"superusers should be root, admin or administrator"
Are you sure it shouldn't be "superusers should NOT be root, admin or
administrator" ?
I changed mine from "root" to "grub.root",
made sure the full hash was in /etc/grub.d/01_users,
re-ran grub2-mkconfig
and then the oscap scan passed.
I can say for certain that the superuser should not be "root"
What else shouldn't it be ?
Dan White | d_e_wh...@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the
universe is that none of it has tried to contact us.” (Bill Waterson: Calvin &
Hobbes)
On Jan 23, 2018, at 10:10 AM, Watson Yuuma Sato <ws...@redhat.com> wrote:
On 23/01/18 13:29, Dan White wrote:
Scanning some RHEL 7 VM's with the latest/greatest, I am getting a finding
against the Boot Loader Password.
I set it according to this RHEL 7 System Administrator's Guide page and this
Red Hat Solutions page, but the test fails.
Details from the report:
-----------------------------------------------------------------------------
Rule ID: xccdf_org.ssgproject.content_rule_bootloader_password
This rule specifically checks if '/etc/grub2/grub.cfg' has superusers and
password_pbkdf2 configured.
superusers should be root, admin or aministrator, and password key derivation
function used should be 'grub.pbkdf2.sha512'.
Make sure you have these configured, I couldn't find details about superuser
and derivation function in pointed guides.
Result: fail
Time: 2018-01-22T14:52:15
Severity: high
Identifiers and References:
Identifiers: CCE-27309-4
References: IA-2(1), IA-5(e), AC-3, 213, SRG-OS-000080-GPOS-00048,
RHEL-07-010480, 1.5.3, 3.4.5
Description :
The grub2 boot loader should have a superuser account and password protection
enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the
/etc/grub.d/01_users configuration file.
Since plaintext passwords are a security risk, generate a hash for the pasword
by running the following command:
$ grub2-mkpasswd-pbkdf2
When prompted, enter the password that was selected and insert the returned
password hash into the /etc/grub.d/01_users configuration file immediately
after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the
value of password-hash):
password_pbkdf2 superusers-account password-hash
NOTE: It is recommended not to use common administrator account names like
root, admin, or administrator for the grub2 superuser account.
To meet FISMA Moderate, the bootloader superuser account and password MUST
differ from the root account and password. Once the superuser account and
password have been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/grub2/grub.cfg
NOTE: Do NOT manually add the superuser account and password to the grub.cfg
file as the grub2-mkconfig command overwrites this file.
Rationale
Password protection on the boot loader configuration ensures users with
physical access cannot trivially alter important bootloader settings. These
include which kernel to use, and whether to enter single-user mode. For more
information on how to configure the grub2 superuser account and password,
please refer to
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html
-----------------------------------------------------------------------------
The link from the.Rationale returns a "404", and there is no mention in the
current RHEL 7 System Administrator's Guide about tinkering with the /etc/grub.d/01_users
configuration file other than to say it was necessary in versions prior to RHEL 7.2
Does the check need to be updated or do I need to do something other than
stated in the Red Hat Documentation ?
And y'all have a typo :) that I highlighted in red on the third line of the
description.
Dan White | d_e_wh...@icloud.com
------------------------------------------------
“Sometimes I think the surest sign that intelligent life exists elsewhere in the
universe is that none of it has tried to contact us.” (Bill Waterson: Calvin &
Hobbes)
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
--
Watson Sato
Security Technologies | Red Hat, Inc
_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
