Deploy GRUB hardening (#137)

* Harden the grub prompt.

HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop <[email protected]> (github: timstoop)

README.md

@@ -110,6 +110,14 @@ Otherwise puppet will drop an error (duplicate resource)!
   `true` if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Puppet run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
 * `dry_run_on_unknown = false`
   like `remove_from_unknown` above, only that SUID/SGID bits aren't removed. It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure `remove_from_unknown` for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your `whitelist` and `blacklist`.
+* `enable_grub_hardening = false`
+  set to true to enable some grub hardening rules
+* `grub_user = 'root'`
+  the grub username that needs to be provided when changing config on the grub prompt
+* `grub_password_hash = ''`
+  a password hash created with `grub-mkpasswd-pbkdf2` that is associated with the grub\_user
+* `boot_without_password = true`
+  setup Grub so it only requires a password when changing an entry, not when booting an existing entry
 
 ## Usage
 

manifests/grub.pp

@@ -0,0 +1,70 @@
+# === Copyright
+#
+# Copyright 2018, Kumina B.V., Tim Stoop
+# Licensed under the Apache License, Version 2.0 (the "License");
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+
+# == Class: os_hardening::grub
+#
+# Hardens the grub config
+#
+class os_hardening::grub (
+  Boolean $enable                = false,
+  String  $user                  = 'root',
+  String  $password_hash         = '',
+  Boolean $boot_without_password = true,
+) {
+
+  case $::operatingsystem {
+    debian, ubuntu: {
+      $grub_cfg = '/boot/grub/grub.cfg'
+      $grub_cmd = "/usr/sbin/grub-mkconfig"
+    }
+    default: {
+      $grub_cfg = '/boot/grub2/grub.cfg'
+      $grub_cmd = "/usr/sbin/grub2-mkconfig"
+    }
+  }
+
+  if $enable {
+    file { '/etc/grub.d/01_hardening':
+      content => template('os_hardening/grub_hardening.erb'),
+      notify  => Exec['Grub configuration recreate for os_hardening::grub'],
+      mode    => '0755',
+    }
+
+    file { $grub_cfg:
+      owner => 'root',
+      group => 'root',
+      mode  => '0600',
+    }
+
+    if $boot_without_password {
+      # This sets up Grub on Debian Stretch so you can still boot the system without a password
+      exec { 'Keep system bootable without credentials':
+        command => "/bin/sed -i -e 's/^CLASS=\"\\(.*\\)\"/CLASS=\"\\1 --unrestricted\"/' /etc/grub.d/10_linux;",
+        unless  => '/bin/grep -e "^CLASS=" /etc/grub.d/10_linux | /bin/grep -q -- "--unrestricted"',
+        notify  => Exec['Grub configuration recreate for os_hardening::grub'],
+      }
+    } else {
+      exec { 'Remove addition for keeping system bootable without credentials':
+        command => "/bin/sed -i -e 's/^CLASS=\"\\(.*\\) --unrestricted\\(.*\\)\"/CLASS=\"\\1\\2\"/' /etc/grub.d/10_linux;",
+        onlyif  => '/bin/grep -e "^CLASS=" /etc/grub.d/10_linux | /bin/grep -q -- "--unrestricted"',
+        notify  => Exec['Grub configuration recreate for os_hardening::grub'],
+      }
+    }
+  } else {
+    file { '/etc/grub.d/01_hardening':
+      ensure => absent,
+      notify  => Exec['Grub configuration recreate for os_hardening::grub'],
+    }
+  }
+
+  exec { 'Grub configuration recreate for os_hardening::grub':
+    command     => "${grub_cmd} -o ${grub_cfg}",
+    refreshonly => true,
+  }
+
+}
+

manifests/init.pp

@@ -67,6 +67,11 @@
   Boolean           $enable_stack_protection  = true,
   Boolean           $enable_rpfilter          = true,
   Boolean           $enable_log_martians      = true,
+
+  Boolean           $enable_grub_hardening    = false,
+  String            $grub_user                = 'root',
+  String            $grub_password_hash       = '',
+  Boolean           $boot_without_password    = true,
 ) {
 
   # Prepare
@@ -193,4 +198,11 @@
     }
   }
 
+  class { 'os_hardening::grub':
+    enable                => $enable_grub_hardening,
+    user                  => $grub_user,
+    password_hash         => $grub_password_hash,
+    boot_without_password => $boot_without_password,
+  }
+
 }

templates/grub_hardening.erb

@@ -0,0 +1,4 @@
+#!/bin/sh
+echo set superusers="<%= @user %>"
+echo password_pbkdf2 <%= @user %> <%= @password_hash %>
+