This repository has been archived by the owner on Apr 17, 2023. It is now read-only.

Review 71961 - this seems broken :) #129

Open
aaronlippold opened this issue Nov 22, 2019 · 2 comments
@aaronlippold
Member

× V-71961: Systems with a Basic Input/Output System (BIOS) must require
authentication upon booting into single-user and maintenance modes. (3 failed)
✔ There must be only one grub2 superuser, and it must have the value ["root"] length should cmp == 1
× There must be only one grub2 superuser, and it must have the value ["root"] first should cmp == ["root"]

 expected: ["root"]
      got: "root"

 (compared using `cmp` matcher)

 ×  The grub2 superuser password entry must begin with 'password_pbkdf2' length should be >= 1
 expected: >= 1
      got:    0
 ×  The grub2 superuser account password should be encrypted with pbkdf2. should match /password_pbkdf2\s["root"]\sgrub\.pbkdf2/i
 expected "#\n# DO NOT EDIT THIS FILE\n#\n# It is automatically generated by grub2-mkconfig using templates\n# ...  $prefix/custom.cfg ]; then\n  source $prefix/custom.cfg;\nfi\n### END /etc/grub.d/41_custom ###\n" to match /password_pbkdf2\s["root"]\sgrub\.pbkdf2/i
 Diff:
 @@ -1,2 +1,157 @@
 -/password_pbkdf2\s["root"]\sgrub\.pbkdf2/i
 +#
 +# DO NOT EDIT THIS FILE
 +#
 +# It is automatically generated by grub2-mkconfig using templates
 +# from /etc/grub.d and settings from /etc/default/grub
 +#
 +
 +### BEGIN /etc/grub.d/00_header ###
 +set pager=1
 +
 +if [ -s $prefix/grubenv ]; then
 +  load_env
 +fi
 +if [ "${next_entry}" ] ; then
 +   set default="${next_entry}"
 +   set next_entry=
 +   save_env next_entry
 +   set boot_once=true
 +else
 +   set default="${saved_entry}"
 +fi
 +
 +if [ x"${feature_menuentry_id}" = xy ]; then
 +  menuentry_id_option="--id"
 +else
 +  menuentry_id_option=""
 +fi
 +
 +export menuentry_id_option
 +
 +if [ "${prev_saved_entry}" ]; then
 +  set saved_entry="${prev_saved_entry}"
 +  save_env saved_entry
 +  set prev_saved_entry=
 +  save_env prev_saved_entry
 +  set boot_once=true
 +fi
 +
 +function savedefault {
 +  if [ -z "${boot_once}" ]; then
 +    saved_entry="${chosen}"
 +    save_env saved_entry
 +  fi
 +}
 +
 +function load_video {
 +  if [ x$feature_all_video_module = xy ]; then
 +    insmod all_video
 +  else
 +    insmod efi_gop
 +    insmod efi_uga
 +    insmod ieee1275_fb
 +    insmod vbe
 +    insmod vga
 +    insmod video_bochs
 +    insmod video_cirrus
 +  fi
 +}
 +
 +terminal_output console
 +if [ x$feature_timeout_style = xy ] ; then
 +  set timeout_style=menu
 +  set timeout=5
 +# Fallback normal timeout code in case the timeout_style feature is
 +# unavailable.
 +else
 +  set timeout=5
 +fi
 +### END /etc/grub.d/00_header ###
 +
 +### BEGIN /etc/grub.d/00_tuned ###
 +set tuned_params=""
 +set tuned_initrd=""
 +### END /etc/grub.d/00_tuned ###
 +
 +### BEGIN /etc/grub.d/01_users ###
 +if [ -f ${prefix}/user.cfg ]; then
 +  source ${prefix}/user.cfg
 +  if [ -n "${GRUB2_PASSWORD}" ]; then
 +    set superusers="root"
 +    export superusers
 +    password_pbkdf2 root ${GRUB2_PASSWORD}
 +  fi
 +fi
 +### END /etc/grub.d/01_users ###
 +
 +### BEGIN /etc/grub.d/10_linux ###
 +menuentry 'CentOS Linux (3.10.0-1062.4.3.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-1062.el7.x86_64-advanced-605c046a-1ed3-4029-ba85-56c1d8b7055f' {
 +	load_video
 +	set gfxpayload=keep
 +	insmod gzio
 +	insmod part_msdos
 +	insmod xfs
 +	set root='hd0,msdos1'
 +	if [ x$feature_platform_search_hint = xy ]; then
 +	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  ae29dba3-7757-4fc5-a26c-465385dd8474
 +	else
 +	  search --no-floppy --fs-uuid --set=root ae29dba3-7757-4fc5-a26c-465385dd8474
 +	fi
 +	linux16 /vmlinuz-3.10.0-1062.4.3.el7.x86_64 root=/dev/mapper/centos-root ro net.ifnames=0 biosdevname=0 crashkernel=auto spectre_v2=retpoline rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8 fips=1 boot=UUID=ae29dba3-7757-4fc5-a26c-465385dd8474
 +	initrd16 /initramfs-3.10.0-1062.4.3.el7.x86_64.img
 +}
 +menuentry 'CentOS Linux (3.10.0-1062.1.2.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-1062.el7.x86_64-advanced-605c046a-1ed3-4029-ba85-56c1d8b7055f' {
 +	load_video
 +	set gfxpayload=keep
 +	insmod gzio
 +	insmod part_msdos
 +	insmod xfs
 +	set root='hd0,msdos1'
 +	if [ x$feature_platform_search_hint = xy ]; then
 +	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  ae29dba3-7757-4fc5-a26c-465385dd8474
 +	else
 +	  search --no-floppy --fs-uuid --set=root ae29dba3-7757-4fc5-a26c-465385dd8474
 +	fi
 +	linux16 /vmlinuz-3.10.0-1062.1.2.el7.x86_64 root=/dev/mapper/centos-root ro net.ifnames=0 biosdevname=0 crashkernel=auto spectre_v2=retpoline rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8 fips=1 boot=UUID=ae29dba3-7757-4fc5-a26c-465385dd8474
 +	initrd16 /initramfs-3.10.0-1062.1.2.el7.x86_64.img
 +}
 +menuentry 'CentOS Linux (0-rescue-db95a22b243d4c30b1683d28b27424dc) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-db95a22b243d4c30b1683d28b27424dc-advanced-605c046a-1ed3-4029-ba85-56c1d8b7055f' {
 +	load_video
 +	insmod gzio
 +	insmod part_msdos
 +	insmod xfs
 +	set root='hd0,msdos1'
 +	if [ x$feature_platform_search_hint = xy ]; then
 +	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  ae29dba3-7757-4fc5-a26c-465385dd8474
 +	else
 +	  search --no-floppy --fs-uuid --set=root ae29dba3-7757-4fc5-a26c-465385dd8474
 +	fi
 +	linux16 /vmlinuz-0-rescue-db95a22b243d4c30b1683d28b27424dc root=/dev/mapper/centos-root ro net.ifnames=0 biosdevname=0 crashkernel=auto spectre_v2=retpoline rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet fips=1 boot=UUID=ae29dba3-7757-4fc5-a26c-465385dd8474
 +	initrd16 /initramfs-0-rescue-db95a22b243d4c30b1683d28b27424dc.img
 +}
 +
 +### END /etc/grub.d/10_linux ###
 +
 +### BEGIN /etc/grub.d/20_linux_xen ###
 +### END /etc/grub.d/20_linux_xen ###
 +
 +### BEGIN /etc/grub.d/20_ppc_terminfo ###
 +### END /etc/grub.d/20_ppc_terminfo ###
 +
 +### BEGIN /etc/grub.d/30_os-prober ###
 +### END /etc/grub.d/30_os-prober ###
 +
 +### BEGIN /etc/grub.d/40_custom ###
 +# This file provides an easy way to add custom menu entries.  Simply type the
 +# menu entries you want to add after this comment.  Be careful not to change
 +# the 'exec tail' line above.
 +### END /etc/grub.d/40_custom ###
 +
 +### BEGIN /etc/grub.d/41_custom ###
 +if [ -f  ${config_directory}/custom.cfg ]; then
 +  source ${config_directory}/custom.cfg
 +elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
 +  source $prefix/custom.cfg;
 +fi
 +### END /etc/grub.d/41_custom ###
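Review bot: the `-` line shows the regex the control built, `/password_pbkdf2\s["root"]\sgrub\.pbkdf2/i`: the Array input `["root"]` was interpolated in its string form, which inside a regex is a character class matching a single `"`, `r`, `o` or `t`, so the pattern can never match the `password_pbkdf2 root ${GRUB2_PASSWORD}` line in the 01_users block. Even with the interpolation fixed, the `+` side shows that the hash is not in grub.cfg at all: the template sources `${prefix}/user.cfg` and substitutes `${GRUB2_PASSWORD}`, so a check for a literal `grub.pbkdf2` belongs against user.cfg, while grub.cfg should be checked only for `set superusers="root"` and the `password_pbkdf2 root` line.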
@cpoma

cpoma commented Nov 22, 2019

Yes - I have a working copy of this on the high side - the issue is that 40_custom will actually, based on the OpenSCAP recommendations, want the user to be named "bootuser". The template for 01_users by default uses root and a variable to define the password.

An example real /boot/grub2/grub.cfg might look like this (I took out part for brevity):

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub2-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
.
.
.
.
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/00_tuned ###
set tuned_params=""
set tuned_initrd=""
### END /etc/grub.d/00_tuned ###

### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###
.
.
.
.
.
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/20_ppc_terminfo ###
### END /etc/grub.d/20_ppc_terminfo ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
# V-71963 - Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
set superusers="bootuser"
# Password1234
password_pbkdf2 bootuser grub.pbkdf2.sha512.10000.8A72B2427C84D0ADAED74EF9D284EDFD70E6C40BCD40A9339321FFAD1170E2000D49443A624B394BEDFC543D51BFF9160974BBA64872FAF86E4A35B85A72673F.8B4D9C7DA7873B267341E6B1B0291DCE2F9BFCAE997D481B5905BFBF6C3F4FD474DF9AE5E93FBDC7B7FACF73329A86EDE1E57BE6AAC8441BF0F26B2E46BDDBFC


### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

Then - /boot/grub2/user.cfg will look like:

[root@node ec2-user]# cat /boot/grub2/user.cfg
#!/bin/sh
#
#
# V-71963 - Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
# Password1234
#
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.8A72B2427C84D0ADAED74EF9D284EDFD70E6C40BCD40A9339321FFAD1170E2000D49443A624B394BEDFC543D51BFF9160974BBA64872FAF86E4A35B85A72673F.8B4D9C7DA7873B267341E6B1B0291DCE2F9BFCAE997D481B5905BFBF6C3F4FD474DF9AE5E93FBDC7B7FACF73329A86EDE1E57BE6AAC8441BF0F26B2E46BDDBFC

So - maybe the proposed V-71961 Test could look like:

  tag "fix_id": "F-78313r2_fix"

  describe.one do
    grub_superusers.each do |user|
      describe file(grub_main_cfg) do
        its('content') { should match %r{^\s*password_pbkdf2\s+#{user} } }
      end
    end
  end

  grub_user_boot_files.each do |user_cfg_file|
    next unless file(user_cfg_file).exist?
    describe file(user_cfg_file) do
      its('content') { should match %r{^GRUB2_PASSWORD=grub\.pbkdf2\.sha512} }
    end
  end

@ljkimmel
Contributor

It appears that V-71961 was updated back on Nov. 8, 2019 to accept only one user as input. At the time attributes were still in use and the attribute was updated to utilize only one user. Some time later attributes were migrated to inputs but the change for this datatype was not reflected there. The input for 'grub_superuser' is defined as an Array.

The code tries to compare the string 'root' to the string-interpretation of the array '["root"]'. Changing the input datatype to string and setting to 'root' seems to generally fix the problem.

I think the STIG is clear here in that the USER (singular) is to be "root". We don't want to allow for the input of a list of users. In fact, since the direction is so clear I'd say that it shouldn't take an input at all and 'root' should be hardcoded in the control.

Otherwise, it appears to me that the actual code of the control is fairly solid.
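The array-vs-string mix-up described in this comment, and the grub.cfg / user.cfg split shown in the earlier sample files, as an added Ruby example that is not the profile's own control code; GRUB_CFG and USER_CFG are constructed samples with a placeholder hash, and the function names are this example's own:

```ruby
# Constructed excerpt of /boot/grub2/grub.cfg, the 01_users template output
# shown in the issue: the superuser is set here but the hash is substituted
# from user.cfg, so grub.cfg itself never contains "grub.pbkdf2".
GRUB_CFG = <<~CFG
  ### BEGIN /etc/grub.d/01_users ###
  if [ -f ${prefix}/user.cfg ]; then
    source ${prefix}/user.cfg
    if [ -n "${GRUB2_PASSWORD}" ]; then
      set superusers="root"
      export superusers
      password_pbkdf2 root ${GRUB2_PASSWORD}
    fi
  fi
  ### END /etc/grub.d/01_users ###
CFG

# Constructed /boot/grub2/user.cfg with a placeholder hash, not a real one.
USER_CFG = <<~CFG
  #!/bin/sh
  GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.PLACEHOLDER_SALT.PLACEHOLDER_HASH
CFG

# The pattern the failing control built. Interpolating the Array input
# ["root"] gives the source /...\s["root"]\sgrub\.pbkdf2/: a character class
# matching one of " r o t, so "password_pbkdf2 root ..." can never match.
def buggy_pattern(superuser_input)
  /password_pbkdf2\s#{superuser_input}\sgrub\.pbkdf2/i
end

# Every superusers declaration in grub.cfg; a second one (e.g. a bootuser
# line appended via 40_custom) is reported too, which "only one superuser" must catch.
def grub_superusers(grub_cfg)
  grub_cfg.scan(/^\s*set\s+superusers="([^"]*)"/).flatten.flat_map { |v| v.split(',') }
end

# grub.cfg must carry a password_pbkdf2 line for the user, and user.cfg must
# hold the pbkdf2-sha512 hash that the template substitutes into it.
def superuser_password_set?(grub_cfg, user_cfg, user)
  grub_cfg.match?(/^\s*password_pbkdf2\s+#{Regexp.escape(user)}\s/) &&
    user_cfg.match?(/^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\./)
end

# The single-user reading of V-71961: exactly one superuser, named root,
# with its password configured.
def v71961_compliant?(grub_cfg, user_cfg)
  grub_superusers(grub_cfg) == ['root'] &&
    superuser_password_set?(grub_cfg, user_cfg, 'root')
end
```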

ljkimmel pushed a commit to ljkimmel/inspec-profile-disa_stig-el7 that referenced this issue Mar 25, 2020
Removed 'grub_superuser' as an input. The STIG guidance is clear that
this is the only allowable account so there is no reason to allow it
to be tailored.

Updated V-71961 to remove reference to the 'grub_superuser' input and
hardcode "grub_superuser = 'root'".

Signed-off-by: Lesley Kimmel <[email protected]>
ljkimmel pushed a commit to ljkimmel/inspec-profile-disa_stig-el7 that referenced this issue Mar 26, 2020
Set the input 'grub_superuser' to type String with value 'root' in
inspec.yml as this is what dependent controls expect.

Signed-off-by: Lesley Kimmel <[email protected]>
trevor-vaughan added a commit that referenced this issue Mar 30, 2020
Set the input 'grub_superuser' to type String with value 'root' in
inspec.yml as this is what dependent controls expect.

Signed-off-by: Lesley Kimmel <[email protected]>

Co-authored-by: Lesley Kimmel <[email protected]>
Co-authored-by: Trevor Vaughan <[email protected]>
@Andy-Adrian Andy-Adrian removed this from Org Triage Apr 17, 2023