rpms
/
scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity
scap-security-guide/scap-security-guide-0.1.63-...

810 lines
38 KiB
Diff
Raw Blame History

From a59040cec2adf8f81fc5784e4273e1701ca21995 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 11:45:20 +0200
Subject: [PATCH 01/20] Update OCIL for require_emergency_target_auth
Extends the OCIL text according to the OVAL check.
---
.../require_emergency_target_auth/rule.yml | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index cc0a2c53017..1d5febf54c7 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -53,7 +53,7 @@ ocil: |-
To check if authentication is required for emergency mode, run the following command:
<pre>$ grep sulogin /usr/lib/systemd/system/emergency.service</pre>
The output should be similar to the following, and the line must begin with
- {{% if product in ["fedora", "rhel8", "rhel9", "ol8"] -%}}
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
<pre>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency</pre>
{{%- else -%}}
@@ -61,4 +61,20 @@ ocil: |-
<pre>ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
{{%- endif %}}
+ Then, check if the emergency target requires the emergency service:
+ Run the following command:
+ <pre>$ sudo grep Requires /usr/lib/systemd/system/emergency.target</pre>
+ The output should be the following:
+ <pre>Requires=emergency.service</pre>
+
+ Then, check if there is no custom emergency target configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r emergency.target /etc/systemd/system/</pre>
+ The output should be empty.
+
+ Then, check if there is no custom emergency service configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r emergency.service /etc/systemd/system/</pre>
+ The output should be empty.
+
platform: machine
From 16c898ce4b960e33088b025f1ea0a8e432ae01a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 11:46:19 +0200
Subject: [PATCH 02/20] Add fixtext to require_emergency_target_auth
---
.../require_emergency_target_auth/rule.yml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
index 1d5febf54c7..c4860915b67 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml
@@ -78,3 +78,13 @@ ocil: |-
The output should be empty.
platform: machine
+
+fixtext: |-
+ Configure {{{ full_name }}} to require authentication for system emergency mode.
+
+ Add or edit the following line in "/usr/lib/systemd/system/emergency.service":
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
+ {{%- else -%}}
+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- endif %}}
From 836497f3b9c9b1a206023f7aa16d2df8a025ece3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 13:43:16 +0200
Subject: [PATCH 03/20] Align OCIL with OVAL for require_singleuser_auth
---
.../require_singleuser_auth/rule.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index 8d7a4fa7b74..cbd048aad0a 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -70,4 +70,22 @@ ocil: |-
<pre>ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
{{%- endif %}}
+ {{% if product not in ["ol8", "rhel8"] %}}
+ Then, verify that the rescue service is in the runlevel1.target.
+ Run the following command:
+ <pre>$ sudo grep "^Requires=.*rescue.service" /usr/lib/systemd/system/runlevel1.target</pre>
+ The output should be the following:
+ <pre>Requires=sysinit.target rescue.service</pre>
+
+ Then, check if there is no custom runlevel1 target configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r "^runlevel1.target$" /etc/systemd/system</pre>
+ There should be no output.
+
+ Then, check if there is no custom rescue service configured in systemd configuration.
+ Run the following command:
+ <pre>$ sudo grep -r "^rescue.service$" /etc/systemd/system</pre>
+ There should be no output.
+ {{% endif %}}
+
platform: machine
From 11715c35c9cdbfdc7ed4c30a8612a125ec3c77e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 13:43:30 +0200
Subject: [PATCH 04/20] Add fixtext to require_singleuser_auth
---
.../require_singleuser_auth/rule.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index cbd048aad0a..3a0cad455cc 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -89,3 +89,20 @@ ocil: |-
{{% endif %}}
platform: machine
+
+fixtext: |-
+ Configure {{{ full_name }}} to require authentication in single user mode.
+
+ {{% if init_system == "systemd" -%}}
+ Add or update the following line in "/usr/lib/systemd/system/rescue.service":
+ {{% if product in ["fedora", "rhel8", "rhel9", "ol8", "sle12", "sle15"] -%}}
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+ {{%- elif product in ["rhel7"] -%}}
+ ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- else -%}}
+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- endif %}}
+ {{%- else -%}}
+ Add or update the following line in "/etc/sysconfig/init":
+ SINGLE=/sbin/sulogin
+ {{%- endif %}}
From ad14aee19d11dc99ead242535281d56791bfc213 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 14:15:12 +0200
Subject: [PATCH 05/20] Update OCIL in grub2_admin_username
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index a43d5fcc038..0c824434e07 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -52,17 +52,17 @@ references:
stigid@rhel7: RHEL-07-010483
stigid@rhel8: RHEL-08-010149
-ocil_clause: 'it does not'
+ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name'
ocil: |-
To verify the boot loader superuser account has been set, run the following
command:
- <pre>sudo grep -A1 "superusers" /etc/grub2.cfg</pre>
+ <pre>sudo grep -A1 "superusers" {{{ grub2_boot_path + "/grub.cfg" }}}</pre>
The output should show the following:
<pre>set superusers="<b>superusers-account</b>"
export superusers</pre>
where superusers-account is the actual account name different from common names like root,
- admin, or administrator.
+ admin, or administrator and different from any other existing user name.
warnings:
- general: |-
From 7ee002478c778fd271aa2c289e74d14aa2853355 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 14:15:28 +0200
Subject: [PATCH 06/20] Add fixtext for grub2_admin_username
---
.../non-uefi/grub2_admin_username/rule.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 0c824434e07..a813b417a00 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -73,3 +73,14 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure the system to require a grub bootloader password for the grub superuser account.
+
+ Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
+
+ set superusers="<unique_user_id>"
+ export superusers
+
+ Once the superuser account has been added, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From 9f5a6d48ef97180e7720dc066c83409633c80899 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:04:21 +0200
Subject: [PATCH 07/20] Align OCIL with OVAL in grub2_password
---
.../non-uefi/grub2_password/rule.yml | 35 ++++++-------------
1 file changed, 10 insertions(+), 25 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index ad515a65ee7..268f48a16c1 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -77,33 +77,18 @@ references:
stigid@sle15: SLES-15-010190
stigid@ubuntu2004: UBTU-20-010009
-ocil_clause: 'it does not'
+ocil_clause: 'it does not produce any output'
ocil: |-
- To verify the boot loader superuser password has been set, run the following
- command:
- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
- <pre>sudo grep "boot" {{{ grub2_boot_path }}}/grub.cfg</pre>
- {{% else %}}
- <pre>sudo grep "superusers" /etc/grub2.cfg</pre>
- {{% endif %}}
- The output should show the following:
- <pre>password_pbkdf2 <b>superusers-account</b> <b>${GRUB2_PASSWORD}</b></pre>
- To verify the boot loader superuser account password has been set,
- and the password encrypted, run the following command:
- {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
- <pre>sudo cat /etc/grub.d/40_custom</pre>
- The output should be similar to:
- <pre>set superusers="boot"
- password_pbkdf2 boot grub.pbkdf2.sha512.10000.5DE5DF6E01A52E17A8C2FEDF585A3916B345F654C9D19C9ECD0BC958DF8C8A5E1AB15862D9C0B6DCE1F3209D8E8B46101DB3AE7146BB9D7D6C1D379E1854AF9E.CD75F981FE5223C583FB7887544C3A4C96431B5C089801D26855B93A1CB0BC0A508D189F1799A1CC40036B069C36EAD51DAE6A2EE6C0732353B2B5B4F5C49088</pre>
- {{% else %}}
- <pre>sudo cat {{{ grub2_boot_path }}}/user.cfg</pre>
- The output should be similar to:
- <pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
- 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
- 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
- 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
- {{% endif %}}
+ First, check whether the password is defined in either {{{ grub2_boot_path }}}/user.cfg or
+ {{{ grub2_boot_path }}}/grub.cfg.
+ Run the following commands:
+ <pre>$ sudo grep '^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/user.cfg
+ $ sudo grep '^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$' {{{ grub2_boot_path }}}/grub.cfg
+ </pre>
+
+ Second, check that a superuser is defined in {{{ grub2_boot_path }}}/grub.cfg.
+ <pre>$ sudo grep '^[\s]*set[\s]+superusers=("?)[a-zA-Z_]+\1$' {{{ grub2_boot_path }}}/grub.cfg</pre>
warnings:
- general: |-
From 1bd446ee0efb4cefeaaca7a1808e7de703f2b1be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:04:34 +0200
Subject: [PATCH 08/20] Add fixtext for grub2_password
Adopted from the RHEL 8 STIG spreadsheet.
---
.../non-uefi/grub2_password/rule.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 268f48a16c1..4a7e0694884 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -99,3 +99,20 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure the system to require a grub bootloader password for the grub superuser account.
+
+ Generate an encrypted grub2 password for the grub superuser account with the following command:
+
+ $ sudo grub2-setpassword
+ Enter password:
+ Confirm password:
+
+ Edit the /etc/grub.d/40_custom file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
+
+ set superusers="[someuniquestringhere]"
+ export superusers
+
+ Once the superuser account has been added, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From 85cc9f300c860e456996fa8cf7aec2532bb88a08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:54:12 +0200
Subject: [PATCH 09/20] Fix a typo
---
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 17b4918c5f5..fcf9031fa93 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -15,7 +15,7 @@ description: |-
admin, or administrator for the grub2 superuser account.
<br /><br />
Change the superuser to a different username (The default is 'root').
- <pre>$ sed -i 's/\(set superuser=\).*/\1"&lt;unique user ID&gt;"/g' /etc/grub.d/01_users</pre>
+ <pre>$ sed -i 's/\(set superusers=\).*/\1"&lt;unique user ID&gt;"/g' /etc/grub.d/01_users</pre>
<br /><br />
Once the superuser account has been added,
update the
From e3d765df471350cbcc629d67439902b8189cde14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:54:44 +0200
Subject: [PATCH 10/20] Align OCIL with OVAL in grub2_uefi_admin_username
---
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index fcf9031fa93..c76d086c5f2 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -64,12 +64,12 @@ ocil_clause: 'it does not'
ocil: |-
To verify the boot loader superuser account has been set, run the following
command:
- <pre>sudo grep -A1 "superusers" /etc/grub2-efi.cfg</pre>
+ <pre>sudo grep -A1 "superusers" {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should show the following:
<pre>set superusers="<b>superusers-account</b>"
export superusers</pre>
where superusers-account is the actual account name different from common names like root,
- admin, or administrator.
+ admin, or administrator and different from any other existing user name.
warnings:
- general: |-
From d8cb9ec4ae23535a04ae5715c9dfbf94126082f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 15:54:57 +0200
Subject: [PATCH 11/20] Add fixtext in grub2_uefi_admin_username
---
.../uefi/grub2_uefi_admin_username/rule.yml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index c76d086c5f2..2a4556c1659 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -80,3 +80,16 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure the system to require a grub bootloader password for the grub superuser account.
+
+ Select a password-protected superuser account with unique name, and modify the
+ "/etc/grub.d/01_users" configuration file to reflect the account name change.
+
+ Add or edit the following line in /etc/grub.d/01_users:
+
+ set superusers=<unique user id>
+
+ Once the superuser account has been added, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From 73a5e86cbfc77fa8344499347c074b5f04e32a0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 17:55:09 +0200
Subject: [PATCH 12/20] Align OCIL with OVAL in grub2_uefi_password
---
.../uefi/grub2_uefi_password/rule.yml | 30 +++----------------
1 file changed, 4 insertions(+), 26 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 4579b1ff2e7..ee4f6c1470a 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -77,39 +77,17 @@ references:
stigid@sle15: SLES-15-010200
stigid@ubuntu2004: UBTU-20-010009
-ocil_clause: 'it does not'
+ocil_clause: 'no password is set'
ocil: |-
- To verify the boot loader superuser password has been set, run the following
- command:
- {{% if product in ["sle12", "sle15", "ubuntu2004"] %}}
- <pre>sudo grep -A1 "superusers\|password" /etc/grub.d/40_custom</pre>
- {{% else %}}
- <pre>sudo grep "password" /etc/grub2-efi.cfg</pre>
- {{% endif %}}
- The output should show the following:
- <pre>password_pbkdf2 <b>superusers-account</b> <b>${GRUB2_PASSWORD}</b></pre>
- To verify the boot loader superuser account password has been set,
- and the password encrypted, run the following command:
- {{% if product in ["sle12", "sle15"] %}}
- <pre>sudo cat {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- The output should be similar to:
- <pre>password_pbkdf2 superuser grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
- 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
- 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
- 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
- {{% elif "ubuntu" in product %}}
- <pre>grep -i password {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- The output should contain something similar to:
- <pre>password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG</pre>
- {{% else %}}
- <pre>sudo cat {{{ grub2_uefi_boot_path}}}/user.cfg</pre>
+ To verify the boot loader superuser password has been set, run the following command:
+ $ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" {{{ grub2_uefi_boot_path }}}/user.cfg
The output should be similar to:
<pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
- {{% endif %}}
+
warnings:
- general: |-
From 5332d2961da8f14965d9b6b32ea0d4f5a7c2b817 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 25 Apr 2022 17:55:31 +0200
Subject: [PATCH 13/20] Add fixtext in grub2_uefi_password
---
.../uefi/grub2_uefi_password/rule.yml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index ee4f6c1470a..4ed65d5f68d 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -98,3 +98,18 @@ warnings:
<tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.
platform: machine
+
+fixtext: |-
+ Configure {{{ full_name }}} to use a secure UEFI boot loader password.
+
+ Run the following command:
+ $ sudo grub2-setpassword
+
+ When prompted, enter the password that was selected.
+ Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content:
+
+ set superusers="boot"
+ password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
+
+ Then, update the grub.cfg file by running:
+ $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
From f1fae705e533ec0f4d4e83518f581dadd1552e2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 26 Apr 2022 08:43:08 +0200
Subject: [PATCH 14/20] Fix a typo
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index a813b417a00..88551a068bf 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -52,7 +52,7 @@ references:
stigid@rhel7: RHEL-07-010483
stigid@rhel8: RHEL-08-010149
-ocil_clause: 'superusers-account is not set or is set to root, admin, administrator or any other existing user name'
+ocil_clause: 'superuser account is not set or is set to root, admin, administrator or any other existing user name'
ocil: |-
To verify the boot loader superuser account has been set, run the following
From 5f6cbfc9440e029526b86e448b51ab39e6bf6c35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:07:51 +0200
Subject: [PATCH 15/20] Add an update operation to macro grub_command
---
shared/macros/general.jinja | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/shared/macros/general.jinja b/shared/macros/general.jinja
index 3802ea40eea..df4c696d3ca 100644
--- a/shared/macros/general.jinja
+++ b/shared/macros/general.jinja
@@ -1071,17 +1071,17 @@ p+i+n+u+g+s+b+acl+xattrs+sha512
{{#
-Macro to generate a command to modify (add or remove) kernel command line argument in a GRUB 2 bootloader.
+Macro to generate a command to modify GRUB 2 configuration or add or remove kernel command line argument in a GRUB 2 bootloader.
Generates a correct command based on the product (grubby, grub2-mkconfig, update-grub, etc.)
Part of the grub2_bootloader_argument(_absent) templates.
-:param action: What to do with the argument, either "add" or "remove".
+:param action: What to do with the argument, must be one of: "update", "add", "remove".
:type action str:
:param arg_name: :type arg_name str: :param arg_name_value: If action is "add", it's kernel command line argument concatenated with the value of this argument using an equal sign, eg. "audit=1". If action is "remove", it's only the kernel command line argument name, eg. "audit".
:type arg_name_value str:
#}}
-{{% macro grub_command(action, arg_name_value) -%}}
+{{% macro grub_command(action, arg_name_value=None) -%}}
{{%- if 'ubuntu' in product -%}}
{{%- set grub_helper_executable = "update-grub" -%}}
{{%- set grub_helper_args = [] -%}}
@@ -1090,7 +1090,9 @@ Part of the grub2_bootloader_argument(_absent) templates.
{{%- set grub_helper_args = ["-o " + grub2_boot_path + "/grub2.cfg"] -%}}
{{%- else -%}}
{{%- set grub_helper_executable = "grubby" -%}}
- {{%- if action == "add" -%}}
+ {{%- if action == "update" -%}}
+ {{%- set grub_helper_args = ["--update-kernel=ALL"] -%}}
+ {{%- elif action == "add" -%}}
{{%- set grub_helper_args = ["--update-kernel=ALL", "--args=" ~ arg_name_value ] -%}}
{{%- elif action == "remove" -%}}
{{%- set grub_helper_args = ["--update-kernel=ALL", "--remove-args=" ~ arg_name_value ] -%}}
From 591cc74770433614595326a514e459a4efb7f491 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:08:54 +0200
Subject: [PATCH 16/20] Use grub_command macro in rules in
SRG-OS-000080-GPOS-00048
---
.../non-uefi/grub2_admin_username/rule.yml | 5 +++--
.../bootloader-grub2/non-uefi/grub2_password/rule.yml | 9 +++------
.../uefi/grub2_uefi_admin_username/rule.yml | 5 +++--
.../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 9 +++------
4 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 88551a068bf..5557664f8be 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -20,7 +20,7 @@ description: |-
Once the superuser account has been added,
update the
<tt>grub.cfg</tt> file by running:
- <pre>grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>
+ <pre>{{{ grub_command("update") }}}</pre>
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
@@ -83,4 +83,5 @@ fixtext: |-
export superusers
Once the superuser account has been added, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 4a7e0694884..43c63b56ffc 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -28,11 +28,7 @@ description: |-
Once the superuser password has been added,
update the
<tt>grub.cfg</tt> file by running:
- {{% if "ubuntu" in product %}}
- <pre>update-grub</pre>
- {{% elif product in ["sle12", "sle15"] %}}
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- {{% endif %}}
+ <pre>{{{ grub_command("update") }}}</pre>
{{% endif %}}
rationale: |-
@@ -115,4 +111,5 @@ fixtext: |-
export superusers
Once the superuser account has been added, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 2a4556c1659..bd07ab2ee29 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -20,7 +20,7 @@ description: |-
Once the superuser account has been added,
update the
<tt>grub.cfg</tt> file by running:
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
+ <pre>{{{ grub_command("update") }}}</pre>
rationale: |-
Having a non-default grub superuser username makes password-guessing attacks less effective.
@@ -92,4 +92,5 @@ fixtext: |-
set superusers=<unique user id>
Once the superuser account has been added, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 4ed65d5f68d..98144a9e651 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -28,11 +28,7 @@ description: |-
Once the superuser password has been added,
update the
<tt>grub.cfg</tt> file by running:
- {{% if "ubuntu" in product %}}
- <pre>update-grub</pre>
- {{% elif product in ["sle12", "sle15"] %}}
- <pre>grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
- {{% endif %}}
+ <pre>{{{ grub_command("update") }}}</pre>
{{% endif %}}
rationale: |-
@@ -112,4 +108,5 @@ fixtext: |-
password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
Then, update the grub.cfg file by running:
- $ sudo grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
+
+ $ sudo {{{ grub_command("update") }}}
From b2fce574abb7cf4bf72058023646178cd574ff90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:09:14 +0200
Subject: [PATCH 17/20] Update OCIL
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 5557664f8be..ccf7ca74932 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -79,7 +79,7 @@ fixtext: |-
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
- set superusers="<unique_user_id>"
+ set superusers="superusers-account"
export superusers
Once the superuser account has been added, update the grub.cfg file by running:
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index bd07ab2ee29..61e2e4e066f 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -59,7 +59,7 @@ references:
stigid@rhel7: RHEL-07-010492
stigid@rhel8: RHEL-08-010141
-ocil_clause: 'it does not'
+ocil_clause: 'superuser account is not set or is set to an existing name or to a common name'
ocil: |-
To verify the boot loader superuser account has been set, run the following
@@ -89,7 +89,7 @@ fixtext: |-
Add or edit the following line in /etc/grub.d/01_users:
- set superusers=<unique user id>
+ set superusers="superusers-account"
Once the superuser account has been added, update the grub.cfg file by running:
From 1cefb7749a4ec5fabd27a53e15096ab44a566a16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 3 May 2022 10:19:19 +0200
Subject: [PATCH 18/20] Use a unique account name for the superusers account
---
.../bootloader-grub2/uefi/grub2_uefi_password/rule.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 98144a9e651..58fb77ab98f 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -103,9 +103,10 @@ fixtext: |-
When prompted, enter the password that was selected.
Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following content:
+ Use a unique account name for the superusers account.
- set superusers="boot"
- password_pbkdf2 boot grub.pbkdf2.sha512.$password_hash
+ set superusers="superusers-account"
+ password_pbkdf2 superusers-account grub.pbkdf2.sha512.$password_hash
Then, update the grub.cfg file by running:
From 1cbaba853c2dbff8cd9ba55117d6f46fd5e9ab58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 6 May 2022 13:51:29 +0200
Subject: [PATCH 19/20] Apply suggestions from code review
Co-authored-by: Matthew Burket <m@tthewburket.com>
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index ccf7ca74932..7a9f397f744 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -75,7 +75,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure the system to have a unique username for the grub superuser account.
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 61e2e4e066f..8d6ebad550c 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -82,7 +82,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure the system to have a unique username for the grub superuser account.
Select a password-protected superuser account with unique name, and modify the
"/etc/grub.d/01_users" configuration file to reflect the account name change.
From e73fefa9548264d24959284fd2447ef0bc474d6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Mon, 9 May 2022 08:33:54 +0200
Subject: [PATCH 20/20] Replace the system by full name
---
.../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 2 +-
.../system/bootloader-grub2/non-uefi/grub2_password/rule.yml | 2 +-
.../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
index 7a9f397f744..14bdfd57a6d 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
@@ -75,7 +75,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to have a unique username for the grub superuser account.
+ Configure {{{ full_name }}} to have a unique username for the grub superuser account.
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index 43c63b56ffc..211d8b28a84 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -97,7 +97,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to require a grub bootloader password for the grub superuser account.
+ Configure {{{ full_name }}} to require a grub bootloader password for the grub superuser account.
Generate an encrypted grub2 password for the grub superuser account with the following command:
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
index 8d6ebad550c..d36dbcbb187 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
@@ -82,7 +82,7 @@ warnings:
platform: machine
fixtext: |-
- Configure the system to have a unique username for the grub superuser account.
+ Configure {{{ full_name }}} to have a unique username for the grub superuser account.
Select a password-protected superuser account with unique name, and modify the
"/etc/grub.d/01_users" configuration file to reflect the account name change.
Reference in New Issue View Git Blame Copy Permalink