tasks: auth: Use standard Grub2 authentication mechanism

GRUB_PASSWORD is not understood by vanilla grub2 installations. As such,
we switch to the method recommended by the GRUB manual: set the
`superusers` environment variable and use the `password_pbkdf2` command.

Change-Id: I07df3decf5e70b85a7dc48b8a8d1ca86e8878d09
Link: https://www.gnu.org/software/grub/manual/grub/grub.html#Security
Closes-Bug: 1735709
Markos Chandras 2017-12-13 12:23:56 +00:00
parent 46a94c7251
commit a0810a9ca1
5 changed files with 14 additions and 11 deletions


@ -165,22 +165,25 @@
# NOTE(mhayden): Some systems, such as ARM, don't have grub at all. This task
# should be skipped on those systems.
- name: Check if GRUB defaults file exists
- name: Check if GRUB2 custom file exists
stat:
path: "{{ grub_defaults_file }}"
register: grub_defaults_file_check
path: "{{ grub_custom_file }}"
register: grub_custom_file_check
check_mode: no
tags:
- always
- name: Set a GRUB 2 password for single-user/maintenance modes
lineinfile:
dest: "{{ grub_defaults_file }}"
regexp: '^(#)?GRUB_PASSWORD'
line: 'GRUB_PASSWORD="{{ security_grub_password_hash }}"'
blockinfile:
path: "{{ grub_custom_file }}"
insertbefore: EOF
marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
block: |
set superusers="root"
password_pbkdf2 root {{ security_grub_password_hash }}
state: present
when:
- grub_defaults_file_check.stat.exists | bool
- grub_custom_file_check.stat.exists | bool
- security_require_grub_authentication | bool
notify:
- update grub config
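Review bot: The new `set superusers="root"` line restricts every generated menu entry, not only single-user/maintenance boots as the task name claims — per the manual linked in the commit, a menuentry without `--users` or `--unrestricted` is restricted to superusers, so whether a normal boot now prompts for this password depends on whether the distribution's `10_linux` emits `--unrestricted`, which is not visible here. A comment above `blockinfile:` should say so, e.g. `# NOTE: with superusers set, any menuentry lacking --unrestricted also requires this password to boot`. The value of `security_grub_password_hash` is written verbatim, and a plaintext or mis-pasted value is unlikely to be rejected by grub-mkconfig's syntax check and would only fail at the GRUB prompt, so an `assert` task checking `security_grub_password_hash is match('^grub\.pbkdf2\.sha512\.')` before this one would catch that early. Hosts that ran the previous version of this role also keep the stale `GRUB_PASSWORD="…"` line in /etc/default/grub or /etc/sysconfig/grub, since nothing removes it. The enclosing task list starts before this hunk.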


@ -30,7 +30,6 @@ pam_postlogin_file: /etc/pam.d/login
vsftpd_conf_file: /etc/vsftpd.conf
grub_conf_file: /boot/grub/grub.cfg
grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
grub_defaults_file: /etc/default/grub
aide_cron_job_path: /etc/cron.daily/aide
aide_database_file: /var/lib/aide/aide.db
aide_database_out_file: /var/lib/aide/aide.db.new


@ -20,6 +20,9 @@
# - vars/redhat.yml
# - vars/ubuntu.yml
## grub custom configuration
grub_custom_file: /etc/grub.d/40_custom
## auditd configuration
auditd_config:
- parameter: disk_full_action
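Review bot: The new `grub_custom_file` default carries only the heading `## grub custom configuration`, which does not tell an operator that the role appends a managed `set superusers` / `password_pbkdf2` block to this grub.d script or that the change only reaches grub.cfg once the `update grub config` handler runs. Suggest replacing the heading with `## grub.d script that receives the role's managed GRUB superuser/password block; only takes effect after grub.cfg is regenerated`. The surrounding defaults mapping continues outside this hunk.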


@ -26,7 +26,6 @@ pam_postlogin_file: /etc/pam.d/postlogin
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
grub_conf_file: /boot/grub2/grub.cfg
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
grub_defaults_file: /etc/sysconfig/grub
aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz
aide_database_out_file: /var/lib/aide/aide.db.new.gz


@ -28,7 +28,6 @@ grub_conf_file: /boot/grub2/grub.cfg
# create the EFI distro directory. Since this information is not available on
# Ansible, we have to improvise a bit...
grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
grub_defaults_file: /etc/default/grub
aide_cron_job_path: /etc/cron.daily/aide
aide_database_file: /var/lib/aide/aide.db
aide_database_out_file: /var/lib/aide/aide.db.new