ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge 59eca28b3c into 07885f99b4

Browse source
This commit is contained in:
Jeffrey van Pelt 2025-12-03 21:36:45 +01:00 committed by GitHub
commit be8200c228
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 82 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

9
defaults/main.yml
View file

@ -583,10 +583,11 @@ rhel9cis_selinux_pol: targeted
rhel9cis_selinux_enforce: enforcing rhel9cis_selinux_enforce: enforcing
## Control 1.4.1 ## Control 1.4.1
# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value # This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with rhel9cis_bootloader_password: password # pragma: allowlist secret
# this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret # Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
rhel9cis_bootloader_salt: ''
## Control 1.4.1 ## Control 1.4.1
# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.

73
filter_plugins/grub_hash.py Normal file
View file

@ -0,0 +1,73 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Copyright (c) 2025, Jeffrey van Pelt <jeff@vanpelt.one>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import annotations
DOCUMENTATION = r"""
name: grub_hash
short_description: Generate a GRUB2 password hash
version_added: 1.0.0
author: Jeffrey van Pelt (@Thulium-Drake)
description:
- Generate a GRUB2 password hash from the input
options:
_input:
description: The desired password for the GRUB bootloader
type: string
required: true
salt:
description: The salt used to generate the hash
type: string
required: false
rounds:
description: The amount of rounds to run the PBKDF2 function
type: int
required: false
"""
EXAMPLES = r"""
- name: 'Generate hash with defaults'
ansible.builtin.debug:
msg: "{{ 'mango123!' | grub_hash }}"
- name: 'Generate hash with custom rounds and salt'
ansible.builtin.debug:
msg: "{{ 'mango123!' | grub_hash(rounds=10001, salt='andpepper') }}"
# Produces: grub.pbkdf2.sha512.10001.616E64706570706572.4C6AEA2A811B4059D4F47AEA36B77DB185B41E9F08ECC3C4C694427DB876C21B24E6CBA0319053E4F1431CDEE83076398C73B9AA8F50A7355E446229BC69A97C
"""
RETURN = r"""
_value:
description: A GRUB2 password hash
type: string
"""
from ansible.errors import AnsibleFilterError
import os
import base64
from passlib.hash import grub_pbkdf2_sha512
def grub_hash(password, rounds=10000, salt=None):
if salt is None:
# Generate 64-byte salt if not provided
salt = os.urandom(64)
# Check if the salt, when not generated, is a valid bytes value and attempt to convert if needed
if not isinstance(salt, bytes):
try:
salt = salt.encode("utf-8")
except AttributeError:
raise TypeError("Salt must be a string, not int.")
# Configure hash generator
pbkdf2_generator = grub_pbkdf2_sha512.using(rounds=rounds, salt=salt)
return pbkdf2_generator.hash(password)
class FilterModule(object):
def filters(self):
return {
'grub_hash': grub_hash
}

6
tasks/main.yml
View file

@ -43,14 +43,14 @@
fail_msg: "Crypto policy is not a permitted version" fail_msg: "Crypto policy is not a permitted version"
success_msg: "Crypto policy is a permitted version" success_msg: "Crypto policy is a permitted version"
- name: "Check rhel9cis_bootloader_password_hash variable has been changed" - name: "Check rhel9cis_bootloader_password variable has been changed"
when: when:
- rhel9cis_set_boot_pass - rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1 - rhel9cis_rule_1_4_1
tags: always tags: always
ansible.builtin.assert: ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret that: rhel9cis_bootloader_password != 'password' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password variable has not been set correctly"
- name: "Check crypto-policy module input" - name: "Check crypto-policy module input"
when: when:

2
tasks/section_1/cis_1.4.x.yml
View file

@ -13,7 +13,7 @@
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
ansible.builtin.copy: ansible.builtin.copy:
dest: /boot/grub2/user.cfg dest: /boot/grub2/user.cfg
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash | default(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}" # noqa template-instead-of-copy
owner: root owner: root
group: root group: root
mode: 'go-rwx' mode: 'go-rwx'