From a7964a4414720b16427b13c0a0e956834bbd5909 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 7 Oct 2015 16:39:54 -0500
Subject: [PATCH] V-38579: grub.conf owned by root

Implements: blueprint security-hardening
Change-Id: Ibbc5cfe51484d01b304abf61bf944930eddd24c4
---
 doc/source/developer-notes/V-38579.rst | 2 ++
 openstack-ansible-security/tasks/boot.yml | 9 +++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38579.rst

diff --git a/doc/source/developer-notes/V-38579.rst b/doc/source/developer-notes/V-38579.rst
new file mode 100644
index 00000000..ac733bcd
--- /dev/null
+++ b/doc/source/developer-notes/V-38579.rst
@@ -0,0 +1,2 @@
+Ubuntu 14.04 sets the ownership on ``/boot/grub/grub.cfg`` to root by default.
+The Ansible task will ensure that the secure default is maintained.
diff --git a/openstack-ansible-security/tasks/boot.yml b/openstack-ansible-security/tasks/boot.yml
index 6f289ac1..3a752ae6 100644
--- a/openstack-ansible-security/tasks/boot.yml
+++ b/openstack-ansible-security/tasks/boot.yml
@@ -13,6 +13,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: V-38579 - Bootloader configuration files must be owned by root
+ file:
+ path: /boot/grub/grub.cfg
+ owner: root
+ tags:
+ - boot
+ - cat2
+ - V-38579
+
 - name: V-38581 - Bootloader configuration files must be group-owned by root
 file:
 path: /boot/grub/grub.cfg
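Review bot: The added V-38579 task runs `file` against `/boot/grub/grub.cfg` without first checking that the path exists, and the module's default `state: file` fails when the target is absent, so a host with no GRUB config at that path (a container, or a system that keeps it elsewhere) would abort the play rather than skip the control. Registering a `stat` result and gating the task on it keeps the ownership enforcement where the file exists; the check task needs the same tags so that a tag-filtered run still defines the variable. The V-38581 task that follows targets the same path and continues outside this hunk, so it presumably needs the same guard. The variable name below is a suggestion.

```yaml
- name: Check whether the bootloader configuration file exists
  stat:
    path: /boot/grub/grub.cfg
  register: grub_cfg_check
  tags:
    - boot
    - cat2
    - V-38579

- name: V-38579 - Bootloader configuration files must be owned by root
  # … unchanged: file module arguments …
  when: grub_cfg_check.stat.exists
  # … unchanged: tags …
```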