subject:"Re\: \[Open\-scap\] RHEL 7 GRUB2 boot password"

Re: [Open-scap] RHEL 7 GRUB2 boot password

2018-01-25 Thread Dan White

So then the description should be updated from

NOTE: It is recommended not to use common administrator account names like 
root, admin, or administrator for the grub2 superuser account.

to something like 

Do not use root, admin, or administrator for the grub2 superuser account.  The 
check will fail. 

Would you agree ?
Does an issue/bug need to be created for this to happen ?

"Sometimes I think the surest sign that intelligent life exists elsewhere in 
the universe is that none of it has tried to contact us."
Bill Waterson (Calvin & Hobbes)

> On Jan 25, 2018, at 4:26 AM, Watson Yuuma Sato  wrote:
> 
>> On 24/01/18 21:05, Dan White wrote:
>> "superusers should be root, admin or administrator"
>> 
>> Are you sure it shouldn't be "superusers should NOT be root, admin or 
>> administrator" ?
> 
> You are correct, the superuser should not be root, admin nor administrator.
>> 
>> I changed mine from "root" to "grub.root",
>> made sure the full hash was in /etc/grub.d/01_users,
>> re-ran grub2-mkconfig 
>> and then the oscap scan passed.
>> 
>> I can say for certain that the superuser should not be "root"
>> What else shouldn't it be ?
> Current check only cares about the users mentioned above.
> -- 
> Watson Sato
> Security Technologies | Red Hat, Inc
> ___
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] RHEL 7 GRUB2 boot password

2018-01-24 Thread Dan White


"superusers should be root, admin or administrator"



Are you sure it shouldn't be "superusers should NOT be root, admin or 
administrator" ?



I changed mine from "root" to "grub.root",
made sure the full hash was in /etc/grub.d/01_users,
re-ran grub2-mkconfig 

and then the oscap scan passed.



I can say for certain that the superuser should not be "root"

What else shouldn't it be ?



Dan White | d_e_wh...@icloud.com

“Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us.”  (Bill Waterson: Calvin & 
Hobbes)

On Jan 23, 2018, at 10:10 AM, Watson Yuuma Sato  wrote:


On 23/01/18 13:29, Dan White wrote:

Scanning some RHEL 7 VM's with the latest/greatest, I am getting a finding 
against the Boot Loader Password.



I set it according to this RHEL 7 System Administrator's Guide page and this 
Red Hat Solutions page, but the test fails.



Details from the report:

-
Rule ID: xccdf_org.ssgproject.content_rule_bootloader_password

This rule specifically checks if '/etc/grub2/grub.cfg'  has superusers and 
password_pbkdf2 configured.
superusers should be root, admin or aministrator, and password key derivation 
function used should be 'grub.pbkdf2.sha512'.
Make sure you have these configured, I couldn't find details about superuser 
and derivation function in pointed guides.



Result: fail



Time:  2018-01-22T14:52:15



Severity:  high



Identifiers and References:
   Identifiers: CCE-27309-4
   References: IA-2(1), IA-5(e), AC-3, 213, SRG-OS-80-GPOS-00048, 
RHEL-07-010480, 1.5.3, 3.4.5



Description :
The grub2 boot loader should have a superuser account and password protection 
enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the 
/etc/grub.d/01_users configuration file.
Since plaintext passwords are a security risk, generate a hash for the pasword 
by running the following command:



  $ grub2-mkpasswd-pbkdf2



When prompted, enter the password that was selected and insert the returned 
password hash into the /etc/grub.d/01_users configuration file immediately 
after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the 
value of password-hash):



  password_pbkdf2 superusers-account password-hash



NOTE: It is recommended not to use common administrator account names like 
root, admin, or administrator for the grub2 superuser account.

To meet FISMA Moderate, the bootloader superuser account and password MUST 
differ from the root account and password. Once the superuser account and 
password have been added, update the grub.cfg file by running:

  grub2-mkconfig -o /boot/grub2/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg 
file as the grub2-mkconfig command overwrites this file.

Rationale
Password protection on the boot loader configuration ensures users with 
physical access cannot trivially alter important bootloader settings. These 
include which kernel to use, and whether to enter single-user mode. For more 
information on how to configure the grub2 superuser account and password, 
please refer to

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html
-


The link from the.Rationale returns a "404", and there is no mention in the 
current RHEL 7 System Administrator's Guide about tinkering with the /etc/grub.d/01_users 
configuration file other than to say it was necessary in versions prior to RHEL 7.2



Does the check need to be updated or do I need to do something other than 
stated in the Red Hat Documentation ?

And y'all have a typo :) that I highlighted in red on the third line of the 
description.



Dan White | d_e_wh...@icloud.com

“Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us.”  (Bill Waterson: Calvin & 
Hobbes)




___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list





--
Watson Sato
Security Technologies | Red Hat, Inc___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] RHEL 7 GRUB2 boot password

2018-01-23 Thread Dan White


Something is very wrong here



[root@jump-linux7 ~]# cat /etc/grub.d/01_users # ORIGINAL
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
EOF



Then I have the output of "grub2-setpassword" :



[root@jump-linux7 ~]# cat /boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.1.yadda-yadda-yadda



So, I copy the hash into /etc/grub.d/01_users :



[root@jump-linux7 ~]# cat /etc/grub.d/01_users
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root grub.pbkdf2.sha512.1.yadda-yadda-yadda
  fi
fi
EOF



And then run

grub2-mkconfig -o /boot/grub2/grub.cfg



Checking "/boot/grub2/grub.cfg", I find


[root@jump-linux7 ~]# less /boot/grub2/grub.cfg
...
### BEGIN /etc/grub.d/00_tuned ###
set tuned_params=""
set tuned_initrd=""
### END /etc/grub.d/00_tuned ###

### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root grub.pbkdf2.sha512.1.yadda-yadda-yadda
  fi
fi
### END /etc/grub.d/01_users ###
...



But :

Rule ID: xccdf_org.ssgproject.content_rule_bootloader_password
Result: fail
Identifiers: CCE-27309-4


What the heck ?!



Dan White | d_e_wh...@icloud.com

“Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us.”  (Bill Waterson: Calvin & 
Hobbes)

On Jan 23, 2018, at 02:27 PM, Dan White  wrote:


Running "grub2-mkconfig -o /boot/grub2/grub.cfg" without making any other 
changes made no difference

Guess I need to tinker with the /etc/grub.d/01_users configuration file.



Dan White | d_e_wh...@icloud.com

“Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us.”  (Bill Waterson: Calvin & 
Hobbes)

On Jan 23, 2018, at 11:16 AM, Dan White  wrote:


That helps me trouble shoot. 
Thanks. 
I will keep y’all informed. 
I think I will open a support ticket with Red Hat to attack this from the 
opposite direction. 



"Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us."

Bill Waterson (Calvin & Hobbes)


On Jan 23, 2018, at 10:10 AM, Watson Yuuma Sato  wrote:


On 23/01/18 13:29, Dan White wrote:

Scanning some RHEL 7 VM's with the latest/greatest, I am getting a finding 
against the Boot Loader Password.



I set it according to this RHEL 7 System Administrator's Guide page and this 
Red Hat Solutions page, but the test fails.



Details from the report:

-
Rule ID: xccdf_org.ssgproject.content_rule_bootloader_password

This rule specifically checks if '/etc/grub2/grub.cfg'  has superusers and 
password_pbkdf2 configured.
superusers should be root, admin or aministrator, and password key derivation 
function used should be 'grub.pbkdf2.sha512'.
Make sure you have these configured, I couldn't find details about superuser 
and derivation function in pointed guides.



Result: fail



Time:  2018-01-22T14:52:15



Severity:  high



Identifiers and References:
   Identifiers: CCE-27309-4
   References: IA-2(1), IA-5(e), AC-3, 213, SRG-OS-80-GPOS-00048, 
RHEL-07-010480, 1.5.3, 3.4.5



Description :
The grub2 boot loader should have a superuser account and password protection 
enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the 
/etc/grub.d/01_users configuration file.
Since plaintext passwords are a security risk, generate a hash for the pasword 
by running the following command:



  $ grub2-mkpasswd-pbkdf2



When prompted, enter the password that was selected and insert the returned 
password hash into the /etc/grub.d/01_users configuration file immediately 
after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the 
value of password-hash):



  password_pbkdf2 superusers-account password-hash



NOTE: It is recommended not to use common administrator account names like 
root, admin, or administrator for the grub2 superuser account.

To meet FISMA Moderate, the bootloader superuser account and password MUST 
differ from the root account and password. Once the superuser account and 
password have been added, update the grub.cfg file by running:

  grub2-mkconfig -o /boot/grub2/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the

Re: [Open-scap] RHEL 7 GRUB2 boot password

2018-01-23 Thread Dan White


Running "grub2-mkconfig -o /boot/grub2/grub.cfg" without making any other 
changes made no difference

Guess I need to tinker with the /etc/grub.d/01_users configuration file.



Dan White | d_e_wh...@icloud.com

“Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us.”  (Bill Waterson: Calvin & 
Hobbes)

On Jan 23, 2018, at 11:16 AM, Dan White  wrote:


That helps me trouble shoot. 
Thanks. 
I will keep y’all informed. 
I think I will open a support ticket with Red Hat to attack this from the 
opposite direction. 



"Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us."

Bill Waterson (Calvin & Hobbes)


On Jan 23, 2018, at 10:10 AM, Watson Yuuma Sato  wrote:


On 23/01/18 13:29, Dan White wrote:

Scanning some RHEL 7 VM's with the latest/greatest, I am getting a finding 
against the Boot Loader Password.



I set it according to this RHEL 7 System Administrator's Guide page and this 
Red Hat Solutions page, but the test fails.



Details from the report:

-
Rule ID: xccdf_org.ssgproject.content_rule_bootloader_password

This rule specifically checks if '/etc/grub2/grub.cfg'  has superusers and 
password_pbkdf2 configured.
superusers should be root, admin or aministrator, and password key derivation 
function used should be 'grub.pbkdf2.sha512'.
Make sure you have these configured, I couldn't find details about superuser 
and derivation function in pointed guides.



Result: fail



Time:  2018-01-22T14:52:15



Severity:  high



Identifiers and References:
   Identifiers: CCE-27309-4
   References: IA-2(1), IA-5(e), AC-3, 213, SRG-OS-80-GPOS-00048, 
RHEL-07-010480, 1.5.3, 3.4.5



Description :
The grub2 boot loader should have a superuser account and password protection 
enabled to protect boot-time settings.
To do so, select a superuser account and password and add them into the 
/etc/grub.d/01_users configuration file.
Since plaintext passwords are a security risk, generate a hash for the pasword 
by running the following command:



  $ grub2-mkpasswd-pbkdf2



When prompted, enter the password that was selected and insert the returned 
password hash into the /etc/grub.d/01_users configuration file immediately 
after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the 
value of password-hash):



  password_pbkdf2 superusers-account password-hash



NOTE: It is recommended not to use common administrator account names like 
root, admin, or administrator for the grub2 superuser account.

To meet FISMA Moderate, the bootloader superuser account and password MUST 
differ from the root account and password. Once the superuser account and 
password have been added, update the grub.cfg file by running:

  grub2-mkconfig -o /boot/grub2/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg 
file as the grub2-mkconfig command overwrites this file.

Rationale
Password protection on the boot loader configuration ensures users with 
physical access cannot trivially alter important bootloader settings. These 
include which kernel to use, and whether to enter single-user mode. For more 
information on how to configure the grub2 superuser account and password, 
please refer to

https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html
-


The link from the.Rationale returns a "404", and there is no mention in the 
current RHEL 7 System Administrator's Guide about tinkering with the /etc/grub.d/01_users 
configuration file other than to say it was necessary in versions prior to RHEL 7.2



Does the check need to be updated or do I need to do something other than 
stated in the Red Hat Documentation ?

And y'all have a typo :) that I highlighted in red on the third line of the 
description.



Dan White | d_e_wh...@icloud.com

“Sometimes I think the surest sign that intelligent life exists elsewhere in the 
universe is that none of it has tried to contact us.”  (Bill Waterson: Calvin & 
Hobbes)




___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list





--
Watson Sato
Security Technologies | Red Hat, Inc
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] RHEL 7 GRUB2 boot password

Re: [Open-scap] RHEL 7 GRUB2 boot password

Re: [Open-scap] RHEL 7 GRUB2 boot password

Re: [Open-scap] RHEL 7 GRUB2 boot password

4 matches

Site Navigation

Mail list logo

Footer information