V-38579: grub.conf owned by root

Implements: blueprint security-hardening Change-Id: Ibbc5cfe51484d01b304abf61bf944930eddd24c4
2015-10-07 16:39:54 -05:00 · 2015-10-07 16:39:54 -05:00 · a7964a4414
commit a7964a4414
parent bfcf6c7423
2 changed files with 11 additions and 0 deletions
--- a/doc/source/developer-notes/V-38579.rst
+++ b/doc/source/developer-notes/V-38579.rst
@ -0,0 +1,2 @@
+Ubuntu 14.04 sets the ownership on ``/boot/grub/grub.cfg`` to root by default.
+The Ansible task will ensure that the secure default is maintained.
--- a/openstack-ansible-security/tasks/boot.yml
+++ b/openstack-ansible-security/tasks/boot.yml
@ -13,6 +13,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+- name: V-38579 - Bootloader configuration files must be owned by root
+  file:
+    path: /boot/grub/grub.cfg
+    owner: root
+  tags:
+    - boot
+    - cat2
+    - V-38579
+
 - name: V-38581 - Bootloader configuration files must be group-owned by root
  file:
    path: /boot/grub/grub.cfg