authorMarkos Chandras <mchandras@suse.de>2018-01-10 16:08:57 +0000
committerMarkos Chandras <mchandras@suse.de>2018-01-10 16:50:19 +0000
commit65dce4045a75e4a8533b51ffb2d47e4dcd9114a1 (patch)
treece98d7703f86334db580cc603fe4a8717225f056
parent8025799fe68370cab9bb5c20a5baaf1cf5ff8996 (diff)
tasks: auth: Pass --unrestricted to Linux Grub2 entries
The password protection aims only to prevent users from editing the menu entries, not from booting the system altogether. Fedora is patching the 10_linux file to use '--unrestricted' so all users can boot the system. As such, we apply a similar patch to the rest of the distros. Change-Id: I1390a330ea1f0b48e71fdcb548614d5582fffbd4 Link: http://pkgs.fedoraproject.org/cgit/rpms/grub2.git/tree/0109-Don-t-require-a-password-to-boot-entries-generated-b.patch Link: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html#Authentication-and-authorisation Closes-Bug: 1735709
Notes
Notes (review): Code-Review+2: Major Hayden <major@mhtx.net> Code-Review+2: Jesse Pretorius (odyssey4me) <jesse.pretorius@rackspace.co.uk> Workflow+1: Jesse Pretorius (odyssey4me) <jesse.pretorius@rackspace.co.uk> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Fri, 12 Jan 2018 13:53:53 +0000 Reviewed-on: https://review.openstack.org/532574 Project: openstack/ansible-hardening Branch: refs/heads/master
-rw-r--r--tasks/rhel7stig/auth.yml29
-rw-r--r--vars/main.yml2
2 files changed, 21 insertions, 10 deletions
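--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -174,19 +174,28 @@
     - always
 
 - name: Set a GRUB 2 password for single-user/maintenance modes
-  blockinfile:
-    path: "{{ grub_custom_file }}"
-    insertbefore: EOF
-    marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
-    block: |
-      set superusers="root"
-      password_pbkdf2 root {{ security_grub_password_hash }}
-    state: present
+  block:
+    - blockinfile:
+        path: "{{ grub_custom_file }}"
+        insertbefore: EOF
+        marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
+        block: |
+          set superusers="root"
+          password_pbkdf2 root {{ security_grub_password_hash }}
+        state: present
+      notify:
+        - update grub config
+    - lineinfile:
+        path: "{{ grub_linux_file }}"
+        regexp: '^CLASS=.*'
+        line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"'
+        state: present
+        backrefs: yes
+      notify:
+        - update grub config
   when:
     - grub_custom_file_check.stat.exists | bool
     - security_require_grub_authentication | bool
-  notify:
-    - update grub config
   tags:
     - auth
     - high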
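Review bot: The `when` guard on the block only checks `grub_custom_file_check.stat.exists`, yet the new lineinfile task writes to `grub_linux_file` whose existence is never checked; lineinfile does not create a missing file unless `create` is set, so a host without `/etc/grub.d/10_linux` would fail the whole block instead of skipping it. Registering a stat of `grub_linux_file` next to the existing custom-file check and adding a third condition, e.g. `- grub_linux_file_check.stat.exists | bool` (constructed name, mirror the existing check), keeps the task a no-op on such hosts. `backrefs: yes` should be written `backrefs: true` to match YAML 1.2 booleans, and because backrefs makes lineinfile leave the file untouched when no `^CLASS=` line matches, that replace-only intent deserves a comment such as `# backrefs: only rewrite an existing CLASS= line, never add one`. Since 10_linux is a package-owned file, a grub2 package update may presumably overwrite the edit until the role runs again, which is worth stating in the task name or a comment. The task starts and ends inside this hunk.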
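--- a/vars/main.yml
+++ b/vars/main.yml
@@ -22,6 +22,8 @@
 
 ## grub custom configuration
 grub_custom_file: /etc/grub.d/40_custom
+## grub main linux configuration
+grub_linux_file: /etc/grub.d/10_linux
 
 ## auditd configuration
 auditd_config: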