On 23/01/18 20:56, Dan White wrote:
Something is very wrong here
[root@jump-linux7 ~]# cat /etc/grub.d/01_users # ORIGINAL
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
source \${prefix}/user.cfg
if [ -n "\${GRUB2_PASSWORD}" ]; then
set superusers="root"
export superusers
password_pbkdf2 root \${GRUB2_PASSWORD}
fi
fi
EOF
Then I have the output of "grub2-setpassword":
[root@jump-linux7 ~]# cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.yadda-yadda-yadda
So, I copy the hash into /etc/grub.d/01_users:
[root@jump-linux7 ~]# cat /etc/grub.d/01_users
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
source \${prefix}/user.cfg
if [ -n "\${GRUB2_PASSWORD}" ]; then
set superusers="root"
export superusers
password_pbkdf2 root grub.pbkdf2.sha512.10000.yadda-yadda-yadda
fi
fi
EOF
And then run
grub2-mkconfig -o /boot/grub2/grub.cfg
Checking "/boot/grub2/grub.cfg", I find
[root@jump-linux7 ~]# less /boot/grub2/grub.cfg
...
### BEGIN /etc/grub.d/00_tuned ###
set tuned_params=""
set tuned_initrd=""
### END /etc/grub.d/00_tuned ###
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
source ${prefix}/user.cfg
if [ -n "${GRUB2_PASSWORD}" ]; then
set superusers="root"
export superusers
password_pbkdf2 root grub.pbkdf2.sha512.10000.yadda-yadda-yadda
fi
fi
### END /etc/grub.d/01_users ###
...
But:
*Rule ID: xccdf_org.ssgproject.content_rule_bootloader_password*
*Result: fail*
*Identifiers: CCE-27309-4*
What the heck?!
Indeed, the configuration file seems to be ok.
Can you run the evaluation with the option --oval-results and check
"ssg-rhel7-oval.xml.result.xml" for the results of
"rule_bootloader_password" and determine what is resulting in the fail?
Or, if possible, attach snippet or file so we can take a look.
This way we can identify what definition or object is causing the fail.
--
Watson Sato
Security Technologies | Red Hat, Inc
_______________________________________________
Open-scap-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/open-scap-list
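The check Watson asks for, as an added example that is not code from this thread, from OpenSCAP or from SSG: a small script that reads the OVAL results file written by `oscap xccdf eval --oval-results` (ssg-rhel7-oval.xml.result.xml beside the evaluation), finds the definition whose id matches the rule name, and prints every criterion that did not come out true together with the test it references and the object (file path and pattern) that test inspected. It assumes the standard OVAL 5 results layout oscap produces: the evaluated definitions, tests and objects echoed under `<oval_definitions>`, and per-system verdicts under `<results>/<system>`. The embedded document is constructed for this example; its definition, test and object ids, comments and regex patterns are hypothetical stand-ins, not SSG's actual bootloader_password content.

```python
"""Pinpoint which OVAL test and object make an XCCDF rule fail.

Added example (not from the thread, OpenSCAP or SSG).  Run against the
results file oscap writes with --oval-results, or with no arguments
against the constructed SAMPLE_RESULTS below.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}
IND = NS["def"] + "#independent"  # namespace of textfilecontent54_* checks

# Constructed sample: hypothetical ids/patterns, not the real SSG definition.
SAMPLE_RESULTS = f"""<oval_results xmlns="{NS['res']}">
 <oval_definitions xmlns="{NS['def']}">
  <definitions>
   <definition id="oval:ssg-bootloader_password:def:1" class="compliance" version="1">
    <metadata><title>Set Boot Loader Password</title></metadata>
    <criteria operator="AND">
     <criterion test_ref="oval:ssg-test_superusers:tst:1" comment="superusers set in grub.cfg"/>
     <criterion test_ref="oval:ssg-test_pbkdf2:tst:1" comment="pbkdf2 sha512 password in grub.cfg"/>
    </criteria>
   </definition>
  </definitions>
  <tests>
   <textfilecontent54_test xmlns="{IND}" id="oval:ssg-test_superusers:tst:1" version="1" check="all">
    <object object_ref="oval:ssg-obj_superusers:obj:1"/></textfilecontent54_test>
   <textfilecontent54_test xmlns="{IND}" id="oval:ssg-test_pbkdf2:tst:1" version="1" check="all">
    <object object_ref="oval:ssg-obj_pbkdf2:obj:1"/></textfilecontent54_test>
  </tests>
  <objects>
   <textfilecontent54_object xmlns="{IND}" id="oval:ssg-obj_superusers:obj:1" version="1">
    <filepath>/boot/grub2/grub.cfg</filepath>
    <pattern operation="pattern match">^\\s*set superusers="root"$</pattern>
    <instance datatype="int">1</instance></textfilecontent54_object>
   <textfilecontent54_object xmlns="{IND}" id="oval:ssg-obj_pbkdf2:obj:1" version="1">
    <filepath>/boot/grub2/grub.cfg</filepath>
    <pattern operation="pattern match">^\\s*password_pbkdf2 root grub\\.pbkdf2\\.sha512</pattern>
    <instance datatype="int">1</instance></textfilecontent54_object>
  </objects>
 </oval_definitions>
 <results><system>
  <definitions>
   <definition definition_id="oval:ssg-bootloader_password:def:1" version="1" result="false">
    <criteria operator="AND" result="false">
     <criterion test_ref="oval:ssg-test_superusers:tst:1" result="true"/>
     <criterion test_ref="oval:ssg-test_pbkdf2:tst:1" result="false"/>
    </criteria>
   </definition>
  </definitions>
  <tests>
   <test test_id="oval:ssg-test_superusers:tst:1" version="1" check="all" result="true"/>
   <test test_id="oval:ssg-test_pbkdf2:tst:1" version="1" check="all" result="false"/>
  </tests>
 </system></results>
</oval_results>"""


def _local(tag):
    """Strip the namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _by_id(parent, path, attr="id"):
    """Index the children of a section (definitions/tests/objects) by an id attribute."""
    section = parent.find(path, NS)
    return {} if section is None else {c.get(attr): c for c in section}


def failing_checks(results_xml, rule_substring):
    """Verdict for the first definition whose id contains rule_substring, with every
    criterion that did not evaluate to true resolved to its test and object; None if absent."""
    root = ET.fromstring(results_xml)
    defs, system = root.find("def:oval_definitions", NS), root.find("res:results/res:system", NS)
    if defs is None or system is None:
        return None
    definitions, tests, objects = _by_id(defs, "def:definitions"), _by_id(defs, "def:tests"), _by_id(defs, "def:objects")
    test_results = {tid: t.get("result") for tid, t in _by_id(system, "res:tests", "test_id").items()}
    for def_id, verdict in _by_id(system, "res:definitions", "definition_id").items():
        if rule_substring not in def_id:
            continue
        echoed = definitions.get(def_id)
        title = echoed.find("def:metadata/def:title", NS) if echoed is not None else None
        # criterion comments live only in the echoed definition, not in the verdict tree
        comments = {c.get("test_ref"): c.get("comment", "")
                    for c in (echoed.iter("{%s}criterion" % NS["def"]) if echoed is not None else [])}
        failing = []
        for crit in verdict.iter("{%s}criterion" % NS["res"]):  # walks nested criteria too
            if crit.get("result") == "true":
                continue
            ref = crit.get("test_ref")
            entry = {"test_ref": ref, "result": test_results.get(ref, crit.get("result")),
                     "comment": comments.get(ref, ""), "object_ref": None, "object": {}}
            for child in tests.get(ref, []):  # <object object_ref=.../> inside the test
                if _local(child.tag) == "object":
                    entry["object_ref"] = child.get("object_ref")
            obj = objects.get(entry["object_ref"])
            if obj is not None:  # e.g. filepath, pattern, instance for textfilecontent54
                entry["object"] = {_local(c.tag): (c.text or "").strip() for c in obj}
            failing.append(entry)
        return {"definition_id": def_id, "result": verdict.get("result"),
                "title": title.text if title is not None else "", "failing": failing}
    return None


if __name__ == "__main__":
    # usage: python3 oval_fail.py [ssg-rhel7-oval.xml.result.xml] [rule-name-substring]
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    found = failing_checks(xml_text, sys.argv[2] if len(sys.argv) > 2 else "bootloader_password")
    if found is None:
        sys.exit("no matching definition in results")
    print("%s (%s): %s" % (found["definition_id"], found["title"], found["result"]))
    for f in found["failing"]:
        print("  %s -> %s  # %s" % (f["test_ref"], f["result"], f["comment"]))
        for k, v in f["object"].items():
            print("      %s: %s" % (k, v))
```

On the sample, the output names the one failing criterion and the file path and regex its object checked, which is exactly what is needed to compare against the generated grub.cfg: if the pattern anchors on leading whitespace, a quoted value, or a hash prefix that the file does not contain, that is the mismatch to fix, rather than guessing from the PASS/FAIL line in the XCCDF report. Against a real ssg-rhel7-oval.xml.result.xml the script is run with the file as the first argument and the rule name fragment as the second.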