Puppet Class: os_hardening::grub
- Defined in:
- manifests/grub.pp
Overview
Class: os_hardening::grub
Hardens the GRUB bootloader configuration: installs a generator script `/etc/grub.d/01_hardening` (fed the `user` and `password_hash` parameters), restricts the generated `grub.cfg` to root (mode 0600), and regenerates `grub.cfg` whenever the hardening inputs change.
# File 'manifests/grub.pp', line 12
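# Class: os_hardening::grub
#
# Hardens the GRUB bootloader configuration.
#
# With $enable => true this class:
#   * installs /etc/grub.d/01_hardening, rendered from the
#     os_hardening/grub_hardening.erb template (the template is the only
#     consumer of $user and $password_hash; it is not visible from this file,
#     so the exact GRUB directives it emits are not described here);
#   * restricts the generated grub.cfg to root (0600);
#   * optionally marks the menu entries produced by /etc/grub.d/10_linux as
#     --unrestricted so the machine still boots unattended;
#   * regenerates grub.cfg whenever any of the above changes.
# With $enable => false the generator script is removed and grub.cfg is
# regenerated without it. Note that a previously added --unrestricted flag in
# 10_linux is NOT reverted in that case (the $boot_without_password handling
# only runs while $enable is true); with no password in place the flag is
# harmless, but it is left behind.
#
# @param enable                Install (true) or remove (false) the hardening.
# @param user                  GRUB superuser name passed to the template.
# @param password_hash         Password hash for $user passed to the template
#                              (normally grub-mkpasswd-pbkdf2 output — confirm
#                              against the template). An empty hash together
#                              with $enable => true is almost certainly a
#                              misconfiguration; this class does not reject it,
#                              so validate it in the caller/Hiera data.
# @param boot_without_password When true, append --unrestricted to the CLASS
#                              line of /etc/grub.d/10_linux so the default
#                              Linux entries boot without credentials; when
#                              false, strip it again. Only 10_linux is edited;
#                              entries from other generator scripts are not
#                              touched. Editing 10_linux in place modifies a
#                              package-owned file, so package upgrades may
#                              prompt about or overwrite the change.
class os_hardening::grub (
  Boolean $enable                = false,
  String  $user                  = 'root',
  String  $password_hash         = '',
  Boolean $boot_without_password = true,
) {
  # Single place for the regeneration exec title; every change notifies it.
  $grub_regen = 'Grub configuration recreate for os_hardening::grub'

  # Debian-family systems use the unversioned grub tooling and paths; every
  # other OS is assumed to ship grub2-* tooling under /boot/grub2.
  case $::operatingsystem {
    debian, ubuntu, cumuluslinux: {
      $grub_cfg = '/boot/grub/grub.cfg'
      $grub_cmd = '/usr/sbin/grub-mkconfig'
    }
    default: {
      $grub_cfg = '/boot/grub2/grub.cfg'
      $grub_cmd = '/usr/sbin/grub2-mkconfig'
    }
  }

  if $enable {
    # The generator script is handed $password_hash, i.e. the same secret that
    # grub.cfg is locked down to 0600 for, so it must not be world-readable
    # either. grub-mkconfig executes /etc/grub.d/* as root, for which
    # root-only execute (0700) is sufficient.
    file { '/etc/grub.d/01_hardening':
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0700',
      content => template('os_hardening/grub_hardening.erb'),
      notify  => Exec[$grub_regen],
    }

    # grub.cfg carries the superuser credentials, so only root may read it.
    # Ordered after the regeneration exec so that when grub-mkconfig rewrites
    # the file in the same agent run, the permissions are enforced on the
    # freshly written file rather than on the next run. (require only orders;
    # it does not trigger the refreshonly exec.)
    file { $grub_cfg:
      owner   => 'root',
      group   => 'root',
      mode    => '0600',
      require => Exec[$grub_regen],
    }

    if $boot_without_password {
      # Keep the default Linux menu entries bootable without credentials by
      # adding --unrestricted to the CLASS line of 10_linux (Debian Stretch
      # style). Idempotent: skipped once the flag is already present.
      exec { 'Keep system bootable without credentials':
        command => "/bin/sed -i -e 's/^CLASS=\"\\(.*\\)\"/CLASS=\"\\1 --unrestricted\"/' /etc/grub.d/10_linux;",
        unless  => '/bin/grep -e "^CLASS=" /etc/grub.d/10_linux | /bin/grep -q -- "--unrestricted"',
        notify  => Exec[$grub_regen],
      }
    } else {
      # Reverse the edit above so every entry requires the GRUB credentials.
      # Only runs when the flag is actually present.
      exec { 'Remove addition for keeping system bootable without credentials':
        command => "/bin/sed -i -e 's/^CLASS=\"\\(.*\\) --unrestricted\\(.*\\)\"/CLASS=\"\\1\\2\"/' /etc/grub.d/10_linux;",
        onlyif  => '/bin/grep -e "^CLASS=" /etc/grub.d/10_linux | /bin/grep -q -- "--unrestricted"',
        notify  => Exec[$grub_regen],
      }
    }
  } else {
    # Disabled: drop the generator script and rebuild grub.cfg without it.
    file { '/etc/grub.d/01_hardening':
      ensure => absent,
      notify => Exec[$grub_regen],
    }
  }

  # Rebuild grub.cfg only when one of the resources above changed.
  exec { $grub_regen:
    command     => "${grub_cmd} -o ${grub_cfg}",
    refreshonly => true,
  }
}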