colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tidy up grub/bootloader logic 

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-01-10 12:40:06 +00:00
parent 18152bc17d
commit 6e78559776
No known key found for this signature in database
GPG Key ID: 997FF7FE93AEB5B9
3 changed files with 1 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
defaults/main.yml
View File

@ -665,7 +665,6 @@ ubtu24cis_apparmor_mode: complain
# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
ubtu24cis_grub_user: root
ubtu24cis_set_grub_user_pass: false
ubtu24cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' # Set to changeme
ubtu24cis_grub_user_file: /etc/grub.d/00_user
ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword" # pragma: allowlist secret
ubtu24cis_set_boot_pass: false

25
tasks/main.yml
View File

@ -62,31 +62,6 @@
that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly"
- name: Check ubtu24cis_grub_user password variable has been changed
when: ubtu24cis_rule_1_4_1
tags: always
block:
- name: Check ubtu24cis_grub_user password variable has been changed | check password is set
ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'"
changed_when: false
register: ubtu24cis_password_set_grub_user
- name: Check ubtu24cis_grub_user password variable has been changed | check password is set
when:
- "'$y$' in ubtu24cis_password_set_grub_user.stdout"
- ubtu24cis_set_grub_user_pass
- ubtu24cis_rule_1_4_1
ansible.builtin.assert:
that: ubtu24cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu24cis_grub_user_passwd.find('$y$') != -1 and ubtu24cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'
msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly"
- name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set
when: not ubtu24cis_set_grub_user_pass
ansible.builtin.assert:
that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout
fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption"
success_msg: "Grub User {{ ubtu24cis_grub_user }} has a valid password set to be used in single user mode"
- name: Setup rules if container
when:
- ansible_connection == 'docker' or

2
templates/ansible_vars_goss.yml.j2
View File

@ -484,7 +484,7 @@ ubtu24cis_apparmor_disable: {{ ubtu24cis_apparmor_disable }}
# THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!
# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
ubtu24cis_grub_user: {{ ubtu24cis_grub_user }}
ubtu24cis_bootloader_password_hash: {{ ubtu24cis_grub_user_passwd }} # pragma: allowlist secret
ubtu24cis_bootloader_password_hash: {{ ubtu24cis_bootloader_password_hash }} # pragma: allowlist secret
## Controls 1.5.x