Puppet Class: security_baseline::rules::redhat::sec_grub2

Defined in:: manifests/rules/redhat/sec_grub2.pp

Summary

Ensure permissions on bootloader config are configured (Scored)

Overview

The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually located at /boot/grub2/grub.cfg and linked as /etc/grub2.cfg. Additional settings can be found in the /boot/grub2/user.cfg file.

Rationale: Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Examples:

class security_baseline::rules::redhat::sec_grub2 {
    enforce => true,
    message => 'Test',
    log_level => 'info'
}

Parameters:

enforce (Boolean) (defaults to: true) —

Enforce the rule or just test and log
message (String) (defaults to: '') —

Message to print into the log
log_level (String) (defaults to: '') —

The log_level for the above message

# File 'manifests/rules/redhat/sec_grub2.pp', line 30

class security_baseline::rules::redhat::sec_grub2 (
  Boolean $enforce  = true,
  String $message   = '',
  String $log_level = ''
) {

  if($enforce) {

    file { '/boot/grub2/grub.cfg':
      ensure => present,
      owner  => 'root',
      group  => 'root',
      mode   => '0600',
    }

    file { '/boot/grub2/user.cfg':
      ensure => present,
      owner  => 'root',
      group  => 'root',
      mode   => '0600',
    }

  } else {
    if(
      ($facts['security_baseline']['grub']['grub.cfg']['uid'] != 0) or
      ($facts['security_baseline']['grub']['grub.cfg']['gid'] != 0) or
      ($facts['security_baseline']['grub']['grub.cfg']['mode'] != 384) or
      ($facts['security_baseline']['grub']['user.cfg']['uid'] != 0) or
      ($facts['security_baseline']['grub']['user.cfg']['gid'] != 0) or
      ($facts['security_baseline']['grub']['user.cfg']['mode'] != 384)
    ) {
      echo { 'grub-grub-cfg':
        message  => $message,
        loglevel => $log_level,
        withpath => false,
      }
    }
  }
}