Deploy GRUB hardening #137

Merged
merged 12 commits into from
Aug 15, 2018
8 changes: 8 additions & 0 deletions README.md
@@ -100,6 +100,14 @@ This Puppet module provides secure configuration of your base OS with hardening.
`true` if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Puppet run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
* `dry_run_on_unknown = false`
like `remove_from_unknown` above, only that SUID/SGID bits aren't removed. It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure `remove_from_unknown` for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your `whitelist` and `blacklist`.
* `enable_grub_hardening = false`
set to true to enable some grub hardening rules
* `grub_user = 'root'`
the grub username that needs to be provided when changing config on the grub prompt
* `grub_password_hash = false`
Member
The default value for grub_password_hash must be set to '' (String, not Boolean), otherwise I get an error here ...

Contributor Author
I honestly hadn't tested it with the default settings... 😊 Fixing!

a password hash created with `grub-mkpasswd-pbkdf2` that is associated with the grub\_user
* `boot_without_password = true`
setup Grub so it only requires a password when changing an entry, not when booting an existing entry

## Usage
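Review bot: the documented default `grub_password_hash = false` conflicts with the `String` type the parameter gets in `manifests/init.pp`; document it as `grub_password_hash = ''` and state that a hash is required whenever `enable_grub_hardening = true`, since the template writes the value straight into a `password_pbkdf2 <user> <hash>` line. It would also help readers to say what `boot_without_password` does mechanically (it edits `/etc/grub.d/10_linux` in place to append `--unrestricted` to the `CLASS` variable), because that file belongs to the grub package and the edit can be disturbed by a package upgrade.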

69 changes: 69 additions & 0 deletions manifests/grub.pp
@@ -0,0 +1,69 @@
# === Copyright
#
# Copyright 2018, Kumina B.V., Tim Stoop
# Licensed under the Apache License, Version 2.0 (the "License");
# http://www.apache.org/licenses/LICENSE-2.0
#

# == Class: os_hardening::grub
#
# Hardens the grub config
#
class os_hardening::grub (
Boolean $enable = false,
String $user = 'root',
String $password_hash = false,
Member
default to ''

Boolean $boot_without_password = true,
) {

case $::operatingsystem {
debian, ubuntu: {
$grub_cfg = '/boot/grub/grub.cfg'
Member
Is it a better way to call update-grub on ubuntu/debian?

Contributor Author
I wouldn't bother:

~$ cat /usr/sbin/update-grub
#!/bin/sh
set -e
exec grub-mkconfig -o /boot/grub/grub.cfg "$@"

This is more consistent, imho.

Member
:D I did not check the file itself, but I saw it in all possible man pages :)
Fine for me as is now

$grub_cmd = "/usr/sbin/grub-mkconfig"
}
redhat, fedora: {
$grub_cfg = '/boot/grub2/grub.cfg'
$grub_cmd = "/usr/sbin/grub2-mkconfig"
}
}

if $enable {
file { '/etc/grub.d/01_hardening':
content => template('os_hardening/grub_hardening.erb'),
notify => Exec['Grub configuration recreate for os_hardening::grub'],
}

file { $grub_cfg:
owner => 'root',
group => 'root',
mode => '0600',
}

if $boot_without_password {
# This sets up Grub on Debian Stretch so you can still boot the system without a password
exec { 'Keep system bootable without credentials':
command => "/bin/sed -i -e 's/^CLASS=\"\\(.*\\)\"/CLASS=\"\\1 --unrestricted\"/' /etc/grub.d/10_linux;",
unless => '/bin/grep -e "^CLASS=" /etc/grub.d/10_linux | /bin/grep -q -- "--unrestricted"',
notify => Exec['Grub configuration recreate for os_hardening::grub'],
}
} else {
exec { 'Remove addition for keeping system bootable without credentials':
command => "/bin/sed -i -e 's/^CLASS=\"\\(.*\\) --unrestricted\\(.*\\)\"/CLASS=\"\\1\\2\"/' /etc/grub.d/10_linux;",
onlyif => '/bin/grep -e "^CLASS=" /etc/grub.d/10_linux | /bin/grep -q -- "--unrestricted"',
notify => Exec['Grub configuration recreate for os_hardening::grub'],
}
}
} else {
file { '/etc/grub.d/01_hardening':
ensure => absent,
notify => Exec['Grub configuration recreate for os_hardening::grub'],
}
}

exec { 'Grub configuration recreate for os_hardening::grub':
command => "${grub_cmd} -o ${grub_cfg}",
refreshonly => true,
}

}
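Review bot: `/etc/grub.d/01_hardening` is created without a `mode`, and `grub-mkconfig` only runs the scripts in `/etc/grub.d` that are executable, so with Puppet's default file mode the `superusers` and `password_pbkdf2` lines never reach `grub.cfg` and the hardening silently does nothing; add `mode => '0755'` to that `file` resource. Three more points in the same hunk: `String $password_hash = false` fails type checking on every compile (default to `''` and `fail()` when `$enable` is true and the hash is empty); `case $::operatingsystem` has no `default` branch, so on CentOS or any other value `$grub_cfg` and `$grub_cmd` stay undef and the unconditional `exec` is declared with the command ` -o ` (match on `$facts['os']['family']` and add a `default` that fails cleanly); and `file { $grub_cfg: mode => '0600' }` has no ordering against the exec that rewrites the same file, so add `require => Exec['Grub configuration recreate for os_hardening::grub']` to have the mode re-applied after regeneration.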

12 changes: 12 additions & 0 deletions manifests/init.pp
Expand Up @@ -64,6 +64,11 @@
Boolean $enable_stack_protection = true,
Boolean $enable_rpfilter = true,
Boolean $enable_log_martians = true,

Boolean $enable_grub_hardening = false,
String $grub_user = 'root',
String $grub_password_hash = false,
Member
default to ''

Boolean $boot_without_password = true,
) {

# Prepare
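Review bot: `String $grub_password_hash = false` is a type mismatch that breaks catalog compilation for every user of `os_hardening`, not only those enabling GRUB hardening, because the default value is checked against the declared type; use `String $grub_password_hash = ''` (or `Optional[String] $grub_password_hash = undef`) and validate the value inside `os_hardening::grub` when `$enable` is true.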
@@ -180,4 +185,11 @@
}
}

class { 'os_hardening::grub':
enable => $enable_grub_hardening,
user => $grub_user,
password_hash => $grub_password_hash,
boot_without_password => $boot_without_password,
}

}
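Review bot: the resource-like declaration of `os_hardening::grub` is evaluated on every node regardless of `$enable_grub_hardening`, which is fine for removing a stale `01_hardening`, but it also means the `case` in `manifests/grub.pp` runs on operating systems it does not cover, so existing users on platforms outside Debian/Ubuntu/RedHat/Fedora get a broken `grub-mkconfig` exec; either guard this declaration on the OS family or make `os_hardening::grub` handle unsupported systems itself.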
4 changes: 4 additions & 0 deletions templates/grub_hardening.erb
@@ -0,0 +1,4 @@
#!/bin/sh
echo set superusers="<%= @user %>"
echo password_pbkdf2 <%= @user %> <%= @password_hash %>
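Review bot: the template emits `password_pbkdf2 <user> <hash>` unconditionally, so with an empty `@password_hash` it writes `password_pbkdf2 root ` into `grub.cfg` and the configured superuser has no valid credential; wrap both lines in `<% if @password_hash != '' %> ... <% end %>` or fail in the class. Also, the double quotes in `echo set superusers="<%= @user %>"` are consumed by the shell, so the generated line is `set superusers=root`; single-quote the echo argument if the quoted form is intended. Worth documenting: once `set superusers=` is present GRUB requires authentication for every menu entry not marked `--unrestricted`, which is what the `10_linux` edit in `grub.pp` provides.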