810 lines
38 KiB
Diff
810 lines
38 KiB
Diff
From a59040cec2adf8f81fc5784e4273e1701ca21995 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 11:45:20 +0200
|
|
Subject: [PATCH 01/20] Update OCIL for require_emergency_target_auth
|
|
|
|
Extends the OCIL text according to the OVAL check.
|
|
---
|
|
.../require_emergency_target_auth/rule.yml | 18 +++++++++++++++++-
|
|
1 file changed, 17 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
|
|
index cc0a2c53017..1d5febf54c7 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
|
|
@@ -53,7 +53,7 @@ ocil: |-
|
|
To check if authentication is required for emergency mode, run the following command:
|
|
<pre>$ grep sulogin /usr/lib/systemd/system/emergency.service</pre>
|
|
The output should be similar to the following, and the line must begin with
|
|
- {{% if product in ["fedora", "rhel8", "rhel9", "ol8"] -%}}
|
|
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
|
|
ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
|
|
<pre>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency</pre>
|
|
{{%- else -%}}
|
|
@@ -61,4 +61,20 @@ ocil: |-
|
|
<pre>ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
|
|
{{%- endif %}}
|
|
|
|
+ Then, check if the emergency target requires the emergency service:
|
|
+ Run the following command:
|
|
+ <pre>$ sudo grep Requires /usr/lib/systemd/system/emergency.target</pre>
|
|
+ The output should be the following:
|
|
+ <pre>Requires=emergency.service</pre>
|
|
+
|
|
+ Then, check if there is no custom emergency target configured in systemd configuration.
|
|
+ Run the following command:
|
|
+ <pre>$ sudo grep -r emergency.target /etc/systemd/system/</pre>
|
|
+ The output should be empty.
|
|
+
|
|
+ Then, check if there is no custom emergency service configured in systemd configuration.
|
|
+ Run the following command:
|
|
+ <pre>$ sudo grep -r emergency.service /etc/systemd/system/</pre>
|
|
+ The output should be empty.
|
|
+
|
|
platform: machine
|
|
|
|
From 16c898ce4b960e33088b025f1ea0a8e432ae01a4 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 11:46:19 +0200
|
|
Subject: [PATCH 02/20] Add fixtext to require_emergency_target_auth
|
|
|
|
---
|
|
.../require_emergency_target_auth/rule.yml | 10 ++++++++++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
|
|
index 1d5febf54c7..c4860915b67 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
|
|
@@ -78,3 +78,13 @@ ocil: |-
|
|
The output should be empty.
|
|
|
|
platform: machine
|
|
+
|
|
+fixtext: |-
|
|
+ Configure {{{ full_name }}} to require authentication for system emergency mode.
|
|
+
|
|
+ Add or edit the following line in "/usr/lib/systemd/system/emergency.service":
|
|
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
|
|
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
|
|
+ {{%- else -%}}
|
|
+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
|
|
+ {{%- endif %}}
|
|
|
|
From 836497f3b9c9b1a206023f7aa16d2df8a025ece3 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 13:43:16 +0200
|
|
Subject: [PATCH 03/20] Align OCIL with OVAL for require_singleuser_auth
|
|
|
|
---
|
|
.../require_singleuser_auth/rule.yml | 18 ++++++++++++++++++
|
|
1 file changed, 18 insertions(+)
|
|
|
|
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
|
index 8d7a4fa7b74..cbd048aad0a 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
|
@@ -70,4 +70,22 @@ ocil: |-
|
|
<pre>ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
|
|
{{%- endif %}}
|
|
|
|
+ {{% if product not in ["ol8", "rhel8"] %}}
|
|
+ Then, verify that the rescue service is in the runlevel1.target.
|
|
+ Run the following command:
|
|
+ <pre>$ sudo grep "^Requires=.*rescue.service" /usr/lib/systemd/system/runlevel1.target</pre>
|
|
+ The output should be the following:
|
|
+ <pre>Requires=sysinit.target rescue.service</pre>
|
|
+
|
|
+ Then, check if there is no custom runlevel1 target configured in systemd configuration.
|
|
+ Run the following command:
|
|
+ <pre>$ sudo grep -r "^runlevel1.target$" /etc/systemd/system</pre>
|
|
+ There should be no output.
|
|
+
|
|
+ Then, check if there is no custom rescue service configured in systemd configuration.
|
|
+ Run the following command:
|
|
+ <pre>$ sudo grep -r "^rescue.service$" /etc/systemd/system</pre>
|
|
+ There should be no output.
|
|
+ {{% endif %}}
|
|
+
|
|
platform: machine
|
|
|
|
From 11715c35c9cdbfdc7ed4c30a8612a125ec3c77e5 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 13:43:30 +0200
|
|
Subject: [PATCH 04/20] Add fixtext to require_singleuser_auth
|
|
|
|
---
|
|
.../require_singleuser_auth/rule.yml | 17 +++++++++++++++++
|
|
1 file changed, 17 insertions(+)
|
|
|
|
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
|
index cbd048aad0a..3a0cad455cc 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
|
|
@@ -89,3 +89,20 @@ ocil: |-
|
|
{{% endif %}}
|
|
|
|
platform: machine
|
|
+
|
|
+fixtext: |-
|
|
+ Configure {{{ full_name }}} to require authentication in single user mode.
|
|
+
|
|
+ {{% if init_system == "systemd" -%}}
|
|
+ Add or update the following line in "/usr/lib/systemd/system/rescue.service":
|
|
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
|
|
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
|
|
+ {{%- elif product in ["rhel7"] -%}}
|
|
+ ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
|
|
+ {{%- else -%}}
|
|
+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
|
|
+ {{%- endif %}}
|
|
+ {{%- else -%}}
|
|
+ Add or update the following line in "/etc/sysconfig/init":
|
|
+ SINGLE=/sbin/sulogin
|
|
+ {{%- endif %}}
|
|
|
|
From ad14aee19d11dc99ead242535281d56791bfc213 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 14:15:12 +0200
|
|
Subject: [PATCH 05/20] Update OCIL in grub2_admin_username
|
|
|
|
---
|
|
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
index a43d5fcc038..0c824434e07 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
@@ -52,17 +52,17 @@ references:
|
|
stigid@rhel7: RHEL-07-010483
|
|
stigid@rhel8: RHEL-08-010149
|
|
|
|
-ocil_clause: 'it does not'
|
|
+ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name'
|
|
|
|
ocil: |-
|
|
To verify the boot loader superuser account has been set, run the following
|
|
command:
|
|
- <pre>sudo grep -A1 "superusers" /etc/grub2.cfg</pre>
|
|
+ <pre>sudo grep -A1 "superusers" {{{ grub2_boot_path + "/grub.cfg" }}}</pre>
|
|
The output should show the following:
|
|
<pre>set superusers="<b>superusers-account</b>"
|
|
export superusers</pre>
|
|
where superusers-account is the actual account name different from common names like root,
|
|
- admin, or administrator.
|
|
+ admin, or administrator and different from any other existing user name.
|
|
|
|
warnings:
|
|
- general: |-
|
|
|
|
From 7ee002478c778fd271aa2c289e74d14aa2853355 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 14:15:28 +0200
|
|
Subject: [PATCH 06/20] Add fixtext for grub2_admin_username
|
|
|
|
---
|
|
.../non-uefi/grub2_admin_username/rule.yml | 11 +++++++++++
|
|
1 file changed, 11 insertions(+)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
index 0c824434e07..a813b417a00 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
@@ -73,3 +73,14 @@ warnings:
|
|
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
|
|
|
|
platform: machine
|
|
+
|
|
+fixtext: |-
|
|
+ Configure the system to require a grub bootloader password for the grub superuser account.
|
|
+
|
|
+ Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
|
|
+
|
|
+ set superusers="<unique_user_id>"
|
|
+ export superusers
|
|
+
|
|
+ Once the superuser account has been added, update the grub.cfg file by running:
|
|
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
|
|
From 9f5a6d48ef97180e7720dc066c83409633c80899 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 15:04:21 +0200
|
|
Subject: [PATCH 07/20] Align OCIL with OVAL in grub2_password
|
|
|
|
---
|
|
.../non-uefi/grub2_password/rule.yml | 35 ++++++-------------
|
|
1 file changed, 10 insertions(+), 25 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
index ad515a65ee7..268f48a16c1 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
@@ -77,33 +77,18 @@ references:
|
|
stigid@sle15: SLES-15-010190
|
|
stigid@ubuntu2004: UBTU-20-010009
|
|
|
|
-ocil_clause: 'it does not'
|
|
+ocil_clause: 'it does not produce any output'
|
|
|
|
ocil: |-
|
|
- To verify the boot loader superuser password has been set, run the following
|
|
- command:
|
|
- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
|
|
- <pre>sudo grep "boot" {{{ grub2_boot_path }}}/grub.cfg</pre>
|
|
- {{% else %}}
|
|
- <pre>sudo grep "superusers" /etc/grub2.cfg</pre>
|
|
- {{% endif %}}
|
|
- The output should show the following:
|
|
- <pre>password_pbkdf2 <b>superusers-account</b> <b>${GRUB2_PASSWORD}</b></pre>
|
|
- To verify the boot loader superuser account password has been set,
|
|
- and the password encrypted, run the following command:
|
|
- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
|
|
- <pre>sudo cat /etc/grub.d/40_custom</pre>
|
|
- The output should be similar to:
|
|
- <pre>set superusers="boot"
|
|
- password_pbkdf2 boot grub.pbkdf2.sha512.10000.5DE5DF6E01A52E17A8C2FEDF585A3916B345F654C9D19C9ECD0BC958DF8C8A5E1AB15862D9C0B6DCE1F3209D8E8B46101DB3AE7146BB9D7D6C1D379E1854AF9E.CD75F981FE5223C583FB7887544C3A4C96431B5C089801D26855B93A1CB0BC0A508D189F1799A1CC40036B069C36EAD51DAE6A2EE6C0732353B2B5B4F5C49088</pre>
|
|
- {{% else %}}
|
|
- <pre>sudo cat {{{ grub2_boot_path }}}/user.cfg</pre>
|
|
- The output should be similar to:
|
|
- <pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
|
|
- 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
|
|
- 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
|
|
- 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
|
|
- {{% endif %}}
|
|
+ First, check whether the password is defined in either {{{ grub2_boot_path }}}/user.cfg or
|
|
+ {{{ grub2_boot_path }}}/grub.cfg.
|
|
+ Run the following commands:
|
|
+ <pre>$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/user.cfg
|
|
+ $ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/grub.cfg
|
|
+ </pre>
|
|
+
|
|
+ Second, check that a superuser is defined in {{{ grub2_boot_path }}}/grub.cfg.
|
|
+ <pre>$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$' {{{ grub2_boot_path }}}/grub.cfg</pre>
|
|
|
|
warnings:
|
|
- general: |-
|
|
|
|
From 1bd446ee0efb4cefeaaca7a1808e7de703f2b1be Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 15:04:34 +0200
|
|
Subject: [PATCH 08/20] Add fixtext for grub2_password
|
|
|
|
Adopted from the RHEL 8 STIG spreadsheet.
|
|
---
|
|
.../non-uefi/grub2_password/rule.yml | 17 +++++++++++++++++
|
|
1 file changed, 17 insertions(+)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
index 268f48a16c1..4a7e0694884 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
@@ -99,3 +99,20 @@ warnings:
|
|
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
|
|
|
|
platform: machine
|
|
+
|
|
+fixtext: |-
|
|
+ Configure the system to require a grub bootloader password for the grub superuser account.
|
|
+
|
|
+ Generate an encrypted grub2 password for the grub superuser account with the following command:
|
|
+
|
|
+ $ sudo grub2-setpassword
|
|
+ Enter password:
|
|
+ Confirm password:
|
|
+
|
|
+ Edit the /etc/grub.d/40_custom file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
|
|
+
|
|
+ set superusers="[someuniquestringhere]"
|
|
+ export superusers
|
|
+
|
|
+ Once the superuser account has been added, update the grub.cfg file by running:
|
|
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
|
|
From 85cc9f300c860e456996fa8cf7aec2532bb88a08 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 15:54:12 +0200
|
|
Subject: [PATCH 09/20] Fix a typo
|
|
|
|
---
|
|
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
index 17b4918c5f5..fcf9031fa93 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
@@ -15,7 +15,7 @@ description: |-
|
|
admin, or administrator for the grub2 superuser account.
|
|
<br /><br />
|
|
Change the superuser to a different username (The default is 'root').
|
|
- <pre>$ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users</pre>
|
|
+ <pre>$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users</pre>
|
|
<br /><br />
|
|
Once the superuser account has been added,
|
|
update the
|
|
|
|
From e3d765df471350cbcc629d67439902b8189cde14 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 15:54:44 +0200
|
|
Subject: [PATCH 10/20] Align OCIL with OVAL in grub2_uefi_admin_username
|
|
|
|
---
|
|
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
index fcf9031fa93..c76d086c5f2 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
@@ -64,12 +64,12 @@ ocil_clause: 'it does not'
|
|
ocil: |-
|
|
To verify the boot loader superuser account has been set, run the following
|
|
command:
|
|
- <pre>sudo grep -A1 "superusers" /etc/grub2-efi.cfg</pre>
|
|
+ <pre>sudo grep -A1 "superusers" {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
|
|
The output should show the following:
|
|
<pre>set superusers="<b>superusers-account</b>"
|
|
export superusers</pre>
|
|
where superusers-account is the actual account name different from common names like root,
|
|
- admin, or administrator.
|
|
+ admin, or administrator and different from any other existing user name.
|
|
|
|
warnings:
|
|
- general: |-
|
|
|
|
From d8cb9ec4ae23535a04ae5715c9dfbf94126082f0 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 15:54:57 +0200
|
|
Subject: [PATCH 11/20] Add fixtext in grub2_uefi_admin_username
|
|
|
|
---
|
|
.../uefi/grub2_uefi_admin_username/rule.yml | 13 +++++++++++++
|
|
1 file changed, 13 insertions(+)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
index c76d086c5f2..2a4556c1659 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
@@ -80,3 +80,16 @@ warnings:
|
|
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
|
|
|
|
platform: machine
|
|
+
|
|
+fixtext: |-
|
|
+ Configure the system to require a grub bootloader password for the grub superuser account.
|
|
+
|
|
+ Select a password-protected superuser account with unique name, and modify the
|
|
+ "/etc/grub.d/01_users" configuration file to reflect the account name change.
|
|
+
|
|
+ Add or edit the following line in /etc/grub.d/01_users:
|
|
+
|
|
+ set superusers=<unique user id>
|
|
+
|
|
+ Once the superuser account has been added, update the grub.cfg file by running:
|
|
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
|
|
From 73a5e86cbfc77fa8344499347c074b5f04e32a0e Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 17:55:09 +0200
|
|
Subject: [PATCH 12/20] Align OCIL with OVAL in grub2_uefi_password
|
|
|
|
---
|
|
.../uefi/grub2_uefi_password/rule.yml | 30 +++----------------
|
|
1 file changed, 4 insertions(+), 26 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
index 4579b1ff2e7..ee4f6c1470a 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
@@ -77,39 +77,17 @@ references:
|
|
stigid@sle15: SLES-15-010200
|
|
stigid@ubuntu2004: UBTU-20-010009
|
|
|
|
-ocil_clause: 'it does not'
|
|
+ocil_clause: 'no password is set'
|
|
|
|
ocil: |-
|
|
- To verify the boot loader superuser password has been set, run the following
|
|
- command:
|
|
- {{% if product in ["sle12", "sle15", "ubuntu2004"] %}}
|
|
- <pre>sudo grep -A1 "superusers\|password" /etc/grub.d/40_custom</pre>
|
|
- {{% else %}}
|
|
- <pre>sudo grep "password" /etc/grub2-efi.cfg</pre>
|
|
- {{% endif %}}
|
|
- The output should show the following:
|
|
- <pre>password_pbkdf2 <b>superusers-account</b> <b>${GRUB2_PASSWORD}</b></pre>
|
|
- To verify the boot loader superuser account password has been set,
|
|
- and the password encrypted, run the following command:
|
|
- {{% if product in ["sle12", "sle15"] %}}
|
|
- <pre>sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
|
|
- The output should be similar to:
|
|
- <pre>password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
|
|
- 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
|
|
- 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
|
|
- 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
|
|
- {{% elif "ubuntu" in product %}}
|
|
- <pre>grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
|
|
- The output should contain something similar to:
|
|
- <pre>password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG</pre>
|
|
- {{% else %}}
|
|
- <pre>sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg</pre>
|
|
+ To verify the boot loader superuser password has been set, run the following command:
|
|
+ $ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" {{{ grub2_uefi_boot_path }}}/user.cfg
|
|
The output should be similar to:
|
|
<pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
|
|
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
|
|
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
|
|
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
|
|
- {{% endif %}}
|
|
+
|
|
|
|
warnings:
|
|
- general: |-
|
|
|
|
From 5332d2961da8f14965d9b6b32ea0d4f5a7c2b817 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 25 Apr 2022 17:55:31 +0200
|
|
Subject: [PATCH 13/20] Add fixtext in grub2_uefi_password
|
|
|
|
---
|
|
.../uefi/grub2_uefi_password/rule.yml | 15 +++++++++++++++
|
|
1 file changed, 15 insertions(+)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
index ee4f6c1470a..4ed65d5f68d 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
@@ -98,3 +98,18 @@ warnings:
|
|
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
|
|
|
|
platform: machine
|
|
+
|
|
+fixtext: |-
|
|
+ Configure {{{ full_name }}} to use a secure UEFI boot loader password.
|
|
+
|
|
+ Run the following command:
|
|
+ $ sudo grub2-setpassword
|
|
+
|
|
+ When prompted, enter the password that was selected.
|
|
+ Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content:
|
|
+
|
|
+ set superusers="boot"
|
|
+ password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
|
|
+
|
|
+ Then, update the grub.cfg file by running:
|
|
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
|
|
From f1fae705e533ec0f4d4e83518f581dadd1552e2c Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Tue, 26 Apr 2022 08:43:08 +0200
|
|
Subject: [PATCH 14/20] Fix a typo
|
|
|
|
---
|
|
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
index a813b417a00..88551a068bf 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
@@ -52,7 +52,7 @@ references:
|
|
stigid@rhel7: RHEL-07-010483
|
|
stigid@rhel8: RHEL-08-010149
|
|
|
|
-ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name'
|
|
+ocil_clause: 'superuser account is not set or is set to root, admin, administrator or any other existing user name'
|
|
|
|
ocil: |-
|
|
To verify the boot loader superuser account has been set, run the following
|
|
|
|
From 5f6cbfc9440e029526b86e448b51ab39e6bf6c35 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Tue, 3 May 2022 10:07:51 +0200
|
|
Subject: [PATCH 15/20] Add an update operation to macro grub_command
|
|
|
|
---
|
|
shared/macros/general.jinja | 10 ++++++----
|
|
1 file changed, 6 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/shared/macros/general.jinja b/shared/macros/general.jinja
|
|
index 3802ea40eea..df4c696d3ca 100644
|
|
--- a/shared/macros/general.jinja
|
|
+++ b/shared/macros/general.jinja
|
|
@@ -1071,17 +1071,17 @@ p+i+n+u+g+s+b+acl+xattrs+sha512
|
|
|
|
|
|
{{#
|
|
-Macro to generate a command to modify (add or remove) kernel command line argument in a GRUB 2 bootloader.
|
|
+Macro to generate a command to modify GRUB 2 configuration or add or remove kernel command line argument in a GRUB 2 bootloader.
|
|
Generates a correct command based on the product (grubby, grub2-mkconfig, update-grub, etc.)
|
|
Part of the grub2_bootloader_argument(_absent) templates.
|
|
|
|
-:param action: What to do with the argument, either "add" or "remove".
|
|
+:param action: What to do with the argument, must be one of: "update", "add", "remove".
|
|
:type action str:
|
|
:param arg_name: :type arg_name str: :param arg_name_value: If action is "add", it's kernel command line argument concatenated with the value of this argument using an equal sign, eg. "audit=1". If action is "remove", it's only the kernel command line argument name, eg. "audit".
|
|
:type arg_name_value str:
|
|
|
|
#}}
|
|
-{{% macro grub_command(action, arg_name_value) -%}}
|
|
+{{% macro grub_command(action, arg_name_value=None) -%}}
|
|
{{%- if 'ubuntu' in product -%}}
|
|
{{%- set grub_helper_executable = "update-grub" -%}}
|
|
{{%- set grub_helper_args = [] -%}}
|
|
@@ -1090,7 +1090,9 @@ Part of the grub2_bootloader_argument(_absent) templates.
|
|
{{%- set grub_helper_args = ["-o " + grub2_boot_path + "/grub2.cfg"] -%}}
|
|
{{%- else -%}}
|
|
{{%- set grub_helper_executable = "grubby" -%}}
|
|
- {{%- if action == "add" -%}}
|
|
+ {{%- if action == "update" -%}}
|
|
+ {{%- set grub_helper_args = ["--update-kernel=ALL"] -%}}
|
|
+ {{%- elif action == "add" -%}}
|
|
{{%- set grub_helper_args = ["--update-kernel=ALL", "--args=" ~ arg_name_value ] -%}}
|
|
{{%- elif action == "remove" -%}}
|
|
{{%- set grub_helper_args = ["--update-kernel=ALL", "--remove-args=" ~ arg_name_value ] -%}}
|
|
|
|
From 591cc74770433614595326a514e459a4efb7f491 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Tue, 3 May 2022 10:08:54 +0200
|
|
Subject: [PATCH 16/20] Use grub_command macro in rules in
|
|
SRG-OS-000080-GPOS-00048
|
|
|
|
---
|
|
.../non-uefi/grub2_admin_username/rule.yml | 5 +++--
|
|
.../bootloader-grub2/non-uefi/grub2_password/rule.yml | 9 +++------
|
|
.../uefi/grub2_uefi_admin_username/rule.yml | 5 +++--
|
|
.../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 9 +++------
|
|
4 files changed, 12 insertions(+), 16 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
index 88551a068bf..5557664f8be 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
@@ -20,7 +20,7 @@ description: |-
|
|
Once the superuser account has been added,
|
|
update the
|
|
<tt>grub.cfg</tt> file by running:
|
|
- <pre>grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
|
|
+ <pre>{{{ grub_command("update") }}}</pre>
|
|
|
|
rationale: |-
|
|
Having a non-default grub superuser username makes password-guessing attacks less effective.
|
|
@@ -83,4 +83,5 @@ fixtext: |-
|
|
export superusers
|
|
|
|
Once the superuser account has been added, update the grub.cfg file by running:
|
|
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
+
|
|
+ $ sudo {{{ grub_command("update") }}}
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
index 4a7e0694884..43c63b56ffc 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
@@ -28,11 +28,7 @@ description: |-
|
|
Once the superuser password has been added,
|
|
update the
|
|
<tt>grub.cfg</tt> file by running:
|
|
- {{% if "ubuntu" in product %}}
|
|
- <pre>update-grub</pre>
|
|
- {{% elif product in ["sle12", "sle15"] %}}
|
|
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
|
|
- {{% endif %}}
|
|
+ <pre>{{{ grub_command("update") }}}</pre>
|
|
{{% endif %}}
|
|
|
|
rationale: |-
|
|
@@ -115,4 +111,5 @@ fixtext: |-
|
|
export superusers
|
|
|
|
Once the superuser account has been added, update the grub.cfg file by running:
|
|
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
+
|
|
+ $ sudo {{{ grub_command("update") }}}
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
index 2a4556c1659..bd07ab2ee29 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
@@ -20,7 +20,7 @@ description: |-
|
|
Once the superuser account has been added,
|
|
update the
|
|
<tt>grub.cfg</tt> file by running:
|
|
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
|
|
+ <pre>{{{ grub_command("update") }}}</pre>
|
|
|
|
rationale: |-
|
|
Having a non-default grub superuser username makes password-guessing attacks less effective.
|
|
@@ -92,4 +92,5 @@ fixtext: |-
|
|
set superusers=<unique user id>
|
|
|
|
Once the superuser account has been added, update the grub.cfg file by running:
|
|
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
+
|
|
+ $ sudo {{{ grub_command("update") }}}
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
index 4ed65d5f68d..98144a9e651 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
@@ -28,11 +28,7 @@ description: |-
|
|
Once the superuser password has been added,
|
|
update the
|
|
<tt>grub.cfg</tt> file by running:
|
|
- {{% if "ubuntu" in product %}}
|
|
- <pre>update-grub</pre>
|
|
- {{% elif product in ["sle12", "sle15"] %}}
|
|
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
|
|
- {{% endif %}}
|
|
+ <pre>{{{ grub_command("update") }}}</pre>
|
|
{{% endif %}}
|
|
|
|
rationale: |-
|
|
@@ -112,4 +108,5 @@ fixtext: |-
|
|
password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
|
|
|
|
Then, update the grub.cfg file by running:
|
|
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
|
|
+
|
|
+ $ sudo {{{ grub_command("update") }}}
|
|
|
|
From b2fce574abb7cf4bf72058023646178cd574ff90 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Tue, 3 May 2022 10:09:14 +0200
|
|
Subject: [PATCH 17/20] Update OCIL
|
|
|
|
---
|
|
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
|
|
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
|
|
2 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
index 5557664f8be..ccf7ca74932 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
@@ -79,7 +79,7 @@ fixtext: |-
|
|
|
|
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
|
|
|
|
- set superusers="<unique_user_id>"
|
|
+ set superusers="superusers-account"
|
|
export superusers
|
|
|
|
Once the superuser account has been added, update the grub.cfg file by running:
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
index bd07ab2ee29..61e2e4e066f 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
@@ -59,7 +59,7 @@ references:
|
|
stigid@rhel7: RHEL-07-010492
|
|
stigid@rhel8: RHEL-08-010141
|
|
|
|
-ocil_clause: 'it does not'
|
|
+ocil_clause: 'superuser account is not set or is set to an existing name or to a common name'
|
|
|
|
ocil: |-
|
|
To verify the boot loader superuser account has been set, run the following
|
|
@@ -89,7 +89,7 @@ fixtext: |-
|
|
|
|
Add or edit the following line in /etc/grub.d/01_users:
|
|
|
|
- set superusers=<unique user id>
|
|
+ set superusers="superusers-account"
|
|
|
|
Once the superuser account has been added, update the grub.cfg file by running:
|
|
|
|
|
|
From 1cefb7749a4ec5fabd27a53e15096ab44a566a16 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Tue, 3 May 2022 10:19:19 +0200
|
|
Subject: [PATCH 18/20] Use a unique account name for the superusers account
|
|
|
|
---
|
|
.../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
index 98144a9e651..58fb77ab98f 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
|
|
@@ -103,9 +103,10 @@ fixtext: |-
|
|
|
|
When prompted, enter the password that was selected.
|
|
Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content:
|
|
+ Use a unique account name for the superusers account.
|
|
|
|
- set superusers="boot"
|
|
- password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
|
|
+ set superusers="superusers-account"
|
|
+ password_pbkdf2 superusers-account grub.pbkdf2.sha512.$password_hash
|
|
|
|
Then, update the grub.cfg file by running:
|
|
|
|
|
|
From 1cbaba853c2dbff8cd9ba55117d6f46fd5e9ab58 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Fri, 6 May 2022 13:51:29 +0200
|
|
Subject: [PATCH 19/20] Apply suggestions from code review
|
|
|
|
Co-authored-by: Matthew Burket <m@tthewburket.com>
|
|
---
|
|
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
|
|
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
|
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
index ccf7ca74932..7a9f397f744 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
@@ -75,7 +75,7 @@ warnings:
|
|
platform: machine
|
|
|
|
fixtext: |-
|
|
- Configure the system to require a grub bootloader password for the grub superuser account.
|
|
+ Configure the system to have a unique username for the grub superuser account.
|
|
|
|
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
index 61e2e4e066f..8d6ebad550c 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
@@ -82,7 +82,7 @@ warnings:
|
|
platform: machine
|
|
|
|
fixtext: |-
|
|
- Configure the system to require a grub bootloader password for the grub superuser account.
|
|
+ Configure the system to have a unique username for the grub superuser account.
|
|
|
|
Select a password-protected superuser account with unique name, and modify the
|
|
"/etc/grub.d/01_users" configuration file to reflect the account name change.
|
|
|
|
From e73fefa9548264d24959284fd2447ef0bc474d6b Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
|
Date: Mon, 9 May 2022 08:33:54 +0200
|
|
Subject: [PATCH 20/20] Replace the system by full name
|
|
|
|
---
|
|
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
|
|
.../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 2 +-
|
|
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
|
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
index 7a9f397f744..14bdfd57a6d 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
|
|
@@ -75,7 +75,7 @@ warnings:
|
|
platform: machine
|
|
|
|
fixtext: |-
|
|
- Configure the system to have a unique username for the grub superuser account.
|
|
+ Configure {{{ full_name }}} to have a unique username for the grub superuser account.
|
|
|
|
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
index 43c63b56ffc..211d8b28a84 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
|
|
@@ -97,7 +97,7 @@ warnings:
|
|
platform: machine
|
|
|
|
fixtext: |-
|
|
- Configure the system to require a grub bootloader password for the grub superuser account.
|
|
+ Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account.
|
|
|
|
Generate an encrypted grub2 password for the grub superuser account with the following command:
|
|
|
|
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
index 8d6ebad550c..d36dbcbb187 100644
|
|
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
|
|
@@ -82,7 +82,7 @@ warnings:
|
|
platform: machine
|
|
|
|
fixtext: |-
|
|
- Configure the system to have a unique username for the grub superuser account.
|
|
+ Configure {{{ full_name }}} to have a unique username for the grub superuser account.
|
|
|
|
Select a password-protected superuser account with unique name, and modify the
|
|
"/etc/grub.d/01_users" configuration file to reflect the account name change.
|