On 3/5/14, 12:13 PM, Jan Lieskovsky wrote:
Hello folks,

   another reasonable change originally pointed out by Tomas Heinrich
for USGCB content, but applicable also against SSG content.

The current bootloader_password.xml OVAL check implementation checks
for presence of:

   password --encrypted .*

string in /etc/grub.conf configuration file. But without having the heading /
starting anchor defined (IOW explicitly allowing only whitespace characters
from the beginning of the pattern match string). Therefore it would return
success for all three of the following cases (which is wrong):

   password --encrypted .*
   #password --encrypted .*
   #\tpassword --encrypted .*

Therefore add starting / heading anchor requirement (in the form of ^[\s]*)
which ensures:

   password --encrypted .*         will still pass, but
   #password --encrypted .*        and
   #\tpassword --encrypted .*      will both fail.

Proposed change briefly tested and seems to be working properly.

Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

0001-RHEL-6-When-checking-GRUB-bootloader-security-passwo.patch


 From 0a29eb7e7be27191ead7110ee5674ca7156c9f03 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<[email protected]>
Date: Wed, 5 Mar 2014 17:53:35 +0100
Subject: [PATCH] [RHEL/6] When checking GRUB bootloader security ("password"
  directive being present in grub.conf configuration file) succeed only in case
  there's uncommented occurrence present (IOW add heading anchor ensuring
  occurrences "in-the-middle-of-string" wouldn't meet the requirement)

Signed-off-by: Jan Lieskovsky<[email protected]>
---
  RHEL/6/input/checks/bootloader_password.xml | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/RHEL/6/input/checks/bootloader_password.xml 
b/RHEL/6/input/checks/bootloader_password.xml
index 6545c4d..201c369 100644
--- a/RHEL/6/input/checks/bootloader_password.xml
+++ b/RHEL/6/input/checks/bootloader_password.xml
@@ -18,7 +18,7 @@
    <ind:textfilecontent54_object id="object_bootloader_password" version="1">
      <ind:path>/etc</ind:path>
      <ind:filename>grub.conf</ind:filename>
-    <ind:pattern operation="pattern 
match">password[\s]+--encrypted[\s]+.*</ind:pattern>
+    <ind:pattern operation="pattern 
match">^[\s]*password[\s]+--encrypted[\s]+.*</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </def-group>
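Review bot: the trailing `[\s]+.*` in the new pattern still matches a line with nothing after `--encrypted` (for example `password --encrypted ` followed only by whitespace), so the check can report a pass for a directive that carries no hash; consider ending the pattern with `\S+` instead of `.*`, i.e. `^[\s]*password[\s]+--encrypted[\s]+\S+`, so at least one non-whitespace character must follow `--encrypted`. Note also that `[\s]` includes newline, so `^[\s]*` can begin at an earlier blank line and run across it; that does not change the pass/fail outcome because `^` must still sit at a line start, but `^\s*` reads more clearly and `[\s]` can be written `\s` throughout. The fix relies on `^` matching at the start of every line rather than only the start of the file, which is worth stating in the commit message since that is what turns the commented variants into non-matches.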
-- 1.8.3.1
Completely sane. I'm sure there are other regexes like this within the OVAL code...

ack.
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
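The following is an added example, not code from the thread or from the scap-security-guide project. It applies the pre-patch and post-patch patterns quoted above to a constructed grub.conf (the file contents and hashes are made up here) the way an OVAL textfilecontent54 pattern match does, with `re.MULTILINE` standing in for the assumption, made by the patch itself, that `^` matches at the start of every line rather than only at the start of the file. It shows the three cases from the message: the unanchored pattern accepts both commented variants, the anchored one accepts only the live directive.

```python
import re

# Constructed sample of a legacy GRUB /etc/grub.conf for this example.
# Only the third "password" line is live; the two before it are comments
# (one with a tab between "#" and the directive), matching the cases in
# the mailing-list message.
SAMPLE_GRUB_CONF = """\
default=0
timeout=5
#password --encrypted $6$commentedout$nothash
#\tpassword --encrypted $6$tabbedcomment$nothash
password --encrypted $6$saltsalt$livehash
title CentOS (2.6.32-431.el6.x86_64)
\troot (hd0,0)
"""

# Patterns copied from the OVAL check before and after the patch.
OLD_PATTERN = r"password[\s]+--encrypted[\s]+.*"
NEW_PATTERN = r"^[\s]*password[\s]+--encrypted[\s]+.*"


def matches(pattern, text):
    """Return every substring the pattern matches in the file contents.

    re.MULTILINE makes ^ match after each newline, which is the behaviour
    the anchored pattern depends on (assumption about the OVAL engine).
    Without DOTALL, the trailing .* stops at the end of the line, so each
    match is confined to one line of grub.conf.
    """
    return [m.group(0) for m in re.finditer(pattern, text, re.MULTILINE)]


def check_bootloader_password(text, pattern=NEW_PATTERN):
    """Mimic the OVAL object: pass if instance 1 of the pattern exists."""
    return len(matches(pattern, text)) >= 1


def commented_matches(pattern, text):
    """Which matched directives sit on a commented-out line?

    A match is considered commented when the line it was found on has a
    '#' before the match start, i.e. the match did not begin at the first
    non-whitespace character of its line.
    """
    commented = []
    for m in re.finditer(pattern, text, re.MULTILINE):
        line_start = text.rfind("\n", 0, m.start()) + 1
        prefix = text[line_start:m.start()]
        if prefix.strip() != "":
            commented.append(text[line_start:m.end()])
    return commented


if __name__ == "__main__":
    for name, pat in (("old", OLD_PATTERN), ("new", NEW_PATTERN)):
        found = matches(pat, SAMPLE_GRUB_CONF)
        bad = commented_matches(pat, SAMPLE_GRUB_CONF)
        print(f"{name}: {len(found)} match(es), {len(bad)} on commented lines,"
              f" check passes={check_bootloader_password(SAMPLE_GRUB_CONF, pat)}")
```

Running it shows the old pattern producing three matches, two of them on commented lines, while the new pattern produces exactly the one live directive; a grub.conf containing only a commented `#password --encrypted ...` line passes the old check and fails the new one, which is the behaviour the patch sets out to get.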
