From d303ee9d0dcdf1d1fa57b50454aa2a9692381e93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 4 Jul 2022 15:46:31 +0200
Subject: [PATCH 1/5] Create rule grub2_disable_recovery
Create a rule that only checks for the GRUB_DISABLE_RECOVERY=true option in /etc/default/grub. The rule is similar to grub2_disable_interactive_boot, but that one in addition checks for systemd.confirm_spawn. This is introduced for OSPP.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809
---
.../grub2_disable_recovery/ansible/shared.yml | 20 +++++++++
.../grub2_disable_recovery/bash/shared.sh | 13 ++++++
.../grub2_disable_recovery/oval/shared.xml | 9 ++++
.../grub2_disable_recovery/rule.yml | 43 +++++++++++++++++++
.../tests/correct_value.pass.sh | 3 ++
.../tests/wrong_value.fail.sh | 3 ++
shared/references/cce-redhat-avail.txt | 1 -
7 files changed, 91 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
new file mode 100644
index 00000000000..f6285cb13cb
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
@@ -0,0 +1,20 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Verify GRUB_DISABLE_RECOVERY=true
+ lineinfile:
+ path: /etc/default/grub
+ regexp: '^GRUB_DISABLE_RECOVERY=.*'
+ line: 'GRUB_DISABLE_RECOVERY=true'
+ state: present
+
+{{% if product in ['sle12', 'sle15'] %}}
+- name: Update grub defaults and the bootloader menu
+ command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
+{{% else %}}
+- name: Update grub defaults and the bootloader menu
+ command: /sbin/grubby --update-kernel=ALL
+{{% endif -%}}
\ No newline at end of file
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
new file mode 100644
index 00000000000..78322e63446
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/bash/shared.sh
@@ -0,0 +1,13 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then
+ sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"
+else
+ echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
+fi
+
+{{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
new file mode 100644
index 00000000000..10adbe0a30b
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/oval/shared.xml
@@ -0,0 +1,9 @@ + + + {{{ oval_metadata("Recovery mode should be disabled.") }}} + + + + +
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
new file mode 100644
index 00000000000..4f8d4ddcfde
--- /dev/null
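Review bot: The non-SLE branch of the new ansible remediation runs `/sbin/grubby --update-kernel=ALL`, which, as far as I know, only edits kernel arguments of existing boot entries and is a no-op without `--args`/`--remove-args`, whereas GRUB_DISABLE_RECOVERY only takes effect when grub.cfg is regenerated — which is what the bash remediation's `{{{ grub_command("update") }}}` does. The two remediations therefore apply the same setting differently, and the ansible one may leave the recovery entries in place until someone runs grub2-mkconfig by hand. Consider regenerating grub.cfg on every platform, e.g. `command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg`, so the `{{% if product ... %}}` split is no longer needed. The `lineinfile` regexp `'^GRUB_DISABLE_RECOVERY=.*'` is anchored, so a commented `# GRUB_DISABLE_RECOVERY=...` line is correctly left alone.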
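Review bot: The sed in bash/shared.sh, `s/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/`, is not anchored to the start of the line while the grep that guards it is, so a commented-out `# GRUB_DISABLE_RECOVERY=false` or any other line that merely mentions the option is rewritten as well. Anchoring the substitution keeps the check and the edit in step: `sed -i 's/^GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"`. A one-line comment above the `if` such as `# Replace an existing uncommented setting in place, otherwise append one` would also make the two branches self-explanatory.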
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml
@@ -0,0 +1,43 @@
+documentation_complete: true
+
+title: 'Disable Recovery Booting'
+
+description: |-
+ {{{ full_name }}} systems support an "recovery boot" option that can be used
+ to prevent services from being started. The GRUB_DISABLE_RECOVERY
+ configuration option in /etc/default/grub should be set to
+ true to disable the generation of recovery mode menu entries. It is
+ also required to change the runtime configuration, run:
+
$ sudo {{{ grub_command("update") }}}
+
+rationale: |-
+ Using recovery boot, the console user could disable auditing, firewalls,
+ or other services, weakening system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-85986-8
+
+references:
+ ospp: FIA_UAU.1
+
+ocil_clause: 'GRUB_DISABLE_RECOVERY is not set to true or is missing'
+
+ocil: |-
+ Verify that GRUB_DISABLE_RECOVERY is set to true in /etc/default/grub to disable recovery boot.
+ Run the following command:
+
+ $ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub
+
+fixtext: |-
+ Configure the GRUB 2 boot loader to disable recovery mode boot loader entries.
+ Add or edit the following line in /etc/default/grub:
+
+ GRUB_DISABLE_RECOVERY=true
+
+ Then, run the following command:
+
+ $ sudo {{{ grub_command("update") }}}
+
+platform: grub2
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..cb8824a6bef
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
\ No newline at end of file
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..7241fd5aad6
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'
\ No newline at end of file
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ee246384416..431b133d416 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
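Review bot: The ocil verification command in rule.yml, `$ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub`, also prints commented-out lines such as `# GRUB_DISABLE_RECOVERY=false`, which an assessor could read as the effective setting; `$ sudo grep '^GRUB_DISABLE_RECOVERY' /etc/default/grub` matches the anchored grep the bash remediation uses. In the description, `an "recovery boot" option` should read `a "recovery boot" option`, and the dangling `It is also required to change the runtime configuration, run:` reads better as `To apply the change to the boot loader configuration, run:`. The description opens on the previous physical line of this patch.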
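Review bot: Both new test scenarios, correct_value.pass.sh and wrong_value.fail.sh, append their line to /etc/default/grub instead of replacing an existing one, so the outcome depends on whether the test image already carries a GRUB_DISABLE_RECOVERY line and on which occurrence the check evaluates. Removing any prior setting first, `sed -i '/^GRUB_DISABLE_RECOVERY=/d' /etc/default/grub`, before the `echo ... >>` makes each scenario self-contained regardless of the base image.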
@@ -44,7 +44,6 @@
CCE-85982-7
CCE-85983-5
CCE-85984-3
CCE-85985-0
-CCE-85986-8
CCE-85988-4
CCE-85997-5
CCE-85998-3
From 5637b1465c1ceb40efb33ebdd2cf8b4211a4ef9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 4 Jul 2022 15:52:10 +0200
Subject: [PATCH 2/5] Stop checking systemd.confirm_spawn in RHEL 9 OSPP
Use grub2_disable_recovery instead of grub2_disable_interactive_boot to check solely for the GRUB_DISABLE_RECOVERY=true config option.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092809
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 534b3312575..8245bb9ce63 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -275,7 +275,7 @@ selections:
## Disable Unauthenticated Login (such as Guest Accounts) ## FIA_UAU.1
- require_singleuser_auth
- - grub2_disable_interactive_boot
+ - grub2_disable_recovery
- grub2_uefi_password
- no_empty_passwords
From 09f11408ed83da07238ad5fccf89d59b4b2707fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 4 Jul 2022 16:05:22 +0200
Subject: [PATCH 3/5] Fix regular expression
The original expression `^true|"true"$` could match things like `truex` or `x"true"` because the first alternative doesn't contain `$` and the second alternative doesn't contain `^`.
---
shared/checks/oval/bootloader_disable_recovery_set_to_true.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
index 563006cd803..ff64177d6df 100644
--- a/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
+++ b/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml
@@ -31,7 +31,7 @@
- ^true|"true"$
+ ^(true|"true")$
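Review bot: The tightened pattern `^(true|"true")$` in bootloader_disable_recovery_set_to_true.xml still rejects the single-quoted spelling `GRUB_DISABLE_RECOVERY='true'`, which, as far as I recall, is just as valid because grub2-mkconfig reads /etc/default/grub as a shell fragment; a system configured that way would be reported non-compliant even though recovery entries are disabled. If that spelling is meant to pass, `^(true|"true"|'true')$` covers it. Either way the remediations in this series write the bare `true`, so the rule stays consistent with its own fix; the surrounding OVAL object lies outside the hunk.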
From 2900fb986dc21ec4ce78a8b9f27f89b4d8fafbee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 4 Jul 2022 17:18:37 +0200
Subject: [PATCH 4/5] Improve a regular expression
According to https://www.freedesktop.org/software/systemd/man/systemd.html#systemd.confirm_spawn the option systemd.confirm_spawn can be also specified without an argument, with the same effect as a positive boolean. This commit changes the regular expression used in checks for this, forbidding also the occurence of systemd.confirm_spawn without any argument. Also improves whitespace handling. Also adds a test scenario covering the situation in which the systemd.confirm_spawn is also specified without an argument.
---
.../oval/shared.xml | 2 +-
...led_interactive_boot_empty_boolean.fail.sh | 25 +++++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
index 837fc037300..e7358a49fa9 100644
--- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
@@ -25,7 +25,7 @@ /etc/default/grub
- ^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$
+ ^\s*GRUB_CMDLINE_LINUX="(?:.*\s)?systemd\.confirm_spawn(?:=(?:1|yes|true|on))?(?:\s.*)?"$
1
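Review bot: The value list `(?:=(?:1|yes|true|on))?` in the new pattern is narrower than what systemd accepts for a boolean on the kernel command line: as far as I recall its parser also takes `y` and `t` and compares case-insensitively, so `systemd.confirm_spawn=y` or `systemd.confirm_spawn=TRUE` would still enable the interactive prompt yet pass this check. Extending the alternation to `(?:=(?:1|y|yes|t|true|on))?` and, if the OVAL regex engine honours inline flags, wrapping that value group in `(?i:...)` closes the gap. The pattern also only recognises the double-quoted `GRUB_CMDLINE_LINUX="..."` form, so a single-quoted or unquoted value is treated as compliant; if that is deliberate it deserves a comment in the object. The enclosing OVAL object starts and ends outside the hunk.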
diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
new file mode 100644
index 00000000000..37a12f021e4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/tests/enabled_interactive_boot_empty_boolean.fail.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# The option systemd.confirm_spawn can be also specified without an argument,
+# with the same effect as a positive boolean.
+CONFIRM_SPAWN_OPT="systemd.confirm_spawn"
+
+if grep -q "^GRUB_CMDLINE_LINUX=" /etc/default/grub; then
+ if grep -q "^GRUB_CMDLINE_LINUX=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then
+ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub
+ else
+ sed -i "s/\(^GRUB_CMDLINE_LINUX=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub
+ fi
+else
+ echo "GRUB_CMDLINE_LINUX=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub
+fi
+
+if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=" /etc/default/grub; then
+ if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then
+ sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub
+ else
+ sed -i "s/\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub
+ fi
+else
+ echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub
+fi
From 3cf7a22b59f52b2149d3ce54ef6bcd94ba9f8901 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 4 Jul 2022 17:36:07 +0200
Subject: [PATCH 5/5] Fix missing newlines at EOF
---
.../bootloader-grub2/grub2_disable_recovery/ansible/shared.yml | 2 +-
.../grub2_disable_recovery/tests/correct_value.pass.sh | 2 +-
.../grub2_disable_recovery/tests/wrong_value.fail.sh | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
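Review bot: The two `if grep -q "^GRUB_CMDLINE_LINUX=..."` / `..._DEFAULT=...` blocks in enabled_interactive_boot_empty_boolean.fail.sh are identical apart from the variable name, which invites the two copies to drift apart; a small function taking the variable name keeps one copy of the logic. The inner `sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/"` also rewrites every occurrence in the file rather than only the variable being processed, which is what the scenario wants but is worth stating in a comment. The unescaped `.` in `systemd.confirm_spawn` is harmless inside these patterns, since the literal is also echoed verbatim below.
```shell
CONFIRM_SPAWN_OPT="systemd.confirm_spawn"

# Make the given /etc/default/grub variable carry systemd.confirm_spawn
# without an argument, adding the variable when it is absent.
set_confirm_spawn_without_arg() {
  local var="$1"
  if grep -q "^${var}=" /etc/default/grub; then
    if grep -q "^${var}=\".*${CONFIRM_SPAWN_OPT}.*\"" /etc/default/grub; then
      # strips the argument from every occurrence in the file, both variables intentionally
      sed -i "s/${CONFIRM_SPAWN_OPT}=[^ \t]*/${CONFIRM_SPAWN_OPT}/" /etc/default/grub
    else
      sed -i "s/\(^${var}=.*\)\"$/\1 ${CONFIRM_SPAWN_OPT}\"/" /etc/default/grub
    fi
  else
    echo "${var}=\"${CONFIRM_SPAWN_OPT}\"" >> /etc/default/grub
  fi
}

set_confirm_spawn_without_arg GRUB_CMDLINE_LINUX
set_confirm_spawn_without_arg GRUB_CMDLINE_LINUX_DEFAULT
```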
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
index f6285cb13cb..4348e239f2e 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/ansible/shared.yml
@@ -17,4 +17,4 @@
{{% else %}}
- name: Update grub defaults and the bootloader menu
command: /sbin/grubby --update-kernel=ALL
-{{% endif -%}}
\ No newline at end of file
+{{% endif -%}}
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
index cb8824a6bef..e8fa3574436 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/correct_value.pass.sh
@@ -1,3 +1,3 @@
#!/bin/bash
-echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
\ No newline at end of file
+echo "GRUB_DISABLE_RECOVERY=true" >> '/etc/default/grub'
diff --git a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
index 7241fd5aad6..20392dc7f7a 100644
--- a/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/tests/wrong_value.fail.sh
@@ -1,3 +1,3 @@
#!/bin/bash
-echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'
\ No newline at end of file
+echo "GRUB_DISABLE_RECOVERY=false" >> '/etc/default/grub'