permissions for /boot/grub2

drwx------. 6 root root     4096 Mar 27 09:58 grub2


permissions for grub.cfg

-rw-r--r--. 1 root root 4323 Mar 27 09:58 /boot/grub2/grub.cfg


cat of /etc/grub.d/01_users

#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n \${GRUB2_PASSWORD} ]; then
    set superusers="alr"
    export superusers
    password_pbkdf2 alr \${GRUB2_PASSWORD}
  fi
fi
EOF

I ran 'grub2-setpassword' to generate the password in the user.cfg and
then ran 'grub2-mkconfig -o /boot/grub2/grub.cfg' to make a new grub
config file. I then run the scan as root with the following command:

oscap xccdf eval --profile stig-rhel7-server-upstream --oval-results \
    --results-arf `hostname`-`date +$F%H%M`-arf-scan-oval-results.xml \
    --report `hostname`-`date +$F%H%M`-scan-xccdf-report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml


Let me know how you want the html output provided; the report is 3M,
which I don't think is appropriate for pushing out to the distro.

Thanks.

-Al
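
As an added example (not part of the original message, and not SSG or OpenSCAP code), these shell functions check the items asked about in this thread: the superusers set in a generated grub.cfg, the matching password_pbkdf2 entry, the hash grub2-setpassword stores in user.cfg, and the file mode. The function names and the sample files are constructed for illustration.

```shell
# Added example, not from the thread. Paths are arguments; on the system
# discussed they would be /boot/grub2/grub.cfg and /boot/grub2/user.cfg.

# Print the first superusers value set in a generated grub.cfg.
grub_superusers() {
    sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed if grub.cfg carries a password_pbkdf2 entry for user $2.
grub_has_pbkdf2_for() {
    grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$2[[:space:]]" "$1"
}

# Succeed if user.cfg holds a PBKDF2 hash, as grub2-setpassword writes it.
user_cfg_has_hash() { grep -q '^GRUB2_PASSWORD=grub\.pbkdf2\.' "$1"; }

# Permission string in ls form, e.g. -rw-r--r-- (trailing SELinux dot dropped).
mode_string() { ls -ld "$1" | cut -c1-10; }

# One-line summary; non-zero status when any piece is missing or unreadable.
audit_grub() {
    cfg=$1 ucfg=$2
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }
    su=$(grub_superusers "$cfg")
    [ -n "$su" ] || { echo "FAIL: no superusers set"; return 1; }
    grub_has_pbkdf2_for "$cfg" "$su" || { echo "FAIL: no password_pbkdf2 for $su"; return 1; }
    user_cfg_has_hash "$ucfg" || { echo "FAIL: no hash in $ucfg"; return 1; }
    echo "OK: superusers=$su mode=$(mode_string "$cfg")"
}

# Constructed sample files mirroring the 01_users output shown above.
make_sample() {
    mkdir -p "$1"
    cat > "$1/grub.cfg" << 'EOF'
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n ${GRUB2_PASSWORD} ]; then
    set superusers="alr"
    export superusers
    password_pbkdf2 alr ${GRUB2_PASSWORD}
  fi
fi
EOF
    echo 'GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.CONSTRUCTED-NOT-A-REAL-HASH' > "$1/user.cfg"
    chmod 644 "$1/grub.cfg"
}

# Demo on the constructed sample; prints the OK summary line.
d=$(mktemp -d) && make_sample "$d" && audit_grub "$d/grub.cfg" "$d/user.cfg"; rm -rf "$d"
```
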


On 3/23/17 10:19 PM, Gabe Alford wrote:
> Can you provide the HTML output at all? Also permissions of
> /boot/grub2 and grub.cfg? What superusers do you have configured?
>
> On Thursday, March 23, 2017, Albert Roberson <[email protected]> wrote:
>
>     I hope it is obvious that I meant to type that I am logged in as
>     "root" when I run the scan.
>
>     Thanks.
>
>     On Mar 23, 2017 10:30 AM, "Al Roberson" <[email protected]> wrote:
>
>         I am logged in as rut when I run the scan.
>
>
>         On 3/22/17 6:02 PM, Shawn Wells wrote:
>         >
>         > On 3/22/17 3:23 PM, Al Roberson wrote:
>         >> Ahhhh. I see said the blind man.
>         >>
>         >> In the Ovals details section of the scan report, Items
>         >> found violating are:
>         >>
>         >> /boot/grub2/grub.cfg does not exist
>         >>
>         >>
>         >> This file definitely exists. Not sure about the specific
>         >> check it is doing for the file's existence.
>         > Default permissions on grub.cfg block non-root access. Are
>         > you running oscap through sudo or root?
>         >
>         > _______________________________________________
>         > scap-security-guide mailing list -- [email protected]
>         > To unsubscribe send an email to [email protected]
>
>
>
