mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 14:23:05 +00:00
Merge 59eca28b3c into 07885f99b4
This commit is contained in:
Jeffrey van Pelt
GitHub
commit
be8200c228
4 changed files with 82 additions and 8 deletions
|
|
@ -583,10 +583,11 @@ rhel9cis_selinux_pol: targeted
|
|||
rhel9cis_selinux_enforce: enforcing
|
||||
|
||||
## Control 1.4.1
|
||||
# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value
|
||||
# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
|
||||
# this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
|
||||
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
|
||||
# This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
|
||||
rhel9cis_bootloader_password: password # pragma: allowlist secret
|
||||
|
||||
# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
|
||||
rhel9cis_bootloader_salt: ''
|
||||
|
||||
## Control 1.4.1
|
||||
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
|
||||
|
|
|
|||
73
filter_plugins/grub_hash.py
Normal file
73
filter_plugins/grub_hash.py
Normal file
|
|
@ -0,0 +1,73 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
# Copyright (c) 2025, Jeffrey van Pelt <jeff@vanpelt.one>
|
||||
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
DOCUMENTATION = r"""
|
||||
name: grub_hash
|
||||
short_description: Generate a GRUB2 password hash
|
||||
version_added: 1.0.0
|
||||
author: Jeffrey van Pelt (@Thulium-Drake)
|
||||
description:
|
||||
- Generate a GRUB2 password hash from the input
|
||||
options:
|
||||
_input:
|
||||
description: The desired password for the GRUB bootloader
|
||||
type: string
|
||||
required: true
|
||||
salt:
|
||||
description: The salt used to generate the hash
|
||||
type: string
|
||||
required: false
|
||||
rounds:
|
||||
description: The amount of rounds to run the PBKDF2 function
|
||||
type: int
|
||||
required: false
|
||||
"""
|
||||
|
||||
EXAMPLES = r"""
|
||||
- name: 'Generate hash with defaults'
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ 'mango123!' | grub_hash }}"
|
||||
|
||||
- name: 'Generate hash with custom rounds and salt'
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ 'mango123!' | grub_hash(rounds=10001, salt='andpepper') }}"
|
||||
# Produces: grub.pbkdf2.sha512.10001.616E64706570706572.4C6AEA2A811B4059D4F47AEA36B77DB185B41E9F08ECC3C4C694427DB876C21B24E6CBA0319053E4F1431CDEE83076398C73B9AA8F50A7355E446229BC69A97C
|
||||
"""
|
||||
|
||||
RETURN = r"""
|
||||
_value:
|
||||
description: A GRUB2 password hash
|
||||
type: string
|
||||
"""
|
||||
|
||||
from ansible.errors import AnsibleFilterError
|
||||
import os
|
||||
import base64
|
||||
from passlib.hash import grub_pbkdf2_sha512
|
||||
|
||||
def grub_hash(password, rounds=10000, salt=None):
|
||||
if salt is None:
|
||||
# Generate 64-byte salt if not provided
|
||||
salt = os.urandom(64)
|
||||
|
||||
# Check if the salt, when not generated, is a valid bytes value and attempt to convert if needed
|
||||
if not isinstance(salt, bytes):
|
||||
try:
|
||||
salt = salt.encode("utf-8")
|
||||
except AttributeError:
|
||||
raise TypeError("Salt must be a string, not int.")
|
||||
|
||||
# Configure hash generator
|
||||
pbkdf2_generator = grub_pbkdf2_sha512.using(rounds=rounds, salt=salt)
|
||||
return pbkdf2_generator.hash(password)
|
||||
|
||||
class FilterModule(object):
|
||||
def filters(self):
|
||||
return {
|
||||
'grub_hash': grub_hash
|
||||
}
|
||||
|
|
@ -43,14 +43,14 @@
|
|||
fail_msg: "Crypto policy is not a permitted version"
|
||||
success_msg: "Crypto policy is a permitted version"
|
||||
|
||||
- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
|
||||
- name: "Check rhel9cis_bootloader_password variable has been changed"
|
||||
when:
|
||||
- rhel9cis_set_boot_pass
|
||||
- rhel9cis_rule_1_4_1
|
||||
tags: always
|
||||
ansible.builtin.assert:
|
||||
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
|
||||
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
|
||||
that: rhel9cis_bootloader_password != 'password' # pragma: allowlist secret
|
||||
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password variable has not been set correctly"
|
||||
|
||||
- name: "Check crypto-policy module input"
|
||||
when:
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
- NIST800-53R5_AC-3
|
||||
ansible.builtin.copy:
|
||||
dest: /boot/grub2/user.cfg
|
||||
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
|
||||
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash | default(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}" # noqa template-instead-of-copy
|
||||
owner: root
|
||||
group: root
|
||||
mode: 'go-rwx'
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue