From 4f7d7b7d454489fd6692b27c46b4f41eed193848 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Thu, 24 Oct 2024 16:38:14 +0200
Subject: [PATCH] Refs #8025: Refactor-awx - rol Debian-base - New task grub_startup. Added password to edit and timeout to 1. Default Linux continues boot normally

---
 roles/debian-base/defaults/main.yaml | 1 +
 roles/debian-base/files/10_linux | 416 +++++++++++++++++++++++
 roles/debian-base/tasks/grub_startup.yml | 38 +++
 roles/debian-base/tasks/main.yml | 2 +
 roles/secure-grub/handlers/main.yml | 2 -
 roles/secure-grub/tasks/main.yml | 7 -
 roles/secure-grub/vars/main.yaml | 1 -
 7 files changed, 457 insertions(+), 10 deletions(-)
 create mode 100644 roles/debian-base/files/10_linux
 create mode 100644 roles/debian-base/tasks/grub_startup.yml
 delete mode 100644 roles/secure-grub/handlers/main.yml
 delete mode 100644 roles/secure-grub/tasks/main.yml
 delete mode 100644 roles/secure-grub/vars/main.yaml

diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index 2ea9091..36db4a8 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -1,5 +1,6 @@
 vn_first_time: false
 vn_witness_checked: false
+grub_user: admin
 default_user: user
 fail2ban:
   email: "{{ sysadmin_mail }}"
diff --git a/roles/debian-base/files/10_linux b/roles/debian-base/files/10_linux
new file mode 100644
index 0000000..518b50d
--- /dev/null
+++ b/roles/debian-base/files/10_linux
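Review bot: `grub_user: admin` arrives in defaults/ with no mention of its companion `grub_code`, which the new grub_startup.yml task interpolates into a `password_pbkdf2` line and which nothing in this patch defines (the deleted secure-grub/vars/main.yaml only held `grub_user`). A literal default would be wrong for a secret, so I would add a commented placeholder right under it so the contract is visible to whoever fills the inventory: `# grub_code: PBKDF2 hash from grub-mkpasswd-pbkdf2 (grub.pbkdf2.sha512.…); supply via vault, never a plaintext password`. Moving the user from vars/ to defaults/ also makes it overridable by inventory, which the old vars/ placement did not allow; that is worth a word in the commit message.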
@@ -0,0 +1,416 @@ +#! /bin/sh +set -e + +# grub-mkconfig helper script. +# Copyright (C) 2006,2007,2008,2009,2010 Free Software Foundation, Inc. +# +# GRUB is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# GRUB is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GRUB. If not, see . + +prefix="/usr" +exec_prefix="/usr" +datarootdir="/usr/share" +ubuntu_recovery="0" +quiet_boot="0" +quick_boot="0" +gfxpayload_dynamic="0" +vt_handoff="0" + +. "$pkgdatadir/grub-mkconfig_lib" + +export TEXTDOMAIN=grub +export TEXTDOMAINDIR="${datarootdir}/locale" + +CLASS="--class gnu-linux --class gnu --class os" +SUPPORTED_INITS="sysvinit:/lib/sysvinit/init systemd:/lib/systemd/systemd upstart:/sbin/upstart" + +if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then + OS=GNU/Linux +else + case ${GRUB_DISTRIBUTOR} in + Ubuntu|Kubuntu) + OS="${GRUB_DISTRIBUTOR}" + ;; + *) + OS="${GRUB_DISTRIBUTOR} GNU/Linux" + ;; + esac + CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1|LC_ALL=C sed 's,[^[:alnum:]_],_,g') ${CLASS}" +fi + +# loop-AES arranges things so that /dev/loop/X can be our root device, but +# the initrds that Linux uses don't like that. +case ${GRUB_DEVICE} in + /dev/loop/*|/dev/loop[0-9]) + GRUB_DEVICE=`losetup ${GRUB_DEVICE} | sed -e "s/^[^(]*(\([^)]\+\)).*/\1/"` + # We can't cope with devices loop-mounted from files here. + case ${GRUB_DEVICE} in + /dev/*) ;; + *) exit 0 ;; + esac + ;; +esac + +# Default to disabling partition uuid support to maintian compatibility with +# older kernels. 
+GRUB_DISABLE_LINUX_PARTUUID=${GRUB_DISABLE_LINUX_PARTUUID-true} + +# btrfs may reside on multiple devices. We cannot pass them as value of root= parameter +# and mounting btrfs requires user space scanning, so force UUID in this case. +if ( [ "x${GRUB_DEVICE_UUID}" = "x" ] && [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] ) \ + || ( [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \ + && [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ] ) \ + || ( ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \ + && ! test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ) \ + || ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then + LINUX_ROOT_DEVICE=${GRUB_DEVICE} +elif [ "x${GRUB_DEVICE_UUID}" = "x" ] \ + || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ]; then + LINUX_ROOT_DEVICE=PARTUUID=${GRUB_DEVICE_PARTUUID} +else + LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID} +fi + +case x"$GRUB_FS" in + xbtrfs) + rootsubvol="`make_system_path_relative_to_its_root /`" + rootsubvol="${rootsubvol#/}" + if [ "x${rootsubvol}" != x ]; then + GRUB_CMDLINE_LINUX="rootflags=subvol=${rootsubvol} ${GRUB_CMDLINE_LINUX}" + fi;; + xzfs) + rpool=`${grub_probe} --device ${GRUB_DEVICE} --target=fs_label 2>/dev/null || true` + bootfs="`make_system_path_relative_to_its_root / | sed -e "s,@$,,"`" + LINUX_ROOT_DEVICE="ZFS=${rpool}${bootfs%/}" + ;; +esac + +title_correction_code= + +if [ -x /lib/recovery-mode/recovery-menu ]; then + GRUB_CMDLINE_LINUX_RECOVERY=recovery +else + GRUB_CMDLINE_LINUX_RECOVERY=single +fi +if [ "$ubuntu_recovery" = 1 ]; then + GRUB_CMDLINE_LINUX_RECOVERY="$GRUB_CMDLINE_LINUX_RECOVERY nomodeset" +fi + +if [ "$vt_handoff" = 1 ]; then + for word in $GRUB_CMDLINE_LINUX_DEFAULT; do + if [ "$word" = splash ]; then + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT \$vt_handoff" + fi + done +fi + +linux_entry () +{ + os="$1" + version="$2" + type="$3" + args="$4" + + if [ -z "$boot_device_id" ]; then + boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")" + fi + if [ x$type 
!= xsimple ] ; then + case $type in + recovery) + title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" ;; + init-*) + title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "${type#init-}")" ;; + *) + title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;; + esac + if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then + replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')" + quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)" + title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" + grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")" + fi + echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + else + echo "menuentry '$(echo "$os" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + fi + if [ "$quick_boot" = 1 ]; then + echo " recordfail" | sed "s/^/$submenu_indentation/" + fi + if [ x$type != xrecovery ] ; then + save_default_entry | grub_add_tab + fi + + # Use ELILO's generic "efifb" when it's known to be available. + # FIXME: We need an interface to select vesafb in case efifb can't be used. 
+ if [ "x$GRUB_GFXPAYLOAD_LINUX" = x ]; then + echo " load_video" | sed "s/^/$submenu_indentation/" + else + if [ "x$GRUB_GFXPAYLOAD_LINUX" != xtext ]; then + echo " load_video" | sed "s/^/$submenu_indentation/" + fi + fi + if ([ "$ubuntu_recovery" = 0 ] || [ x$type != xrecovery ]) && \ + ([ "x$GRUB_GFXPAYLOAD_LINUX" != x ] || [ "$gfxpayload_dynamic" = 1 ]); then + echo " gfxmode \$linux_gfx_mode" | sed "s/^/$submenu_indentation/" + fi + + echo " insmod gzio" | sed "s/^/$submenu_indentation/" + echo " if [ x\$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi" | sed "s/^/$submenu_indentation/" + + if [ x$dirname = x/ ]; then + if [ -z "${prepare_root_cache}" ]; then + prepare_root_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE} | grub_add_tab)" + fi + printf '%s\n' "${prepare_root_cache}" | sed "s/^/$submenu_indentation/" + else + if [ -z "${prepare_boot_cache}" ]; then + prepare_boot_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | grub_add_tab)" + fi + printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/" + fi + if [ x"$quiet_boot" = x0 ] || [ x"$type" != xsimple ]; then + message="$(gettext_printf "Loading Linux %s ..." ${version})" + sed "s/^/$submenu_indentation/" << EOF + echo '$(echo "$message" | grub_quote)' +EOF + fi + if test -d /sys/firmware/efi && test -e "${linux}.efi.signed"; then + sed "s/^/$submenu_indentation/" << EOF + linux ${rel_dirname}/${basename}.efi.signed root=${linux_root_device_thisversion} ro ${args} +EOF + else + sed "s/^/$submenu_indentation/" << EOF + linux ${rel_dirname}/${basename} root=${linux_root_device_thisversion} ro ${args} +EOF + fi + if test -n "${initrd}" ; then + # TRANSLATORS: ramdisk isn't identifier. Should be translated. 
+ if [ x"$quiet_boot" = x0 ] || [ x"$type" != xsimple ]; then + message="$(gettext_printf "Loading initial ramdisk ...")" + sed "s/^/$submenu_indentation/" << EOF + echo '$(echo "$message" | grub_quote)' +EOF + fi + initrd_path= + for i in ${initrd}; do + initrd_path="${initrd_path} ${rel_dirname}/${i}" + done + sed "s/^/$submenu_indentation/" << EOF + initrd $(echo $initrd_path) +EOF + fi + sed "s/^/$submenu_indentation/" << EOF +} +EOF +} + +machine=`uname -m` +case "x$machine" in + xi?86 | xx86_64) + list= + for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do + if grub_file_is_not_garbage "$i" ; then list="$list $i" ; fi + done ;; + *) + list= + for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do + if grub_file_is_not_garbage "$i" ; then list="$list $i" ; fi + done ;; +esac + +case "$machine" in + i?86) GENKERNEL_ARCH="x86" ;; + mips|mips64) GENKERNEL_ARCH="mips" ;; + mipsel|mips64el) GENKERNEL_ARCH="mipsel" ;; + arm*) GENKERNEL_ARCH="arm" ;; + *) GENKERNEL_ARCH="$machine" ;; +esac + +prepare_boot_cache= +prepare_root_cache= +boot_device_id= +title_correction_code= + +cat << 'EOF' +function gfxmode { + set gfxpayload="${1}" +EOF +if [ "$vt_handoff" = 1 ]; then + cat << 'EOF' + if [ "${1}" = "keep" ]; then + set vt_handoff=vt.handoff=7 + else + set vt_handoff= + fi +EOF +fi +cat << EOF +} +EOF + +# Use ELILO's generic "efifb" when it's known to be available. +# FIXME: We need an interface to select vesafb in case efifb can't be used. 
+if [ "x$GRUB_GFXPAYLOAD_LINUX" != x ] || [ "$gfxpayload_dynamic" = 0 ]; then + echo "set linux_gfx_mode=$GRUB_GFXPAYLOAD_LINUX" +else + cat << EOF +if [ "\${recordfail}" != 1 ]; then + if [ -e \${prefix}/gfxblacklist.txt ]; then + if hwmatch \${prefix}/gfxblacklist.txt 3; then + if [ \${match} = 0 ]; then + set linux_gfx_mode=keep + else + set linux_gfx_mode=text + fi + else + set linux_gfx_mode=text + fi + else + set linux_gfx_mode=keep + fi +else + set linux_gfx_mode=text +fi +EOF +fi +cat << EOF +export linux_gfx_mode +EOF + +# Extra indentation to add to menu entries in a submenu. We're not in a submenu +# yet, so it's empty. In a submenu it will be equal to '\t' (one tab). +submenu_indentation="" + +is_top_level=true +while [ "x$list" != "x" ] ; do + linux=`version_find_latest $list` + case $linux in + *.efi.signed) + # We handle these in linux_entry. + list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '` + continue + ;; + esac + gettext_printf "Found linux image: %s\n" "$linux" >&2 + basename=`basename $linux` + dirname=`dirname $linux` + rel_dirname=`make_system_path_relative_to_its_root $dirname` + version=`echo $basename | sed -e "s,^[^0-9]*-,,g"` + alt_version=`echo $version | sed -e "s,\.old$,,g"` + linux_root_device_thisversion="${LINUX_ROOT_DEVICE}" + + initrd_early= + for i in ${GRUB_EARLY_INITRD_LINUX_STOCK} \ + ${GRUB_EARLY_INITRD_LINUX_CUSTOM}; do + if test -e "${dirname}/${i}" ; then + initrd_early="${initrd_early} ${i}" + fi + done + + initrd_real= + for i in "initrd.img-${version}" "initrd-${version}.img" "initrd-${version}.gz" \ + "initrd-${version}" "initramfs-${version}.img" \ + "initrd.img-${alt_version}" "initrd-${alt_version}.img" \ + "initrd-${alt_version}" "initramfs-${alt_version}.img" \ + "initramfs-genkernel-${version}" \ + "initramfs-genkernel-${alt_version}" \ + "initramfs-genkernel-${GENKERNEL_ARCH}-${version}" \ + "initramfs-genkernel-${GENKERNEL_ARCH}-${alt_version}"; do + if test -e "${dirname}/${i}" ; then + 
initrd_real="${i}" + break + fi + done + + initrd= + if test -n "${initrd_early}" || test -n "${initrd_real}"; then + initrd="${initrd_early} ${initrd_real}" + + initrd_display= + for i in ${initrd}; do + initrd_display="${initrd_display} ${dirname}/${i}" + done + gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2 + fi + + config= + for i in "${dirname}/config-${version}" "${dirname}/config-${alt_version}" "/etc/kernels/kernel-config-${version}" ; do + if test -e "${i}" ; then + config="${i}" + break + fi + done + + initramfs= + if test -n "${config}" ; then + initramfs=`grep CONFIG_INITRAMFS_SOURCE= "${config}" | cut -f2 -d= | tr -d \"` + fi + + if test -z "${initramfs}" && test -z "${initrd_real}" ; then + # "UUID=" and "ZFS=" magic is parsed by initrd or initramfs. Since there's + # no initrd or builtin initramfs, it can't work here. + if [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] \ + || [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ]; then + + linux_root_device_thisversion=${GRUB_DEVICE} + else + linux_root_device_thisversion=PARTUUID=${GRUB_DEVICE_PARTUUID} + fi + fi + + # The GRUB_DISABLE_SUBMENU option used to be different than others since it was + # mentioned in the documentation that has to be set to 'y' instead of 'true' to + # enable it. This caused a lot of confusion to users that set the option to 'y', + # 'yes' or 'true'. This was fixed but all of these values must be supported now. 
+ if [ "x${GRUB_DISABLE_SUBMENU}" = xyes ] || [ "x${GRUB_DISABLE_SUBMENU}" = xy ]; then + GRUB_DISABLE_SUBMENU="true" + fi + + if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xtrue ]; then + linux_entry "${OS}" "${version}" simple \ + "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" + + submenu_indentation="$grub_tab" + + if [ -z "$boot_device_id" ]; then + boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")" + fi + # TRANSLATORS: %s is replaced with an OS name + echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {" + is_top_level=false + fi + + linux_entry "${OS}" "${version}" advanced \ + "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" + for supported_init in ${SUPPORTED_INITS}; do + init_path="${supported_init#*:}" + if [ -x "${init_path}" ] && [ "$(readlink -f /sbin/init)" != "$(readlink -f "${init_path}")" ]; then + linux_entry "${OS}" "${version}" "init-${supported_init%%:*}" \ + "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT} init=${init_path}" + fi + done + if [ "x${GRUB_DISABLE_RECOVERY}" != "xtrue" ]; then + linux_entry "${OS}" "${version}" recovery \ + "${GRUB_CMDLINE_LINUX_RECOVERY} ${GRUB_CMDLINE_LINUX}" + fi + + list=`echo $list | tr ' ' '\n' | fgrep -vx "$linux" | tr '\n' ' '` +done + +# If at least one kernel was found, then we need to +# add a closing '}' for the submenu command. +if [ x"$is_top_level" != xtrue ]; then + echo '}' +fi + +echo "$title_correction_code" diff --git a/roles/debian-base/tasks/grub_startup.yml b/roles/debian-base/tasks/grub_startup.yml new file mode 100644 index 0000000..ae44e49 --- /dev/null +++ b/roles/debian-base/tasks/grub_startup.yml 
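Review bot: The one intentional deviation from the packaged 10_linux — `--unrestricted` on the `gnulinux-simple-…` menuentry inside `linux_entry` — carries no marker, so the next person diffing this copy against the distro file has to rediscover why it exists; I would put `# VN: --unrestricted lets the default entry boot without the GRUB superuser password; every other entry (advanced, init-*, recovery) stays password-gated` directly above that `echo`. The header should also say that this is a copy of the grub-mkconfig helper that must be refreshed by hand (and its SHA-1 in tasks/grub_startup.yml updated) whenever the grub package changes it, since a modified /etc/grub.d/10_linux is presumably treated as a changed conffile on upgrades. The build-time switches frozen at the top (`quiet_boot="0"`, `quick_boot="0"`, `gfxpayload_dynamic="0"`, `vt_handoff="0"`) presumably mirror the target distro's package; if they do not, this copy silently changes recordfail and "Loading Linux" behaviour beyond the stated change — confirm against the installed /etc/grub.d/10_linux before merging.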
@@ -0,0 +1,38 @@
+# Added password protect to grub
+# Added --unrestricted option to 10_linux default template to allow pass on default boot linux distribution
+# Oficial grub Manual --> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
+http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
+https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates
+- name: GRUB edit unrestricted option
+  copy:
+    src: 10_linux
+    dest: /etc/grub.d/10_linux
+    owner: root
+    group: root
+    checksum: abff7ebe4b79dbf622ec1431d2a487e7aedc7e49
+    mode: u=rwx,g=rx,o=rx
+  register: grubedit
+- name: GRUB edit password protection
+  copy:
+    content: |
+      #!/bin/sh
+      exec tail -n +3 $0
+      set superusers="{{ grub_user }}"
+      password_pbkdf2 {{ grub_user }} {{ grub_code }}
+    dest: /etc/grub.d/00_before
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=rx
+  register: grubpass
+- name: Change GRUB_TIMEOUT from 5 to 1
+  copy:
+    content: |
+      GRUB_TIMEOUT=1
+    dest: /etc/default/grub.d/timeout.cfg
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  register: grubtime
+- name: Generate GRUB configuration
+  command: update-grub
+  when: grubedit.changed or grubpass.changed or grubtime.changed
diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml
index dcd5f94..bbdc17a 100644
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@@ -32,3 +32,5 @@
   tags: bacula
 - import_tasks: vn-repo.yml
   tags: vn-repo
+- import_tasks: grub_startup.yml
+  tags: grub_startup
diff --git a/roles/secure-grub/handlers/main.yml b/roles/secure-grub/handlers/main.yml
deleted file mode 100644
index 5b3125c..0000000
--- a/roles/secure-grub/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: grub-register
-  command: update-grub
diff --git a/roles/secure-grub/tasks/main.yml b/roles/secure-grub/tasks/main.yml
deleted file mode 100644
index dd4acb3..0000000
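Review bot: `grub_code` is interpolated straight into the `password_pbkdf2` line of `/etc/grub.d/00_before` with no check that it is a `grub.pbkdf2.sha512.…` hash, and the rendering task has no `no_log`, so a plaintext value would be installed verbatim (GRUB's `password_pbkdf2` expects that hash format, so this most likely leaves the superuser unable to log in at all) and, hash or not, the value is echoed in the AWX job output; the file is also written `o=rx`, so every local user can read the hash for offline cracking. I would add an `assert` before the copy, set `no_log: true` on it and write the file as `mode: "0700"` — grub-mkconfig runs the `/etc/grub.d` scripts as root, so nothing else needs to read it. Two smaller points: the `+http://daniel-lange…` and `+https://askubuntu…` lines at the top of the file show no leading `#`, and if that is the real content rather than a rendering artifact the YAML will not parse; and hosts provisioned by the deleted secure-grub role keep its blockinfile stanza in `/etc/grub.d/40_custom`, which nothing here removes, so they end up with two `set superusers`/`password_pbkdf2` pairs and presumably the later 40_custom one wins.
```yaml
- name: Ensure grub_code is a PBKDF2 hash, never a plaintext password
  assert:
    that:
      - grub_code is defined
      - grub_code is match('^grub\.pbkdf2\.sha512\.')
    fail_msg: "grub_code must be the output of grub-mkpasswd-pbkdf2"
- name: GRUB edit password protection
  copy:
    content: |
      #!/bin/sh
      exec tail -n +3 $0
      set superusers="{{ grub_user }}"
      password_pbkdf2 {{ grub_user }} {{ grub_code }}
    dest: /etc/grub.d/00_before
    owner: root
    group: root
    mode: "0700"
  no_log: true   # keep the hash out of AWX job logs; grubpass.changed is still registered
  register: grubpass
# … unchanged: 10_linux copy, timeout.cfg, update-grub …
```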
--- a/roles/secure-grub/tasks/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-- name: GRUB boot password protection
-  blockinfile:
-    path: /etc/grub.d/40_custom
-    block: |
-      set superusers="{{ grub_user }}"
-      password_pbkdf2 {{ grub_user }} {{ grub_code }}
-  notify: grub-register
diff --git a/roles/secure-grub/vars/main.yaml b/roles/secure-grub/vars/main.yaml
deleted file mode 100644
index 875fc0c..0000000
--- a/roles/secure-grub/vars/main.yaml
+++ /dev/null
@@ -1 +0,0 @@
-grub_user: admin