Jan25 updates #3

Merged
merged 13 commits into from
Jan 13, 2025
tidy up grub/bootloader logic
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly committed Jan 10, 2025
commit 6e78559776e4cd36f3f3dfe5978f080f3d5b27ca
1 change: 0 additions & 1 deletion defaults/main.yml
@@ -665,7 +665,6 @@ ubtu24cis_apparmor_mode: complain
# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
ubtu24cis_grub_user: root
ubtu24cis_set_grub_user_pass: false
ubtu24cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' # Set to changeme
ubtu24cis_grub_user_file: /etc/grub.d/00_user
ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword" # pragma: allowlist secret
ubtu24cis_set_boot_pass: false
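Review bot: dropping the default for ubtu24cis_grub_user_passwd is the right call, since it was a yescrypt hash of a known value ("Set to changeme") that anyone can crack or simply reuse, but the hunk leaves ubtu24cis_set_grub_user_pass: false and the warning comment above it ("HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!") in place with no password variable left for them to describe. Either remove ubtu24cis_set_grub_user_pass as well if nothing consumes it after this commit, or reword the comment so it refers to ubtu24cis_bootloader_password_hash, which is now the only hash-bearing variable in this block. Also confirm with a grep that no task or template still references ubtu24cis_grub_user_passwd, since an undefined variable would only surface as a failure at run time.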
25 changes: 0 additions & 25 deletions tasks/main.yml
@@ -62,31 +62,6 @@
that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly"

- name: Check ubtu24cis_grub_user password variable has been changed
when: ubtu24cis_rule_1_4_1
tags: always
block:
- name: Check ubtu24cis_grub_user password variable has been changed | check password is set
ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'"
changed_when: false
register: ubtu24cis_password_set_grub_user

- name: Check ubtu24cis_grub_user password variable has been changed | check password is set
when:
- "'$y$' in ubtu24cis_password_set_grub_user.stdout"
- ubtu24cis_set_grub_user_pass
- ubtu24cis_rule_1_4_1
ansible.builtin.assert:
that: ubtu24cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu24cis_grub_user_passwd.find('$y$') != -1 and ubtu24cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'
msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly"

- name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set
when: not ubtu24cis_set_grub_user_pass
ansible.builtin.assert:
that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout
fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption"
success_msg: "Grub User {{ ubtu24cis_grub_user }} has a valid password set to be used in single user mode"

- name: Setup rules if container
when:
- ansible_connection == 'docker' or
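Review bot: removing this block drops the only pre-flight check that the {{ ubtu24cis_grub_user }} account has a usable yescrypt ('$y$') password in /etc/shadow before rule 1.4.1 runs; the assertion that remains above it (ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 ...) validates only the GRUB superuser hash, not the account password that single-user or rescue mode will prompt for. If the account-password check is now intentionally out of scope for this role, say so in the commit message or the rule documentation; if not, keep a guard. Two things worth noting so the same pattern is not reintroduced in a replacement: grep ^{{ ubtu24cis_grub_user }} /etc/shadow is a prefix match that also hits any other username beginning with the same string, so anchor it as ^{{ ubtu24cis_grub_user }}: (or use getent shadow); and the old assert condition A or B and C relied on and binding tighter than or, so it passed on the shadow check alone regardless of the variable, which is probably not what the second "check password is set" task meant.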
2 changes: 1 addition & 1 deletion templates/ansible_vars_goss.yml.j2
@@ -484,7 +484,7 @@ ubtu24cis_apparmor_disable: {{ ubtu24cis_apparmor_disable }}
# THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!
# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
ubtu24cis_grub_user: {{ ubtu24cis_grub_user }}
ubtu24cis_bootloader_password_hash: {{ ubtu24cis_grub_user_passwd }} # pragma: allowlist secret
ubtu24cis_bootloader_password_hash: {{ ubtu24cis_bootloader_password_hash }} # pragma: allowlist secret

## Controls 1.5.x

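Review bot: this fixes a real mismatch, since the goss key ubtu24cis_bootloader_password_hash was previously being filled from ubtu24cis_grub_user_passwd, a yescrypt account hash rather than a grub.pbkdf2.sha512 string, so any goss test comparing that key against the bootloader configuration was checking the wrong value. The two comment lines kept above it ("THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!" / "HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!") now describe the wrong thing, though: the value emitted is the GRUB superuser password hash, not the root account password. Update the comment to match, or drop it, so the next reader does not assume this template sets the root password.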