Is anyone experiencing this issue? If not, what are the specific steps people are using to get the scan to pass this particular check?
Thanks for all the attention thus far.

-Al

On Mon, Mar 27, 2017 at 2:02 PM, Al Roberson <[email protected]> wrote:

> permissions for /boot/grub2
>
> drwx------. 6 root root 4096 Mar 27 09:58 grub2
>
>
> permissions for grub.cfg
>
> -rw-r--r--. 1 root root 4323 Mar 27 09:58 /boot/grub2/grub.cfg
>
>
> cat of /etc/grub.d/01_users
>
> #!/bin/sh -e
> cat << EOF
> if [ -f \${prefix}/user.cfg ]; then
>   source \${prefix}/user.cfg
>   if [ -n \${GRUB2_PASSWORD} ]; then
>     set superusers="alr"
>     export superusers
>     password_pbkdf2 alr \${GRUB2_PASSWORD}
>   fi
> fi
> EOF
>
> I ran 'grub2-setpassword' to generate the password in the user.cfg and
> then ran 'grub2-mkconfig -o /boot/grub2/grub.cfg' to make a new grub config
> file. I then run the scan as root with the following command:
>
> oscap xccdf eval --profile stig-rhel7-server-upstream --oval-results \
>   --results-arf `hostname`-`date +$F%H%M`-arf-scan-oval-results.xml \
>   --report `hostname`-`date +$F%H%M`-scan-xccdf-report.html \
>   /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
>
>
> Let me know how you want the html output provided; the report is 3M, which
> I don't think is appropriate for pushing out to the distro.
>
> Thanks.
>
> -Al
>
> On 3/23/17 10:19 PM, Gabe Alford wrote:
>
> Can you provide the HTML output at all? Also permissions of /boot/grub2
> and grub.cfg? What superusers do you have configured?
>
> On Thursday, March 23, 2017, Albert Roberson <[email protected]> wrote:
>
>> I hope it is obvious that I meant to type that I am logged in as "root"
>> when I run the scan.
>>
>> Thanks.
>>
>> On Mar 23, 2017 10:30 AM, "Al Roberson" <[email protected]> wrote:
>>
>>> I am logged in as rut when I run the scan.
>>>
>>>
>>> On 3/22/17 6:02 PM, Shawn Wells wrote:
>>> >
>>> > On 3/22/17 3:23 PM, Al Roberson wrote:
>>> >> Ahhhh. I see said the blind man.
>>> >>
>>> >> In the Ovals details section of the scan report, Items found violating are:
>>> >>
>>> >> /boot/grub2/grub.cfg does not exist
>>> >>
>>> >>
>>> >> This file definitely exists. Not sure about the specific check it is
>>> >> doing for the file's existence.
>>> > Default permissions on grub.cfg block non-root access. Are you running
>>> > oscap through sudo or root?
>>> >
>>> > _______________________________________________
>>> > scap-security-guide mailing list -- [email protected]
>>> > To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
