Escalating it!


https://access.redhat.com/support/cases/#/case/02019325


Dan White | d_e_wh...@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the
universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin &
Hobbes)

On Jan 23, 2018, at 02:56 PM, Dan White <d_e_wh...@icloud.com> wrote:


Something is very wrong here.

[root@jump-linux7 ~]# cat /etc/grub.d/01_users # ORIGINAL
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
EOF

Then I have the output of "grub2-setpassword":

[root@jump-linux7 ~]# cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.yadda-yadda-yadda

So, I copy the hash into /etc/grub.d/01_users:

[root@jump-linux7 ~]# cat /etc/grub.d/01_users
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root grub.pbkdf2.sha512.10000.yadda-yadda-yadda
  fi
fi
EOF

And then run

grub2-mkconfig -o /boot/grub2/grub.cfg

Checking "/boot/grub2/grub.cfg", I find

[root@jump-linux7 ~]# less /boot/grub2/grub.cfg
...
### BEGIN /etc/grub.d/00_tuned ###
set tuned_params=""
set tuned_initrd=""
### END /etc/grub.d/00_tuned ###

### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root grub.pbkdf2.sha512.10000.yadda-yadda-yadda
  fi
fi
### END /etc/grub.d/01_users ###
...

But:

Rule ID: xccdf_org.ssgproject.content_rule_bootloader_password
Result: fail
Identifiers: CCE-27309-4

What the heck?!

Dan White | d_e_wh...@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the
universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin &
Hobbes)
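As an added example (not code from this thread, from the SCAP Security Guide, or from Red Hat), the following Python approximates the acceptance criteria Watson Sato describes further down in the thread: the generated grub.cfg must set superusers to root, admin or administrator and must carry a password_pbkdf2 line whose hash uses the grub.pbkdf2.sha512 key derivation function. It also parses the hash string in the format grub2-mkpasswd-pbkdf2 prints and verifies a candidate password against it with hashlib, which is a practical way to confirm that the hash pasted into 01_users really is the one generated for the intended passphrase. The regular expressions, the extra check that the password_pbkdf2 user matches superusers, and the sample config (the 01_users block from this thread with a hash generated from a throwaway salt in place of the redacted value) are all assumptions of this example, not the rule's own OVAL content; a configuration that passes here but fails the real scan points to something this approximation does not model.

```python
import hashlib
import hmac
import re

# Acceptance criteria as described in this thread (an approximation, not the
# SSG rule's own OVAL content): superusers must be one of these names, and the
# password_pbkdf2 line must use the grub.pbkdf2.sha512 key derivation function.
ALLOWED_SUPERUSERS = {"root", "admin", "administrator"}

SUPERUSERS_RE = re.compile(r'^\s*set\s+superusers=("?)([\w-]+)\1\s*$', re.M)
PBKDF2_RE = re.compile(r'^\s*password_pbkdf2\s+(\S+)\s+(\S+)\s*$', re.M)
# grub.pbkdf2.sha512.<iterations>.<hex salt>.<hex digest>, as grub2-mkpasswd-pbkdf2 prints it
HASH_RE = re.compile(r'^grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$')


def check_grub_cfg(cfg_text):
    """Return (passed, findings) for the text of a generated grub.cfg."""
    findings = []
    su = SUPERUSERS_RE.search(cfg_text)
    if su is None:
        findings.append("no 'set superusers=...' line")
    elif su.group(2) not in ALLOWED_SUPERUSERS:
        findings.append("superusers %r is not one of %s" % (su.group(2), sorted(ALLOWED_SUPERUSERS)))

    pw = PBKDF2_RE.search(cfg_text)
    if pw is None:
        findings.append("no 'password_pbkdf2 <user> <hash>' line")
    else:
        user, hash_str = pw.groups()
        if not hash_str.startswith("grub.pbkdf2.sha512."):
            findings.append("password hash does not use grub.pbkdf2.sha512")
        # Assumed extra check beyond the rule text: the account that gets the
        # password must be the superuser, otherwise the lock protects nothing.
        if su is not None and user != su.group(2):
            findings.append("password_pbkdf2 user %r differs from superusers %r" % (user, su.group(2)))
    return (not findings, findings)


def parse_grub_hash(hash_str):
    """Split a GRUB PBKDF2 hash string into (iterations, salt bytes, digest bytes)."""
    m = HASH_RE.match(hash_str)
    if m is None:
        raise ValueError("not a grub.pbkdf2.sha512 hash: %r" % hash_str)
    return int(m.group(1)), bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))


def make_grub_hash(password, salt, iterations=10000):
    """Build a hash string in the grub2-mkpasswd-pbkdf2 format (64-byte salt and digest, upper-case hex)."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (iterations, salt.hex().upper(), digest.hex().upper())


def verify_grub_hash(hash_str, password):
    """True if password reproduces the digest embedded in hash_str (constant-time compare)."""
    iterations, salt, digest = parse_grub_hash(hash_str)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


# Constructed sample: the 01_users block shown in this thread, with a hash
# generated here from a throwaway salt in place of the redacted "yadda-yadda-yadda".
SAMPLE_HASH = make_grub_hash("example-passphrase", bytes(range(64)))
SAMPLE_GRUB_CFG = """\
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root %s
  fi
fi
### END /etc/grub.d/01_users ###
""" % SAMPLE_HASH

if __name__ == "__main__":
    passed, findings = check_grub_cfg(SAMPLE_GRUB_CFG)
    print("sample grub.cfg:", "pass" if passed else "fail", findings)
    print("passphrase verifies:", verify_grub_hash(SAMPLE_HASH, "example-passphrase"))
```

To run it against a real system, read /boot/grub2/grub.cfg into a string and pass it to check_grub_cfg; the hash functions work directly on the GRUB2_PASSWORD value from /boot/grub2/user.cfg.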

On Jan 23, 2018, at 02:27 PM, Dan White <d_e_wh...@icloud.com> wrote:


Running "grub2-mkconfig -o /boot/grub2/grub.cfg" without making any other
changes made no difference.

Guess I need to tinker with the /etc/grub.d/01_users configuration file.

Dan White | d_e_wh...@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the
universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin &
Hobbes)

On Jan 23, 2018, at 11:16 AM, Dan White <d_e_wh...@icloud.com> wrote:


That helps me troubleshoot.
Thanks.
I will keep y’all informed.
I think I will open a support ticket with Red Hat to attack this from the
opposite direction.

"Sometimes I think the surest sign that intelligent life exists elsewhere in the
universe is that none of it has tried to contact us."

Bill Watterson (Calvin & Hobbes)

On Jan 23, 2018, at 10:10 AM, Watson Yuuma Sato <ws...@redhat.com> wrote:


On 23/01/18 13:29, Dan White wrote:

Scanning some RHEL 7 VMs with the latest/greatest, I am getting a finding
against the Boot Loader Password.

I set it according to this RHEL 7 System Administrator's Guide page and this
Red Hat Solutions page, but the test fails.

Details from the report:

-----------------------------------------------------------------------------
Rule ID: xccdf_org.ssgproject.content_rule_bootloader_password

This rule specifically checks whether '/etc/grub2/grub.cfg' has superusers and
password_pbkdf2 configured.
superusers should be root, admin or administrator, and the password key derivation
function used should be 'grub.pbkdf2.sha512'.
Make sure you have these configured; I couldn't find details about the superuser
and derivation function in the guides you pointed to.

Result: fail

Time:  2018-01-22T14:52:15

Severity:  high

Identifiers and References:
   Identifiers: CCE-27309-4
   References: IA-2(1), IA-5(e), AC-3, 213, SRG-OS-000080-GPOS-00048,
RHEL-07-010480, 1.5.3, 3.4.5

Description :
The grub2 boot loader should have a superuser account and password protection 
enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the 
/etc/grub.d/01_users configuration file.
Since plaintext passwords are a security risk, generate a hash for the pasword 
by running the following command:



          $ grub2-mkpasswd-pbkdf2

When prompted, enter the password that was selected and insert the returned
password hash into the /etc/grub.d/01_users configuration file immediately
after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the
value of password-hash):

          password_pbkdf2 superusers-account password-hash

NOTE: It is recommended not to use common administrator account names like 
root, admin, or administrator for the grub2 superuser account.

To meet FISMA Moderate, the bootloader superuser account and password MUST 
differ from the root account and password. Once the superuser account and 
password have been added, update the grub.cfg file by running:

          grub2-mkconfig -o /boot/grub2/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg 
file as the grub2-mkconfig command overwrites this file.

Rationale
Password protection on the boot loader configuration ensures users with 
physical access cannot trivially alter important bootloader settings. These 
include which kernel to use, and whether to enter single-user mode. For more 
information on how to configure the grub2 superuser account and password, 
please refer to

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html
-----------------------------------------------------------------------------


The link from the Rationale returns a "404", and there is no mention in the
current RHEL 7 System Administrator's Guide about tinkering with the /etc/grub.d/01_users
configuration file other than to say it was necessary in versions prior to RHEL 7.2.



Does the check need to be updated, or do I need to do something other than what is
stated in the Red Hat Documentation?

And y'all have a typo :) that I highlighted in red on the third line of the
description.



Dan White | d_e_wh...@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the
universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin &
Hobbes)

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list





--
Watson Sato
Security Technologies | Red Hat, Inc