From a59040cec2adf8f81fc5784e4273e1701ca21995 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 11:45:20 +0200 Subject: [PATCH 01/20] Update OCIL for require_emergency_target_auth Extends the OCIL text according to the OVAL check. --- .../require_emergency_target_auth/rule.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml index cc0a2c53017..1d5febf54c7 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml @@ -53,7 +53,7 @@ ocil: |- To check if authentication is required for emergency mode, run the following command:
$ grep sulogin /usr/lib/systemd/system/emergency.service
The output should be similar to the following, and the line must begin with - {{% if product in ["fedora", "rhel8", "rhel9", "ol8"] -%}} + {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}} ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
{{%- else -%}} @@ -61,4 +61,20 @@ ocil: |-
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
{{%- endif %}} + Then, check if the emergency target requires the emergency service: + Run the following command: +
$ sudo grep Requires /usr/lib/systemd/system/emergency.target
+ The output should be the following: +
Requires=emergency.service
+ + Then, check if there is no custom emergency target configured in systemd configuration. + Run the following command: +
$ sudo grep -r emergency.target /etc/systemd/system/
+ The output should be empty. + + Then, check if there is no custom emergency service configured in systemd configuration. + Run the following command: +
$ sudo grep -r emergency.service /etc/systemd/system/
+ The output should be empty. + platform: machine From 16c898ce4b960e33088b025f1ea0a8e432ae01a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 11:46:19 +0200 Subject: [PATCH 02/20] Add fixtext to require_emergency_target_auth --- .../require_emergency_target_auth/rule.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml index 1d5febf54c7..c4860915b67 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml @@ -78,3 +78,13 @@ ocil: |- The output should be empty. platform: machine + +fixtext: |- + Configure {{{ full_name }}} to require authentication for system emergency mode. + + Add or edit the following line in "/usr/lib/systemd/system/emergency.service": + {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}} + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency + {{%- else -%}} + ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" + {{%- endif %}} From 836497f3b9c9b1a206023f7aa16d2df8a025ece3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 13:43:16 +0200 Subject: [PATCH 03/20] Align OCIL with OVAL for require_singleuser_auth --- .../require_singleuser_auth/rule.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index 8d7a4fa7b74..cbd048aad0a 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml 
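Review bot: The two "custom unit" checks added at the end of this hunk grep file contents with an unanchored pattern, so `sudo grep -r emergency.target /etc/systemd/system/` reports any drop-in that merely references the target (for example in a `Conflicts=` or `After=` line) while a custom or masked unit named `emergency.target` (a file, or a symlink to /dev/null, which `grep -r` does not follow) produces no output at all. The sibling rule in patch 03 uses the anchored form `"^runlevel1.target$"`, so the two rules also disagree on what "custom" means; please align them with whatever object the OVAL actually tests. If the intent is "no override unit exists", say so as a path test, e.g. `$ ls -l /etc/systemd/system/emergency.target /etc/systemd/system/emergency.service` followed by "Both files should not exist". The `ocil` block continues above the first line of this hunk.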
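Review bot: The fixtext tells the reader to edit the vendor unit "/usr/lib/systemd/system/emergency.service", which a package update of systemd overwrites, and the rule's OCIL (earlier in this file) explicitly requires that no override of emergency.service exists under /etc/systemd/system, so the usual drop-in approach is ruled out. Since that trade-off is deliberate, the fixtext should say it, e.g. append `Note that this file is owned by the systemd package and the setting must be verified again after systemd is updated.`. The product list here also lacks the `rhel7` branch that patch 04 adds to the sibling rescue-mode fixtext; see the note there.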
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -70,4 +70,22 @@ ocil: |-
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
{{%- endif %}} + {{% if product not in ["ol8", "rhel8"] %}} + Then, verify that the rescue service is in the runlevel1.target. + Run the following command: +
$ sudo grep "^Requires=.*rescue.service" /usr/lib/systemd/system/runlevel1.target
+ The output should be the following: +
Requires=sysinit.target rescue.service
+ + Then, check if there is no custom runlevel1 target configured in systemd configuration. + Run the following command: +
$ sudo grep -r "^runlevel1.target$" /etc/systemd/system
+ There should be no output. + + Then, check if there is no custom rescue service configured in systemd configuration. + Run the following command: +
$ sudo grep -r "^rescue.service$" /etc/systemd/system
+ There should be no output. + {{% endif %}} + platform: machine From 11715c35c9cdbfdc7ed4c30a8612a125ec3c77e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 13:43:30 +0200 Subject: [PATCH 04/20] Add fixtext to require_singleuser_auth --- .../require_singleuser_auth/rule.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index cbd048aad0a..3a0cad455cc 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -89,3 +89,20 @@ ocil: |- {{% endif %}} platform: machine + +fixtext: |- + Configure {{{ full_name }}} to require authentication in single user mode. + + {{% if init_system == "systemd" -%}} + Add or update the following line in "/usr/lib/systemd/system/rescue.service": + {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}} + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + {{%- elif product in ["rhel7"] -%}} + ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" + {{%- else -%}} + ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" + {{%- endif %}} + {{%- else -%}} + Add or update the following line in "/etc/sysconfig/init": + SINGLE=/sbin/sulogin + {{%- endif %}} From ad14aee19d11dc99ead242535281d56791bfc213 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 14:15:12 +0200 Subject: [PATCH 05/20] Update OCIL in grub2_admin_username --- .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
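Review bot: `sudo grep -r "^runlevel1.target$" /etc/systemd/system` searches file contents for a line that consists solely of `runlevel1.target`; a custom target is a file (or symlink) named runlevel1.target whose content is `[Unit]`-style directives, so this command cannot detect it, and the same holds for `"^rescue.service$"` two steps later. Both checks therefore pass on a system that has the override the rule is trying to forbid, which is the wrong failure mode for an assessor-facing check. Unless the OVAL really matches file contents, state the check as a path test, e.g. `$ ls -l /etc/systemd/system/runlevel1.target /etc/systemd/system/rescue.service` with "Neither file should exist". The `ocil` block begins before this hunk.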
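Review bot: The new `rhel7` branch of the fixtext prescribes `/usr/sbin/sulogin`, while the OCIL's `else` branch visible at the top of the previous hunk expects `/sbin/sulogin`, and the emergency-mode fixtext added in patch 02 has no `rhel7` branch at all; an admin who follows this fixtext on RHEL 7 may then fail the OCIL of the same rule. I cannot see the OVAL from here, so please confirm which path it matches and make the three texts agree, either by dropping the extra branch or by adding a matching `{{%- elif product in ["rhel7"] -%}}` branch to the emergency-mode rule. The `init_system` fallback that writes `SINGLE=/sbin/sulogin` to /etc/sysconfig/init would also deserve a one-line remark that it applies to SysV init products only.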
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml index a43d5fcc038..0c824434e07 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml @@ -52,17 +52,17 @@ references: stigid@rhel7: RHEL-07-010483 stigid@rhel8: RHEL-08-010149 -ocil_clause: 'it does not' +ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name' ocil: |- To verify the boot loader superuser account has been set, run the following command: -
sudo grep -A1 "superusers" /etc/grub2.cfg
+
sudo grep -A1 "superusers" {{{ grub2_boot_path + "/grub.cfg" }}}
The output should show the following:
set superusers="superusers-account"
     export superusers
where superusers-account is the actual account name different from common names like root, - admin, or administrator. + admin, or administrator and different from any other existing user name. warnings: - general: |- From 7ee002478c778fd271aa2c289e74d14aa2853355 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 14:15:28 +0200 Subject: [PATCH 06/20] Add fixtext for grub2_admin_username --- .../non-uefi/grub2_admin_username/rule.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml index 0c824434e07..a813b417a00 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml @@ -73,3 +73,14 @@ warnings: grub.cfg file as the grub2-mkconfig command overwrites this file. platform: machine + +fixtext: |- + Configure the system to require a grub bootloader password for the grub superuser account. + + Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: + + set superusers="" + export superusers + + Once the superuser account has been added, update the grub.cfg file by running: + $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg From 9f5a6d48ef97180e7720dc066c83409633c80899 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 15:04:21 +0200 Subject: [PATCH 07/20] Align OCIL with OVAL in grub2_password --- .../non-uefi/grub2_password/rule.yml | 35 ++++++------------- 1 file changed, 10 insertions(+), 25 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml index ad515a65ee7..268f48a16c1 100644 
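Review bot: A point of style: the new command line builds the path as `{{{ grub2_boot_path + "/grub.cfg" }}}`, whereas the other rules touched in this series (patches 07, 10 and 12) write `{{{ grub2_boot_path }}}/grub.cfg`; both render the same text, but mixing the two forms within one rule group makes grepping for the path harder. I would use `sudo grep -A1 "superusers" {{{ grub2_boot_path }}}/grub.cfg` here for consistency.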
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml @@ -77,33 +77,18 @@ references: stigid@sle15: SLES-15-010190 stigid@ubuntu2004: UBTU-20-010009 -ocil_clause: 'it does not' +ocil_clause: 'it does not produce any output' ocil: |- - To verify the boot loader superuser password has been set, run the following - command: - {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}} -
sudo grep "boot" {{{ grub2_boot_path }}}/grub.cfg
- {{% else %}} -
sudo grep "superusers" /etc/grub2.cfg
- {{% endif %}} - The output should show the following: -
password_pbkdf2 superusers-account ${GRUB2_PASSWORD}
- To verify the boot loader superuser account password has been set, - and the password encrypted, run the following command: - {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}} -
sudo cat /etc/grub.d/40_custom
- The output should be similar to: -
set superusers="boot"
-    password_pbkdf2 boot grub.pbkdf2.sha512.10000.5DE5DF6E01A52E17A8C2FEDF585A3916B345F654C9D19C9ECD0BC958DF8C8A5E1AB15862D9C0B6DCE1F3209D8E8B46101DB3AE7146BB9D7D6C1D379E1854AF9E.CD75F981FE5223C583FB7887544C3A4C96431B5C089801D26855B93A1CB0BC0A508D189F1799A1CC40036B069C36EAD51DAE6A2EE6C0732353B2B5B4F5C49088
- {{% else %}} -
sudo cat {{{ grub2_boot_path }}}/user.cfg
- The output should be similar to: -
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
-    2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
-    916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
-    0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
- {{% endif %}} + First, check whether the password is defined in either {{{ grub2_boot_path }}}/user.cfg or + {{{ grub2_boot_path }}}/grub.cfg. + Run the following commands: +
$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/user.cfg
+    $ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/grub.cfg
+    
+ + Second, check that a superuser is defined in {{{ grub2_boot_path }}}/grub.cfg. +
$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$'  {{{ grub2_boot_path }}}/grub.cfg
warnings: - general: |- From 1bd446ee0efb4cefeaaca7a1808e7de703f2b1be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 15:04:34 +0200 Subject: [PATCH 08/20] Add fixtext for grub2_password Adopted from the RHEL 8 STIG spreadsheet. --- .../non-uefi/grub2_password/rule.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml index 268f48a16c1..4a7e0694884 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml @@ -99,3 +99,20 @@ warnings: grub.cfg file as the grub2-mkconfig command overwrites this file. platform: machine + +fixtext: |- + Configure the system to require a grub bootloader password for the grub superuser account. + + Generate an encrypted grub2 password for the grub superuser account with the following command: + + $ sudo grub2-setpassword + Enter password: + Confirm password: + + Edit the /etc/grub.d/40_custom file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: + + set superusers="[someuniquestringhere]" + export superusers + + Once the superuser account has been added, update the grub.cfg file by running: + $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg From 85cc9f300c860e456996fa8cf7aec2532bb88a08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 15:54:12 +0200 Subject: [PATCH 09/20] Fix a typo --- .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index 17b4918c5f5..fcf9031fa93 100644 
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml @@ -15,7 +15,7 @@ description: |- admin, or administrator for the grub2 superuser account.

Change the superuser to a different username (The default is 'root'). -
$ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users
+
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users


Once the superuser account has been added, update the From e3d765df471350cbcc629d67439902b8189cde14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 15:54:44 +0200 Subject: [PATCH 10/20] Align OCIL with OVAL in grub2_uefi_admin_username --- .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index fcf9031fa93..c76d086c5f2 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml @@ -64,12 +64,12 @@ ocil_clause: 'it does not' ocil: |- To verify the boot loader superuser account has been set, run the following command: -
sudo grep -A1 "superusers" /etc/grub2-efi.cfg
+
sudo grep -A1 "superusers" {{{ grub2_uefi_boot_path }}}/grub.cfg
The output should show the following:
set superusers="superusers-account"
     export superusers
where superusers-account is the actual account name different from common names like root, - admin, or administrator. + admin, or administrator and different from any other existing user name. warnings: - general: |- From d8cb9ec4ae23535a04ae5715c9dfbf94126082f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 15:54:57 +0200 Subject: [PATCH 11/20] Add fixtext in grub2_uefi_admin_username --- .../uefi/grub2_uefi_admin_username/rule.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index c76d086c5f2..2a4556c1659 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml @@ -80,3 +80,16 @@ warnings: grub.cfg file as the grub2-mkconfig command overwrites this file. platform: machine + +fixtext: |- + Configure the system to require a grub bootloader password for the grub superuser account. + + Select a password-protected superuser account with unique name, and modify the + "/etc/grub.d/01_users" configuration file to reflect the account name change. + + Add or edit the following line in /etc/grub.d/01_users: + + set superusers= + + Once the superuser account has been added, update the grub.cfg file by running: + $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg From 73a5e86cbfc77fa8344499347c074b5f04e32a0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 17:55:09 +0200 Subject: [PATCH 12/20] Align OCIL with OVAL in grub2_uefi_password --- .../uefi/grub2_uefi_password/rule.yml | 30 +++---------------- 1 file changed, 4 insertions(+), 26 deletions(-) 
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml index 4579b1ff2e7..ee4f6c1470a 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -77,39 +77,17 @@ references: stigid@sle15: SLES-15-010200 stigid@ubuntu2004: UBTU-20-010009 -ocil_clause: 'it does not' +ocil_clause: 'no password is set' ocil: |- - To verify the boot loader superuser password has been set, run the following - command: - {{% if product in ["sle12", "sle15", "ubuntu2004"] %}} -
sudo grep -A1 "superusers\|password" /etc/grub.d/40_custom
- {{% else %}} -
sudo grep "password" /etc/grub2-efi.cfg
- {{% endif %}} - The output should show the following: -
password_pbkdf2 superusers-account ${GRUB2_PASSWORD}
- To verify the boot loader superuser account password has been set, - and the password encrypted, run the following command: - {{% if product in ["sle12", "sle15"] %}} -
sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg
- The output should be similar to: -
password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
-    2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
-    916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
-    0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
- {{% elif "ubuntu" in product %}} -
grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg
- The output should contain something similar to: -
password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG
- {{% else %}} -
sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg
+ To verify the boot loader superuser password has been set, run the following command: + $ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" {{{ grub2_uefi_boot_path }}}/user.cfg The output should be similar to:
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
     916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
     0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
- {{% endif %}} + warnings: - general: |- From 5332d2961da8f14965d9b6b32ea0d4f5a7c2b817 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 25 Apr 2022 17:55:31 +0200 Subject: [PATCH 13/20] Add fixtext in grub2_uefi_password --- .../uefi/grub2_uefi_password/rule.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml index ee4f6c1470a..4ed65d5f68d 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -98,3 +98,18 @@ warnings: grub.cfg file as the grub2-mkconfig command overwrites this file. platform: machine + +fixtext: |- + Configure {{{ full_name }}} to use a secure UEFI boot loader password. + + Run the following command: + $ sudo grub2-setpassword + + When prompted, enter the password that was selected. + Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content: + + set superusers="boot" + password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash + + Then, update the grub.cfg file by running: + $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg From f1fae705e533ec0f4d4e83518f581dadd1552e2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 26 Apr 2022 08:43:08 +0200 Subject: [PATCH 14/20] Fix a typo --- .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml index a813b417a00..88551a068bf 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml 
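Review bot: The rewritten OCIL checks only `{{{ grub2_uefi_boot_path }}}/user.cfg`, whereas the non-UEFI twin in patch 07 accepts the password in either user.cfg or grub.cfg; this rule still carries `stigid@sle15` and `stigid@ubuntu2004` references (context at the top of the hunk), and the removed branches show those products were previously directed to 40_custom and grub.cfg, where `user.cfg` may not exist. If the OVAL still accepts a `password_pbkdf2` line in grub.cfg for those products, the OCIL should offer the second command as well, e.g. `$ sudo grep -P '^\s*password_pbkdf2\s+.*\s+grub\.pbkdf2\.sha512.*$' {{{ grub2_uefi_boot_path }}}/grub.cfg`, and the user.cfg command should use `-P` instead of `[\s]*` as noted on patch 07. The new `ocil_clause` "no password is set" reads fine.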
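Review bot: The fixtext says to run `grub2-setpassword` and then put "the hash from the output" into "/etc/grub.d/40_custom", but as far as I know grub2-setpassword prints no hash; it writes the `GRUB2_PASSWORD=` line into user.cfg, which is exactly what the OCIL of this rule (previous hunk) checks, while a `password_pbkdf2` line placed in 40_custom would not satisfy that OCIL at all. Either describe the user.cfg flow only (`$ sudo grub2-setpassword` followed by regenerating grub.cfg), or, for products without that helper, name `grub2-mkpasswd-pbkdf2` as the command that prints the hash to paste into 40_custom. The `superusers="boot"` placeholder is replaced in patch 18, so no comment on that.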
@@ -52,7 +52,7 @@ references: stigid@rhel7: RHEL-07-010483 stigid@rhel8: RHEL-08-010149 -ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name' +ocil_clause: 'superuser account is not set or is set to root, admin, administrator or any other existing user name' ocil: |- To verify the boot loader superuser account has been set, run the following From 5f6cbfc9440e029526b86e448b51ab39e6bf6c35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 3 May 2022 10:07:51 +0200 Subject: [PATCH 15/20] Add an update operation to macro grub_command --- shared/macros/general.jinja | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/shared/macros/general.jinja b/shared/macros/general.jinja index 3802ea40eea..df4c696d3ca 100644 --- a/shared/macros/general.jinja +++ b/shared/macros/general.jinja 
@@ -1071,17 +1071,17 @@ p+i+n+u+g+s+b+acl+xattrs+sha512 {{# -Macro to generate a command to modify (add or remove) kernel command line argument in a GRUB 2 bootloader. +Macro to generate a command to modify GRUB 2 configuration or add or remove kernel command line argument in a GRUB 2 bootloader. Generates a correct command based on the product (grubby, grub2-mkconfig, update-grub, etc.) Part of the grub2_bootloader_argument(_absent) templates. -:param action: What to do with the argument, either "add" or "remove". +:param action: What to do with the argument, must be one of: "update", "add", "remove". :type action str: :param arg_name: :type arg_name str: :param arg_name_value: If action is "add", it's kernel command line argument concatenated with the value of this argument using an equal sign, eg. "audit=1". If action is "remove", it's only the kernel command line argument name, eg. "audit". :type arg_name_value str: #}} -{{% macro grub_command(action, arg_name_value) -%}} +{{% macro grub_command(action, arg_name_value=None) -%}} {{%- if 'ubuntu' in product -%}} {{%- set grub_helper_executable = "update-grub" -%}} {{%- set grub_helper_args = [] -%}} @@ -1090,7 +1090,9 @@ Part of the grub2_bootloader_argument(_absent) templates. {{%- set grub_helper_args = ["-o " + grub2_boot_path + "/grub2.cfg"] -%}} {{%- else -%}} {{%- set grub_helper_executable = "grubby" -%}} - {{%- if action == "add" -%}} + {{%- if action == "update" -%}} + {{%- set grub_helper_args = ["--update-kernel=ALL"] -%}} + {{%- elif action == "add" -%}} {{%- set grub_helper_args = ["--update-kernel=ALL", "--args=" ~ arg_name_value ] -%}} {{%- elif action == "remove" -%}} {{%- set grub_helper_args = ["--update-kernel=ALL", "--remove-args=" ~ arg_name_value ] -%}} From 591cc74770433614595326a514e459a4efb7f491 Mon Sep 17 00:00:00 2001 
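Review bot: The docstring's `:param arg_name_value:` entry still describes only the "add" and "remove" cases even though the signature now defaults it to `None` for the new "update" action; add a sentence such as `If action is "update", this argument is ignored and may be omitted.` so callers like `grub_command("update")` in patch 16 are documented. The `:param arg_name:` entry above it has no description at all, which this hunk could have fixed at the same time.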
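Review bot: In the grubby branch the new "update" action produces `grubby --update-kernel=ALL` with no `--args`/`--remove-args`, which as far as I know edits the kernel command line of existing boot entries and does not regenerate grub.cfg from the /etc/grub.d scripts; yet every caller added in patch 16 (grub2_admin_username, grub2_password and their uefi twins) uses `{{{ grub_command("update") }}}` precisely to apply edits made to 01_users or 40_custom, which on those products requires `grub2-mkconfig -o`. Unless grubby is known to rebuild grub.cfg there, the "update" case should resolve to grub2-mkconfig regardless of the product branch, with the output path chosen from the BIOS/UEFI path variable the caller needs, or the four rules should keep their explicit grub2-mkconfig command. The macro's closing branches are outside this hunk, so I cannot see what an unknown action value yields; a guard that fails rendering on an unsupported action would also help.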
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 3 May 2022 10:08:54 +0200 Subject: [PATCH 16/20] Use grub_command macro in rules in SRG-OS-000080-GPOS-00048 --- .../non-uefi/grub2_admin_username/rule.yml | 5 +++-- .../bootloader-grub2/non-uefi/grub2_password/rule.yml | 9 +++------ .../uefi/grub2_uefi_admin_username/rule.yml | 5 +++-- .../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 9 +++------ 4 files changed, 12 insertions(+), 16 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml index 88551a068bf..5557664f8be 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml @@ -20,7 +20,7 @@ description: |- Once the superuser account has been added, update the grub.cfg file by running: -
grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
+
{{{ grub_command("update") }}}
rationale: |- Having a non-default grub superuser username makes password-guessing attacks less effective. @@ -83,4 +83,5 @@ fixtext: |- export superusers Once the superuser account has been added, update the grub.cfg file by running: - $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg + + $ sudo {{{ grub_command("update") }}} diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml index 4a7e0694884..43c63b56ffc 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml @@ -28,11 +28,7 @@ description: |- Once the superuser password has been added, update the grub.cfg file by running: - {{% if "ubuntu" in product %}} -
update-grub
- {{% elif product in ["sle12", "sle15"] %}} -
grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
- {{% endif %}} +
{{{ grub_command("update") }}}
{{% endif %}} rationale: |- @@ -115,4 +111,5 @@ fixtext: |- export superusers Once the superuser account has been added, update the grub.cfg file by running: - $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg + + $ sudo {{{ grub_command("update") }}} diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index 2a4556c1659..bd07ab2ee29 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml @@ -20,7 +20,7 @@ description: |- Once the superuser account has been added, update the grub.cfg file by running: -
grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
{{{ grub_command("update") }}}
rationale: |- Having a non-default grub superuser username makes password-guessing attacks less effective. @@ -92,4 +92,5 @@ fixtext: |- set superusers= Once the superuser account has been added, update the grub.cfg file by running: - $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg + + $ sudo {{{ grub_command("update") }}} diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml index 4ed65d5f68d..98144a9e651 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml @@ -28,11 +28,7 @@ description: |- Once the superuser password has been added, update the grub.cfg file by running: - {{% if "ubuntu" in product %}} -
update-grub
- {{% elif product in ["sle12", "sle15"] %}} -
grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
- {{% endif %}} +
{{{ grub_command("update") }}}
{{% endif %}} rationale: |- @@ -112,4 +108,5 @@ fixtext: |- password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash Then, update the grub.cfg file by running: - $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg + + $ sudo {{{ grub_command("update") }}} From b2fce574abb7cf4bf72058023646178cd574ff90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 3 May 2022 10:09:14 +0200 Subject: [PATCH 17/20] Update OCIL --- .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +- .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml index 5557664f8be..ccf7ca74932 100644 --- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml @@ -79,7 +79,7 @@ fixtext: |- Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: - set superusers="" + set superusers="superusers-account" export superusers Once the superuser account has been added, update the grub.cfg file by running: diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml index bd07ab2ee29..61e2e4e066f 100644 --- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml 
@@ -59,7 +59,7 @@ references:
 stigid@rhel7: RHEL-07-010492
 stigid@rhel8: RHEL-08-010141
-ocil_clause: 'it does not'
+ocil_clause: 'superuser account is not set or is set to an existing name or to a common name'
 ocil: |-
 To verify the boot loader superuser account has been set, run the following
@@ -89,7 +89,7 @@ fixtext: |-
 Add or edit the following line in /etc/grub.d/01_users:
- set superusers=
+ set superusers="superusers-account"
 Once the superuser account has been added, update the grub.cfg file by running:
From 1cefb7749a4ec5fabd27a53e15096ab44a566a16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Tue, 3 May 2022 10:19:19 +0200
Subject: [PATCH 18/20] Use a unique account name for the superusers account
---
 .../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 98144a9e651..58fb77ab98f 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -103,9 +103,10 @@ fixtext: |-
 When prompted, enter the password that was selected. Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content:
+ Use a unique account name for the superusers account.
- set superusers="boot"
- password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
+ set superusers="superusers-account"
+ password_pbkdf2 superusers-account grub.pbkdf2.sha512.$password_hash
 Then, update the grub.cfg file by running:
From 1cbaba853c2dbff8cd9ba55117d6f46fd5e9ab58 Mon Sep 17 00:00:00 2001
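Review bot: The new ocil_clause, `'superuser account is not set or is set to an existing name or to a common name'`, leaves "existing name" ambiguous: a reader cannot tell whether it means the name of an existing OS user account or a name already used elsewhere in the GRUB configuration. If the former is intended, `'superuser account is not set, or is set to the name of an existing user account or to a common name'` states the finding condition unambiguously. The first OCIL line in the hunk still says only that the account "has been set"; the rest of the ocil block is outside the hunk, so whether it also walks the reader through the uniqueness and common-name conditions cannot be seen here.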
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Fri, 6 May 2022 13:51:29 +0200
Subject: [PATCH 19/20] Apply suggestions from code review
Co-authored-by: Matthew Burket
---
 .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
 .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index ccf7ca74932..7a9f397f744 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -75,7 +75,7 @@ warnings:
 platform: machine
 fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure the system to have a unique username for the grub superuser account.
 Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 61e2e4e066f..8d6ebad550c 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -82,7 +82,7 @@ warnings:
 platform: machine
 fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure the system to have a unique username for the grub superuser account.
 Select a password-protected superuser account with unique name, and modify the "/etc/grub.d/01_users" configuration file to reflect the account name change.
From e73fefa9548264d24959284fd2447ef0bc474d6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Mon, 9 May 2022 08:33:54 +0200
Subject: [PATCH 20/20] Replace the system by full name
---
 .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
 .../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 2 +-
 .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 7a9f397f744..14bdfd57a6d 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -75,7 +75,7 @@ warnings:
 platform: machine
 fixtext: |-
- Configure the system to have a unique username for the grub superuser account.
+ Configure {{{ full_name }}} to have a unique username for the grub superuser account.
 Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 43c63b56ffc..211d8b28a84 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -97,7 +97,7 @@ warnings:
 platform: machine
 fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account.
 Generate an encrypted grub2 password for the grub superuser account with the following command:
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 8d6ebad550c..d36dbcbb187 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -82,7 +82,7 @@ warnings:
 platform: machine
 fixtext: |-
- Configure the system to have a unique username for the grub superuser account.
+ Configure {{{ full_name }}} to have a unique username for the grub superuser account.
 Select a password-protected superuser account with unique name, and modify the "/etc/grub.d/01_users" configuration file to reflect the account name change.