
V-71961 grub2 Configuration File (#67)
* Changed array of grub2 superusers to a single superuser in grub_superuser attribute. Updated V-71961 to look for all instances of setting a grub2 superuser and superusers password within given grub configuration.

* Update V-71961 to check if environment variables are being set for the grub2 superuser password. If they are, the control now examines the provided user.cfg files to ensure that the password is encrypted with pbkdf2; if they are not, it checks the password_ line entry in the given grub_main_cfg file.
Bialogs authored and wdower committed Mar 1, 2022
1 parent 7d8874b commit 5d4d53f
Showing 2 changed files with 52 additions and 11 deletions.
4 changes: 2 additions & 2 deletions attributes.yml
Expand Up @@ -219,8 +219,8 @@ exempt_home_users: []
# main grub boot config file
grub_main_cfg: '/boot/grub2/grub.cfg'

# superusers for grub boot ( array )
grub_superusers: ['root']
# superusers for grub boot
grub_superusers: 'root'

# grub boot config files
grub_user_boot_files: ['/boot/grub2/user.cfg']
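Review bot: The key keeps its plural name `grub_superusers` while its value is now a single scalar, and the commit message refers to the attribute as `grub_superuser`; the control side of this commit also reads a singular `grub_superuser`. Either rename the key to match, or update the comment to state the new contract, e.g. `# the single superuser for grub boot (one user name, not an array)`, so that a reader does not try to supply a list here again.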
59 changes: 50 additions & 9 deletions controls/V-71961.rb
@@ -1,6 +1,5 @@
# encoding: utf-8
#

grub_superusers = input(
'grub_superusers',
description: 'superusers for grub boot ( array )',
Expand Down Expand Up @@ -75,18 +74,60 @@
# mv /tmp/grub2.cfg /boot/grub2/grub.cfg
"
tag "fix_id": "F-78313r2_fix"
describe file(grub_main_cfg) do
its('content') { should match %r{^\s*password_pbkdf2\s+root } }

grub_main_content = file(grub_main_cfg).content

# Check if any additional superusers are set
pattern = %r{\s*set superusers=\"(\w+)\"}i
matches = grub_main_content.match(pattern)
superusers = matches.nil? ? [] : matches.captures
describe "There must be only one grub2 superuser, and it must have the value #{grub_superuser}" do
subject { superusers }
its('length') { should cmp 1 }
its('first') { should cmp grub_superuser }
end

grub_user_boot_files.each do |user_cfg_file|
next if !file(user_cfg_file).exist?
describe.one do
grub_superusers.each do |user|
describe file(user_cfg_file) do
its('content') { should match %r{^\s*password_pbkdf2\s+#{user} } }
# Need each password entry that has the superuser
pattern = %r{(.*)\s#{grub_superuser}\s}i
matches = grub_main_content.match(pattern)
password_entries = matches.nil? ? [] : matches.captures
# Each of the entries should start with password_pbkdf2
describe 'The grub2 superuser password entry must begin with \'password_pbkdf2\'' do
subject { password_entries }
its('length') { is_expected.to be >= 1}
password_entries.each do |entry|
subject { entry }
it { should include 'password_pbkdf2'}
end
end

# Get lines such as 'password_pbkdf2 root ${ENV}'
pattern = %r{password_pbkdf2\s#{grub_superuser}\s(\${\w+})}i
matches = grub_main_content.match(pattern)
env_vars = matches.nil? ? [] : matches.captures
if env_vars.length > 0
# If there is an environment variable in the configuration file check that it is set with correct values by looking
# in user.cfg files.
env_vars = env_vars.map { |env_var| env_var.gsub(/[${}]/, '') }
present_user_boot_files = grub_user_boot_files.select { |user_boot_file| file(user_boot_file).exist? }
describe 'grub2 user configuration files for the superuser should be present if they set an environment variable' do
subject { present_user_boot_files }
its('length') { is_expected.to be >= 1 }
present_user_boot_files.each do |user_boot_file|
env_vars.each do |env_var|
describe "#{user_boot_file} should set #{env_var} to a pbkdf2 value" do
subject { file(user_boot_file) }
its('content') { should match %r{^#{env_var}=grub.pbkdf2}i }
end
end
end
end
else
# If there are no environment variable set, look for pbkdf2 after the superuser name
pattern = %r{password_pbkdf2\s#{grub_superuser}\sgrub\.pbkdf2}i
describe 'The grub2 superuser account password should be encrypted with pbkdf2.' do
subject { grub_main_content }
it { should match pattern }
end
end
end
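Review bot: `match` at lines 51 and 67 returns only the first occurrence, so a later `set superusers=` declaration in grub.cfg, or a second password entry for the superuser, is never examined even though the comments say every instance should be checked; `scan(pattern).flatten` in both places collects them all. In the describe block at lines 70–77, calling `subject { entry }` once per entry redefines the group's single subject, so only the last entry is actually asserted on (and `its('length')` then measures that string rather than the array); a single `it { is_expected.to all(include('password_pbkdf2')) }` example tests every entry. The new lines also reference `grub_superuser` (singular) while the only input visible in this diff is `grub_superusers` at line 37 — if no singular variable is defined in the unchanged part of the control, this raises NameError at load time, so worth confirming. The enclosing control block starts outside the hunk.

```ruby
# Check if any additional superusers are set
pattern = %r{\s*set superusers=\"(\w+)\"}i
superusers = grub_main_content.scan(pattern).flatten
# … unchanged: describe "There must be only one grub2 superuser…" …

# Need each password entry that has the superuser
pattern = %r{(.*)\s#{grub_superuser}\s}i
password_entries = grub_main_content.scan(pattern).flatten
# Each of the entries should start with password_pbkdf2
describe 'The grub2 superuser password entry must begin with \'password_pbkdf2\'' do
  subject { password_entries }
  its('length') { is_expected.to be >= 1 }
  it { is_expected.to all(include('password_pbkdf2')) }
end
# … unchanged: environment-variable handling …
```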
