_value.pass.sh | 2 +- + .../grub2_disable_recovery/tests/wrong_value.fail.sh | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml +index f6285cb13cb..4348e239f2e 100644 +--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml ++++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml +@@ -17,4 +17,4 @@ + {{% else %}} + - name: Update grub defaults and the bootloader menu + command: /sbin/grubby --update-kernel=ALL +-{{% endif -%}} +\ No newline at end of file ++{{% endif -%}} +diff --git 
a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
+index cb8824a6bef..e8fa3574436 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
++++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
+@@ -1,3 +1,3 @@
+ #!/bin/bash
+ 
+-echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
+\ No newline at end of file
++echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
+index 7241fd5aad6..20392dc7f7a 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
++++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
+@@ -1,3 +1,3 @@
+ #!/bin/bash
+ 
+-echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'
+\ No newline at end of file
++echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'
diff --git a/scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch b/scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
new file mode 100644
index 0000000..f1650bb
--- /dev/null
+++ b/scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch
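Review bot: In the bash remediation added by patch 1/5 (grub2_disable_recovery/bash/shared.sh) the `sed` pattern is unanchored while the guarding `grep` is anchored to `^GRUB_DISABLE_RECOVERY=`, so once an active line exists the substitution also rewrites commented-out lines such as `#GRUB_DISABLE_RECOVERY=false` and any longer key that merely ends in that name; `sed -i 's/^GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"` keeps check and fix on the same line. The `ocil` text in the new rule.yml has the same looseness: `$ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub` will show a commented-out or `=false` line to the assessor without saying what to expect, so `$ sudo grep '^GRUB_DISABLE_RECOVERY=' /etc/default/grub` followed by the expected output `GRUB_DISABLE_RECOVERY=true` would match what the check evaluates. The two test scenarios only append to /etc/default/grub and never remove a pre-existing `GRUB_DISABLE_RECOVERY=` line, so their verdict presumably depends on how the OVAL object treats duplicate keys — worth confirming against the check, which is not visible in this hunk. A wording nit in the rule description: `support an "recovery boot" option` should read `support a "recovery boot" option`.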
@@ -0,0 +1,809 @@ +From a59040cec2adf8f81fc5784e4273e1701ca21995 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 11:45:20 +0200 +Subject: [PATCH 01/20] Update OCIL for require_emergency_target_auth + +Extends the OCIL text according to the OVAL check. +--- + .../require_emergency_target_auth/rule.yml | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +index cc0a2c53017..1d5febf54c7 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +@@ -53,7 +53,7 @@ ocil: |- + To check if authentication is required for emergency mode, run the following command: +
$ grep sulogin /usr/lib/systemd/system/emergency.service
+ The output should be similar to the following, and the line must begin with +- {{% if product in ["fedora", "rhel8", "rhel9", "ol8"] -%}} ++ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}} + ExecStart and /usr/lib/systemd/systemd-sulogin-shell. +
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+ {{%- else -%}} +@@ -61,4 +61,20 @@ ocil: |- +
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- endif %}} + ++ Then, check if the emergency target requires the emergency service: ++ Run the following command: ++
$ sudo grep Requires /usr/lib/systemd/system/emergency.target
++ The output should be the following: ++
Requires=emergency.service
++ ++ Then, check if there is no custom emergency target configured in systemd configuration. ++ Run the following command: ++
$ sudo grep -r emergency.target /etc/systemd/system/
++ The output should be empty. ++ ++ Then, check if there is no custom emergency service configured in systemd configuration. ++ Run the following command: ++
$ sudo grep -r emergency.service /etc/systemd/system/
++ The output should be empty. ++ + platform: machine + +From 16c898ce4b960e33088b025f1ea0a8e432ae01a4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 11:46:19 +0200 +Subject: [PATCH 02/20] Add fixtext to require_emergency_target_auth + +--- + .../require_emergency_target_auth/rule.yml | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +index 1d5febf54c7..c4860915b67 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +@@ -78,3 +78,13 @@ ocil: |- + The output should be empty. + + platform: machine ++ ++fixtext: |- ++ Configure {{{ full_name }}} to require authentication for system emergency mode. ++ ++ Add or edit the following line in "/usr/lib/systemd/system/emergency.service": ++ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}} ++ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency ++ {{%- else -%}} ++ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" ++ {{%- endif %}} + +From 836497f3b9c9b1a206023f7aa16d2df8a025ece3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 13:43:16 +0200 +Subject: [PATCH 03/20] Align OCIL with OVAL for require_singleuser_auth + +--- + .../require_singleuser_auth/rule.yml | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +index 8d7a4fa7b74..cbd048aad0a 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +@@ -70,4 +70,22 @@ ocil: |- +
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- endif %}} + ++ {{% if product not in ["ol8", "rhel8"] %}} ++ Then, verify that the rescue service is in the runlevel1.target. ++ Run the following command: ++
$ sudo grep "^Requires=.*rescue.service" /usr/lib/systemd/system/runlevel1.target
++ The output should be the following: ++
Requires=sysinit.target rescue.service
++ ++ Then, check if there is no custom runlevel1 target configured in systemd configuration. ++ Run the following command: ++
$ sudo grep -r "^runlevel1.target$" /etc/systemd/system
++ There should be no output. ++ ++ Then, check if there is no custom rescue service configured in systemd configuration. ++ Run the following command: ++
$ sudo grep -r "^rescue.service$" /etc/systemd/system
++ There should be no output. ++ {{% endif %}} ++ + platform: machine + +From 11715c35c9cdbfdc7ed4c30a8612a125ec3c77e5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 13:43:30 +0200 +Subject: [PATCH 04/20] Add fixtext to require_singleuser_auth + +--- + .../require_singleuser_auth/rule.yml | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +index cbd048aad0a..3a0cad455cc 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +@@ -89,3 +89,20 @@ ocil: |- + {{% endif %}} + + platform: machine ++ ++fixtext: |- ++ Configure {{{ full_name }}} to require authentication in single user mode. ++ ++ {{% if init_system == "systemd" -%}} ++ Add or update the following line in "/usr/lib/systemd/system/rescue.service": ++ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}} ++ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue ++ {{%- elif product in ["rhel7"] -%}} ++ ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" ++ {{%- else -%}} ++ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" ++ {{%- endif %}} ++ {{%- else -%}} ++ Add or update the following line in "/etc/sysconfig/init": ++ SINGLE=/sbin/sulogin ++ {{%- endif %}} + +From ad14aee19d11dc99ead242535281d56791bfc213 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 14:15:12 +0200 +Subject: [PATCH 05/20] Update OCIL in grub2_admin_username + +--- + .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git 
a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +index a43d5fcc038..0c824434e07 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +@@ -52,17 +52,17 @@ references: + stigid@rhel7: RHEL-07-010483 + stigid@rhel8: RHEL-08-010149 + +-ocil_clause: 'it does not' ++ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name' + + ocil: |- + To verify the boot loader superuser account has been set, run the following + command: +-
sudo grep -A1 "superusers" /etc/grub2.cfg
++
sudo grep -A1 "superusers" {{{ grub2_boot_path + "/grub.cfg" }}}
+ The output should show the following: +
set superusers="superusers-account"
+     export superusers
+ where superusers-account is the actual account name different from common names like root, +- admin, or administrator. ++ admin, or administrator and different from any other existing user name. + + warnings: + - general: |- + +From 7ee002478c778fd271aa2c289e74d14aa2853355 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 14:15:28 +0200 +Subject: [PATCH 06/20] Add fixtext for grub2_admin_username + +--- + .../non-uefi/grub2_admin_username/rule.yml | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +index 0c824434e07..a813b417a00 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +@@ -73,3 +73,14 @@ warnings: + grub.cfg file as the grub2-mkconfig command overwrites this file. + + platform: machine ++ ++fixtext: |- ++ Configure the system to require a grub bootloader password for the grub superuser account. 
++ ++ Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: ++ ++ set superusers="" ++ export superusers ++ ++ Once the superuser account has been added, update the grub.cfg file by running: ++ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg + +From 9f5a6d48ef97180e7720dc066c83409633c80899 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 15:04:21 +0200 +Subject: [PATCH 07/20] Align OCIL with OVAL in grub2_password + +--- + .../non-uefi/grub2_password/rule.yml | 35 ++++++------------- + 1 file changed, 10 insertions(+), 25 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +index ad515a65ee7..268f48a16c1 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +@@ -77,33 +77,18 @@ references: + stigid@sle15: SLES-15-010190 + stigid@ubuntu2004: UBTU-20-010009 + +-ocil_clause: 'it does not' ++ocil_clause: 'it does not produce any output' + + ocil: |- +- To verify the boot loader superuser password has been set, run the following +- command: +- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}} +-
sudo grep "boot" {{{ grub2_boot_path }}}/grub.cfg
+- {{% else %}} +-
sudo grep "superusers" /etc/grub2.cfg
+- {{% endif %}} +- The output should show the following: +-
password_pbkdf2 superusers-account ${GRUB2_PASSWORD}
+- To verify the boot loader superuser account password has been set, +- and the password encrypted, run the following command: +- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}} +-
sudo cat /etc/grub.d/40_custom
+- The output should be similar to: +-
set superusers="boot"
+-    password_pbkdf2 boot grub.pbkdf2.sha512.10000.5DE5DF6E01A52E17A8C2FEDF585A3916B345F654C9D19C9ECD0BC958DF8C8A5E1AB15862D9C0B6DCE1F3209D8E8B46101DB3AE7146BB9D7D6C1D379E1854AF9E.CD75F981FE5223C583FB7887544C3A4C96431B5C089801D26855B93A1CB0BC0A508D189F1799A1CC40036B069C36EAD51DAE6A2EE6C0732353B2B5B4F5C49088
+- {{% else %}} +-
sudo cat {{{ grub2_boot_path }}}/user.cfg
+- The output should be similar to: +-
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
+-    2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
+-    916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
+-    0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
+- {{% endif %}} ++ First, check whether the password is defined in either {{{ grub2_boot_path }}}/user.cfg or ++ {{{ grub2_boot_path }}}/grub.cfg. ++ Run the following commands: ++
$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/user.cfg
++    $ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/grub.cfg
++    
++ ++ Second, check that a superuser is defined in {{{ grub2_boot_path }}}/grub.cfg. ++
$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$'  {{{ grub2_boot_path }}}/grub.cfg
+ + warnings: + - general: |- + +From 1bd446ee0efb4cefeaaca7a1808e7de703f2b1be Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 15:04:34 +0200 +Subject: [PATCH 08/20] Add fixtext for grub2_password + +Adopted from the RHEL 8 STIG spreadsheet. +--- + .../non-uefi/grub2_password/rule.yml | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +index 268f48a16c1..4a7e0694884 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +@@ -99,3 +99,20 @@ warnings: + grub.cfg file as the grub2-mkconfig command overwrites this file. + + platform: machine ++ ++fixtext: |- ++ Configure the system to require a grub bootloader password for the grub superuser account. ++ ++ Generate an encrypted grub2 password for the grub superuser account with the following command: ++ ++ $ sudo grub2-setpassword ++ Enter password: ++ Confirm password: ++ ++ Edit the /etc/grub.d/40_custom file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: ++ ++ set superusers="[someuniquestringhere]" ++ export superusers ++ ++ Once the superuser account has been added, update the grub.cfg file by running: ++ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg + +From 85cc9f300c860e456996fa8cf7aec2532bb88a08 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 15:54:12 +0200 +Subject: [PATCH 09/20] Fix a typo + +--- + .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +index 
17b4918c5f5..fcf9031fa93 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +@@ -15,7 +15,7 @@ description: |- + admin, or administrator for the grub2 superuser account. +

+ Change the superuser to a different username (The default is 'root'). +-
$ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
++
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
+

+ Once the superuser account has been added, + update the + +From e3d765df471350cbcc629d67439902b8189cde14 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 15:54:44 +0200 +Subject: [PATCH 10/20] Align OCIL with OVAL in grub2_uefi_admin_username + +--- + .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +index fcf9031fa93..c76d086c5f2 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +@@ -64,12 +64,12 @@ ocil_clause: 'it does not' + ocil: |- + To verify the boot loader superuser account has been set, run the following + command: +-
sudo grep -A1 "superusers" /etc/grub2-efi.cfg
++
sudo grep -A1 "superusers" {{{ grub2_uefi_boot_path }}}/grub.cfg
+ The output should show the following: +
set superusers="superusers-account"
+     export superusers
+ where superusers-account is the actual account name different from common names like root, +- admin, or administrator. ++ admin, or administrator and different from any other existing user name. + + warnings: + - general: |- + +From d8cb9ec4ae23535a04ae5715c9dfbf94126082f0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 15:54:57 +0200 +Subject: [PATCH 11/20] Add fixtext in grub2_uefi_admin_username + +--- + .../uefi/grub2_uefi_admin_username/rule.yml | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +index c76d086c5f2..2a4556c1659 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +@@ -80,3 +80,16 @@ warnings: + grub.cfg file as the grub2-mkconfig command overwrites this file. + + platform: machine ++ ++fixtext: |- ++ Configure the system to require a grub bootloader password for the grub superuser account. ++ ++ Select a password-protected superuser account with unique name, and modify the ++ "/etc/grub.d/01_users" configuration file to reflect the account name change. 
++ ++ Add or edit the following line in /etc/grub.d/01_users: ++ ++ set superusers= ++ ++ Once the superuser account has been added, update the grub.cfg file by running: ++ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg + +From 73a5e86cbfc77fa8344499347c074b5f04e32a0e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 17:55:09 +0200 +Subject: [PATCH 12/20] Align OCIL with OVAL in grub2_uefi_password + +--- + .../uefi/grub2_uefi_password/rule.yml | 30 +++---------------- + 1 file changed, 4 insertions(+), 26 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +index 4579b1ff2e7..ee4f6c1470a 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +@@ -77,39 +77,17 @@ references: + stigid@sle15: SLES-15-010200 + stigid@ubuntu2004: UBTU-20-010009 + +-ocil_clause: 'it does not' ++ocil_clause: 'no password is set' + + ocil: |- +- To verify the boot loader superuser password has been set, run the following +- command: +- {{% if product in ["sle12", "sle15", "ubuntu2004"] %}} +-
sudo grep -A1 "superusers\|password" /etc/grub.d/40_custom
+- {{% else %}} +-
sudo grep "password" /etc/grub2-efi.cfg
+- {{% endif %}} +- The output should show the following: +-
password_pbkdf2 superusers-account ${GRUB2_PASSWORD}
+- To verify the boot loader superuser account password has been set, +- and the password encrypted, run the following command: +- {{% if product in ["sle12", "sle15"] %}} +-
sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg
+- The output should be similar to: +-
password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
+-    2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
+-    916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
+-    0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
+- {{% elif "ubuntu" in product %}} +-
grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg
+- The output should contain something similar to: +-
password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG
+- {{% else %}} +-
sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg
++ To verify the boot loader superuser password has been set, run the following command: ++ $ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" {{{ grub2_uefi_boot_path }}}/user.cfg + The output should be similar to: +
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
+     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
+     916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
+     0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
+- {{% endif %}} ++ + + warnings: + - general: |- + +From 5332d2961da8f14965d9b6b32ea0d4f5a7c2b817 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 25 Apr 2022 17:55:31 +0200 +Subject: [PATCH 13/20] Add fixtext in grub2_uefi_password + +--- + .../uefi/grub2_uefi_password/rule.yml | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +index ee4f6c1470a..4ed65d5f68d 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +@@ -98,3 +98,18 @@ warnings: + grub.cfg file as the grub2-mkconfig command overwrites this file. + + platform: machine ++ ++fixtext: |- ++ Configure {{{ full_name }}} to use a secure UEFI boot loader password. ++ ++ Run the following command: ++ $ sudo grub2-setpassword ++ ++ When prompted, enter the password that was selected. 
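Review bot: The bracket expression in the new OCIL command, `grep "^[\s]*GRUB2_PASSWORD=..."`, does not match leading whitespace: inside POSIX brackets a backslash is literal, so `[\s]*` matches runs of `\` or `s` (it still matches the usual column-0 `GRUB2_PASSWORD=` line only because zero repetitions are allowed). If optional leading blanks are intended, write `^[[:space:]]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$`. The removed branches also covered sle12/sle15/ubuntu2004 via /etc/grub.d/40_custom and grub.cfg, while the new text checks only user.cfg, which presumably exists only where grub2-setpassword is used; since the references block above still lists stigid@sle15 and stigid@ubuntu2004, it would be worth stating in the rule (or in the commit message) that the OCIL now reflects the RHEL-family check the OVAL performs, or keeping a product conditional for those platforms.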
++ Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content: ++ ++ set superusers="boot" ++ password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash ++ ++ Then, update the grub.cfg file by running: ++ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg + +From f1fae705e533ec0f4d4e83518f581dadd1552e2c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 26 Apr 2022 08:43:08 +0200 +Subject: [PATCH 14/20] Fix a typo + +--- + .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +index a813b417a00..88551a068bf 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +@@ -52,7 +52,7 @@ references: + stigid@rhel7: RHEL-07-010483 + stigid@rhel8: RHEL-08-010149 + +-ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name' ++ocil_clause: 'superuser account is not set or is set to root, admin, administrator or any other existing user name' + + ocil: |- + To verify the boot loader superuser account has been set, run the following + +From 5f6cbfc9440e029526b86e448b51ab39e6bf6c35 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 3 May 2022 10:07:51 +0200 +Subject: [PATCH 15/20] Add an update operation to macro grub_command + +--- + shared/macros/general.jinja | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/shared/macros/general.jinja b/shared/macros/general.jinja +index 3802ea40eea..df4c696d3ca 100644 +--- a/shared/macros/general.jinja ++++ b/shared/macros/general.jinja +@@ -1071,17 +1071,17 @@ p+i+n+u+g+s+b+acl+xattrs+sha512 + + + {{# 
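Review bot: The fixtext asks the reader to run `grub2-setpassword` and then copy "the hash from the output" into /etc/grub.d/40_custom as `password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash`, but to my knowledge grub2-setpassword prints no hash and instead writes `GRUB2_PASSWORD=grub.pbkdf2.sha512....` into user.cfg, which is exactly the file the OCIL in the previous commit now greps. As written, the 40_custom step is either unnecessary (user.cfg already carries the password) or, if the reader pastes a full hash, produces a duplicated `grub.pbkdf2.sha512.grub.pbkdf2.sha512.` prefix, and `$password_hash` is not expanded by GRUB. I would either drop the 40_custom lines and keep `$ sudo grub2-setpassword` followed by the grub.cfg regeneration, or, if a manual entry is intended, name the command that actually prints a hash and say explicitly that `$password_hash` is a placeholder for it.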
+-Macro to generate a command to modify (add or remove) kernel command line argument in a GRUB 2 bootloader. ++Macro to generate a command to modify GRUB 2 configuration or add or remove kernel command line argument in a GRUB 2 bootloader. + Generates a correct command based on the product (grubby, grub2-mkconfig, update-grub, etc.) + Part of the grub2_bootloader_argument(_absent) templates. + +-:param action: What to do with the argument, either "add" or "remove". ++:param action: What to do with the argument, must be one of: "update", "add", "remove". + :type action str: + :param arg_name: :type arg_name str: :param arg_name_value: If action is "add", it's kernel command line argument concatenated with the value of this argument using an equal sign, eg. "audit=1". If action is "remove", it's only the kernel command line argument name, eg. "audit". + :type arg_name_value str: + + #}} +-{{% macro grub_command(action, arg_name_value) -%}} ++{{% macro grub_command(action, arg_name_value=None) -%}} + {{%- if 'ubuntu' in product -%}} + {{%- set grub_helper_executable = "update-grub" -%}} + {{%- set grub_helper_args = [] -%}} +@@ -1090,7 +1090,9 @@ Part of the grub2_bootloader_argument(_absent) templates. 
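Review bot: The parameter documentation is not updated for the new "update" action: `:param arg_name_value:` still describes only the "add" and "remove" cases, although the signature now defaults it to `None` precisely so "update" can omit it. I would add `If action is "update", this parameter is ignored and only the bootloader configuration is regenerated.` to that description, and mention in the first sentence that "update" regenerates the configuration without touching kernel arguments. The macro body continues past this hunk.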
+ {{%- set grub_helper_args = ["-o " + grub2_boot_path + "/grub2.cfg"] -%}} + {{%- else -%}} + {{%- set grub_helper_executable = "grubby" -%}} +- {{%- if action == "add" -%}} ++ {{%- if action == "update" -%}} ++ {{%- set grub_helper_args = ["--update-kernel=ALL"] -%}} ++ {{%- elif action == "add" -%}} + {{%- set grub_helper_args = ["--update-kernel=ALL", "--args=" ~ arg_name_value ] -%}} + {{%- elif action == "remove" -%}} + {{%- set grub_helper_args = ["--update-kernel=ALL", "--remove-args=" ~ arg_name_value ] -%}} + +From 591cc74770433614595326a514e459a4efb7f491 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 3 May 2022 10:08:54 +0200 +Subject: [PATCH 16/20] Use grub_command macro in rules in + SRG-OS-000080-GPOS-00048 + +--- + .../non-uefi/grub2_admin_username/rule.yml | 5 +++-- + .../bootloader-grub2/non-uefi/grub2_password/rule.yml | 9 +++------ + .../uefi/grub2_uefi_admin_username/rule.yml | 5 +++-- + .../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 9 +++------ + 4 files changed, 12 insertions(+), 16 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +index 88551a068bf..5557664f8be 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +@@ -20,7 +20,7 @@ description: |- + Once the superuser account has been added, + update the + grub.cfg file by running: +-
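Review bot: The new "update" branch for the grubby-based products emits `grubby --update-kernel=ALL` with no `--args`/`--remove-args`, which, as far as I know, only edits kernel entries and never regenerates grub.cfg from /etc/grub.d or user.cfg; the four fixtexts that the following commit ("Use grub_command macro in rules in SRG-OS-000080-GPOS-00048") switches from `grub2-mkconfig -o .../grub.cfg` to `{{{ grub_command("update") }}}` (grub2_admin_username, grub2_password, grub2_uefi_admin_username, grub2_uefi_password) would then no longer apply the superuser/password change on those products. Please confirm what grubby does with `--update-kernel=ALL` alone; if it is a no-op, the "update" action should select the grub2-mkconfig helper with the product's boot path regardless of whether grubby is otherwise preferred, or those fixtexts should keep the explicit grub2-mkconfig invocation. The `else` branch is cut off at the end of this hunk, so I cannot see whether a later product check already handles this.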
grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
++
{{{ grub_command("update") }}}
+ + rationale: |- + Having a non-default grub superuser username makes password-guessing attacks less effective. +@@ -83,4 +83,5 @@ fixtext: |- + export superusers + + Once the superuser account has been added, update the grub.cfg file by running: +- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg ++ ++ $ sudo {{{ grub_command("update") }}} +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +index 4a7e0694884..43c63b56ffc 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +@@ -28,11 +28,7 @@ description: |- + Once the superuser password has been added, + update the + grub.cfg file by running: +- {{% if "ubuntu" in product %}} +-
update-grub
+- {{% elif product in ["sle12", "sle15"] %}} +-
grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+- {{% endif %}} ++
{{{ grub_command("update") }}}
+ {{% endif %}} + + rationale: |- +@@ -115,4 +111,5 @@ fixtext: |- + export superusers + + Once the superuser account has been added, update the grub.cfg file by running: +- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg ++ ++ $ sudo {{{ grub_command("update") }}} +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +index 2a4556c1659..bd07ab2ee29 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +@@ -20,7 +20,7 @@ description: |- + Once the superuser account has been added, + update the + grub.cfg file by running: +-
grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
++
{{{ grub_command("update") }}}
+ + rationale: |- + Having a non-default grub superuser username makes password-guessing attacks less effective. +@@ -92,4 +92,5 @@ fixtext: |- + set superusers= + + Once the superuser account has been added, update the grub.cfg file by running: +- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg ++ ++ $ sudo {{{ grub_command("update") }}} +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +index 4ed65d5f68d..98144a9e651 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +@@ -28,11 +28,7 @@ description: |- + Once the superuser password has been added, + update the + grub.cfg file by running: +- {{% if "ubuntu" in product %}} +-
update-grub
+- {{% elif product in ["sle12", "sle15"] %}} +-
grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+- {{% endif %}} ++
{{{ grub_command("update") }}}
+ {{% endif %}} + + rationale: |- +@@ -112,4 +108,5 @@ fixtext: |- + password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash + + Then, update the grub.cfg file by running: +- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg ++ ++ $ sudo {{{ grub_command("update") }}} + +From b2fce574abb7cf4bf72058023646178cd574ff90 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 3 May 2022 10:09:14 +0200 +Subject: [PATCH 17/20] Update OCIL + +--- + .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +- + .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +index 5557664f8be..ccf7ca74932 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +@@ -79,7 +79,7 @@ fixtext: |- + + Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: + +- set superusers="" ++ set superusers="superusers-account" + export superusers + + Once the superuser account has been added, update the grub.cfg file by running: +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +index bd07ab2ee29..61e2e4e066f 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +@@ -59,7 +59,7 @@ references: + stigid@rhel7: RHEL-07-010492 + stigid@rhel8: RHEL-08-010141 + +-ocil_clause: 'it does not' ++ocil_clause: 'superuser account is not set or is set to an existing name or to a common name' + + ocil: |- 
+ To verify the boot loader superuser account has been set, run the following +@@ -89,7 +89,7 @@ fixtext: |- + + Add or edit the following line in /etc/grub.d/01_users: + +- set superusers= ++ set superusers="superusers-account" + + Once the superuser account has been added, update the grub.cfg file by running: + + +From 1cefb7749a4ec5fabd27a53e15096ab44a566a16 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 3 May 2022 10:19:19 +0200 +Subject: [PATCH 18/20] Use a unique account name for the superusers account + +--- + .../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +index 98144a9e651..58fb77ab98f 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +@@ -103,9 +103,10 @@ fixtext: |- + + When prompted, enter the password that was selected. + Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content: ++ Use a unique account name for the superusers account. 
+ +- set superusers="boot" +- password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash ++ set superusers="superusers-account" ++ password_pbkdf2 superusers-account grub.pbkdf2.sha512.$password_hash + + Then, update the grub.cfg file by running: + + +From 1cbaba853c2dbff8cd9ba55117d6f46fd5e9ab58 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Fri, 6 May 2022 13:51:29 +0200 +Subject: [PATCH 19/20] Apply suggestions from code review + +Co-authored-by: Matthew Burket +--- + .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +- + .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +index ccf7ca74932..7a9f397f744 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +@@ -75,7 +75,7 @@ warnings: + platform: machine + + fixtext: |- +- Configure the system to require a grub bootloader password for the grub superuser account. ++ Configure the system to have a unique username for the grub superuser account. + + Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +index 61e2e4e066f..8d6ebad550c 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +@@ -82,7 +82,7 @@ warnings: + platform: machine + + fixtext: |- +- Configure the system to require a grub bootloader password for the grub superuser account. 
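Review bot: The inserted sentence `Use a unique account name for the superusers account.` sits between "modify the ... file with the following content:" and the content block it introduces, which breaks the instruction; move it up to precede "Using the hash from the output" (or append it after the `password_pbkdf2` line). The snippet now uses `superusers-account` in both `set superusers="superusers-account"` and the `password_pbkdf2` line without saying it is a placeholder, unlike the grub2_admin_username description which does; adding `where superusers-account is the chosen unique account name` after the snippet would make that explicit. The fixtext block starts outside this hunk.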
++ Configure the system to have a unique username for the grub superuser account. + + Select a password-protected superuser account with unique name, and modify the + "/etc/grub.d/01_users" configuration file to reflect the account name change. + +From e73fefa9548264d24959284fd2447ef0bc474d6b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Mon, 9 May 2022 08:33:54 +0200 +Subject: [PATCH 20/20] Replace the system by full name + +--- + .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +- + .../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 2 +- + .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +index 7a9f397f744..14bdfd57a6d 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +@@ -75,7 +75,7 @@ warnings: + platform: machine + + fixtext: |- +- Configure the system to have a unique username for the grub superuser account. ++ Configure {{{ full_name }}} to have a unique username for the grub superuser account. + + Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: + +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +index 43c63b56ffc..211d8b28a84 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +@@ -97,7 +97,7 @@ warnings: + platform: machine + + fixtext: |- +- Configure the system to require a grub bootloader password for the grub superuser account. 
++ Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account. + + Generate an encrypted grub2 password for the grub superuser account with the following command: + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +index 8d6ebad550c..d36dbcbb187 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +@@ -82,7 +82,7 @@ warnings: + platform: machine + + fixtext: |- +- Configure the system to have a unique username for the grub superuser account. ++ Configure {{{ full_name }}} to have a unique username for the grub superuser account. + + Select a password-protected superuser account with unique name, and modify the + "/etc/grub.d/01_users" configuration file to reflect the account name change. diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 558ee3b..c72a9a6 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -29,6 +29,8 @@ Patch1: scap-security-guide-0.1.63-audit_access_success_unenforci Patch2: scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch Patch3: scap-security-guide-0.1.63-sysctl_user_max_user_namespaces_enforce_in_ospp-PR_9084.patch Patch4: scap-security-guide-0.1.63-remove_network_sysctl_rules-PR_9092.patch +Patch5: scap-security-guide-0.1.63-separate_rule_for_grub_disable_recovery-PR_9095.patch +Patch6: scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch %description The scap-security-guide project provides a guide for configuration of the 
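Review bot: `Patch6: scap-security-guide-0.1.63-update_grub2_macro-PR_8616.patch` is added alongside Patch5, but the changelog hunk below records only the grub2 recovery rule (RHBZ#2092809); a second changelog line for the grub2 macro and bootloader fixtext update would keep the package history complete. Whether both patches are actually applied (`%autosetup` or explicit `%patch5`/`%patch6` lines) is outside this hunk, so please verify that the `%prep` section picks them up.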
@@ -110,6 +112,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md - Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049) - make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716) - Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708) +- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809) * Wed Jun 01 2022 Matej Tyc - 0.1.62-1 - Rebase to a new upstream release (RHBZ#2070563)