simp / inspec-profile-disa_stig-el7

InSpec Profile for the EL7 DISA STIG
Apache License 2.0

Review 71961 - this seems broken :) #129

Open aaronlippold opened 4 years ago

aaronlippold commented 4 years ago

× V-71961: Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. (3 failed)
 ✔  There must be only one grub2 superuser, and it must have the value ["root"] length should cmp == 1
 ×  There must be only one grub2 superuser, and it must have the value ["root"] first should cmp == ["root"]

 expected: ["root"]
      got: "root"

 (compared using `cmp` matcher)

 ×  The grub2 superuser password entry must begin with 'password_pbkdf2' length should be >= 1
 expected: >= 1
      got:    0
 ×  The grub2 superuser account password should be encrypted with pbkdf2. should match /password_pbkdf2\s["root"]\sgrub\.pbkdf2/i
 expected "#\n# DO NOT EDIT THIS FILE\n#\n# It is automatically generated by grub2-mkconfig using templates\n# ...  $prefix/custom.cfg ]; then\n  source $prefix/custom.cfg;\nfi\n### END /etc/grub.d/41_custom ###\n" to match /password_pbkdf2\s["root"]\sgrub\.pbkdf2/i
 Diff:
 @@ -1,2 +1,157 @@
 -/password_pbkdf2\s["root"]\sgrub\.pbkdf2/i
 +#
 +# DO NOT EDIT THIS FILE
 +#
 +# It is automatically generated by grub2-mkconfig using templates
 +# from /etc/grub.d and settings from /etc/default/grub
 +#
 +
 +### BEGIN /etc/grub.d/00_header ###
 +set pager=1
 +
 +if [ -s $prefix/grubenv ]; then
 +  load_env
 +fi
 +if [ "${next_entry}" ] ; then
 +   set default="${next_entry}"
 +   set next_entry=
 +   save_env next_entry
 +   set boot_once=true
 +else
 +   set default="${saved_entry}"
 +fi
 +
 +if [ x"${feature_menuentry_id}" = xy ]; then
 +  menuentry_id_option="--id"
 +else
 +  menuentry_id_option=""
 +fi
 +
 +export menuentry_id_option
 +
 +if [ "${prev_saved_entry}" ]; then
 +  set saved_entry="${prev_saved_entry}"
 +  save_env saved_entry
 +  set prev_saved_entry=
 +  save_env prev_saved_entry
 +  set boot_once=true
 +fi
 +
 +function savedefault {
 +  if [ -z "${boot_once}" ]; then
 +    saved_entry="${chosen}"
 +    save_env saved_entry
 +  fi
 +}
 +
 +function load_video {
 +  if [ x$feature_all_video_module = xy ]; then
 +    insmod all_video
 +  else
 +    insmod efi_gop
 +    insmod efi_uga
 +    insmod ieee1275_fb
 +    insmod vbe
 +    insmod vga
 +    insmod video_bochs
 +    insmod video_cirrus
 +  fi
 +}
 +
 +terminal_output console
 +if [ x$feature_timeout_style = xy ] ; then
 +  set timeout_style=menu
 +  set timeout=5
 +# Fallback normal timeout code in case the timeout_style feature is
 +# unavailable.
 +else
 +  set timeout=5
 +fi
 +### END /etc/grub.d/00_header ###
 +
 +### BEGIN /etc/grub.d/00_tuned ###
 +set tuned_params=""
 +set tuned_initrd=""
 +### END /etc/grub.d/00_tuned ###
 +
 +### BEGIN /etc/grub.d/01_users ###
 +if [ -f ${prefix}/user.cfg ]; then
 +  source ${prefix}/user.cfg
 +  if [ -n "${GRUB2_PASSWORD}" ]; then
 +    set superusers="root"
 +    export superusers
 +    password_pbkdf2 root ${GRUB2_PASSWORD}
 +  fi
 +fi
 +### END /etc/grub.d/01_users ###
 +
 +### BEGIN /etc/grub.d/10_linux ###
 +menuentry 'CentOS Linux (3.10.0-1062.4.3.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-1062.el7.x86_64-advanced-605c046a-1ed3-4029-ba85-56c1d8b7055f' {
 +  load_video
 +  set gfxpayload=keep
 +  insmod gzio
 +  insmod part_msdos
 +  insmod xfs
 +  set root='hd0,msdos1'
 +  if [ x$feature_platform_search_hint = xy ]; then
 +    search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  ae29dba3-7757-4fc5-a26c-465385dd8474
 +  else
 +    search --no-floppy --fs-uuid --set=root ae29dba3-7757-4fc5-a26c-465385dd8474
 +  fi
 +  linux16 /vmlinuz-3.10.0-1062.4.3.el7.x86_64 root=/dev/mapper/centos-root ro net.ifnames=0 biosdevname=0 crashkernel=auto spectre_v2=retpoline rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8 fips=1 boot=UUID=ae29dba3-7757-4fc5-a26c-465385dd8474
 +  initrd16 /initramfs-3.10.0-1062.4.3.el7.x86_64.img
 +}
 +menuentry 'CentOS Linux (3.10.0-1062.1.2.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-1062.el7.x86_64-advanced-605c046a-1ed3-4029-ba85-56c1d8b7055f' {
 +  load_video
 +  set gfxpayload=keep
 +  insmod gzio
 +  insmod part_msdos
 +  insmod xfs
 +  set root='hd0,msdos1'
 +  if [ x$feature_platform_search_hint = xy ]; then
 +    search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  ae29dba3-7757-4fc5-a26c-465385dd8474
 +  else
 +    search --no-floppy --fs-uuid --set=root ae29dba3-7757-4fc5-a26c-465385dd8474
 +  fi
 +  linux16 /vmlinuz-3.10.0-1062.1.2.el7.x86_64 root=/dev/mapper/centos-root ro net.ifnames=0 biosdevname=0 crashkernel=auto spectre_v2=retpoline rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8 fips=1 boot=UUID=ae29dba3-7757-4fc5-a26c-465385dd8474
 +  initrd16 /initramfs-3.10.0-1062.1.2.el7.x86_64.img
 +}
 +menuentry 'CentOS Linux (0-rescue-db95a22b243d4c30b1683d28b27424dc) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-db95a22b243d4c30b1683d28b27424dc-advanced-605c046a-1ed3-4029-ba85-56c1d8b7055f' {
 +  load_video
 +  insmod gzio
 +  insmod part_msdos
 +  insmod xfs
 +  set root='hd0,msdos1'
 +  if [ x$feature_platform_search_hint = xy ]; then
 +    search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  ae29dba3-7757-4fc5-a26c-465385dd8474
 +  else
 +    search --no-floppy --fs-uuid --set=root ae29dba3-7757-4fc5-a26c-465385dd8474
 +  fi
 +  linux16 /vmlinuz-0-rescue-db95a22b243d4c30b1683d28b27424dc root=/dev/mapper/centos-root ro net.ifnames=0 biosdevname=0 crashkernel=auto spectre_v2=retpoline rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet fips=1 boot=UUID=ae29dba3-7757-4fc5-a26c-465385dd8474
 +  initrd16 /initramfs-0-rescue-db95a22b243d4c30b1683d28b27424dc.img
 +}
 +
 +### END /etc/grub.d/10_linux ###
 +
 +### BEGIN /etc/grub.d/20_linux_xen ###
 +### END /etc/grub.d/20_linux_xen ###
 +
 +### BEGIN /etc/grub.d/20_ppc_terminfo ###
 +### END /etc/grub.d/20_ppc_terminfo ###
 +
 +### BEGIN /etc/grub.d/30_os-prober ###
 +### END /etc/grub.d/30_os-prober ###
 +
 +### BEGIN /etc/grub.d/40_custom ###
 +# This file provides an easy way to add custom menu entries.  Simply type the
 +# menu entries you want to add after this comment.  Be careful not to change
 +# the 'exec tail' line above.
 +### END /etc/grub.d/40_custom ###
 +
 +### BEGIN /etc/grub.d/41_custom ###
 +if [ -f  ${config_directory}/custom.cfg ]; then
 +  source ${config_directory}/custom.cfg
 +elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
 +  source $prefix/custom.cfg;
 +fi
 +### END /etc/grub.d/41_custom ###

cpoma commented 4 years ago

Yes - I have a working copy of this on the high side - the issue is that 40_custom will actually, based on the OpenSCAP recommendations, want the user to be named "bootuser". The template for 01_users by default uses root and a variable to define the password.

An example real /boot/grub2/grub.cfg might look like this (I took out part for brevity):

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub2-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
.
.
.
.
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/00_tuned ###
set tuned_params=""
set tuned_initrd=""
### END /etc/grub.d/00_tuned ###

### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    export superusers
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###
.
.
.
.
.
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/20_ppc_terminfo ###
### END /etc/grub.d/20_ppc_terminfo ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/40_custom ###
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
# V-71963 - Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
set superusers="bootuser"
# Password1234
password_pbkdf2 bootuser grub.pbkdf2.sha512.10000.8A72B2427C84D0ADAED74EF9D284EDFD70E6C40BCD40A9339321FFAD1170E2000D49443A624B394BEDFC543D51BFF9160974BBA64872FAF86E4A35B85A72673F.8B4D9C7DA7873B267341E6B1B0291DCE2F9BFCAE997D481B5905BFBF6C3F4FD474DF9AE5E93FBDC7B7FACF73329A86EDE1E57BE6AAC8441BF0F26B2E46BDDBFC

### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###

Then - /boot/grub2/user.cfg will look like:

[root@node ec2-user]# cat /boot/grub2/user.cfg
#!/bin/sh
#
#
# V-71963 - Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
# Password1234
#
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.8A72B2427C84D0ADAED74EF9D284EDFD70E6C40BCD40A9339321FFAD1170E2000D49443A624B394BEDFC543D51BFF9160974BBA64872FAF86E4A35B85A72673F.8B4D9C7DA7873B267341E6B1B0291DCE2F9BFCAE997D481B5905BFBF6C3F4FD474DF9AE5E93FBDC7B7FACF73329A86EDE1E57BE6AAC8441BF0F26B2E46BDDBFC

So - maybe the proposed V-71961 Test could look like:

  tag "fix_id": "F-78313r2_fix"
  # At least one declared superuser must have an inline password_pbkdf2 entry in grub.cfg
  describe.one do
    grub_superusers.each do |user|
      describe file(grub_main_cfg) do
        its('content') { should match %r{^\s*password_pbkdf2\s+#{user} } }
      end
    end
  end

  # Where the 01_users template is used, the hash lives in user.cfg as GRUB2_PASSWORD
  grub_user_boot_files.each do |user_cfg_file|
    next unless file(user_cfg_file).exist?
    describe file(user_cfg_file) do
      its('content') { should match %r{^GRUB2_PASSWORD\=grub\.pbkdf2\.sha512} }
    end
  end

ljkimmel commented 4 years ago

It appears that V-71961 was updated back on Nov. 8, 2019 to accept only one user as input. At the time attributes were still in use and the attribute was updated to utilize only one user. Some time later attributes were migrated to inputs but the change for this datatype was not reflected there. The input for 'grub_superuser' is defined as an Array.

The code tries to compare the string 'root' to the string-interpretation of the array '["root"]'. Changing the input datatype to string and setting to 'root' seems to generally fix the problem.

I think the STIG is clear here in that the USER (singular) is to be "root". We don't want to allow for the input of a list of users. In fact, since the direction is so clear I'd say that it shouldn't take an input at all and 'root' should be hardcoded in the control.

Otherwise, it appears to me that the actual code of the control is fairly solid.
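As an added example, not code from the profile or from either comment above: a small static parser in plain Ruby for the two grub.cfg layouts cpoma shows (01_users taking the hash from user.cfg via GRUB2_PASSWORD, 40_custom declaring "bootuser" inline), plus the string-or-array input normalisation ljkimmel describes. The sample configs and the hash value are constructed placeholders, the function names are my own, and the parser reads declarations as written without evaluating grub's `if` blocks; because grub.cfg is a script, it treats the last `set superusers=` assignment as the one in force, which for cpoma's combined layout is bootuser rather than root.

```ruby
# Constructed samples (the hash value is a placeholder, not a real grub hash).
SAMPLE_USER_CFG = "GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.ABCD1234.DEADBEEF\n"
SAMPLE_01_USERS = <<~'CFG'
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="root"
    password_pbkdf2 root ${GRUB2_PASSWORD}
  fi
CFG
SAMPLE_40_CUSTOM = <<~'CFG'
  set superusers="bootuser"
  password_pbkdf2 bootuser grub.pbkdf2.sha512.10000.ABCD1234.DEADBEEF
CFG
PBKDF2_RE = /\Agrub\.pbkdf2\.sha512\.\d+\.\h+\.\h+\z/

# The profile input arrives either as "root" or as ["root"]; the STIG wants one user.
def normalize_superuser(input)
  users = Array(input).map(&:to_s)
  raise ArgumentError, "expected one grub2 superuser, got #{users.inspect}" unless users.size == 1
  users.first
end

# grub.cfg is a script, so the last `set superusers=...` assignment is the one in force.
def effective_superusers(cfg)
  last = cfg.scan(/^\s*set\s+superusers="([^"]*)"/).flatten.last
  last ? last.split(/[ ,]+/) : []
end

# Map user => hash, resolving ${GRUB2_PASSWORD} from user.cfg (nil when it is absent).
def pbkdf2_entries(cfg, user_cfg = "")
  env = user_cfg[/^\s*GRUB2_PASSWORD=(\S+)/, 1]
  cfg.scan(/^\s*password_pbkdf2\s+(\S+)\s+(\S+)/).to_h
     .transform_values { |v| v == "${GRUB2_PASSWORD}" ? env : v }
end

# V-71961 findings for `user`: it must be the superuser in force and have a pbkdf2 hash.
def superuser_findings(user, cfg, user_cfg = "")
  findings = []
  in_force = effective_superusers(cfg)
  findings << "#{user} is not the superuser in force (#{in_force.join(',')})" unless in_force.include?(user)
  hash = pbkdf2_entries(cfg, user_cfg)[user]
  if hash.nil?
    findings << "no resolvable password_pbkdf2 entry for #{user}"
  elsif hash !~ PBKDF2_RE
    findings << "password entry for #{user} is not a grub.pbkdf2.sha512 hash"
  end
  findings
end
```

Run `superuser_findings("root", SAMPLE_01_USERS + SAMPLE_40_CUSTOM, SAMPLE_USER_CFG)` to see that root resolves a hash but is no longer the superuser in force once 40_custom is appended.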