That helps me trouble shoot. 
I will keep y’all informed. 
I think I will open a support ticket with Red Hat to attack this from the 
opposite direction. 

"Sometimes I think the surest sign that intelligent life exists elsewhere in 
the universe is that none of it has tried to contact us."
Bill Waterson (Calvin & Hobbes)

> On Jan 23, 2018, at 10:10 AM, Watson Yuuma Sato <> wrote:
>> On 23/01/18 13:29, Dan White wrote:
>> Scanning some RHEL 7 VM's with the latest/greatest, I am getting a finding 
>> against the Boot Loader Password.
>> I set it according to this RHEL 7 System Administrator's Guide page and this 
>> Red Hat Solutions page, but the test fails.
>> Details from the report:
>> -----------------------------------------------------------------------------
>> Rule ID: xccdf_org.ssgproject.content_rule_bootloader_password
> This rule specifically checks if '/etc/grub2/grub.cfg'  has superusers and 
> password_pbkdf2 configured.
> superusers should be root, admin or aministrator, and password key derivation 
> function used should be 'grub.pbkdf2.sha512'.
> Make sure you have these configured, I couldn't find details about superuser 
> and derivation function in pointed guides.
>> Result: fail
>> Time:  2018-01-22T14:52:15
>> Severity:  high
>> Identifiers and References: 
>>    Identifiers: CCE-27309-4
>>    References: IA-2(1), IA-5(e), AC-3, 213, SRG-OS-000080-GPOS-00048, 
>> RHEL-07-010480, 1.5.3, 3.4.5
>> Description :
>> The grub2 boot loader should have a superuser account and password 
>> protection enabled to protect boot-time settings.
>> To do so, select a superuser account and password and add them into the 
>> /etc/grub.d/01_users configuration file.
>> Since plaintext passwords are a security risk, generate a hash for the 
>> pasword by running the following command:
>>           $ grub2-mkpasswd-pbkdf2
>> When prompted, enter the password that was selected and insert the returned 
>> password hash into the /etc/grub.d/01_users configuration file immediately 
>> after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as 
>> the value of password-hash):
>>           password_pbkdf2 superusers-account password-hash
>> NOTE: It is recommended not to use common administrator account names like 
>> root, admin, or administrator for the grub2 superuser account.
>> To meet FISMA Moderate, the bootloader superuser account and password MUST 
>> differ from the root account and password. Once the superuser account and 
>> password have been added, update the grub.cfg file by running:
>>           grub2-mkconfig -o /boot/grub2/grub.cfg
>> NOTE: Do NOT manually add the superuser account and password to the grub.cfg 
>> file as the grub2-mkconfig command overwrites this file.
>> Rationale 
>> Password protection on the boot loader configuration ensures users with 
>> physical access cannot trivially alter important bootloader settings. These 
>> include which kernel to use, and whether to enter single-user mode. For more 
>> information on how to configure the grub2 superuser account and password, 
>> please refer to
>> -----------------------------------------------------------------------------
>> The link from the.Rationale returns a "404", and there is no mention in the 
>> current RHEL 7 System Administrator's Guide about tinkering with the 
>> /etc/grub.d/01_users configuration file other than to say it was necessary 
>> in versions prior to RHEL 7.2
>> Does the check need to be updated or do I need to do something other than 
>> stated in the Red Hat Documentation ?
>> And y'all have a typo :) that I highlighted in red on the third line of the 
>> description.
>> Dan White |
>> ------------------------------------------------
>> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
>> the universe is that none of it has tried to contact us.”  (Bill Waterson: 
>> Calvin & Hobbes)
>> _______________________________________________
>> Open-scap-list mailing list
> -- 
> Watson Sato
> Security Technologies | Red Hat, Inc
Open-scap-list mailing list

Reply via email to