<div dir="ltr"><div class="gmail_default" style="font-size:small">Hello Greg, </div><div class="gmail_default" style="font-size:small">the OVAL check from that PR works like this: The whole bootloader_password check is PASS if /boot/grub2/grub.cfg does not exist, otherwise (if it exists) both of the following checks MUST pass: "check both files to account for procedure change in documenation" AND "make sure a superuser is defined in /boot/grub2/grub.cfg". </div><div class="gmail_default" style="font-size:small">The "check both files to account for procedure change in documenation" is even more granular (it consists of two parts) and it will report pass only if one or both of the following checks pass: "make sure a password is defined in /boot/grub2/user.cfg" OR "make sure a password is defined in /boot/grub2/grub.cfg" You can find all the checks in <criterion> element in the bootloader_password.xml OVAL file. To see the specific definition of a test performed for a check just look for the string defined in the test_ref attribute (in <criterion> element). </div><div class="gmail_default" style="font-size:small"> </div><div class="gmail_default" style="font-size:small">Rationale about these checks can be found here: <a href="https://github.com/OpenSCAP/scap-security-guide/issues/2618">https://github.com/OpenSCAP/scap-security-guide/issues/2618</a> </div><div class="gmail_default" style="font-size:small">or in the official documentation: <a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password</a> </div><div class="gmail_default" style="font-size:small">Best Regards, </div><div class="gmail_default" style="font-size:small">Matus </div></div><div class="gmail_extra"> <div class="gmail_quote">On Tue, Mar 6, 2018 at 2:57 AM, Greg Silverman <<a href="mailto:Greg.Silverman@veritas.com" target="_blank">Greg.Silverman@veritas.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div link="#0563C1" vlink="#954F72" lang="EN-US"> <div class="m_3319174363693725183WordSection1"> We have been using OSCAP 1.31. In that version, this rule, xccdf_org.ssgproject.content_rule_bootloader_password, is checked by searching the grub.cfg file for the hash of the password, instead of checking for the existence of user.cfg and its contents containing the hash. I see in <a href="https://github.com/OpenSCAP/scap-security-guide/pull/2619/files" target="_blank"> https://github.com/OpenSCAP/scap-security-guide/pull/2619/files</a> that there is a change related to checking user.cfg. I cannot quite tell what it is doing. Is it saying that checking the user.cfg file is sufficient? Thanks, Greg Silverman Veritas Technologies Mountain View, CA </div> </div> _______________________________________________ Open-scap-list mailing list <a href="mailto:Open-scap-list@redhat.com">Open-scap-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/open-scap-list" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/open-scap-list</a> </blockquote></div> </div>