Set grub2 password [+Docs]

This patch allows deployers to optionally set a GRUB 2 password for accessing
single-user and maintenance runlevels. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I33d1ef4dec72d196deaca142169675aa5077740b

defaults/main.yml

@@ -548,6 +548,10 @@ security_enable_firewalld: no                                # RHEL-07-040290
 security_enable_firewalld_rate_limit: no                     # RHEL-07-040250
 security_enable_firewalld_rate_limit_per_minute: 25
 security_enable_firewalld_rate_limit_burst: 100
+# Require authentication in GRUB to boot into single-user or maintenance modes.
+security_require_grub_authentication: no                     # RHEL-07-010460 / RHEL-07-010470
+# The default password for grub authentication is 'secrete'.
+security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these

doc/metadata/rhel7/RHEL-07-010460.rst

@@ -1,7 +1,28 @@
 ---
 id: RHEL-07-010460
-status: not implemented
+status: opt-in
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+Although the STIG requires that GRUB 2 asks for a password whenever a user
+attempts to enter single-user or maintenance mode, this change might be
+disruptive in an emergency situation. Therefore, this change is not applied by
+default.
+
+Deployers that wish to opt in for this change should set two Ansible variables:
+
+.. code-block:: yaml
+
+    security_require_grub_authentication: yes
+    security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC...
+
+The default password set in the security role is 'secrete', but deployers
+should set a much more secure password for production environments. Use the
+``grub2-mkpasswd-pbkdf2`` command to create a password hash string and use it
+as the value for the Ansible variable ``security_grub_password_hash``.
+
+.. warning::
+
+    This change must be tested in a non-production environment first. Requiring
+    authentication in GRUB 2 without proper communication to users could cause
+    extensive delays in emergency situations.

doc/metadata/rhel7/RHEL-07-010470.rst

@@ -1,7 +1,10 @@
 ---
 id: RHEL-07-010470
-status: not implemented
+status: opt-in
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the security role for RHEL-07-010460 will also apply changes to
+systems that use UEFI. For more details, refer to the following documentation:
+
+* :ref:`stig-RHEL-07-010460`

handlers/main.yml

@@ -81,7 +81,7 @@
 # change, which breaks V-38583.
 - name: set bootloader file permissions after updating grub config
   file:
-    path: "{{ grub_conf_file }}"
+    path: "{{ grub_config_file_boot }}"
     mode: 0644
 
 - name: dconf update

tasks/main.yml

@@ -36,10 +36,15 @@
     tags:
       - always
 
+  - name: Check to see if we're booting with EFI/UEFI
+    set_fact:
+      booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
+
   - name: Set facts
     set_fact:
       check_mode: "{{ noop_result | skipped }}"
       linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}"
+      grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
     tags:
       - always
 

tasks/rhel7stig/auth.yml

@@ -294,6 +294,22 @@
     - RHEL-07-010401
     - RHEL-07-010402
 
+- name: Set a GRUB 2 password for single-user/maintenance modes
+  lineinfile:
+    dest: "{{ grub_defaults_file }}"
+    regexp: '^(#)?GRUB_PASSWORD'
+    line: 'GRUB_PASSWORD="{{ security_grub_password_hash }}"'
+    state: present
+  when:
+    - security_require_grub_authentication | bool
+  notify:
+    - update grub config
+  tags:
+    - auth
+    - high
+    - RHEL-07-010460
+    - RHEL-07-010470
+
 - name: Get all accounts with UID 0
   shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
   changed_when: False

tests/test.yml

@@ -88,3 +88,4 @@
     security_disable_account_if_password_expires: yes
     security_rhel7_initialize_aide: yes
     security_rhel7_automatic_package_updates: yes
+    security_require_grub_authentication: yes

vars/redhat.yml

@@ -24,6 +24,8 @@ pam_auth_file: /etc/pam.d/system-auth
 pam_password_file: /etc/pam.d/password-auth
 vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
 grub_conf_file: /boot/grub2/grub.cfg
+grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
+grub_defaults_file: /etc/sysconfig/grub
 aide_cron_job_path: /etc/cron.d/aide
 aide_database_file: /var/lib/aide/aide.db.gz
 chrony_conf_file: /etc/chrony.conf
@@ -35,7 +37,7 @@ chrony_service: chronyd
 clamav_service: 'clamd@scan'
 
 # Commands
-grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
+grub_update_cmd: "grub2-mkconfig -o {{ grub_config_file_boot }}"
 ssh_keysign_path: /usr/libexec/openssh
 
 # RHEL 6 STIG: Packages to add/remove

vars/ubuntu.yml

@@ -27,6 +27,8 @@ pam_auth_file: /etc/pam.d/common-auth
 pam_password_file: /etc/pam.d/common-password
 vsftpd_conf_file: /etc/vsftpd.conf
 grub_conf_file: /boot/grub/grub.cfg
+grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
+grub_defaults_file: /etc/default/grub
 aide_cron_job_path: /etc/cron.daily/aide
 aide_database_file: /var/lib/aide/aide.db
 chrony_conf_file: /etc/chrony/chrony.conf