Rule 1.4.x Grub Config #55

Closed
zac90 opened this issue Aug 8, 2023 · 1 comment
Labels: bug (Something isn't working)

Comments

@zac90 commented Aug 8, 2023

Describe the Issue
There appear to be issues with the way the grub config is set up, mainly in the module that sets the password. It has capture groups set, but backrefs isn't on, so those capture groups aren't used. Also, it is looking for insertafter: set superusers="{{ ubtu22cis_grub_user }}".

Also, the way grub requires encrypted passwords is different to what is stored in /etc/shadow. The rule for 1.4.3 uses the same grub hash, which is incorrect as it uses a different hash format.

Expected Behavior
The grub file should be updated with both the username and the password in encrypted form. The user module should update the password correctly.

Actual Behavior
No user is added, and only the password is added with a \1 due to incorrect capture group usage.
The root user password isn't updated correctly in /etc/shadow.

Control(s) Affected
1.4.1

Possible Solution
Accept the password variable as standard text that is just encrypted with Ansible Vault, then decrypt it and run it through a module that generates both a hash suitable for grub and a hash suitable for the shadow file, which can then be fed into a variable during playbook execution.
Fix the module "1.4.1 | PATCH | Ensure bootloader password is set". Perhaps change to blockinfile, as both the user and password need to be set. Something like:

```yaml
- name: "1.4.1 | PATCH | Ensure bootloader password is set"
  ansible.builtin.blockinfile:
    path: "{{ ubtu22cis_grub_user_file }}"
    insertafter: EOF
    # The block is written verbatim, so it must contain only the grub
    # directives themselves (no shell heredoc wrapper around them).
    block: |
      set superusers="{{ ubtu22cis_grub_user }}"
      password_pbkdf2 {{ ubtu22cis_grub_user }} {{ ubtu22cis_bootloader_password_hash }}
    state: present
  notify: Grub update
```

Fix the module "1.4.3 | PATCH | Ensure authentication required for single user mode" to take the right hash format.
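The two hash formats the report contrasts, side by side in an added Python example (not code from the issue or from the ansible-lockdown role): it generates a grub password_pbkdf2 hash in the layout grub-mkpasswd-pbkdf2 emits (PBKDF2-HMAC-SHA512, 64-byte salt, 10000 iterations by default, upper-case hex), verifies a password against one, tells it apart from a crypt(3) `$6$` hash of the kind stored in /etc/shadow, and renders the `set superusers` / `password_pbkdf2` lines a blockinfile-based fix would write. The function names, the fixed salt and the shadow-style sample hash used below are my own constructed placeholders.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Layout emitted by grub-mkpasswd-pbkdf2 and parsed by grub's password_pbkdf2:
#   grub.pbkdf2.sha512.<iterations>.<salt hex>.<derived key hex>
# Salt and derived key are both 64 bytes (128 hex digits); the tool defaults to 10000 iterations.
GRUB_PBKDF2_RE = re.compile(
    r"^grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]{128})\.([0-9A-Fa-f]{128})$"
)

# crypt(3) SHA-512 layout used in /etc/shadow: $6$[rounds=N$]<salt>$<86 base64 chars>
SHADOW_SHA512_RE = re.compile(
    r"^\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$"
)

GRUB_SALT_LEN = 64
GRUB_DEFAULT_ITERATIONS = 10000


def grub_pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                     iterations: int = GRUB_DEFAULT_ITERATIONS) -> str:
    """Return a grub.pbkdf2.sha512 string for password (random salt unless one is supplied)."""
    if salt is None:
        salt = os.urandom(GRUB_SALT_LEN)
    if len(salt) != GRUB_SALT_LEN:
        raise ValueError("grub expects a 64-byte salt")
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def verify_grub_pbkdf2(password: str, grub_hash: str) -> bool:
    """Recompute PBKDF2 from the stored salt and iteration count; compare in constant time."""
    m = GRUB_PBKDF2_RE.match(grub_hash)
    if not m:
        return False
    iterations, salt_hex, dk_hex = int(m.group(1)), m.group(2), m.group(3)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), bytes.fromhex(salt_hex),
                             iterations, dklen=64)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def hash_kind(value: str) -> str:
    """Classify a hash string: 'grub' (bootloader), 'shadow' (crypt SHA-512) or 'unknown'."""
    if GRUB_PBKDF2_RE.match(value):
        return "grub"
    if SHADOW_SHA512_RE.match(value):
        return "shadow"
    return "unknown"


def render_grub_user_block(user: str, grub_hash: str) -> str:
    """Render the two grub directives for a superuser; refuse a /etc/shadow-style hash."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", user):
        raise ValueError("unexpected characters in grub user name")
    if hash_kind(grub_hash) != "grub":
        raise ValueError("password_pbkdf2 needs a grub.pbkdf2.sha512 hash, not a crypt(3) hash")
    return f'set superusers="{user}"\npassword_pbkdf2 {user} {grub_hash}\n'


if __name__ == "__main__":
    # Demo with a random salt; the verify step confirms grub would accept the same password.
    h = grub_pbkdf2_hash("S3cret!")
    assert verify_grub_pbkdf2("S3cret!", h)
    print(render_grub_user_block("root", h), end="")
```

The shadow side of the split the report asks for is what Ansible's `password_hash('sha512')` filter produces; a value matching the `$6$` pattern belongs in /etc/shadow, a value starting with `grub.pbkdf2.sha512` belongs in the grub user file, and handing either one to the other consumer is the 1.4.3 mix-up described above.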

@zac90 zac90 added the bug Something isn't working label Aug 8, 2023
@uk-bolly uk-bolly self-assigned this Aug 9, 2023
uk-bolly added a commit that referenced this issue Aug 9, 2023
Signed-off-by: Mark Bolwell <[email protected]>

@uk-bolly (Member) commented Aug 21, 2023

hi @zac90

Thank you for taking the time to give feedback on the ubuntu22-cis role. You should find all open issues have now been merged. Please let us know if there is anything that is not working as expected for your setup.

Thank you again for your feedback and detailed issues.

uk-bolly

@uk-bolly uk-bolly closed this as completed Sep 5, 2023