Deploy GRUB hardening #137
Conversation
HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop <[email protected]> (github: timstoop)
Now only a password is required when someone wants to change the boot parameters. Normal boot is allowed without password. HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop <[email protected]> (github: timstoop)
@timstoop great! Thanks! I have a similar implementation in chef :) I'll review the grub part in the next days.
manifests/grub.pp
if $boot_without_password { | ||
# This sets up Grub on Debian Stretch so you can still boot the system without a password | ||
exec { 'Keep system bootable without credentials': |
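Review bot: the exec 'Keep system bootable without credentials' is guarded only by `if $boot_without_password`, so nothing puts the original line back when the parameter is later set to false; pair it with an opposite branch, and make sure the resource carries an `unless`/`onlyif` (or is `refreshonly`) so the substitution does not re-run on every agent run. The comment says this is written for Debian Stretch; it should not fire on families where the /etc/grub.d layout differs.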
You'd better use `file_line` to make changes / substitutions in files.
I don't think it's possible to do back references with file_line? As I want to leave all other options there without touching them. The docs do not seem to discuss back references either.
manifests/grub.pp
notify => Exec['Grub configuration recreate for os_hardening::grub'], | ||
} | ||
if $boot_without_password { |
What if you switch from `boot_without_password = true` to `boot_without_password = false`? --> undo the change in the file
manifests/grub.pp
refreshonly => true, | ||
} | ||
file { '/boot/grub/grub.cfg': |
On CentOS / RedHat + OpenSUSE / SLES this file is located here: /boot/grub2/grub.cfg
What's the value for $::operatingsystem on OpenSUSE/SLES? So I can fix the case statement correctly :)
That is the value for `$::operatingsystem`: `OpenSUSE` for the free distro, `SLES` for the commercial one. You could also refer to `$::osfamily`, here we have `Suse` for both.
Or I default to /boot/grub2/grub.cfg and make debian/ubuntu the exception...
manifests/grub.pp
} | ||
exec { 'Grub configuration recreate for os_hardening::grub': | ||
command => '/usr/sbin/update-grub', |
As there is no such helper script in CentOS / RedHat or OpenSUSE / SLES, you'd better use this: `grub-mkconfig -o /boot/grub/grub.cfg` (Ubuntu / Debian) or `grub2-mkconfig -o /boot/grub2/grub.cfg`.
Can I assume that grub2-mkconfig is in /usr/sbin or is it somewhere else?
/usr/sbin
manifests/init.pp
@@ -180,4 +185,12 @@ | |||
} | |||
} | |||
if $enable_grub_hardening { |
On switching back `enable_grub_hardening` -> cleanup changes on grub
Done, but I'm slightly worried that this may actually cause problems for people who make these kinds of changes with other modules. There's no way to check if the change was done by this module or by something else.
case $::operatingsystem { | ||
debian, ubuntu: { | ||
$grub_cfg = '/boot/grub/grub.cfg' |
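Review bot: `case $::operatingsystem { debian, ubuntu: ... }` needs a `default:` branch; without one `$grub_cfg` stays undefined on CentOS / RedHat and OpenSUSE / SLES, where the file lives at /boot/grub2/grub.cfg as noted earlier, and any resource that uses the variable gets an empty value. Either add `default: { $grub_cfg = '/boot/grub2/grub.cfg' }` or switch to `$::osfamily` (`Debian` versus `RedHat` / `Suse`) so derivatives are covered as well.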
Is it a better way to call `update-grub` on Ubuntu/Debian?
I wouldn't bother:
```sh
~$ cat /usr/sbin/update-grub
#!/bin/sh
set -e
exec grub-mkconfig -o /boot/grub/grub.cfg "$@"
```
This is more consistent, imho.
:D I did not check the file itself, but I saw it in all possible man pages :)
Fine for me as is now
README.md
set to true to enable some grub hardening rules | ||
* `grub_user = 'root'` | ||
the grub username that needs to be provided when changing config on the grub prompt | ||
* `grub_password_hash = false` |
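Review bot: the README documents `grub_password_hash = false` while the parameter is typed `String`; the documented default should be `''` so it matches the code. This entry is also the place to say that the value is the output of `grub-mkpasswd-pbkdf2` (currently mentioned only in the PR description) and what happens when `enable_grub_hardening` is true but the hash is left empty.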
The default value for `grub_password_hash` must be set to `''` (String, not Boolean), otherwise I get an error here ...
I honestly hadn't tested it with the default settings... 😊 Fixing!
manifests/grub.pp
class os_hardening::grub ( | ||
Boolean $enable = false, | ||
String $user = 'root', | ||
String $password_hash = false, |
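Review bot: `String $password_hash = false` cannot compile, because `false` is a Boolean and fails the `String` type check; default to `''` as suggested. With an empty-string default, add an explicit `fail()` when `$enable` is true and `$password_hash == ''`, so the class never generates a superuser definition without a hash.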
default to ''
manifests/init.pp
Boolean $enable_grub_hardening = false, | ||
String $grub_user = 'root', | ||
String $grub_password_hash = false, |
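Review bot: same type mismatch as in manifests/grub.pp: `String $grub_password_hash = false` should default to `''`, and the value should be handed to `os_hardening::grub` unchanged so both defaults agree.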
default to ''
@timstoop Ok, the code compiles now, but ... I have configured it for one of my test systems (Ubuntu 16.04) like this:
... and after a puppet run the grub.cfg is just the same as before (and of course on reboot there is no password prompt). If I change Am I missing something?
Can you check if the file /etc/grub.d/01_hardening is created? And if running
I have tested this now also on CentOS 7.5 and OpenSUSE 15.0, it's the same ... the file
I have too many branches locally :(
Hah! That did it ... thanks!
This patch adds the option to harden GRUB. For this to work, it requires a password created with `grub-mkpasswd-pbkdf2` provided to it. Optionally, but enabled by default, this also modifies the Grub config to allow for unattended booting of these servers. This was created to fulfil CIS DIL Benchmark 1.4.1 and 1.4.2. It was only tested on Debian Stretch, so I'd welcome someone to test on something else as well and let me know what I need to change to make it work on other OSes as well. Also, I'm not sure if I should wrap the exec that enables unattended booting in a case statement to select the operating system.
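As an added example (not the pull request's manifest and not the dev-sec project's code), here is one way to lay the class out so the points raised in this review are handled in one place: a `String` default of `''` for the hash with a `fail()` when hardening is enabled without one, the per-family grub.cfg and mkconfig paths with a `default:` branch, removal of the snippet again when the feature is switched off, and the unattended-boot toggle written as a whole-line `file_line` replacement in both directions, which sidesteps the back-reference question. The class name, resource titles, the /etc/grub.d/01_hardening layout, the stock `CLASS=` line of 10_linux and the dependency on puppetlabs-stdlib for `file_line` are assumptions of this example.

```puppet
# Added example, not the PR's code. Assumes puppetlabs-stdlib (file_line),
# Facter's $facts['os']['family'], and the stock CLASS= line in 10_linux.
class grub_hardening_example (
  Boolean $enable                = false,
  Boolean $boot_without_password = true,
  String  $user                  = 'root',
  String  $password_hash         = '',   # String default, never `false`
) {
  # Refuse to enable without a hash instead of emitting an empty password line.
  if $enable and $password_hash == '' {
    fail('grub_password_hash is required when enable is true; generate it with grub-mkpasswd-pbkdf2')
  }
  # Sanity check that the value looks like grub-mkpasswd-pbkdf2 output.
  if $password_hash != '' and $password_hash !~ /^grub\.pbkdf2\.sha512\.\d+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$/ {
    fail('grub_password_hash does not look like grub-mkpasswd-pbkdf2 output')
  }

  # Paths differ per family: Debian/Ubuntu ship grub-*, RedHat/Suse ship grub2-*.
  case $facts['os']['family'] {
    'Debian': {
      $grub_cfg = '/boot/grub/grub.cfg'
      $mkconfig = '/usr/sbin/grub-mkconfig'
    }
    'RedHat', 'Suse': {
      $grub_cfg = '/boot/grub2/grub.cfg'
      $mkconfig = '/usr/sbin/grub2-mkconfig'
    }
    default: {
      fail("grub hardening is not supported on os family ${facts['os']['family']}")
    }
  }

  # Regenerate grub.cfg only when one of the inputs below changed.
  exec { 'grub-hardening-mkconfig':
    command     => "${mkconfig} -o ${grub_cfg}",
    refreshonly => true,
  }

  # ensure => absent removes the snippet when the feature is switched off;
  # the notify still fires, so grub.cfg is regenerated without it.
  $snippet_ensure = $enable ? {
    true    => 'file',
    default => 'absent',
  }

  file { '/etc/grub.d/01_hardening':
    ensure  => $snippet_ensure,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    # Standard /etc/grub.d idiom: the script prints everything after line 2.
    content => "#!/bin/sh\nexec tail -n +3 \$0\nset superusers=\"${user}\"\npassword_pbkdf2 ${user} ${password_hash}\n",
    notify  => Exec['grub-hardening-mkconfig'],
  }

  # Unattended boot: GRUB prompts only for menu entries that are not --unrestricted.
  # Replacing the whole CLASS= line needs no back-references, and the else branch
  # restores the stock line when boot_without_password or enable is set back to false.
  if $enable and $boot_without_password {
    file_line { 'grub-unrestricted-menuentries':
      path               => '/etc/grub.d/10_linux',
      match              => '^CLASS="--class gnu-linux',
      line               => 'CLASS="--unrestricted --class gnu-linux --class gnu --class os"',
      append_on_no_match => false,
      notify             => Exec['grub-hardening-mkconfig'],
    }
  } else {
    file_line { 'grub-restricted-menuentries':
      path               => '/etc/grub.d/10_linux',
      match              => '^CLASS="--unrestricted --class gnu-linux',
      line               => 'CLASS="--class gnu-linux --class gnu --class os"',
      append_on_no_match => false,
      notify             => Exec['grub-hardening-mkconfig'],
    }
  }
}
```

`append_on_no_match => false` matters in both branches: without it, `file_line` appends the `line` to 10_linux whenever the `match` pattern is absent, which would add a stray `CLASS=` line on a system whose 10_linux has already been edited by something else. That is also the honest limit of the cleanup the reviewer asked for: the module can only restore a line it recognises, not detect who changed it.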
provided to it. Optionally, but enabled by default, this also modifies the Grub config to allow for unattended booting of these servers.This was created to fulfil CIS DIL Benchmark 1.4.1 and 1.4.2. It was only tested on Debian Stretch, so I'd welcome someone to test on something else as well and let me know what I need to change to make it work on other OSes as well. Also, I'm not sure if I should wrap the exec that enables unattended booting in a case statement to select the operating system.