From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-681941-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id CB38D1387FD
	for <garchives@archives.gentoo.org>; Sun, 30 Mar 2014 18:29:42 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 534DAE0AC0;
	Sun, 30 Mar 2014 18:29:42 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id BAF18E0AC0
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Mar 2014 18:29:41 +0000 (UTC)
Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id BDEF733FBFB
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Mar 2014 18:29:40 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by spoonbill.gentoo.org (Postfix) with ESMTP id 66D46188F3
	for <gentoo-commits@lists.gentoo.org>; Sun, 30 Mar 2014 18:29:39 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1396204167.e85228a786ea2041715e8e2193d93411261f1950.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
X-VCS-Repository: proj/hardened-docs
X-VCS-Files: xml/SCAP/gentoo-oval.xml xml/SCAP/gentoo-xccdf.xml
X-VCS-Directories: xml/SCAP/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: e85228a786ea2041715e8e2193d93411261f1950
X-VCS-Branch: master
Date: Sun, 30 Mar 2014 18:29:39 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: d563dfa5-6ea2-434d-b5ed-095a43415831
X-Archives-Hash: a3e747050cd8072ac020291436819818

commit:     e85228a786ea2041715e8e2193d93411261f1950
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 30 18:29:27 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 30 18:29:27 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=e85228a7

Check grub.conf with password md5 hash

---
 xml/SCAP/gentoo-oval.xml  | 62 +++++++++++++++++++++++++++++++++++++++++++++++
 xml/SCAP/gentoo-xccdf.xml | 11 +++++++++
 2 files changed, 73 insertions(+)

diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 7f6e674..f873701 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -562,6 +562,25 @@
     </criteria>
   </definition>
 
+  <definition id="oval:org.gentoo.dev.swift:def:34" version="1" class="compliance">
+    <metadata>
+      <title>/boot/grub/grub.conf has a password set</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        If /boot/grub/grub.conf exists, then it must have a password set.
+      </description>
+    </metadata>
+    <criteria operator="OR">
+      <criteria operator="AND">
+        <criterion test_ref="oval:org.gentoo.dev.swift:tst:37" comment="/boot/grub exists" />
+        <criterion test_ref="oval:org.gentoo.dev.swift:tst:35" comment="/boot/grub/grub.conf does not exist" />
+      </criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:36" comment="GRUB Legacy configuration has a password set" />
+    </criteria>
+  </definition>
+
 </definitions>
 
 <tests>
@@ -848,6 +867,27 @@
     <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
   </lin-def:partition_test>
 
+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:35"
+    version="1" check="all" check_existence="none_exist"
+    comment="/boot/grub/grub.conf does not exist">
+    <!-- The /boot/grub/grub.conf file -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:22" />
+  </unix-def:file_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:36"
+    comment="The grub.conf file has a password --md5 entry"
+    version="1" check="at least one" check_existence="at_least_one_exists">
+    <!-- The /boot/grub/grub.conf file content -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
+  </ind-def:textfilecontent54_test>
+
+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:37"
+    version="1" check="all" check_existence="all_exist"
+    comment="/boot/grub exists">
+    <!-- The /boot/grub location exists -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />
+  </unix-def:file_test>
 
 </tests>
 
@@ -974,6 +1014,23 @@
     <lin-def:mount_point>/proc</lin-def:mount_point>
   </lin-def:partition_object>
 
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:22"
+    version="1" comment="The /boot/grub/grub.conf file">
+    <unix-def:filepath>/boot/grub/grub.conf</unix-def:filepath>
+  </unix-def:file_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:23"
+    version="1" comment="The /boot/grub/grub.conf content">
+    <ind-def:filepath>/boot/grub/grub.conf</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^([^#\n]*)(?#.*)?$</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:24"
+    version="1" comment="The /boot/grub location">
+    <unix-def:filepath>/boot/grub</unix-def:filepath>
+  </unix-def:file_object>
+
 </objects>
 
 <states>
@@ -1048,6 +1105,11 @@
     <lin-def:mount_options entity_check="at least one" operation="pattern match">hidepid=[12]</lin-def:mount_options>
   </lin-def:partition_state>
 
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15"
+    version="1" comment="Has a password --md5 entry">
+    <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password --md5 [\S]+</ind-def:subexpression>
+  </ind-def:textfilecontent54_state>
+
 </states>
 
 <variables>

diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 3c3afcd..732bde3 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -103,6 +103,8 @@
     <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
     <!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
+    <!-- Make sure /boot/grub/grub.conf has a password entry with md5 hash -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="true" />
   </Profile>
   <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
     <title>Default server setup settings</title>
@@ -1513,6 +1515,15 @@ grub&gt; <h:b>quit</h:b></h:pre>
           using <h:code>password --md5 $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.</h:code>.
 	  </h:p>
         </description>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="false" severity="low" weight="6.9">
+	  <title>Grub legacy has a password entry with md5 hash</title>
+	  <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_grubconf-password-md5">
+	    Edit /boot/grub/grub.conf and set a password entry with md5 hash
+	  </fixtext>
+	  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+	    <check-content-ref name="oval:org.gentoo.dev.swift:def:34" href="gentoo-oval.xml" />
+	  </check>
+	</Rule>
       </Group>
       <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-lilopass">
         <title>Password protect LILO</title>