Do not make bootloader config less secure #143


kdebisschop
Contributor

@kdebisschop kdebisschop commented Mar 24, 2024

Overall Review of Changes:
As currently written, "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
will make a bootloader config with a permission of 0400 into 0600, potentially less secure. This
change ensures that if the bootloader config file has a mode of 0400, it will be left as is.

Issue Fixes:
No linking issues

Enhancements:
Ensures that mode 0400 bootloader config file permissions are not made less restrictive.

How has this been tested?:

$ # UNCHANGED CODE - fixes 0444 as expected
$ ansible-playbook -i inventory.yml -l 'server.example.net' -CD cis-ubuntu.yml

PLAY [ubuntu] *********************************************************************************************************

TASK [UBUNTU20-CIS : PRELIM | Run apt update] *************************************************************************
changed: [server.example.net]

TASK [UBUNTU20-CIS : 1.4.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions] ********
--- before
+++ after
@@ -1,4 +1,4 @@
 {
-    "mode": "0444",
+    "mode": "0600",
     "path": "/boot/grub/grub.cfg"
 }

changed: [server.example.net]

PLAY RECAP ************************************************************************************************************
server.example.net  : ok=76   changed=2    unreachable=0    failed=0    skipped=479  rescued=0    ignored=0   

$ # CHANGED CODE - fixes 0444 as expected
$ ansible-playbook -i inventory.yml -l 'server.example.net' -CD cis-ubuntu.yml

PLAY [ubuntu] *********************************************************************************************************

TASK [UBUNTU20-CIS : PRELIM | Run apt update] *************************************************************************
changed: [server.example.net]

TASK [UBUNTU20-CIS : 1.4.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions] ********
--- before
+++ after
@@ -1,4 +1,4 @@
 {
-    "mode": "0444",
+    "mode": "0600",
     "path": "/boot/grub/grub.cfg"
 }

changed: [server.example.net]

PLAY RECAP ************************************************************************************************************
server.example.net  : ok=76   changed=2    unreachable=0    failed=0    skipped=479  rescued=0    ignored=0   

$ ssh -q server.example.net sudo chmod 0600 /boot/grub/grub.cfg
$ # UNCHANGED CODE - keeps 0600 as expected
$ ansible-playbook -i inventory.yml -l 'server.example.net' -CD cis-ubuntu.yml

PLAY [ubuntu] *********************************************************************************************************

TASK [UBUNTU20-CIS : PRELIM | Run apt update] *************************************************************************
changed: [server.example.net]

PLAY RECAP ************************************************************************************************************
server.example.net  : ok=76   changed=1    unreachable=0    failed=0    skipped=479  rescued=0    ignored=0   

$ # CHANGED CODE - keeps 0600 as expected
$ ansible-playbook -i inventory.yml -l 'server.example.net' -CD cis-ubuntu.yml

PLAY [ubuntu] *********************************************************************************************************

TASK [UBUNTU20-CIS : PRELIM | Run apt update] *************************************************************************
changed: [server.example.net]

PLAY RECAP ************************************************************************************************************
server.example.net  : ok=76   changed=1    unreachable=0    failed=0    skipped=479  rescued=0    ignored=0   

$ ssh -q server.example.net sudo chmod 0400 /boot/grub/grub.cfg
$ # UNCHANGED CODE - changes to less restrictive 0600, contrary to CIS benchmark
$ ansible-playbook -i inventory.yml -l 'server.example.net' -CD cis-ubuntu.yml

PLAY [ubuntu] *********************************************************************************************************

TASK [UBUNTU20-CIS : PRELIM | Run apt update] *************************************************************************
changed: [server.example.net]

TASK [UBUNTU20-CIS : 1.4.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions] ********
--- before
+++ after
@@ -1,4 +1,4 @@
 {
-    "mode": "0400",
+    "mode": "0600",
     "path": "/boot/grub/grub.cfg"
 }
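Review bot: this hunk records the regression rather than the fix: with the unchanged task, a 0400 grub.cfg is rewritten to 0600, the only run in this transcript where the role loosens permissions. In the changed-code run that follows, the recap reads ok=75 skipped=480 against ok=76 skipped=479 for every other run, so the fix appears to skip task 1.4.2 entirely when the file is already 0400 instead of reporting it ok; worth confirming that audit output still marks the file compliant, and that the condition also leaves other already-compliant modes (0200, 0000) alone rather than matching only the literal 0400 and 0600.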

changed: [server.example.net]

PLAY RECAP ************************************************************************************************************
server.example.net  : ok=76   changed=2    unreachable=0    failed=0    skipped=479  rescued=0    ignored=0   

$ # CHANGED CODE - keeps 0400 as provided for in CIS benchmark
$ ansible-playbook -i inventory.yml -l 'server.example.net' -CD cis-ubuntu.yml

PLAY [ubuntu] *********************************************************************************************************

TASK [UBUNTU20-CIS : PRELIM | Run apt update] *************************************************************************
changed: [server.example.net]

PLAY RECAP ************************************************************************************************************
server.example.net  : ok=75   changed=1    unreachable=0    failed=0    skipped=480  rescued=0    ignored=0   


Signed-off-by: Karl DeBisschop <kdebisschop@gmail.com>
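The tighten-only rule described in this PR (set 0600 only when the current mode carries bits outside owner read/write, otherwise leave 0400 or 0600 as is), as an added Python example that is not the role's own code; it models the --check --diff decision over a constructed path-to-mode map, and the helper names are my own:

```python
import os
import stat
from typing import Dict, Optional

# CIS 1.4.2 target: the bootloader config must be 0600 or more restrictive.
# Rule modelled here: a mode with no bits outside owner read/write
# (0400, 0200, 0600, 0000) is already compliant and is left alone; any mode
# with extra bits (0444, 0644, 0640, 0700, ...) is set to exactly 0600.
COMPLIANT_MASK = 0o600


def planned_mode(current: int) -> Optional[int]:
    """Return the mode to set, or None when the file is already compliant.

    Only permission bits are considered; file-type bits from st_mode are dropped.
    """
    perm = stat.S_IMODE(current)
    if perm & ~COMPLIANT_MASK:   # any group/other bit or owner-execute bit set
        return COMPLIANT_MASK
    return None                  # 0400, 0200, 0600, 0000: never loosen


def plan_changes(modes: Dict[str, int]) -> Dict[str, str]:
    """Simulate a check-mode run over a path -> mode map (constructed input).

    Returns path -> "before -> after" only for files that would be changed,
    mirroring what the task's diff output shows.
    """
    changes = {}
    for path, mode in modes.items():
        target = planned_mode(mode)
        if target is not None:
            changes[path] = f"{stat.S_IMODE(mode):04o} -> {target:04o}"
    return changes


def enforce(path: str, check_mode: bool = False) -> Optional[int]:
    """Apply the rule to a real file; with check_mode=True only report."""
    target = planned_mode(os.stat(path).st_mode)
    if target is not None and not check_mode:
        os.chmod(path, target)
    return target


if __name__ == "__main__":
    # The three file states exercised in the PR's test runs, as constructed input.
    sample = {"grub.cfg@0444": 0o444, "grub.cfg@0600": 0o600, "grub.cfg@0400": 0o400}
    for path, diff in plan_changes(sample).items():
        print(f"changed: {path}: {diff}")   # only the 0444 case is reported
```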
@uk-bolly uk-bolly (Member) left a comment


nice change

@uk-bolly uk-bolly merged commit 3057475 into ansible-lockdown:devel Mar 25, 2024
4 checks passed