From e85228a786ea2041715e8e2193d93411261f1950 Mon Sep 17 00:00:00 2001
From: Sven Vermeulen <sven.vermeulen@siphos.be>
Date: Sun, 30 Mar 2014 20:29:27 +0200
Subject: Check grub.conf with password md5 hash

---
 xml/SCAP/gentoo-oval.xml  | 62 +++++++++++++++++++++++++++++++++++++++++++++++
 xml/SCAP/gentoo-xccdf.xml | 11 +++++++++
 2 files changed, 73 insertions(+)

diff --git a/xml/SCAP/gentoo-oval.xml b/xml/SCAP/gentoo-oval.xml
index 7f6e674..f873701 100644
--- a/xml/SCAP/gentoo-oval.xml
+++ b/xml/SCAP/gentoo-oval.xml
@@ -562,6 +562,25 @@
     </criteria>
   </definition>
 
+  <definition id="oval:org.gentoo.dev.swift:def:34" version="1" class="compliance">
+    <metadata>
+      <title>/boot/grub/grub.conf has a password set</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        If /boot/grub/grub.conf exists, then it must have a password set.
+      </description>
+    </metadata>
+    <criteria operator="OR">
+      <criteria operator="AND">
+        <criterion test_ref="oval:org.gentoo.dev.swift:tst:37" comment="/boot/grub exists" />
+        <criterion test_ref="oval:org.gentoo.dev.swift:tst:35" comment="/boot/grub/grub.conf does not exist" />
+      </criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:36" comment="GRUB Legacy configuration has a password set" />
+    </criteria>
+  </definition>
+
 </definitions>
 
 <tests>
@@ -848,6 +867,27 @@
     <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:14" />
   </lin-def:partition_test>
 
+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:35"
+    version="1" check="all" check_existence="none_exist"
+    comment="/boot/grub/grub.conf does not exist">
+    <!-- The /boot/grub/grub.conf file -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:22" />
+  </unix-def:file_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:36"
+    comment="The grub.conf file has a password --md5 entry"
+    version="1" check="at least one" check_existence="at_least_one_exists">
+    <!-- The /boot/grub/grub.conf file content -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:23" />
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15" />
+  </ind-def:textfilecontent54_test>
+
+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:37"
+    version="1" check="all" check_existence="all_exist"
+    comment="/boot/grub exists">
+    <!-- The /boot/grub location exists -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:24" />
+  </unix-def:file_test>
 
 </tests>
 
@@ -974,6 +1014,23 @@
     <lin-def:mount_point>/proc</lin-def:mount_point>
   </lin-def:partition_object>
 
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:22"
+    version="1" comment="The /boot/grub/grub.conf file">
+    <unix-def:filepath>/boot/grub/grub.conf</unix-def:filepath>
+  </unix-def:file_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:23"
+    version="1" comment="The /boot/grub/grub.conf content">
+    <ind-def:filepath>/boot/grub/grub.conf</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^([^#\n]*)(?#.*)?$</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:24"
+    version="1" comment="The /boot/grub location">
+    <unix-def:filepath>/boot/grub</unix-def:filepath>
+  </unix-def:file_object>
+
 </objects>
 
 <states>
@@ -1048,6 +1105,11 @@
     <lin-def:mount_options entity_check="at least one" operation="pattern match">hidepid=[12]</lin-def:mount_options>
   </lin-def:partition_state>
 
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15"
+    version="1" comment="Has a password --md5 entry">
+    <ind-def:subexpression datatype="string" operation="pattern match" entity_check="all">[\s]*password --md5 [\S]+</ind-def:subexpression>
+  </ind-def:textfilecontent54_state>
+
 </states>
 
 <variables>
diff --git a/xml/SCAP/gentoo-xccdf.xml b/xml/SCAP/gentoo-xccdf.xml
index 3c3afcd..732bde3 100644
--- a/xml/SCAP/gentoo-xccdf.xml
+++ b/xml/SCAP/gentoo-xccdf.xml
@@ -103,6 +103,8 @@
     <select idref="xccdf_org.gentoo.dev.swift_rule_securetty-limitentries" selected="true" />
     <!-- Make sure /proc is mounted with hidepid=1 or hidepid=2 -->
     <select idref="xccdf_org.gentoo.dev.swift_rule_proc-hidepid" selected="true" />
+    <!-- Make sure /boot/grub/grub.conf has a password entry with md5 hash -->
+    <select idref="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="true" />
   </Profile>
   <Profile id="xccdf_org.gentoo.dev.swift_profile_default" extends="xccdf_org.gentoo.dev.swift_profile_default-oval">
     <title>Default server setup settings</title>
@@ -1513,6 +1515,15 @@ grub&gt; <h:b>quit</h:b></h:pre>
           using <h:code>password --md5 $1$18u.M0$J8VbOsGXuoG9Fh3n7ZkqY.</h:code>.
 	  </h:p>
         </description>
+        <Rule id="xccdf_org.gentoo.dev.swift_rule_grubconf-password-md5" selected="false" severity="low" weight="6.9">
+	  <title>Grub legacy has a password entry with md5 hash</title>
+	  <fixtext fixref="xccdf_org.gentoo.dev.swift_fix_grubconf-password-md5">
+	    Edit /boot/grub/grub.conf and set a password entry with md5 hash
+	  </fixtext>
+	  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+	    <check-content-ref name="oval:org.gentoo.dev.swift:def:34" href="gentoo-oval.xml" />
+	  </check>
+	</Rule>
       </Group>
       <Group id="xccdf_org.gentoo.dev.swift_group_system-bootloader-lilopass">
         <title>Password protect LILO</title>
-- 
cgit v1.2.3-65-gdbad