----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Wednesday, March 5, 2014 6:16:55 PM
> Subject: Re: [PATCH] [RHEL/6] When checking GRUB bootloader security
> ("password" directive being present in grub.conf
> configuration file) succeed only in case there's uncommented occurrence
> present
>
> On 3/5/14, 12:13 PM, Jan Lieskovsky wrote:
>
> Hello folks,
>
> another reasonable change originally pointed out by Tomas Heinrich
> for USGCB content, but applicable also against SSG content.
>
> The current bootloader_password.xml OVAL check implementation checks
> for presence of:
>
> password --encrypted .*
>
> string in /etc/grub.conf configuration file. But without having the heading /
> starting anchor defined (IOW explicitly allowing only whitespace characters
> from the beginning of the pattern match string). Therefore it would return
> success for all three of the following cases (which is wrong):
>
> password --encrypted .*
> #password --encrypted .*
> #\tpassword --encrypted .*
>
> Therefore add starting / heading anchor requirement (in the form of ^[\s]*)
> which ensures:
>
> password --encrypted .* will still pass, but
> #password --encrypted .* and
> #\tpassword --encrypted .* will both fail.
>
> Proposed change briefly tested and seems to be working properly.
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> 0001-RHEL-6-When-checking-GRUB-bootloader-security-passwo.patch
>
> From 0a29eb7e7be27191ead7110ee5674ca7156c9f03 Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky <[email protected]>
> Date: Wed, 5 Mar 2014 17:53:35 +0100
> Subject: [PATCH] [RHEL/6] When checking GRUB bootloader security ("password"
>  directive being present in grub.conf configuration file) succeed only in
>  case there's uncommented occurrence present (IOW add heading anchor ensuring
>  occurrences "in-the-middle-of-string" wouldn't meet the requirement)
> > Signed-off-by: Jan Lieskovsky <[email protected]> --- > RHEL/6/input/checks/bootloader_password.xml | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/RHEL/6/input/checks/bootloader_password.xml > b/RHEL/6/input/checks/bootloader_password.xml > index 6545c4d..201c369 100644 > --- a/RHEL/6/input/checks/bootloader_password.xml > +++ b/RHEL/6/input/checks/bootloader_password.xml > @@ -18,7 +18,7 @@ > <ind:textfilecontent54_object id="object_bootloader_password" version="1"> > <ind:path>/etc</ind:path> > <ind:filename>grub.conf</ind:filename> > - <ind:pattern operation="pattern > match">password[\s]+--encrypted[\s]+.*</ind:pattern> > + <ind:pattern operation="pattern > match">^[\s]*password[\s]+--encrypted[\s]+.*</ind:pattern> > <ind:instance datatype="int">1</ind:instance> > </ind:textfilecontent54_object> > </def-group> > -- > 1.8.3.1 > Completely sane. I'm sure there are other regex's like this within the OVAL > code... > > ack.
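Review bot: the tail `--encrypted[\s]+.*` of the new pattern still accepts a `password --encrypted` line that carries no hash at all, because `\s` also matches the newline: `[\s]+` can run from the end of that line onto the next one and `.*` then matches whatever follows there. Restricting the separators to the same line and requiring a non-empty token, e.g. `^[\s]*password[\s]+--encrypted[ \t]+\S+`, closes that gap. Separately, now that `^` is load-bearing, the "briefly tested" run in the cover letter should include a grub.conf where the password directive is not the first line of the file, to confirm the interpreter anchors `^` at each line start rather than only at the start of the file.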
Thanks, Shawn.

Based on:

scap-security-guide]$ grep -A3 -B3 -rHn conf * | grep pattern | grep checks > /tmp/out

search, it looks like you are truly right (at first look there seem to be 30 other cases like this; details in the attached file [some have a starting ^, but don't account for possible leading spaces. Needs a check whether the underlying config file format allows them]).

Unless someone beats me to it, I will go through them case-by-case tomorrow and propose fixes where appropriate / applicable (but at least the cups-based ones seem to be proper candidates. Further testing will tell more though).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Fedora/input/checks/disable_prelink.xml-27- <ind:pattern operation="pattern match">^PRELINKING=no$</ind:pattern>
RHEL/6/input/checks/logwatch_configured_splithosts.xml-21- <ind:pattern operation="pattern match">^[\s]SplitHosts[\s]*=[\s]*yes[\s]*$</ind:pattern>
RHEL/6/input/checks/auditd_data_retention_num_logs.xml-24- <ind:pattern operation="pattern match">^num_logs\s*=\s*(\d+)\s*$</ind:pattern>
RHEL/6/input/checks/auditd_data_retention_max_log_file_action.xml-24- <ind:pattern operation="pattern match">^max_log_file_action\s*=\s*(\S+)\s*$</ind:pattern>
RHEL/6/input/checks/auditd_data_retention_max_log_file.xml-24- <ind:pattern operation="pattern match">^max_log_file\s*=\s*(\d+)\s*$</ind:pattern>
RHEL/6/input/checks/logwatch_configured_hostlimit.xml-22- <ind:pattern operation="pattern match">^[\s]HostLimit[\s]*=[\s]*no[\s]*$</ind:pattern>
RHEL/6/input/checks/auditd_data_retention_action_mail_acct.xml-22- <ind:pattern operation="pattern match">^action_mail_acct\s*=\s*(\S+)\s*$</ind:pattern>
RHEL/6/input/checks/auditd_data_retention_admin_space_left_action.xml-25- <ind:pattern operation="pattern match">^admin_space_left_action\s*=\s*(\S+)\s*$</ind:pattern>
RHEL/6/input/checks/network_ipv6_privacy_extensions.xml-28- <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
RHEL/6/input/checks/network_ipv6_privacy_extensions.xml-29- <ind:pattern operation="pattern match">^IPV6_PRIVACY=rfc3041$</ind:pattern>
RHEL/6/input/checks/disable_prelink.xml-22- <ind:pattern operation="pattern match">^PRELINKING=no$</ind:pattern>
RHEL/6/input/checks/rsyslog_nolisten.xml-25- <ind:pattern operation="pattern match">^\$(?:Input(?:TCP|RELP)|UDP)ServerRun</ind:pattern>
RHEL/6/input/checks/network_ipv6_static_address.xml-28- <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
RHEL/6/input/checks/network_ipv6_static_address.xml-29- <ind:pattern operation="pattern match">^IPV6ADDR=.+$</ind:pattern>
RHEL/6/input/checks/cups_disable_browsing.xml-31- <ind:pattern operation="pattern match">Browsing[\s]+(?:Off|No)</ind:pattern>
RHEL/6/input/checks/cups_disable_browsing.xml-42- <ind:pattern operation="pattern match">BrowseAllow[\s]+(?!none)</ind:pattern>
RHEL/6/input/checks/auditd_data_retention_space_left_action.xml-24- <ind:pattern operation="pattern match">^space_left_action\s*=\s*(\S+)\s*$</ind:pattern>
RHEL/6/input/checks/network_ipv6_disable_rpc.xml-27- <ind:pattern operation="pattern match">^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$</ind:pattern>
RHEL/6/input/checks/network_ipv6_disable_rpc.xml-41- <ind:pattern operation="pattern match">^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$</ind:pattern>
RHEL/6/input/checks/cups_disable_printserver.xml-30- <ind:pattern operation="pattern match">Port[\s]+(\d)+</ind:pattern>
RHEL/6/input/checks/cups_disable_printserver.xml-41- <ind:pattern operation="pattern match">Listen[\s]+(?:localhost|127\.0\.0\.1):(\d)+</ind:pattern>
RHEL/6/input/checks/network_ipv6_default_gateway.xml-28- <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
RHEL/6/input/checks/network_ipv6_default_gateway.xml-29- <ind:pattern operation="pattern match">^IPV6_DEFAULTGW=.+$</ind:pattern>
RHEL/6/input/checks/iptables_sshd_disabled.xml-26- <ind:pattern operation="pattern match">^-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT$</ind:pattern>
RHEL/6/input/checks/iptables_sshd_disabled.xml-38- <ind:pattern operation="pattern match">^-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT$</ind:pattern>
RHEL/6/input/checks/audit_rules_networkconfig_modification.xml-36- <ind:pattern operation="pattern match">^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+sethostname\s+\-S\s+setdomainname\s+\-k\s+[-\w]+\s*$</ind:pattern>
RHEL/6/input/checks/audit_rules_networkconfig_modification.xml-41- <ind:pattern operation="pattern match">^\-w\s+/etc/issue\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$</ind:pattern>
RHEL/6/input/checks/audit_rules_networkconfig_modification.xml-46- <ind:pattern operation="pattern match">^\-w\s+/etc/issue\.net\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$</ind:pattern>
RHEL/6/input/checks/audit_rules_networkconfig_modification.xml-51- <ind:pattern operation="pattern match">^\-w\s+/etc/hosts\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$</ind:pattern>
RHEL/6/input/checks/audit_rules_networkconfig_modification.xml:56: <ind:pattern operation="pattern match">^\-w\s+/etc/sysconfig/network\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$</ind:pattern>
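The following is an added worked example, not code from the thread or from the scap-security-guide project. It reproduces the behaviour the patch fixes (the old `bootloader_password.xml` pattern passing on commented-out `password` lines) and then applies the leading-anchor triage Jan describes for the attached grep output to a subset of those patterns. It assumes that the OVAL interpreter applies a `textfilecontent54` pattern across the whole file with `^` and `$` matching at line boundaries (the `multiline` behavior that OVAL 5.10 defaults to), and that Python's `re.MULTILINE` is equivalent for these patterns; the grub.conf and logwatch.conf contents and the hash values are constructed.

```python
import re

# Emulates an OVAL textfilecontent54 "pattern match": the regex is run over
# the whole file with ^ and $ anchoring at line boundaries.  Assumption: the
# interpreter's default multiline behavior corresponds to re.MULTILINE here.
def oval_matches(pattern, text):
    """Return every match of `pattern` in `text`, one entry per occurrence."""
    return [m.group(0) for m in re.finditer(pattern, text, re.MULTILINE)]


OLD_PATTERN = r"password[\s]+--encrypted[\s]+.*"         # bootloader_password.xml before the patch
NEW_PATTERN = r"^[\s]*password[\s]+--encrypted[\s]+.*"   # bootloader_password.xml after the patch
SPLITHOSTS_PATTERN = r"^[\s]SplitHosts[\s]*=[\s]*yes[\s]*$"  # logwatch_configured_splithosts.xml-21

# Constructed grub.conf contents (not from a real system); hashes are placeholders.
GRUB_CONF_COMMENTED = (
    "default=0\n"
    "timeout=5\n"
    "#password --encrypted $6$saltsalt$placeholderhash\n"
    "#\tpassword --encrypted $6$saltsalt$placeholderhash\n"
    "title Linux\n"
    "\troot (hd0,0)\n"
)
GRUB_CONF_SET = (
    "default=0\n"
    "timeout=5\n"
    "password --encrypted $6$saltsalt$placeholderhash\n"
    "title Linux\n"
    "\troot (hd0,0)\n"
)


def bootloader_password_set(grub_conf, pattern=NEW_PATTERN):
    """Mirror the OVAL object: pass iff instance 1 (at least one match) exists."""
    return len(oval_matches(pattern, grub_conf)) >= 1


# Leading-anchor triage for a list of OVAL patterns, following the cases the
# reply above distinguishes: no ^ at all, ^ plus optional whitespace, ^ plus
# mandatory whitespace, or ^ glued directly to the directive.
_LEADING_WS = re.compile(r"\^(?:\[\\s\]|\\s)(?P<q>[*+?])?")


def classify_anchor(pattern):
    """
    unanchored      : no ^, so '#Directive' inside a comment also matches
    ok              : ^ followed by [\\s]* or \\s*, leading whitespace tolerated
    ws-required     : ^ followed by [\\s] or [\\s]+, a directive at column 0 is missed
    anchored-strict : ^ directly before the directive; fine only if the file
                      format forbids leading whitespace
    """
    if not pattern.startswith("^"):
        return "unanchored"
    m = _LEADING_WS.match(pattern)
    if m is None:
        return "anchored-strict"
    if m.group("q") == "*":
        return "ok"
    return "ws-required"


def audit(patterns):
    """Map each (location -> pattern) entry to its anchor classification."""
    return {loc: classify_anchor(p) for loc, p in patterns.items()}


# A subset of the attached grep output, keyed by file and line as listed there.
ATTACHED_PATTERNS = {
    "RHEL/6/input/checks/bootloader_password.xml (old)": OLD_PATTERN,
    "RHEL/6/input/checks/bootloader_password.xml (new)": NEW_PATTERN,
    "RHEL/6/input/checks/logwatch_configured_splithosts.xml-21": SPLITHOSTS_PATTERN,
    "RHEL/6/input/checks/disable_prelink.xml-22": r"^PRELINKING=no$",
    "RHEL/6/input/checks/cups_disable_browsing.xml-31": r"Browsing[\s]+(?:Off|No)",
    "RHEL/6/input/checks/cups_disable_printserver.xml-30": r"Port[\s]+(\d)+",
    "RHEL/6/input/checks/rsyslog_nolisten.xml-25": r"^\$(?:Input(?:TCP|RELP)|UDP)ServerRun",
}

if __name__ == "__main__":
    for name, pat in (("old", OLD_PATTERN), ("new", NEW_PATTERN)):
        print(name, "pattern on a grub.conf with only commented password lines ->",
              bootloader_password_set(GRUB_CONF_COMMENTED, pat))
    for loc, verdict in audit(ATTACHED_PATTERNS).items():
        print(f"{verdict:16} {loc}")
```

The `SplitHosts` entry is worth running through `oval_matches` as well: `^[\s]SplitHosts` has an anchor but no quantifier after `[\s]`, so it only matches when exactly one whitespace character precedes the directive and misses `SplitHosts = yes` written at column 0. That is the opposite failure from the unanchored cups patterns, which is why the triage keeps "ws-required" separate from "anchored-strict".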
