In https://access.redhat.com/knowledge/solutions/68828 Red Hat says:

Select a password and then generate a hash from it by running:

    # grub-crypt --sha-512

Insert the following line into /etc/grub.conf immediately after the header comments. (Use the output from grub-crypt as the value of password-hash):

    password --encrypted password-hash

It should look like below.

    default=0
    timeout=5
    password --encrypted password-hash
    splashimage=(hd0,0)/grub/splash.xpm.gz

Verify the permissions on /etc/grub.conf (which is a symlink to ../boot/grub/grub.conf):

    # chown root:root /etc/grub.conf
    # chmod 600 /etc/grub.conf

The grub-crypt utility is now shipped with three types of password encryption:

    --md5      Use MD5 to encrypt the password
    --sha-256  Use SHA-256 to encrypt the password
    --sha-512  Use SHA-512 to encrypt the password (default)
Signed-off-by: Joe Nall <joe@nall.com>
---
 rhel6/src/input/checks/bootloader_password.xml |    2 +-
 rhel6/src/input/system/accounts/physical.xml   |    6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rhel6/src/input/checks/bootloader_password.xml b/rhel6/src/input/checks/bootloader_password.xml index 8074097..ceff1b7 100644 --- a/rhel6/src/input/checks/bootloader_password.xml +++ b/rhel6/src/input/checks/bootloader_password.xml @@ -18,7 +18,7 @@ <ind:textfilecontent54_object id="object_bootloader_password" version="1"> ind:path/etc</ind:path> ind:filenamegrub.conf</ind:filename> - <ind:pattern operation="pattern match">password[\s]+--md5[\s]+.*</ind:pattern> + <ind:pattern operation="pattern match">password[\s]+--encrypted[\s]+.*</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/rhel6/src/input/system/accounts/physical.xml b/rhel6/src/input/system/accounts/physical.xml index 5c3a488..a8db13b 100644 --- a/rhel6/src/input/system/accounts/physical.xml +++ b/rhel6/src/input/system/accounts/physical.xml @@ -70,11 +70,11 @@ this file. <description>The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running: -<pre># grub-md5-crypt</pre> +<pre># grub-crypt --sha-512</pre> Insert the following line into <tt>/etc/grub.conf</tt> immediately -after the header comments. (Use the output from <tt>grub-md5-crypt</tt> as the +after the header comments. (Use the output from <tt>grub-crypt</tt> as the value of <b>password-hash</b>): -<pre>password --md5 <b>password-hash</b></pre> +<pre>password --encrypted <b>password-hash</b></pre> </description> <rationale> Password protection on the boot loader configuration ensures that
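Review bot: the new pattern in the bootloader_password.xml hunk, `password[\s]+--encrypted[\s]+.*`, is not anchored to the start of a line and does not constrain the value, so a commented-out `# password --encrypted ...` line satisfies the check, `.*` also matches an empty value (a line ending in `--encrypted ` followed only by whitespace passes), and nothing ties the value to the SHA-512 hash that the physical.xml description now tells users to generate. If the intent is to require a real hash, consider `^password[\s]+--encrypted[\s]+\S+`; and since a legacy `password --md5` line written per the old guidance now fails this check, that behaviour change belongs in the commit message.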
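Review bot: the updated description in the physical.xml hunk explains how to create a new `password --encrypted` entry but gives no migration note for systems that already carry a `password --md5` line, which the companion change to bootloader_password.xml now reports as a failure. Add a sentence after `<pre>password --encrypted <b>password-hash</b></pre>` saying that an existing `--md5` entry should be regenerated with `grub-crypt` and rewritten as `--encrypted`, so readers of the guide understand why their previously compliant configuration now fails the check.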
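A small audit script, added here as an example and not part of the patch or the scap-security-guide project, that applies the pattern from the bootloader_password.xml hunk above to constructed grub.conf samples and contrasts it with a stricter, anchored check; the `$6$` hash prefix, the strict pattern and the sample hash strings are assumptions of this example, not from the patch.

```python
import re

# Pattern exactly as in the updated OVAL check (bootloader_password.xml hunk).
OVAL_PATTERN = re.compile(r"password[\s]+--encrypted[\s]+.*")
# Stricter variant (an assumption for this example, not in the patch): the directive must
# start the line and carry a $6$ (SHA-512 crypt) hash.
STRICT_PATTERN = re.compile(r"^password\s+--encrypted\s+\$6\$\S+$")
MD5_PATTERN = re.compile(r"^password\s+--md5\s+\S+$")


def oval_check_passes(text: str) -> bool:
    """Reproduce the OVAL check as written: an unanchored match anywhere in the file."""
    return OVAL_PATTERN.search(text) is not None


def audit_grub_conf(text: str) -> dict:
    """Classify the password directive in grub.conf, ignoring comment lines."""
    result = {"encrypted": False, "sha512": False, "legacy_md5": False, "line": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive does not protect the boot loader
        if OVAL_PATTERN.match(line):
            result["encrypted"] = True
            result["line"] = line
            result["sha512"] = STRICT_PATTERN.match(line) is not None
        elif MD5_PATTERN.match(line):
            result["legacy_md5"] = True
            result["line"] = line
    return result


# Constructed samples; the hash strings are placeholders, not real grub-crypt output.
SAMPLE_SHA512 = """default=0
timeout=5
password --encrypted $6$constructedsalt$constructedsha512hash
splashimage=(hd0,0)/grub/splash.xpm.gz
"""
SAMPLE_MD5 = "default=0\npassword --md5 $1$constructedsalt$constructedmd5hash\n"
SAMPLE_COMMENTED = "default=0\n# password --encrypted $6$constructedsalt$constructedsha512hash\n"

if __name__ == "__main__":
    for name, text in [("sha512", SAMPLE_SHA512), ("md5", SAMPLE_MD5), ("commented", SAMPLE_COMMENTED)]:
        print(name, oval_check_passes(text), audit_grub_conf(text))
```

The commented sample shows the gap between the unanchored OVAL pattern, which passes it, and the line-based audit, which does not.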
On 5/29/12 9:09 PM, Joe Nall wrote:
-<ind:pattern operation="pattern match">password[\s]+--md5[\s]+.*</ind:pattern> +<ind:pattern operation="pattern match">password[\s]+--encrypted[\s]+.*</ind:pattern>
Much love for updating the OVAL check for this, in addition to the prose fix! Applied your patch locally and ran a quick scan, all checks out.
Ack to your patch.
scap-security-guide@lists.fedorahosted.org