simp / inspec-profile-disa_stig-el7

InSpec Profile for the EL7 DISA STIG
Apache License 2.0

V-71961 grub2 Configuration File #67

Closed Bialogs closed 4 years ago

Bialogs commented 5 years ago

Update control based on discussion in #61

Closes #61

trevor-vaughan commented 5 years ago

Just to discuss this further, the text appears to be:

The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To do so, select a superuser account and password and add them into the /etc/grub.d/01_users configuration file.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:

$ grub2-mkpasswd-pbkdf2

When prompted, enter the password that was selected and insert the returned password hash into the /etc/grub.d/01_users configuration file immediately after the superuser account. (Use the output from grub2-mkpasswd-pbkdf2 as the value of password-hash):

password_pbkdf2 superusers-account password-hash

NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. Once the superuser account and password have been added, update the grub.cfg file by running:

grub2-mkconfig -o /boot/grub2/grub.cfg

NOTE: Do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file. 

So, more may need to be done here.

  1. We need to make sure that the superuser is explicitly not root
  2. We need to make sure that the superuser password is not the root password (no idea how we do this, may just need to mark it as 'todo' or something)

The prose seems to indicate a singular superuser account so we may need upstream clarification on more than one particularly since I don't think that there's really any significant monitoring/auditing when you use multiple accounts.
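As an added example (plain Ruby, not InSpec DSL and not this profile's control code), the check the guidance above implies: parse a grub2 users fragment containing `set superusers=` and `password_pbkdf2` lines, and flag a discouraged superuser name, a missing password entry, or a password value that is not a grub PBKDF2 hash. The sample fragments and the hash value are constructed placeholders.

```ruby
# Account names the quoted guidance recommends against for the grub2 superuser.
DISCOURAGED_SUPERUSERS = %w[root admin administrator].freeze
# Shape of grub2-mkpasswd-pbkdf2 output: grub.pbkdf2.sha512.<iterations>.<salt>.<hash>
PBKDF2_HASH = /\Agrub\.pbkdf2\.sha512\.\d+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+\z/.freeze

# Returns { user => password_value } for every password_pbkdf2 line in the fragment.
def parse_grub_users(content)
  content.each_line.with_object({}) do |line, users|
    next if line.strip.start_with?('#')
    m = line.match(/^\s*password_pbkdf2\s+(\S+)\s+(\S+)/)
    users[m[1]] = m[2] if m
  end
end

# Returns the account names listed in `set superusers="a,b"` ([] if absent).
def parse_superusers(content)
  m = content.match(/^\s*set\s+superusers="([^"]*)"/)
  m ? m[1].split(',').map(&:strip) : []
end

# Evaluates the fragment; an empty array means every check passed.
def grub_superuser_findings(content)
  users = parse_grub_users(content)
  superusers = parse_superusers(content)
  findings = []
  findings << 'no superusers defined' if superusers.empty?
  superusers.each do |u|
    findings << "superuser '#{u}' is a discouraged account name" if DISCOURAGED_SUPERUSERS.include?(u)
    findings << "superuser '#{u}' has no password_pbkdf2 entry" unless users.key?(u)
  end
  users.each do |u, value|
    findings << "password for '#{u}' is not a grub PBKDF2 hash" unless value.match?(PBKDF2_HASH)
  end
  findings
end

# Constructed samples (hash value is a placeholder, not real grub2-mkpasswd-pbkdf2 output).
SAMPLE_BAD = <<~CFG
  set superusers="root"
  password_pbkdf2 root plaintextsecret
CFG
SAMPLE_GOOD = <<~CFG
  set superusers="bootadmin"
  password_pbkdf2 bootadmin grub.pbkdf2.sha512.10000.ABCD1234.5678EF90
CFG
```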

aaronlippold commented 5 years ago

I would say we fail it and then make part of the test say the user should_not cmp 'root' so it is clear in the reporting.


On Mon, Mar 11, 2019 at 4:15 PM Trevor Vaughan notifications@github.com wrote:

@trevor-vaughan commented on this pull request.

In attributes.yml https://github.com/simp/inspec-profile-disa_stig-el7/pull/67#discussion_r264410395 :

@@ -217,8 +217,8 @@ exempt_home_users: []

main grub boot config file

grub_main_cfg: '/boot/grub2/grub.cfg'

-# superusers for grub boot ( array ) -grub_superusers: ['root']
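Review bot: the `+` side of this hunk is not visible in the quoted excerpt, so the new default that replaces `grub_superusers: ['root']` cannot be reviewed here; since the guidance quoted in this thread discourages `root`, `admin` and `administrator`, the replacement default should be a non-reserved name and the README should state that this input must be set to the host's actual grub2 superuser.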

Soooo....it turns out that it's specifically not recommended to use `root`, `admin`, or `administrator` as your superuser name.

Should that be marked as a warning and/or failure?


aaronlippold commented 4 years ago

@djhaynes @trevor-vaughan This is what Trevor was mentioning:

NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

So we need to make a call - I think this makes it clear that we should actually make it NOTROOT in the inputs and put a NOTE in the README that this needs to follow the recommendation above.

aaronlippold commented 4 years ago

At the very least - inspec does allow us to throw a warn right? We could - in the interest of moving forward - pass the test with root for now AND throw a warn message referencing this guidance. In the end - most folks will choose to ignore this and just use root so we should at least shake a finger at them but not outright FAIL?

trevor-vaughan commented 4 years ago

@aaronlippold Well, if we take the 'shake a finger' approach, then we might as well do that for all of the checks. I mean, a lot of people turn a LOT of them off.

That's why inspec is nice, you can go tell it to do something else if you really want to and you can do it pretty easily.

Specifically, everything in the STIG is "unless your ISSO says it's OK".

djhaynes commented 4 years ago

What needs to be done in order to resolve this PR?

aaronlippold commented 4 years ago

I would just say we make it a non-root account name. Just to align with the recommendation. But in the end, it should be an input that we allow the user to set.

aaronlippold commented 4 years ago

@trevor-vaughan where did this text come from?

NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

aaronlippold commented 4 years ago

Ok. So the above Note came from RHEL8 guidance which we can implement when we get to RHEL8. For RHEL7 at this current revision, the test should test for the guidance. For now, let's just go with the straight guidance and we can make the adjustment in RHEL8. If we want, we can put this 'recommendation' as feedback in the test but still pass the test. But even that will cause confusion from a testing POV. I would say we just keep it simple on this and move this conversation to the RHEL8 baseline.

Bialogs commented 4 years ago

LGTM.