[Open-scap] CCE-27309-4, xccdf_org.ssgproject.content_rule_bootloader_password for RHEL 7 question

Matus Marhefka mmarhefk at redhat.com
Tue Mar 13 11:31:43 UTC 2018


Hello Greg,

the OVAL check from that PR works like this:
The whole bootloader_password check is PASS if /boot/grub2/grub.cfg does
not exist, otherwise (if it exists) both of the following checks MUST pass:
"check both files to account for procedure change in documenation" AND "make
sure a superuser is defined in /boot/grub2/grub.cfg".

The "check both files to account for procedure change in documenation" is
even more granular (it consists of two parts) and it will report pass only
if one or both of the following checks pass:
"make sure a password is defined in /boot/grub2/user.cfg" OR "make sure a
password is defined in /boot/grub2/grub.cfg"

You can find all the checks in <criterion> element in the
bootloader_password.xml OVAL file. To see the specific definition of a test
performed for a check just look for the string defined in the test_ref
attribute (in <criterion> element).

Rationale about these checks can be found here:
https://github.com/OpenSCAP/scap-security-guide/issues/2618
or in the official documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sec-protecting_grub_2_with_a_password

Best Regards,
Matus

On Tue, Mar 6, 2018 at 2:57 AM, Greg Silverman <Greg.Silverman at veritas.com>
wrote:

> We have been using OSCAP 1.31. In that version, this rule,
> xccdf_org.ssgproject.content_rule_bootloader_password,  is checked by
> searching the grub.cfg file for the hash of the password, instead of
> checking for the existence of user.cfg and its contents containing the
> hash. I see in https://github.com/OpenSCAP/scap-security-guide/pull/2619/
> files that there is a change related to checking user.cfg. I cannot quite
> tell what it is doing. Is it saying that checking the user.cfg file is
> sufficient?
>
> Thanks,
>
> Greg Silverman
> Veritas Technologies
> Mountain View, CA
>
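The criteria tree Matus describes, written out as an added Python example (not code from the SSG project or from the OVAL file): the regexes are assumptions that only approximate the OVAL tests, and the sample grub.cfg/user.cfg contents are constructed stand-ins with a placeholder hash.

```python
import os
import re
import tempfile

GRUB_CFG = "/boot/grub2/grub.cfg"
USER_CFG = "/boot/grub2/user.cfg"

# Assumed patterns approximating the OVAL tests; the exact regexes live in the
# objects/states referenced by test_ref in bootloader_password.xml.
SUPERUSER_RE = re.compile(r'^\s*set\s+superusers\s*=\s*"[^"]+"', re.M)
GRUB_PW_RE = re.compile(r'^\s*password_pbkdf2\s+\S+\s+grub\.pbkdf2\.sha512\.', re.M)
USER_PW_RE = re.compile(r'^\s*GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.', re.M)


def _file_matches(path, regex):
    """A missing file cannot satisfy a pattern test: that is a fail, not an error."""
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return regex.search(fh.read()) is not None


def bootloader_password_check(grub_cfg=GRUB_CFG, user_cfg=USER_CFG):
    """Evaluate the rule the way the criteria tree in the mail describes it."""
    if not os.path.exists(grub_cfg):
        return True  # no GRUB2 config at all: the whole definition reports pass
    superuser_defined = _file_matches(grub_cfg, SUPERUSER_RE)
    # "check both files": passes if EITHER location carries a PBKDF2 hash
    password_defined = (_file_matches(user_cfg, USER_PW_RE)
                        or _file_matches(grub_cfg, GRUB_PW_RE))
    return superuser_defined and password_defined  # AND at the top level


def run_scenarios():
    """Constructed sample configs exercising each branch of the criteria tree."""
    h = "grub.pbkdf2.sha512.10000.AAAA.BBBB"  # placeholder, not a real hash
    cases = {
        "no_grub_cfg": (None, None),
        "superuser_and_user_cfg": ('set superusers="root"\n', f"GRUB2_PASSWORD={h}\n"),
        "superuser_and_grub_cfg": (f'set superusers="root"\npassword_pbkdf2 root {h}\n', None),
        "superuser_no_password": ('set superusers="root"\n', None),
        "password_no_superuser": ("menuentry 'RHEL' {\n}\n", f"GRUB2_PASSWORD={h}\n"),
    }
    results = {}
    for name, (grub_text, user_text) in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            grub, user = os.path.join(tmp, "grub.cfg"), os.path.join(tmp, "user.cfg")
            for path, text in ((grub, grub_text), (user, user_text)):
                if text is not None:
                    with open(path, "w") as fh:
                        fh.write(text)
            results[name] = bootloader_password_check(grub, user)
    return results
```

Run `bootloader_password_check()` with no arguments to evaluate the real files on a RHEL 7 host; `run_scenarios()` shows that a password hash alone (without `set superusers`) still fails.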