Puppet Class: security_baseline::rules::sles::sec_grub2

Defined in:
manifests/rules/sles/sec_grub2.pp

Summary

Ensure permissions on bootloader config are configured (Scored)

Overview

The grub configuration file contains the boot settings and the passwords for unlocking boot options. On SLES the configuration is usually located at /boot/grub2/grub.cfg and linked as /etc/grub2.cfg. Additional settings can be found in /boot/grub2/user.cfg, which this class does not manage.

Rationale: Restricting the file to read and write by root only (owner root:root, mode 0600) prevents non-root users from reading or changing the boot parameters. Non-root users who can read the boot parameters may be able to identify weaknesses in security upon boot and exploit them.

Examples:

Resource-like declaration of the class (message and log_level are only used when enforce is false, where the class audits instead of enforcing):

class { 'security_baseline::rules::sles::sec_grub2':
  enforce   => true,
  message   => 'Test',
  log_level => 'info',
}

Parameters:

  • enforce (Boolean) (defaults to: true)

    true: manage /boot/grub2/grub.cfg as root:root with mode 0600. false: only compare the security_baseline fact against those values and log.

  • message (String) (defaults to: '')

    Message to print into the log when the check fails (audit mode only)

  • log_level (String) (defaults to: '')

    The log level for the above message



# File 'manifests/rules/sles/sec_grub2.pp', line 30

class security_baseline::rules::sles::sec_grub2 (
  Boolean $enforce  = true,
  String $message   = '',
  String $log_level = ''
) {

  if($enforce) {

    # Enforce mode: Puppet restores root:root and 0600 on every run, so the
    # permissions survive a regeneration of grub.cfg. Note that
    # ensure => present creates an empty grub.cfg if the file is missing.
    file { '/boot/grub2/grub.cfg':
      ensure => present,
      owner  => 'root',
      group  => 'root',
      mode   => '0600',
    }

  } else {
    # Audit mode: compare the custom fact against the expected values.
    # The fact reports the mode in decimal; 384 is octal 0600.
    if(
      ($facts['security_baseline']['grub']['grub.cfg']['uid'] != 0) or
      ($facts['security_baseline']['grub']['grub.cfg']['gid'] != 0) or
      ($facts['security_baseline']['grub']['grub.cfg']['mode'] != 384)
    ) {
      # The echo resource type (provided by an external module) writes
      # the message to the agent log at the requested level.
      echo { 'grub-grub-cfg':
        message  => $message,
        loglevel => $log_level,
        withpath => false,
      }
    }
  }
}
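The same check and remediation as a stand-alone shell audit, added here as an illustration and not part of the security_baseline module. It assumes GNU stat (as shipped on SLES); the function names, the octal conversion helper and the parameterised owner/group/mode are this example's own choices. The helper makes explicit why the manifest compares the fact against 384: that is octal 0600 in decimal.

```shell
#!/bin/sh
# Audit and remediation of bootloader config permissions, mirroring the
# security_baseline check: owner uid 0, group gid 0, mode 0600.
# Helper names and the parameterised expected values are example choices.

# Convert an octal digit string such as "600" (what `stat -c %a` prints)
# into decimal, the form the Puppet fact reports (600 octal -> 384).
octal_to_decimal() {
  o="$1"; n=0
  while [ -n "$o" ]; do
    d=${o%"${o#?}"}        # first character of the remaining string
    o=${o#?}               # drop that character
    n=$((n * 8 + d))
  done
  printf '%s\n' "$n"
}

# audit_file PATH WANT_UID WANT_GID WANT_MODE_OCTAL
# Returns 0 when owner, group and mode match, 1 on a mismatch,
# 2 when the file is missing. The production check for this rule is:
#   audit_file /boot/grub2/grub.cfg 0 0 600
audit_file() {
  f="$1"; want_uid="$2"; want_gid="$3"; want_mode="$4"
  [ -f "$f" ] || return 2
  uid=$(stat -c '%u' "$f")
  gid=$(stat -c '%g' "$f")
  mode=$(stat -c '%a' "$f")   # e.g. 600, 644, or 4755 with setuid
  [ "$uid" -eq "$want_uid" ] && [ "$gid" -eq "$want_gid" ] && \
    [ "$(octal_to_decimal "$mode")" -eq "$(octal_to_decimal "$want_mode")" ]
}

# remediate_file PATH WANT_UID WANT_GID WANT_MODE_OCTAL
# Equivalent of the file resource in enforce mode (without creating the
# file when it is absent). For grub.cfg: remediate_file /boot/grub2/grub.cfg 0 0 600
remediate_file() {
  f="$1"
  [ -f "$f" ] || return 2
  chown "$2:$3" "$f" && chmod "$4" "$f"
}
```

Run the audit after every grub2-mkconfig invocation, since regenerating grub.cfg can reset its permissions; the Puppet class in enforce mode does this automatically on each agent run.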