SV-257787

controls/SV-257787.rb

@@ -5,18 +5,18 @@
 Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.'
   desc 'check', 'Verify the boot loader superuser password has been set and run the following command:
 
-$ sudo grep "superusers" /etc/grub2.cfg 
+$ sudo grep "superusers" /etc/grub2.cfg
 
-password_pbkdf2  superusers-account   ${GRUB2_PASSWORD}  
+password_pbkdf2  superusers-account   ${GRUB2_PASSWORD}
 
 To verify the boot loader superuser account password has been set, and the password encrypted, run the following command:
 
-$ sudo cat /boot/grub2/user.cfg 
+$ sudo cat /boot/grub2/user.cfg
 
 GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
-0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 
+0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
 
 If a "GRUB2_PASSWORD" is not set, this is a finding.'
   desc 'fix', 'Configure RHEL 9 to require a grub bootloader password for the grub superuser account.
@@ -38,4 +38,11 @@
   tag 'documentable'
   tag cci: ['CCI-000213']
   tag nist: ['AC-3']
+
+  describe file("/boot/grub2/user.cfg") do
+    its("content") { should match(/^\s*GRUB2_PASSWORD=grub.pbkdf2.sha512.\s*.+$/) }
+  end
+  describe file("/etc/grub2.cfg") do
+    its("content") { should match(/^password_pbkdf2\s*superusers-account\s*\$\{GRUB2_PASSWORD\}$/) }
+  end
 end