8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
# File 'manifests/trusty64/boot_settings.pp', line 8
class cis_benchmark::trusty64::boot_settings {
## local variables
$grub_user = $::cis_benchmark::grub_user
$grub_password = $::cis_benchmark::grub_password
$root_password = $::cis_benchmark::root_password
## local variables: stig items
$cis_1_4_1 = $::cis_benchmark::cis_1_4_1
$cis_1_4_2 = $::cis_benchmark::cis_1_4_2
$cis_1_4_3 = $::cis_benchmark::cis_1_4_3
## 1.4.1 Ensure permissions on bootloader config are configured (Scored)
if ($cis_1_4_1) {
file { 'file-cis-1-4-1':
path => '/boot/grub/grub.cfg',
owner => root,
group => root,
mode => '0700',
}
}
##
## 1.4.2 Ensure permissions on bootloader config are configured (Scored)
##
## Note: the corresponding password can be (re)created as follows:
##
## grub-mkpasswd-pbkdf2
## Enter password: <password>
## Reenter password: <password>
## Your PBKDF2 is <encrypted-password>
##
if ($cis_1_4_2) {
file { 'file-cis-1-4-2':
content => dos2unix(template('cis_benchmark//trusty64/grub_bootloader.erb')),
path => '/etc/grub.d/50_bootloader',
mode => '0755',
owner => root,
group => root,
notify => Exec['update-grub'],
}
}
## 1.4.3 Ensure authentication required for single user mode (Scored)
if ($cis_1_4_3) {
user { root:
ensure => present,
password => $root_password,
}
}
##
## update grub2 configuration
##
## Note: without the shell provider, the 'basename: not found' error exists.
##
exec { 'update-grub':
command => 'update-grub',
provider => shell,
refreshonly => true,
}
}
|