<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">That helps me troubleshoot. <div>Thanks. </div><div>I will keep y’all informed. </div><div>I think I will open a support ticket with Red Hat to attack this from the opposite direction. </div><div><br></div><div><div id="AppleMailSignature"><p style="margin: 0px; font-size: 12px; font-family: Helvetica;"><span style="font-size: 12pt;">"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us."</span></p>
<p style="margin: 0px; font-size: 12px; font-family: Helvetica;"><span style="font-size: 12pt;">Bill Watterson (Calvin & Hobbes)</span></p></div><div><br>On Jan 23, 2018, at 10:10 AM, Watson Yuuma Sato <<a href="mailto:wsato@redhat.com">wsato@redhat.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div class="moz-cite-prefix">On 23/01/18 13:29, Dan White wrote:<br>
</div>
<blockquote type="cite" cite="mid:51c09bdb-2f77-4919-9525-bcab882cdc7b@me.com">
<div>Scanning some RHEL 7 VMs with the latest/greatest, I am
getting a finding against the Boot Loader Password.<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>I set it according to <a data-mce-href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password" href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password" moz-do-not-send="true">this RHEL 7 System Administrator's
Guide page</a> and <a data-mce-href="https://access.redhat.com/solutions/2253401" href="https://access.redhat.com/solutions/2253401" moz-do-not-send="true">this Red Hat Solutions page</a>, but
the test fails.<br data-mce-bogus="1">
</div>
<div><br data-mce-bogus="1">
</div>
<div>Details from the report:<br data-mce-bogus="1">
</div>
<div>
-----------------------------------------------------------------------------</div>
<div>Rule ID:
xccdf_org.ssgproject.content_rule_bootloader_password<br>
</div>
</blockquote>
This rule specifically checks if '/etc/grub2/grub.cfg' has
superusers and password_pbkdf2 configured.<br>
superusers should be root, admin or administrator, and the password key
derivation function used should be 'grub.pbkdf2.sha512'.<br>
Make sure you have these configured; I couldn't find details about
the superuser and derivation function in the guides you pointed to.<br>
<blockquote type="cite" cite="mid:51c09bdb-2f77-4919-9525-bcab882cdc7b@me.com">
<div><br data-mce-bogus="1">
</div>
<div>Result: fail<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>Time: 2018-01-22T14:52:15<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>Severity: high<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>Identifiers and References: <br>
Identifiers: CCE-27309-4<br>
References: IA-2(1), IA-5(e), AC-3, 213,
SRG-OS-000080-GPOS-00048, RHEL-07-010480, 1.5.3, 3.4.5<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>Description :<br>
The grub2 boot loader should have a superuser account and
password protection enabled to protect boot-time settings.<br>
To do so, select a superuser account and password and add them
into the /etc/grub.d/01_users configuration file.<br>
Since plaintext passwords are a security risk, generate a hash
for the <span style="color: rgb(255, 41, 104);" data-mce-style="color: #ff2968;">pasword</span> by running the
following command:<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div> $ grub2-mkpasswd-pbkdf2<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>When prompted, enter the password that was selected and
insert the returned password hash into the /etc/grub.d/01_users
configuration file immediately after the superuser account. (Use
the output from grub2-mkpasswd-pbkdf2 as the value of
password-hash):<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div> password_pbkdf2 superusers-account password-hash<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>NOTE: It is recommended not to use common administrator
account names like root, admin, or administrator for the grub2
superuser account.<br>
<br>
To meet FISMA Moderate, the bootloader superuser account and
password MUST differ from the root account and password. Once
the superuser account and password have been added, update the
grub.cfg file by running:<br>
<br>
grub2-mkconfig -o /boot/grub2/grub.cfg<br>
<br>
NOTE: Do NOT manually add the superuser account and password to
the grub.cfg file as the grub2-mkconfig command overwrites this
file.<br>
<br>
Rationale <br>
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter important
bootloader settings. These include which kernel to use, and
whether to enter single-user mode. For more information on how
to configure the grub2 superuser account and password, please
refer to<br>
<br>
<a class="moz-txt-link-freetext" href="https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html">https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html</a><br>
-----------------------------------------------------------------------------</div>
<div><br data-mce-bogus="1">
</div>
<div>The link from the Rationale returns a "404", and there is no
mention in the current RHEL 7 System Administrator's Guide about
tinkering with the /etc/grub.d/01_users configuration file other
than to say it was necessary in versions prior to RHEL 7.2.<br>
</div>
<div><br data-mce-bogus="1">
</div>
<div>Does the check need to be updated, or do I need to do
something other than stated in the Red Hat Documentation?<br data-mce-bogus="1">
</div>
<div>And y'all have a typo :) that I highlighted in red on the
third line of the description.<br data-mce-bogus="1">
</div>
<div><br data-mce-bogus="1">
</div>
<div class="x-apple-signature">Dan White | <a class="moz-txt-link-abbreviated" href="mailto:d_e_white@icloud.com">d_e_white@icloud.com</a><br>
------------------------------------------------<br>
“Sometimes I think the surest sign that intelligent life exists
elsewhere in the universe is that none of it has tried to
contact us.” (Bill Watterson: Calvin & Hobbes)</div>
<br>
<br>
<pre wrap="">_______________________________________________
Open-scap-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Open-scap-list@redhat.com">Open-scap-list@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/open-scap-list">https://www.redhat.com/mailman/listinfo/open-scap-list</a></pre>
</blockquote>
<p><br>
</p>
<pre class="moz-signature" cols="72">--
Watson Sato
Security Technologies | Red Hat, Inc</pre>
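<p>An added example, written here for this thread and not code from either message or from the SSG project: a small POSIX sh check that inspects a grub.cfg for what Watson says the bootloader_password rule looks for (a 'set superusers=' line and a password_pbkdf2 line whose hash is grub.pbkdf2.sha512). It assumes the hash may appear either literally or as ${GRUB2_PASSWORD} taken from a user.cfg, which is how the RHEL 7.2+ 01_users snippet writes it, and uses constructed sample files with a placeholder hash.</p>

```shell
# Added example, not from either message: checks a grub.cfg the way Watson
# describes the rule doing it. Returns 0 only when 'set superusers=' and a
# password_pbkdf2 line with a grub.pbkdf2.sha512 hash are present and agree.
check_grub_password() {
    cfg="$1"          # grub.cfg to inspect (normally /boot/grub2/grub.cfg)
    usercfg="${2:-}"  # optional user.cfg holding GRUB2_PASSWORD=<hash> (RHEL 7.2+)
    rc=0
    superuser=$(grep -E '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" | head -n 1 \
         | sed 's/.*superusers=//' | tr -d "\"'" | sed 's/[[:space:]].*//')
    [ -n "$superuser" ] || { echo "FAIL: no 'set superusers=' in $cfg"; rc=1; }
    line=$(grep -E '^[[:space:]]*password_pbkdf2[[:space:]]' "$cfg" | head -n 1)
    [ -n "$line" ] || { echo "FAIL: no password_pbkdf2 line in $cfg"; return 1; }
    set -- $line      # -> password_pbkdf2 <user> <hash>
    pwuser="$2"; hash="$3"
    # 01_users on RHEL 7.2+ writes the hash indirectly; resolve it if user.cfg was given
    if [ "$hash" = '${GRUB2_PASSWORD}' ] && [ -r "$usercfg" ]; then
        hash=$(sed -n 's/^GRUB2_PASSWORD=//p' "$usercfg" | head -n 1)
    fi
    case "$hash" in
        grub.pbkdf2.sha512.*) ;;
        *) echo "FAIL: hash is not grub.pbkdf2.sha512 (got '$hash')"; rc=1 ;;
    esac
    if [ -n "$superuser" ] && [ "$pwuser" != "$superuser" ]; then
        echo "FAIL: password_pbkdf2 user '$pwuser' is not superuser '$superuser'"; rc=1
    fi
    return $rc
}

# Constructed sample files with a placeholder hash, only to exercise the check.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/grub.cfg" <<'EOF'
### BEGIN /etc/grub.d/01_users ###
    set superusers="bootadmin"
    export superusers
    password_pbkdf2 bootadmin ${GRUB2_PASSWORD}
### END /etc/grub.d/01_users ###
EOF
cat > "$SAMPLE_DIR/user.cfg" <<'EOF'
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
EOF
cat > "$SAMPLE_DIR/plain.cfg" <<'EOF'
set superusers="bootadmin"
password bootadmin not-a-hash
EOF
# With user.cfg the indirect hash resolves and the check passes;
# looked at alone, grub.cfg only shows the variable name and fails.
check_grub_password "$SAMPLE_DIR/grub.cfg" "$SAMPLE_DIR/user.cfg" && echo "PASS with user.cfg"
check_grub_password "$SAMPLE_DIR/grub.cfg" || echo "expected FAIL without user.cfg"
```

<p>Run it against the real files as root with <code>check_grub_password /boot/grub2/grub.cfg /boot/grub2/user.cfg</code>; a plaintext <code>password</code> line, as in plain.cfg, is reported as missing password_pbkdf2.</p>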
</div></blockquote></div></body></html>