That helps me troubleshoot.
Thanks. 
I will keep y’all informed. 
I think I will open a support ticket with Red Hat to attack this from the 
opposite direction. 

"Sometimes I think the surest sign that intelligent life exists elsewhere in 
the universe is that none of it has tried to contact us."
Bill Watterson (Calvin & Hobbes)

> On Jan 23, 2018, at 10:10 AM, Watson Yuuma Sato <ws...@redhat.com> wrote:
> 
>> On 23/01/18 13:29, Dan White wrote:
>> Scanning some RHEL 7 VM's with the latest/greatest, I am getting a finding 
>> against the Boot Loader Password.
>> 
>> I set it according to this RHEL 7 System Administrator's Guide page and this 
>> Red Hat Solutions page, but the test fails.
>> 
>> Details from the report:
>> -----------------------------------------------------------------------------
>> Rule ID: xccdf_org.ssgproject.content_rule_bootloader_password
> This rule specifically checks if '/etc/grub2/grub.cfg'  has superusers and 
> password_pbkdf2 configured.
> superusers should be root, admin or administrator, and password key derivation 
> function used should be 'grub.pbkdf2.sha512'.
> Make sure you have these configured, I couldn't find details about superuser 
> and derivation function in pointed guides.
>> 
>> Result: fail
>> 
>> Time:  2018-01-22T14:52:15
>> 
>> Severity:  high
>> 
>> Identifiers and References: 
>>    Identifiers: CCE-27309-4
>>    References: IA-2(1), IA-5(e), AC-3, 213, SRG-OS-000080-GPOS-00048, 
>> RHEL-07-010480, 1.5.3, 3.4.5
>> 
>> Description :
>> The grub2 boot loader should have a superuser account and password 
>> protection enabled to protect boot-time settings.
>> To do so, select a superuser account and password and add them into the 
>> /etc/grub.d/01_users configuration file.
>> Since plaintext passwords are a security risk, generate a hash for the 
>> pasword by running the following command:
>> 
>>           $ grub2-mkpasswd-pbkdf2
>> 
>> When prompted, enter the password that was selected and insert the returned 
>> password hash into the /etc/grub.d/01_users configuration file immediately 
>> after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as 
>> the value of password-hash):
>> 
>>           password_pbkdf2 superusers-account password-hash
>> 
>> NOTE: It is recommended not to use common administrator account names like 
>> root, admin, or administrator for the grub2 superuser account.
>> 
>> To meet FISMA Moderate, the bootloader superuser account and password MUST 
>> differ from the root account and password. Once the superuser account and 
>> password have been added, update the grub.cfg file by running:
>> 
>>           grub2-mkconfig -o /boot/grub2/grub.cfg
>> 
>> NOTE: Do NOT manually add the superuser account and password to the grub.cfg 
>> file as the grub2-mkconfig command overwrites this file.
>> 
>> Rationale 
>> Password protection on the boot loader configuration ensures users with 
>> physical access cannot trivially alter important bootloader settings. These 
>> include which kernel to use, and whether to enter single-user mode. For more 
>> information on how to configure the grub2 superuser account and password, 
>> please refer to
>> 
>> https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html
>> -----------------------------------------------------------------------------
>> 
>> The link from the Rationale returns a "404", and there is no mention in the 
>> current RHEL 7 System Administrator's Guide about tinkering with the 
>> /etc/grub.d/01_users configuration file other than to say it was necessary 
>> in versions prior to RHEL 7.2
>> 
>> Does the check need to be updated or do I need to do something other than 
>> stated in the Red Hat Documentation ?
>> And y'all have a typo :) that I highlighted in red on the third line of the 
>> description.
>> 
>> Dan White | d_e_wh...@icloud.com
>> ------------------------------------------------
>> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
>> the universe is that none of it has tried to contact us.”  (Bill Watterson: 
>> Calvin & Hobbes)
>> 
>> 
>> _______________________________________________
>> Open-scap-list mailing list
>> Open-scap-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/open-scap-list
> 
> -- 
> Watson Sato
> Security Technologies | Red Hat, Inc
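As an added example (not from this thread, nor from the OpenSCAP/SCAP Security Guide project): a small Python checker that mirrors what Watson says the rule looks for in grub.cfg (a `superusers` setting plus a `password_pbkdf2` entry for that user whose hash uses `grub.pbkdf2.sha512`), together with a helper that produces and verifies the hash format `grub2-mkpasswd-pbkdf2` prints, so an admin can confirm the generated grub.cfg before re-running the scan. The superuser name, password and config fragments are constructed for the example.

```python
import hashlib
import hmac
import os
import re

COMMON_NAMES = {"root", "admin", "administrator"}  # names the rule's NOTE warns against


def grub_pbkdf2_hash(password, salt=None, iterations=10000):
    """Hash in the format grub2-mkpasswd-pbkdf2 prints:
    grub.pbkdf2.sha512.<iterations>.<salt hex>.<digest hex> (uppercase hex)."""
    salt = salt if salt is not None else os.urandom(64)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (iterations, salt.hex().upper(), digest.hex().upper())


def grub_pbkdf2_verify(password, hash_string):
    """Recompute PBKDF2-HMAC-SHA512 from the stored salt/iterations and compare."""
    parts = hash_string.split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        return False
    iterations, salt, digest = int(parts[3]), bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    computed = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=len(digest))
    return hmac.compare_digest(computed, digest)


def check_bootloader_password(cfg_text):
    """Mirror the rule: grub.cfg must set superusers and carry a password_pbkdf2
    entry for each of them whose hash is grub.pbkdf2.sha512. Returns findings."""
    m = re.search(r'^\s*set\s+superusers=["\']?([^"\'\s]+)', cfg_text, re.M)
    superusers = m.group(1).split(",") if m else []
    entries = dict(re.findall(r'^\s*password_pbkdf2\s+(\S+)\s+(\S+)', cfg_text, re.M))
    issues = [] if superusers else ["superusers is not set"]
    for user in superusers:
        h = entries.get(user, "")
        if not h:
            issues.append("no password_pbkdf2 entry for %s" % user)
        elif not h.startswith("grub.pbkdf2.sha512."):
            issues.append("%s: hash is not grub.pbkdf2.sha512 (got %r)" % (user, h[:24]))
    common = sorted(COMMON_NAMES & set(superusers))
    return {"pass": not issues, "superusers": superusers, "issues": issues,
            "common_name_warning": common}


# Constructed sample fragments (what grub2-mkconfig copies from 01_users);
# the password, salt and superuser name are made up for this example.
DEMO_HASH = grub_pbkdf2_hash("example-only", salt=bytes(range(64)), iterations=10000)
GOOD_CFG = 'set superusers="bootadmin"\nexport superusers\npassword_pbkdf2 bootadmin %s\n' % DEMO_HASH
BAD_CFG = 'set superusers="root"\npassword root plaintext-secret\n'

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(name, check_bootloader_password(cfg))
```

Run it against the real file with `check_bootloader_password(open("/boot/grub2/grub.cfg").read())` to see exactly which of the rule's conditions the generated config misses.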