[PATCH] [RHEL/6] When checking GRUB bootloader security ("password" directive being present in grub.conf configuration file) succeed only in case there's uncommented occurrence present
11:13 a.m.
Hello folks,
another reasonable change originally pointed out by Tomas Heinrich
for USGCB content, but applicable also against SSG content.
The current bootloader_password.xml OVAL check implementation checks
for presence of:
password --encrypted .*
string in /etc/grub.conf configuration file. But without having the heading /
starting anchor defined (IOW explicitly allowing only whitespace characters
from the beginning of the pattern match string). Therefore it would return
success for all three of the following cases (which is wrong):
password --encrypted .*
#password --encrypted .*
#\tpassword --encrypted .*
Therefore add starting / heading anchor requirement (in the form of ^[\s]*)
which ensures:
password --encrypted .* will still pass, but
#password --encrypted .* and
#\tpassword --encrypted .* will both fail.
Proposed change briefly tested and seems to be working properly.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
11:16 a.m.
On 3/5/14, 12:13 PM, Jan Lieskovsky wrote:
Hello folks,
another reasonable change originally pointed out by Tomas Heinrich
for USGCB content, but applicable also against SSG content.
The current bootloader_password.xml OVAL check implementation checks
for presence of:
password --encrypted .*
string in /etc/grub.conf configuration file. But without having the heading /
starting anchor defined (IOW explicitly allowing only whitespace characters
from the beginning of the pattern match string). Therefore it would return
success for all three of the following cases (which is wrong):
password --encrypted .*
#password --encrypted .*
#\tpassword --encrypted .*
Therefore add starting / heading anchor requirement (in the form of ^[\s]*)
which ensures:
password --encrypted .* will still pass, but
#password --encrypted .* and
#\tpassword --encrypted .* will both fail.
Proposed change briefly tested and seems to be working properly.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
0001-RHEL-6-When-checking-GRUB-bootloader-security-passwo.patch
From 0a29eb7e7be27191ead7110ee5674ca7156c9f03 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky<jlieskov(a)redhat.com>
Date: Wed, 5 Mar 2014 17:53:35 +0100
Subject: [PATCH] [RHEL/6] When checking GRUB bootloader security ("password"
directive being present in grub.conf configuration file) succeed only in case
there's uncommented occurrence present (IOW add heading anchor ensuring
occurrences "in-the-middle-of-string" wouldn't meet the requirement)
Signed-off-by: Jan Lieskovsky<jlieskov(a)redhat.com>
---
RHEL/6/input/checks/bootloader_password.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/RHEL/6/input/checks/bootloader_password.xml
b/RHEL/6/input/checks/bootloader_password.xml
index 6545c4d..201c369 100644
--- a/RHEL/6/input/checks/bootloader_password.xml
+++ b/RHEL/6/input/checks/bootloader_password.xml
@@ -18,7 +18,7 @@
<ind:textfilecontent54_object id="object_bootloader_password"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>grub.conf</ind:filename>
- <ind:pattern operation="pattern
match">password[\s]+--encrypted[\s]+.*</ind:pattern>
+ <ind:pattern operation="pattern
match">^[\s]*password[\s]+--encrypted[\s]+.*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
-- 1.8.3.1
Completely sane. I'm sure there are other regex's like this
within the
OVAL code...
ack.
11:51 a.m.
New subject: [PATCH] [RHEL/6] When checking GRUB bootloader security ("password" directive being present in grub.conf configuration file) succeed only in case there's uncommented occurrence present
----- Original Message -----
From: "Shawn Wells" <shawn(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Wednesday, March 5, 2014 6:16:55 PM
Subject: Re: [PATCH] [RHEL/6] When checking GRUB bootloader
security ("password" directive being present in grub.conf
configuration file) succeed only in case there's uncommented occurrence present
On 3/5/14, 12:13 PM, Jan Lieskovsky wrote:
Hello folks,
another reasonable change originally pointed out by Tomas Heinrich
for USGCB content, but applicable also against SSG content.
The current bootloader_password.xml OVAL check implementation checks
for presence of:
password --encrypted .*
string in /etc/grub.conf configuration file. But without having the heading /
starting anchor defined (IOW explicitly allowing only whitespace characters
from the beginning of the pattern match string). Therefore it would return
success for all three of the following cases (which is wrong):
password --encrypted .*
#password --encrypted .*
#\tpassword --encrypted .*
Therefore add starting / heading anchor requirement (in the form of ^[\s]*)
which ensures:
password --encrypted .* will still pass, but
#password --encrypted .* and
#\tpassword --encrypted .* will both fail.
Proposed change briefly tested and seems to be working properly.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
0001-RHEL-6-When-checking-GRUB-bootloader-security-passwo.patch
From 0a29eb7e7be27191ead7110ee5674ca7156c9f03 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov(a)redhat.com> Date: Wed, 5 Mar 2014 17:53:35
+0100
Subject: [PATCH] [RHEL/6] When checking GRUB bootloader security ("password"
directive being present in grub.conf configuration file) succeed only in
case
there's uncommented occurrence present (IOW add heading anchor ensuring
occurrences "in-the-middle-of-string" wouldn't meet the requirement)
Signed-off-by: Jan Lieskovsky <jlieskov(a)redhat.com> ---
RHEL/6/input/checks/bootloader_password.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/RHEL/6/input/checks/bootloader_password.xml
b/RHEL/6/input/checks/bootloader_password.xml
index 6545c4d..201c369 100644
--- a/RHEL/6/input/checks/bootloader_password.xml
+++ b/RHEL/6/input/checks/bootloader_password.xml
@@ -18,7 +18,7 @@
<ind:textfilecontent54_object id="object_bootloader_password"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>grub.conf</ind:filename>
- <ind:pattern operation="pattern
match">password[\s]+--encrypted[\s]+.*</ind:pattern>
+ <ind:pattern operation="pattern
match">^[\s]*password[\s]+--encrypted[\s]+.*</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
--
1.8.3.1
Completely sane. I'm sure there are other regex's like this within the OVAL
code...
ack.
Thanks, Shawn. Based on:
scap-security-guide]$ grep -A3 -B3 -rHn conf * | grep pattern | grep checks >
/tmp/out
search looks you are truly right (at first look there seems to be 30 another cases like
this -
details in attached file [some have starting ^, but don't count with possible
pre-spaces.
Needs check if the underlying config file format allows them]).
Unless someone beats me to it, will go through them case-by-case tomorrow and propose
fixes
where appropriate / applicable (but at least the cups based ones seems to be proper
candidates.
Further testing will tell more though).
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
3713
days inactive
3713
days old
scap-security-guide@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Jan Lieskovsky -
Shawn Wells