Hello Greg, the OVAL check from that PR works like this: The whole bootloader_password check is PASS if /boot/grub2/grub.cfg does not exist, otherwise (if it exists) both of the following checks MUST pass: "check both files to account for procedure change in documenation" AND "make sure a superuser is defined in /boot/grub2/grub.cfg".

The "check both files to account for procedure change in documenation" is even more granular (it consists of two parts) and it will report pass only if one or both of the following checks pass: "make sure a password is defined in /boot/grub2/user.cfg" OR "make sure a password is defined in /boot/grub2/grub.cfg".

You can find all the checks in <criterion> element in the bootloader_password.xml OVAL file. To see the specific definition of a test performed for a check just look for the string defined in the test_ref attribute (in <criterion> element).

Rationale about these checks can be found here: https://github.com/OpenSCAP/scap-security-guide/issues/2618 or in the official documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password

Best Regards,
Matus

On Tue, Mar 6, 2018 at 2:57 AM, Greg Silverman <[email protected]> wrote:
> We have been using OSCAP 1.31. In that version, this rule,
> xccdf_org.ssgproject.content_rule_bootloader_password, is checked by
> searching the grub.cfg file for the hash of the password, instead of
> checking for the existence of user.cfg and its contents containing the
> hash. I see in https://github.com/OpenSCAP/scap-security-guide/pull/2619/
> files that there is a change related to checking user.cfg. I cannot quite
> tell what it is doing. Is it saying that checking the user.cfg file is
> sufficient?
>
> Thanks,
>
> Greg Silverman
> Veritas Technologies
> Mountain View, CA
>
> _______________________________________________
> Open-scap-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/open-scap-list
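To make the AND/OR composition Matus describes concrete, here is an added Python audit check (not code from the thread or from the scap-security-guide project) that applies the same decision logic to the contents of grub.cfg and user.cfg. The line patterns it matches (`set superusers=`, `password_pbkdf2 <user> grub.pbkdf2.`, `GRUB2_PASSWORD=grub.pbkdf2.`) are assumptions taken from the RHEL 7 GRUB 2 password procedure, not from the OVAL file, and the sample file contents are constructed.

```python
import re
from pathlib import Path
from typing import Optional

# Assumed markers (RHEL 7 GRUB 2 procedure), not the OVAL file's own test definitions.
SUPERUSER_RE = re.compile(r"^\s*set\s+superusers=", re.M)
GRUB_PW_RE = re.compile(r"^\s*password_pbkdf2\s+\S+\s+grub\.pbkdf2\.sha512\.", re.M)
USER_PW_RE = re.compile(r"^\s*GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.", re.M)


def bootloader_password_check(grub_cfg: Optional[str], user_cfg: Optional[str]) -> bool:
    """Return True (PASS) using the criteria composition described in the thread.

    grub_cfg / user_cfg hold the file contents, or None when the file is absent.
    """
    # Top level: the whole check passes when /boot/grub2/grub.cfg does not exist.
    if grub_cfg is None:
        return True
    # Otherwise both sub-checks must pass (AND).
    superuser_defined = SUPERUSER_RE.search(grub_cfg) is not None
    # "check both files": password in user.cfg OR password hash in grub.cfg.
    pw_in_user_cfg = user_cfg is not None and USER_PW_RE.search(user_cfg) is not None
    pw_in_grub_cfg = GRUB_PW_RE.search(grub_cfg) is not None
    return superuser_defined and (pw_in_user_cfg or pw_in_grub_cfg)


def _read_optional(path: str) -> Optional[str]:
    p = Path(path)
    return p.read_text() if p.is_file() else None


def check_system(boot_dir: str = "/boot/grub2") -> bool:
    """Evaluate the check against a live system (read-only)."""
    return bootloader_password_check(
        _read_optional(f"{boot_dir}/grub.cfg"), _read_optional(f"{boot_dir}/user.cfg")
    )


# Constructed sample contents; the hash text is a placeholder, not a real hash.
GRUB_CFG_SUPERUSER_ONLY = 'set superusers="root"\nexport superusers\n'
GRUB_CFG_WITH_HASH = GRUB_CFG_SUPERUSER_ONLY + "password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER\n"
GRUB_CFG_NO_SUPERUSER = "menuentry 'Linux' {\n  linux16 /vmlinuz\n}\n"
USER_CFG_WITH_PW = "GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.PLACEHOLDER\n"

if __name__ == "__main__":
    print("new procedure (user.cfg):", bootloader_password_check(GRUB_CFG_SUPERUSER_ONLY, USER_CFG_WITH_PW))
    print("old procedure (hash in grub.cfg):", bootloader_password_check(GRUB_CFG_WITH_HASH, None))
    print("superuser but no password:", bootloader_password_check(GRUB_CFG_SUPERUSER_ONLY, None))
```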
