tasks: auth: Use standard Grub2 authentication mechanism

GRUB_PASSWORD is not understood by vanilla grub2 installations. As such, we can use the recommended method by setting the superusers environment variable and using the password_pbkdf2 command Change-Id: I07df3decf5e70b85a7dc48b8a8d1ca86e8878d09 Link: https://www.gnu.org/software/grub/manual/grub/grub.html#Security Closes-Bug: 1735709
2017-12-13 12:23:56 +00:00 · 2017-12-13 12:23:56 +00:00 · a0810a9ca1
commit a0810a9ca1
parent 46a94c7251
5 changed files with 14 additions and 11 deletions
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@ -165,22 +165,25 @@

 # NOTE(mhayden): Some systems, such as ARM, don't have grub at all. This task
 # should be skipped on those systems.
- name: Check if GRUB defaults file exists
+- name: Check if GRUB2 custom file exists
  stat:
-    path: "{{ grub_defaults_file }}"
-  register: grub_defaults_file_check
+    path: "{{ grub_custom_file }}"
+  register: grub_custom_file_check
  check_mode: no
  tags:
    - always

 - name: Set a GRUB 2 password for single-user/maintenance modes
-  lineinfile:
-    dest: "{{ grub_defaults_file }}"
-    regexp: '^(#)?GRUB_PASSWORD'
-    line: 'GRUB_PASSWORD="{{ security_grub_password_hash }}"'
+  blockinfile:
+    path: "{{ grub_custom_file }}"
+    insertbefore: EOF
+    marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
+    block: |
+      set superusers="root"
+      password_pbkdf2 root {{ security_grub_password_hash }}
    state: present
  when:
-    - grub_defaults_file_check.stat.exists | bool
+    - grub_custom_file_check.stat.exists | bool
    - security_require_grub_authentication | bool
  notify:
    - update grub config
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -30,7 +30,6 @@ pam_postlogin_file: /etc/pam.d/login
 vsftpd_conf_file: /etc/vsftpd.conf
 grub_conf_file: /boot/grub/grub.cfg
 grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
-grub_defaults_file: /etc/default/grub
 aide_cron_job_path: /etc/cron.daily/aide
 aide_database_file: /var/lib/aide/aide.db
 aide_database_out_file: /var/lib/aide/aide.db.new
--- a/vars/main.yml
+++ b/vars/main.yml
@ -20,6 +20,9 @@
 #   - vars/redhat.yml
 #   - vars/ubuntu.yml

+## grub custom configuration
+grub_custom_file: /etc/grub.d/40_custom
+
 ## auditd configuration
 auditd_config:
  - parameter: disk_full_action
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -26,7 +26,6 @@ pam_postlogin_file: /etc/pam.d/postlogin
 vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
 grub_conf_file: /boot/grub2/grub.cfg
 grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
-grub_defaults_file: /etc/sysconfig/grub
 aide_cron_job_path: /etc/cron.d/aide
 aide_database_file: /var/lib/aide/aide.db.gz
 aide_database_out_file: /var/lib/aide/aide.db.new.gz
--- a/vars/suse.yml
+++ b/vars/suse.yml
@ -28,7 +28,6 @@ grub_conf_file: /boot/grub2/grub.cfg
 # create the EFI distro directory. Since this information is not available on
 # Ansible, we have to improvise a bit...
 grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
-grub_defaults_file: /etc/default/grub
 aide_cron_job_path: /etc/cron.daily/aide
 aide_database_file: /var/lib/aide/aide.db
 aide_database_out_file: /var/lib/aide/aide.db.new