authorMarkos Chandras <mchandras@suse.de>2017-12-13 12:23:56 +0000
committerMarkos Chandras <mchandras@suse.de>2017-12-13 12:38:30 +0000
commita0810a9ca1d568c052d75b91b65159e21b764789 (patch)
treecb1a25326aec12c9f23045dcb9ca546745982c36
parent46a94c72518f83d27b25a5fa960dde7130956215 (diff)
tasks: auth: Use standard Grub2 authentication mechanism
GRUB_PASSWORD is not understood by vanilla grub2 installations. As such, we can use the recommended method of setting the superusers environment variable and using the password_pbkdf2 command. Change-Id: I07df3decf5e70b85a7dc48b8a8d1ca86e8878d09 Link: https://www.gnu.org/software/grub/manual/grub/grub.html#Security Closes-Bug: 1735709
Notes
Notes (review): Code-Review+2: Major Hayden <major@mhtx.net> Code-Review+2: Jesse Pretorius (odyssey4me) <jesse.pretorius@rackspace.co.uk> Workflow+1: Jesse Pretorius (odyssey4me) <jesse.pretorius@rackspace.co.uk> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Fri, 15 Dec 2017 15:16:15 +0000 Reviewed-on: https://review.openstack.org/527682 Project: openstack/ansible-hardening Branch: refs/heads/master
-rw-r--r--tasks/rhel7stig/auth.yml19
-rw-r--r--vars/debian.yml1
-rw-r--r--vars/main.yml3
-rw-r--r--vars/redhat.yml1
-rw-r--r--vars/suse.yml1
5 files changed, 14 insertions, 11 deletions
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 3687af1..5332079 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -165,22 +165,25 @@
165 165
166# NOTE(mhayden): Some systems, such as ARM, don't have grub at all. This task 166# NOTE(mhayden): Some systems, such as ARM, don't have grub at all. This task
167# should be skipped on those systems. 167# should be skipped on those systems.
168- name: Check if GRUB defaults file exists 168- name: Check if GRUB2 custom file exists
169 stat: 169 stat:
170 path: "{{ grub_defaults_file }}" 170 path: "{{ grub_custom_file }}"
171 register: grub_defaults_file_check 171 register: grub_custom_file_check
172 check_mode: no 172 check_mode: no
173 tags: 173 tags:
174 - always 174 - always
175 175
176- name: Set a GRUB 2 password for single-user/maintenance modes 176- name: Set a GRUB 2 password for single-user/maintenance modes
177 lineinfile: 177 blockinfile:
178 dest: "{{ grub_defaults_file }}" 178 path: "{{ grub_custom_file }}"
179 regexp: '^(#)?GRUB_PASSWORD' 179 insertbefore: EOF
180 line: 'GRUB_PASSWORD="{{ security_grub_password_hash }}"' 180 marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
181 block: |
182 set superusers="root"
183 password_pbkdf2 root {{ security_grub_password_hash }}
181 state: present 184 state: present
182 when: 185 when:
183 - grub_defaults_file_check.stat.exists | bool 186 - grub_custom_file_check.stat.exists | bool
184 - security_require_grub_authentication | bool 187 - security_require_grub_authentication | bool
185 notify: 188 notify:
186 - update grub config 189 - update grub config
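Review bot: With `set superusers="root"` in place, GRUB 2 asks for the superuser password on every menu entry that is not marked `--unrestricted` (and on the edit and command-line prompts), not only in single-user or maintenance mode as the task name at line 176 suggests; whether normal boots stay unattended depends on the distribution's `10_linux` generator emitting `--unrestricted`, which RHEL 7 does but Debian/Ubuntu, to my knowledge, do not, so hosts there would halt at a password prompt after a reboot. I would state that above the task: `# NOTE: 'set superusers' protects every menu entry that lacks --unrestricted; on platforms whose generated entries do not carry that flag, every boot will prompt for the password.`, and repeat it in the variable documentation for `security_require_grub_authentication`. The block is also pasted verbatim into a script that grub-mkconfig executes, so `password_pbkdf2 root {{ security_grub_password_hash }}` only works when the variable holds a `grub.pbkdf2.sha512.` hash as produced by `grub-mkpasswd-pbkdf2`; an empty or plaintext value produces a broken grub.cfg instead of a task failure. An `assert` task before this one, under the same `when` conditions, checking that the variable starts with that prefix would surface the misconfiguration at playbook time rather than at the next boot.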
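diff --git a/vars/debian.yml b/vars/debian.yml
index 7a82883..e89dffc 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -30,7 +30,6 @@ pam_postlogin_file: /etc/pam.d/login
 vsftpd_conf_file: /etc/vsftpd.conf
 grub_conf_file: /boot/grub/grub.cfg
 grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
-grub_defaults_file: /etc/default/grub
 aide_cron_job_path: /etc/cron.daily/aide
 aide_database_file: /var/lib/aide/aide.db
 aide_database_out_file: /var/lib/aide/aide.db.new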
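diff --git a/vars/main.yml b/vars/main.yml
index 08e7ede..ae7ad8a 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -20,6 +20,9 @@
 # - vars/redhat.yml
 # - vars/ubuntu.yml
 
+## grub custom configuration
+grub_custom_file: /etc/grub.d/40_custom
+
 ## auditd configuration
 auditd_config:
   - parameter: disk_full_action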
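diff --git a/vars/redhat.yml b/vars/redhat.yml
index 0e1c666..9949e87 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -26,7 +26,6 @@ pam_postlogin_file: /etc/pam.d/postlogin
 vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
 grub_conf_file: /boot/grub2/grub.cfg
 grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
-grub_defaults_file: /etc/sysconfig/grub
 aide_cron_job_path: /etc/cron.d/aide
 aide_database_file: /var/lib/aide/aide.db.gz
 aide_database_out_file: /var/lib/aide/aide.db.new.gz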
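diff --git a/vars/suse.yml b/vars/suse.yml
index 0d68027..f9ec6f3 100644
--- a/vars/suse.yml
+++ b/vars/suse.yml
@@ -28,7 +28,6 @@ grub_conf_file: /boot/grub2/grub.cfg
 # create the EFI distro directory. Since this information is not available on
 # Ansible, we have to improvise a bit...
 grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
-grub_defaults_file: /etc/default/grub
 aide_cron_job_path: /etc/cron.daily/aide
 aide_database_file: /var/lib/aide/aide.db
 aide_database_out_file: /var/lib/aide/aide.db.new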