Set grub2 password [+Docs]
This patch allows deployers to optionally set a GRUB 2 password for accessing single-user and maintenance runlevels. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I33d1ef4dec72d196deaca142169675aa5077740b
parent
e5db8521d9
commit
280e797a4e
@ -548,6 +548,10 @@ security_enable_firewalld: no # RHEL-07-040290
|
|||||||
security_enable_firewalld_rate_limit: no # RHEL-07-040250
|
security_enable_firewalld_rate_limit: no # RHEL-07-040250
|
||||||
security_enable_firewalld_rate_limit_per_minute: 25
|
security_enable_firewalld_rate_limit_per_minute: 25
|
||||||
security_enable_firewalld_rate_limit_burst: 100
|
security_enable_firewalld_rate_limit_burst: 100
|
||||||
|
# Require authentication in GRUB to boot into single-user or maintenance modes.
|
||||||
|
security_require_grub_authentication: no # RHEL-07-010460 / RHEL-07-010470
|
||||||
|
# The default password for grub authentication is 'secrete'.
|
||||||
|
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
|
||||||
|
|
||||||
## Packages (packages)
|
## Packages (packages)
|
||||||
# Remove packages from the system as required by the STIG. Set any of these
|
# Remove packages from the system as required by the STIG. Set any of these
|
||||||
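Review bot: The shipped default for `security_grub_password_hash` is the hash of a password the comment above it spells out, so a deployer who sets `security_require_grub_authentication` to yes without also overriding the hash ends up with a GRUB password that is public knowledge and protects nothing. Consider leaving the default empty and failing the play when the flag is enabled but the hash is unset or still equal to the shipped value; the natural place for that `assert`/`fail` is immediately before the lineinfile task in the later hunk that writes GRUB_PASSWORD. At minimum, add a comment directly above the hash: `# Override this for production: the default corresponds to a publicly documented password and provides no protection.`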
|
@ -1,7 +1,28 @@
|
|||||||
---
|
---
|
||||||
id: RHEL-07-010460
|
id: RHEL-07-010460
|
||||||
status: not implemented
|
status: opt-in
|
||||||
tag: misc
|
tag: misc
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
Although the STIG requires that GRUB 2 asks for a password whenever a user
|
||||||
|
attempts to enter single-user or maintenance mode, this change might be
|
||||||
|
disruptive in an emergency situation. Therefore, this change is not applied by
|
||||||
|
default.
|
||||||
|
|
||||||
|
Deployers that wish to opt in for this change should set two Ansible variables:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
security_require_grub_authentication: yes
|
||||||
|
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC...
|
||||||
|
|
||||||
|
The default password set in the security role is 'secrete', but deployers
|
||||||
|
should set a much more secure password for production environments. Use the
|
||||||
|
``grub2-mkpasswd-pbkdf2`` command to create a password hash string and use it
|
||||||
|
as the value for the Ansible variable ``security_grub_password_hash``.
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
This change must be tested in a non-production environment first. Requiring
|
||||||
|
authentication in GRUB 2 without proper communication to users could cause
|
||||||
|
extensive delays in emergency situations.
|
||||||
|
@ -1,7 +1,10 @@
|
|||||||
---
|
---
|
||||||
id: RHEL-07-010470
|
id: RHEL-07-010470
|
||||||
status: not implemented
|
status: opt-in
|
||||||
tag: misc
|
tag: misc
|
||||||
---
|
---
|
||||||
|
|
||||||
This STIG requirement is not yet implemented.
|
The tasks in the security role for RHEL-07-010460 will also apply changes to
|
||||||
|
systems that use UEFI. For more details, refer to the following documentation:
|
||||||
|
|
||||||
|
* :ref:`stig-RHEL-07-010460`
|
||||||
|
@ -81,7 +81,7 @@
|
|||||||
# change, which breaks V-38583.
|
# change, which breaks V-38583.
|
||||||
- name: set bootloader file permissions after updating grub config
|
- name: set bootloader file permissions after updating grub config
|
||||||
file:
|
file:
|
||||||
path: "{{ grub_conf_file }}"
|
path: "{{ grub_config_file_boot }}"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: dconf update
|
- name: dconf update
|
||||||
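Review bot: Switching the handler's `path` to `grub_config_file_boot` means that on UEFI hosts it now runs `chmod 0644` against a file on the ESP, which is a vfat filesystem without POSIX permission bits; the mode there is fixed by the mount's umask (commonly 0077), so the change will be either silently ignored or rejected with EPERM depending on mount options, and in the latter case the handler fails the play. Add `when: not booted_with_efi | bool` to this handler, or keep it pointed at the non-EFI `grub_conf_file` which is the file that actually carries permissions — worth confirming on a UEFI test host. The existing `mode: 0644` would also be safer quoted as `"0644"`, since an unquoted leading-zero literal is parsed as an octal integer only on YAML 1.1 loaders.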
|
@ -36,10 +36,15 @@
|
|||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
|
- name: Check to see if we're booting with EFI/UEFI
|
||||||
|
set_fact:
|
||||||
|
booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
|
||||||
|
|
||||||
- name: Set facts
|
- name: Set facts
|
||||||
set_fact:
|
set_fact:
|
||||||
check_mode: "{{ noop_result | skipped }}"
|
check_mode: "{{ noop_result | skipped }}"
|
||||||
linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}"
|
linux_security_module: "{{ (ansible_os_family == 'Debian') | ternary('apparmor','selinux') }}"
|
||||||
|
grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
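Review bot: The new "Check to see if we're booting with EFI/UEFI" task carries no `tags: - always`, unlike the "Set facts" task right after it that consumes `booted_with_efi`; a run with `--tags` or `--skip-tags` that skips the new task leaves the variable undefined, and the always-tagged `grub_config_file_boot` fact then fails to render. Add `tags:` / `- always` to the new task so the two facts are always set together. Separately, detecting EFI by whether `/boot/efi` appears in `ansible_mounts` misreports hosts where the ESP is mounted elsewhere or not mounted at fact-gathering time; a `stat` of `/sys/firmware/efi` is the direct signal, which I'd suggest confirming against the platforms the role targets.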
|
@ -294,6 +294,22 @@
|
|||||||
- RHEL-07-010401
|
- RHEL-07-010401
|
||||||
- RHEL-07-010402
|
- RHEL-07-010402
|
||||||
|
|
||||||
|
- name: Set a GRUB 2 password for single-user/maintenance modes
|
||||||
|
lineinfile:
|
||||||
|
dest: "{{ grub_defaults_file }}"
|
||||||
|
regexp: '^(#)?GRUB_PASSWORD'
|
||||||
|
line: 'GRUB_PASSWORD="{{ security_grub_password_hash }}"'
|
||||||
|
state: present
|
||||||
|
when:
|
||||||
|
- security_require_grub_authentication | bool
|
||||||
|
notify:
|
||||||
|
- update grub config
|
||||||
|
tags:
|
||||||
|
- auth
|
||||||
|
- high
|
||||||
|
- RHEL-07-010460
|
||||||
|
- RHEL-07-010470
|
||||||
|
|
||||||
- name: Get all accounts with UID 0
|
- name: Get all accounts with UID 0
|
||||||
shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
|
shell: "awk -F: '$3 == 0 {print $1}' /etc/passwd"
|
||||||
changed_when: False
|
changed_when: False
|
||||||
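Review bot: Writing `GRUB_PASSWORD="..."` into `{{ grub_defaults_file }}` only enforces the control if the grub2-mkconfig helper scripts on the target actually read that variable; upstream grub-mkconfig does not, and nothing in this change shows where it is consumed, so the regenerated grub.cfg may contain no `superusers`/`password_pbkdf2` stanza while the task and handler both report success. Please verify on each supported platform that the generated config contains the password entry, and record the mechanism in a comment above the task, e.g. `# GRUB_PASSWORD is read by <grub.d script — fill in> during grub2-mkconfig; verify the generated config contains password_pbkdf2`. A post-handler check that greps the generated config for `password_pbkdf2` with `failed_when` would make the control verifiable in the role's tests rather than assumed.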
|
@ -88,3 +88,4 @@
|
|||||||
security_disable_account_if_password_expires: yes
|
security_disable_account_if_password_expires: yes
|
||||||
security_rhel7_initialize_aide: yes
|
security_rhel7_initialize_aide: yes
|
||||||
security_rhel7_automatic_package_updates: yes
|
security_rhel7_automatic_package_updates: yes
|
||||||
|
security_require_grub_authentication: yes
|
||||||
|
@ -24,6 +24,8 @@ pam_auth_file: /etc/pam.d/system-auth
|
|||||||
pam_password_file: /etc/pam.d/password-auth
|
pam_password_file: /etc/pam.d/password-auth
|
||||||
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
|
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
|
||||||
grub_conf_file: /boot/grub2/grub.cfg
|
grub_conf_file: /boot/grub2/grub.cfg
|
||||||
|
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
|
||||||
|
grub_defaults_file: /etc/sysconfig/grub
|
||||||
aide_cron_job_path: /etc/cron.d/aide
|
aide_cron_job_path: /etc/cron.d/aide
|
||||||
aide_database_file: /var/lib/aide/aide.db.gz
|
aide_database_file: /var/lib/aide/aide.db.gz
|
||||||
chrony_conf_file: /etc/chrony.conf
|
chrony_conf_file: /etc/chrony.conf
|
||||||
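Review bot: `grub_defaults_file: /etc/sysconfig/grub` on RHEL 7 is typically a symlink to `/etc/default/grub`, which is the file grub2-mkconfig sources; because lineinfile writes a temporary file and renames it into place, the edit in the tasks hunk may replace the symlink with a regular file and leave `/etc/default/grub` untouched, so the password line never reaches the generated config. Point the variable at `/etc/default/grub` directly, or set `follow: yes` on that lineinfile task — confirm which behaviour the Ansible version in use shows. The derived `grub_conf_file_efi` directory name (`ansible_distribution` lower-cased with spaces removed) looks right for RedHat/CentOS/Fedora but is worth checking on any other distribution the role supports.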
@ -35,7 +37,7 @@ chrony_service: chronyd
|
|||||||
clamav_service: 'clamd@scan'
|
clamav_service: 'clamd@scan'
|
||||||
|
|
||||||
# Commands
|
# Commands
|
||||||
grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
|
grub_update_cmd: "grub2-mkconfig -o {{ grub_config_file_boot }}"
|
||||||
ssh_keysign_path: /usr/libexec/openssh
|
ssh_keysign_path: /usr/libexec/openssh
|
||||||
|
|
||||||
# RHEL 6 STIG: Packages to add/remove
|
# RHEL 6 STIG: Packages to add/remove
|
||||||
|
@ -27,6 +27,8 @@ pam_auth_file: /etc/pam.d/common-auth
|
|||||||
pam_password_file: /etc/pam.d/common-password
|
pam_password_file: /etc/pam.d/common-password
|
||||||
vsftpd_conf_file: /etc/vsftpd.conf
|
vsftpd_conf_file: /etc/vsftpd.conf
|
||||||
grub_conf_file: /boot/grub/grub.cfg
|
grub_conf_file: /boot/grub/grub.cfg
|
||||||
|
grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
|
||||||
|
grub_defaults_file: /etc/default/grub
|
||||||
aide_cron_job_path: /etc/cron.daily/aide
|
aide_cron_job_path: /etc/cron.daily/aide
|
||||||
aide_database_file: /var/lib/aide/aide.db
|
aide_database_file: /var/lib/aide/aide.db
|
||||||
chrony_conf_file: /etc/chrony/chrony.conf
|
chrony_conf_file: /etc/chrony/chrony.conf
|
||||||
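Review bot: On Ubuntu's signed UEFI install, `/boot/efi/EFI/ubuntu/grub.cfg` is normally a small stub that sets the prefix and chains to `/boot/grub/grub.cfg`, not the full generated configuration; if `grub_config_file_boot` selects this path on EFI hosts and the update command regenerates into it, the stub is overwritten with a full config and later `update-grub` runs (which write `/boot/grub/grub.cfg`) would no longer be what the firmware boots. Confirm this is intended; if not, set the Ubuntu `grub_conf_file_efi` to `/boot/grub/grub.cfg` or exclude Debian-family hosts from the EFI override. The Ubuntu `grub_update_cmd` is outside this hunk, so I cannot see whether it was switched to `grub_config_file_boot` as the RHEL one was.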
|