diff --git a/defaults/main.yml b/defaults/main.yml
index 927d3ac2..6f12206b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -548,6 +548,10 @@ security_enable_firewalld: no # RHEL-07-040290
 security_enable_firewalld_rate_limit: no # RHEL-07-040250
 security_enable_firewalld_rate_limit_per_minute: 25
 security_enable_firewalld_rate_limit_burst: 100
+# Require authentication in GRUB to boot into single-user or maintenance modes.
+security_require_grub_authentication: no # RHEL-07-010460 / RHEL-07-010470
+# The default password for grub authentication is 'secrete'.
+security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
diff --git a/doc/metadata/rhel7/RHEL-07-010460.rst b/doc/metadata/rhel7/RHEL-07-010460.rst
index 34710c35..5c8af522 100644
--- a/doc/metadata/rhel7/RHEL-07-010460.rst
+++ b/doc/metadata/rhel7/RHEL-07-010460.rst
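Review bot: `security_grub_password_hash` ships a fixed PBKDF2 hash whose cleartext ('secrete') is spelled out in the comment directly above it, so a deployer who sets `security_require_grub_authentication: yes` without also overriding the hash ends up with a bootloader password that is public knowledge, which leaves RHEL-07-010460 effectively unmet while the role reports it applied. Consider defaulting the hash to an empty value and having the consuming task fail with a clear message when it is unset, or at minimum replace the comment with `# Test-only value: production deployers MUST override this with the output of grub2-mkpasswd-pbkdf2.` so the default is not mistaken for a sane one. The tests/test.yml hunk in this commit enables the feature with that default, so the fixture would need a test-only hash of its own if the default is removed.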
@@ -1,7 +1,28 @@ --- id: RHEL-07-010460 -status: not implemented +status: opt-in tag: misc --- -This STIG requirement is not yet implemented. +Although the STIG requires that GRUB 2 asks for a password whenever a user +attempts to enter single-user or maintenance mode, this change might be +disruptive in an emergency situation. Therefore, this change is not applied by +default. + +Deployers that wish to opt in for this change should set two Ansible variables: + +.. code-block:: yaml + + security_require_grub_authentication: yes + security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC... + +The default password set in the security role is 'secrete', but deployers +should set a much more secure password for production environments. Use the +``grub2-mkpasswd-pbkdf2`` command to create a password hash string and use it +as the value for the Ansible variable ``security_grub_password_hash``. + +.. warning:: + + This change must be tested in a non-production environment first. Requiring + authentication in GRUB 2 without proper communication to users could cause + extensive delays in emergency situations. diff --git a/doc/metadata/rhel7/RHEL-07-010470.rst b/doc/metadata/rhel7/RHEL-07-010470.rst index 023c68eb..e41ea284 100644 --- a/doc/metadata/rhel7/RHEL-07-010470.rst +++ b/doc/metadata/rhel7/RHEL-07-010470.rst @@ -1,7 +1,10 @@ --- id: RHEL-07-010470 -status: not implemented +status: opt-in tag: misc --- -This STIG requirement is not yet implemented. +The tasks in the security role for RHEL-07-010460 will also apply changes to +systems that use UEFI. For more details, refer to the following documentation: + +* :ref:`stig-RHEL-07-010460` diff --git a/handlers/main.yml b/handlers/main.yml index 2f164012..c033fa99 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -81,7 +81,7 @@ # change, which breaks V-38583. - name: set bootloader file permissions after updating grub config file: - path: "{{ grub_conf_file }}" + path: "{{ grub_config_file_boot }}" mode: 0644 - name: dconf update diff --git a/tasks/main.yml b/tasks/main.yml index 5f98253f..d8ed6b7f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -36,10 +36,15 @@ tags: - always + - name: Check to see if we're booting with EFI/UEFI + set_fact: + booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}" + - name: Set facts set_fact: check_mode: "{{ noop_result | skipped }}" linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}" + grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}" tags: - always diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml index 2fe9a49d..36390780 100644 --- a/tasks/rhel7stig/auth.yml +++ b/tasks/rhel7stig/auth.yml @@ -294,6 +294,22 @@ - RHEL-07-010401 - RHEL-07-010402 +- name: Set a GRUB 2 password for single-user/maintenance modes + lineinfile: + dest: "{{ grub_defaults_file }}" + regexp: '^(#)?GRUB_PASSWORD' + line: 'GRUB_PASSWORD="{{ security_grub_password_hash }}"' + state: present + when: + - security_require_grub_authentication | bool + notify: + - update grub config + tags: + - auth + - high + - RHEL-07-010460 + - RHEL-07-010470 + - name: Get all accounts with UID 0 shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd" changed_when: False diff --git a/tests/test.yml b/tests/test.yml index 8bbe74a5..b05381fc 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -88,3 +88,4 @@ security_disable_account_if_password_expires: yes security_rhel7_initialize_aide: yes security_rhel7_automatic_package_updates: yes + security_require_grub_authentication: yes diff --git a/vars/redhat.yml b/vars/redhat.yml index 3abe4b78..14083b83 100644 --- a/vars/redhat.yml +++ b/vars/redhat.yml 
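Review bot: With `path` switched to `grub_config_file_boot`, this handler applies `mode: 0644` to the EFI System Partition's grub.cfg on UEFI hosts, and that partition is normally a vfat mount with a fixed umask where chmod to a non-matching mode fails with EPERM rather than taking effect; the handler would then fail after the new GRUB password task notifies it, aborting the play on exactly the hosts the change targets. I cannot see the mount options from here, so treat this as something to verify on a UEFI test host. A guard such as `when: not booted_with_efi | bool` on this handler, or keeping the permission fix on `grub_conf_file` (the BIOS path the V-38583 comment refers to), would avoid it. The handler is a single task and is fully within the hunk.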
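Review bot: The new `Check to see if we're booting with EFI/UEFI` task carries no `tags: - always`, unlike the `Set facts` task right below it that consumes `booted_with_efi`, so a run limited with `--tags` (for example `--tags auth`) skips the check and `Set facts` fails on an undefined `booted_with_efi`. The detection itself keys on `/boot/efi` being present in `ansible_mounts`, so a host that booted via UEFI but has its ESP mounted elsewhere, or not mounted at fact-gathering time, is classified as BIOS and `grub_config_file_boot` then points at a grub.cfg the firmware never reads, which silently undoes the GRUB password added in tasks/rhel7stig/auth.yml. The kernel exposes the firmware mode directly via `/sys/firmware/efi`, independent of mount layout, so a `stat` on that path is a more reliable basis for the fact. Suggested replacement for the new task; the `Set facts` task after it is unchanged:

```yaml
- name: Check to see if we're booting with EFI/UEFI
  stat:
    path: /sys/firmware/efi
  register: efi_firmware_dir
  tags:
    - always

- name: Set EFI boot fact
  set_fact:
    booted_with_efi: "{{ efi_firmware_dir.stat.exists }}"
  tags:
    - always
# … unchanged: Set facts task …
```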
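Review bot: The task writes `GRUB_PASSWORD="..."` into `grub_defaults_file` (/etc/sysconfig/grub on RHEL per vars/redhat.yml), but as far as I know grub2-mkconfig does not read a `GRUB_PASSWORD` variable; on RHEL 7 the generated grub.cfg only gains `set superusers`/`password_pbkdf2` entries when a /etc/grub.d script supplies them (the vendor 01_users script reads /boot/grub2/user.cfg as written by grub2-setpassword). Unless the role ships such a script elsewhere, which this commit does not show, the notified handler regenerates grub.cfg without any password while the play reports RHEL-07-010460 as applied. A cheap safeguard regardless is a verification task that runs after the handler and is gated by the same `when`, e.g. `- name: Verify a GRUB password is present in the generated config` with `command: grep -q password_pbkdf2 {{ grub_config_file_boot }}` and `changed_when: False`, so a silent no-op surfaces as a failed play. It would also be worth an `assert` that `security_grub_password_hash` differs from the value shipped in defaults/main.yml before it is written.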
@@ -24,6 +24,8 @@ pam_auth_file: /etc/pam.d/system-auth
 pam_password_file: /etc/pam.d/password-auth
 vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
 grub_conf_file: /boot/grub2/grub.cfg
+grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
+grub_defaults_file: /etc/sysconfig/grub
 aide_cron_job_path: /etc/cron.d/aide
 aide_database_file: /var/lib/aide/aide.db.gz
 chrony_conf_file: /etc/chrony.conf
@@ -35,7 +37,7 @@ chrony_service: chronyd
 clamav_service: 'clamd@scan'
 
 # Commands
-grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
+grub_update_cmd: "grub2-mkconfig -o {{ grub_config_file_boot }}"
 ssh_keysign_path: /usr/libexec/openssh
 
 # RHEL 6 STIG: Packages to add/remove
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
index 5d589a9f..e2022ed2 100644
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@@ -27,6 +27,8 @@ pam_auth_file: /etc/pam.d/common-auth
 pam_password_file: /etc/pam.d/common-password
 vsftpd_conf_file: /etc/vsftpd.conf
 grub_conf_file: /boot/grub/grub.cfg
+grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
+grub_defaults_file: /etc/default/grub
 aide_cron_job_path: /etc/cron.daily/aide
 aide_database_file: /var/lib/aide/aide.db
 chrony_conf_file: /etc/chrony/chrony.conf
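Review bot: `grub_update_cmd` in vars/redhat.yml now embeds `{{ grub_config_file_boot }}`, a fact that only exists once the `Set facts` task in tasks/main.yml has run, so the value is only valid from that point on; Ansible's lazy rendering makes the handler work, but any earlier reference fails with an undefined variable and nothing in this file records the dependency. Suggest a comment above the line: `# grub_config_file_boot is a fact set in tasks/main.yml (BIOS vs. EFI grub.cfg); usable only after that task.` The same documentation point applies to `grub_conf_file_efi` in the first hunk, which derives the ESP directory from `ansible_distribution`: a one-line comment listing the directory names this is expected to produce (for example `redhat`, `centos`) would make it obvious what to check when another distribution is added.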