Merge pull request #59 from ansible-lockdown/Feb26_updates

Feb26 updates

.ansible-lint

@@ -1,6 +1,5 @@
 ---
 
-parseable: true
 quiet: true
 skip_list:
   - 'package-latest'

.github/workflows/export_badges_private.yml

@@ -12,8 +12,6 @@ on:
   push:
     branches:
       - latest
-  schedule:
-    - cron: '0 */6 * * *'
   workflow_dispatch:
 
 jobs:

Changelog.md

@@ -6,7 +6,7 @@ addressed issue #419, thank you @aaronk1
 addressed issue #418 thank you @bbaassssiiee
 Added better sysctl logic to disable IPv6
 Added option to disable IPv6 via sysctl (original method) or via the kernel
-pre-commit udpates
+pre-commit updates
 public issue #410 thanks to @kpi-nourman
 public issue #413 thanks to @bbaassssiiee
 Public issues incorporated
@@ -18,6 +18,8 @@ Benchmark version variable in audit template
 fixed typo thanks to @fragglexarmy #393
 fixed typo thanks to @trumbaut #397 & #399
 updated auditd template to be 2.19 complaint
+PR345 thanks to thulium-drake boot password hash - if used needs passlib module
+tidy up tags on tasks/main.yml
 
 ## 2.0.3 - Based on CIS v2.0.0
 

README.md

@@ -128,6 +128,9 @@ RHEL Family OS 9
 - python-def
 - libselinux-python
 
+If you are using the option to create your own bootloader hash the ansible controller
+-  passlib
+
 ---
 
 ## Auditing 🔍

defaults/main.yml

@@ -566,14 +566,18 @@ rhel9cis_selinux_pol: targeted
 rhel9cis_selinux_enforce: enforcing
 
 ## Control 1.4.1
-# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value
-# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
-# this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
+# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
+rhel9cis_set_boot_pass: false
+
+# Either set rhel9cis_bootloader_password_hash or rhel9cis_bootloader_password and rhel9cis_bootloader_salt
+# If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
 
-## Control 1.4.1
-# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
-rhel9cis_set_boot_pass: true
+# This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
+rhel9cis_bootloader_password: 'password'  # pragma: allowlist secret
+
+# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
+rhel9cis_bootloader_salt: ''
 
 ## Controls 1.6.x and Controls 5.1.x
 # This variable governs if current Ansible role should manage system-wide crypto policy.

filter_plugins/grub_hash.py

@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# Copyright (c) 2025, Jeffrey van Pelt <jeff@vanpelt.one>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: grub_hash
+short_description: Generate a GRUB2 password hash
+version_added: 1.0.0
+author: Jeffrey van Pelt (@Thulium-Drake)
+description:
+  - Generate a GRUB2 password hash from the input
+options:
+  _input:
+    description: The desired password for the GRUB bootloader
+    type: string
+    required: true
+  salt:
+    description: The salt used to generate the hash
+    type: string
+    required: false
+  rounds:
+    description: The amount of rounds to run the PBKDF2 function
+    type: int
+    required: false
+"""
+
+EXAMPLES = r"""
+- name: 'Generate hash with defaults'
+  ansible.builtin.debug:
+    msg: "{{ 'mango123!' | grub_hash }}"
+
+- name: 'Generate hash with custom rounds and salt'
+  ansible.builtin.debug:
+    msg: "{{ 'mango123!' | grub_hash(rounds=10001, salt='andpepper') }}"
+    # Produces: grub.pbkdf2.sha512.10001.616E64706570706572.4C6AEA2A811B4059D4F47AEA36B77DB185B41E9F08ECC3C4C694427DB876C21B24E6CBA0319053E4F1431CDEE83076398C73B9AA8F50A7355E446229BC69A97C
+"""
+
+RETURN = r"""
+_value:
+  description: A GRUB2 password hash
+  type: string
+"""
+
+from ansible.errors import AnsibleFilterError
+import os
+import base64
+from passlib.hash import grub_pbkdf2_sha512
+
+def grub_hash(password, rounds=10000, salt=None):
+    if salt is None:
+        # Generate 64-byte salt if not provided
+        salt = os.urandom(64)
+
+    # Check if the salt, when not generated, is a valid bytes value and attempt to convert if needed
+    if not isinstance(salt, bytes):
+        try:
+            salt = salt.encode("utf-8")
+        except AttributeError:
+            raise TypeError("Salt must be a string, not int.")
+
+    # Configure hash generator
+    pbkdf2_generator = grub_pbkdf2_sha512.using(rounds=rounds, salt=salt)
+    return pbkdf2_generator.hash(password)
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'grub_hash': grub_hash
+        }

tasks/main.yml

@@ -41,14 +41,14 @@
     fail_msg: "Crypto policy is not a permitted version"
     success_msg: "Crypto policy is a permitted version"
 
-- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
+- name: "Check rhel9cis_bootloader_password variable has been changed"
   when:
     - rhel9cis_set_boot_pass
     - rhel9cis_rule_1_4_1
   tags: always
   ansible.builtin.assert:
-    that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
-    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
+    that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret
+    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly"
 
 - name: "Check crypto-policy module input"
   when:
@@ -154,9 +154,7 @@
     file: "{{ ansible_facts.distribution }}.yml"
 
 - name: "Include preliminary steps"
-  tags:
-    - prelim_tasks
-    - always
+  tags: prelim_tasks
   ansible.builtin.import_tasks:
     file: prelim.yml
 

tasks/prelim.yml

@@ -4,7 +4,9 @@
 # List users in order to look up files inside each home directory
 
 - name: "PRELIM | Include audit specific variables"
-  when: run_audit or audit_only or setup_audit
+  when:
+    - run_audit or audit_only
+    - setup_audit
   tags:
     - setup_audit
     - run_audit
@@ -12,7 +14,8 @@
     file: audit.yml
 
 - name: "PRELIM | Include pre-remediation audit tasks"
-  when: run_audit or audit_only or setup_audit
+  when:
+    - run_audit or audit_only
   tags: run_audit
   ansible.builtin.import_tasks: pre_remediation_audit.yml
 
@@ -92,6 +95,11 @@
     - rhel9cis_rule_1_2_1_1
     - ansible_facts.distribution != 'RedHat'
     - ansible_facts.distribution != 'OracleLinux'
+  tags:
+    - level1-server
+    - level1-workstation
+    - rule_1.2.1.1
+    - gpg
   ansible.builtin.package:
     name: "{{ gpg_key_package }}"
     state: latest

tasks/section_1/cis_1.4.x.yml

@@ -13,7 +13,7 @@
     - NIST800-53R5_AC-3
   ansible.builtin.copy:
     dest: /boot/grub2/user.cfg
-    content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}"  # noqa template-instead-of-copy
+    content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
     owner: root
     group: root
     mode: 'go-rwx'

tasks/section_7/cis_7.1.x.yml

@@ -58,7 +58,7 @@
     - level1-server
     - level1-workstation
     - patch
-    - permissionss
+    - permissions
     - rule_7.1.4
     - NIST800-53R5_AC-3
     - NIST800-53R5_MP-2

templates/audit/98_auditd_exception.rules.j2

@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 ### YOUR CHANGES WILL BE LOST!
 
 # This file contains users whose actions are not logged by auditd

templates/audit/99_auditd.rules.j2

@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 ### YOUR CHANGES WILL BE LOST!
 
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually

templates/etc/ansible/compliance_facts.j2

@@ -1,6 +1,6 @@
 # CIS Hardening Carried out
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 
 [lockdown_details]
 # Benchmark release

templates/etc/cron.d/aide.cron.j2

@@ -1,7 +1,7 @@
 # Run AIDE integrity check
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
 

templates/etc/dconf/db/00-automount_lock.j2

@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 
 # Lock desktop media-handling automount setting
 /org/gnome/desktop/media-handling/automount

templates/etc/dconf/db/00-autorun_lock.j2

@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 
 # Lock desktop media-handling settings
 /org/gnome/desktop/media-handling/autorun-never

templates/etc/dconf/db/00-media-automount.j2

@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 
 [org/gnome/desktop/media-handling]
 automount=false

templates/etc/dconf/db/00-media-autorun.j2

@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 
 [org/gnome/desktop/media-handling]
 autorun-never=true

templates/etc/dconf/db/00-screensaver.j2

@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 
 # Specify the dconf path
 [org/gnome/desktop/session]

templates/etc/dconf/db/00-screensaver_lock.j2

@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 
 # Lock desktop screensaver idle-delay setting
 /org/gnome/desktop/session/idle-delay

templates/etc/dconf/db/gdm.d/01-banner-message.j2

@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+# provided by {{ company_title }}
 
 [org/gnome/login-screen]
 banner-message-enable=true

vars/main.yml

@@ -24,6 +24,8 @@ rhel9cis_allowed_crypto_policies_modules:
   - 'NO-SSHWEAKMAC'
   - 'NO-WEAKMAC'
 
+rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
+
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
@@ -74,3 +76,5 @@ audit_bins:
   - /sbin/autrace
   - /sbin/auditd
   - /sbin/augenrules
+
+company_title: 'Mindpoint Group - A Tyto Athene Company'