From 4f7d7b7d454489fd6692b27c46b4f41eed193848 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Thu, 24 Oct 2024 16:38:14 +0200 Subject: [PATCH 1/4] Refs #8025: Refactor-awx - rol Debian-base - New task grub_startup. Added password to edit and timeout to 1. Default Linux continues boot normally --- roles/debian-base/defaults/main.yaml | 1 + roles/debian-base/files/10_linux | 416 +++++++++++++++++++++++ roles/debian-base/tasks/grub_startup.yml | 38 +++ roles/debian-base/tasks/main.yml | 2 + roles/secure-grub/handlers/main.yml | 2 - roles/secure-grub/tasks/main.yml | 7 - roles/secure-grub/vars/main.yaml | 1 - 7 files changed, 457 insertions(+), 10 deletions(-) create mode 100644 roles/debian-base/files/10_linux create mode 100644 roles/debian-base/tasks/grub_startup.yml delete mode 100644 roles/secure-grub/handlers/main.yml delete mode 100644 roles/secure-grub/tasks/main.yml delete mode 100644 roles/secure-grub/vars/main.yaml diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml index 2ea9091..36db4a8 100644 --- a/roles/debian-base/defaults/main.yaml +++ b/roles/debian-base/defaults/main.yaml @@ -1,5 +1,6 @@ vn_first_time: false vn_witness_checked: false +grub_user: admin default_user: user fail2ban: email: "{{ sysadmin_mail }}" diff --git a/roles/debian-base/files/10_linux b/roles/debian-base/files/10_linux new file mode 100644 index 0000000..518b50d --- /dev/null +++ b/roles/debian-base/files/10_linux 
@@ -0,0 +1,416 @@ +#! /bin/sh +set -e + +# grub-mkconfig helper script. +# Copyright (C) 2006,2007,2008,2009,2010 Free Software Foundation, Inc. +# +# GRUB is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# GRUB is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GRUB. If not, see . + +prefix="/usr" +exec_prefix="/usr" +datarootdir="/usr/share" +ubuntu_recovery="0" +quiet_boot="0" +quick_boot="0" +gfxpayload_dynamic="0" +vt_handoff="0" + +. "$pkgdatadir/grub-mkconfig_lib" + +export TEXTDOMAIN=grub +export TEXTDOMAINDIR="${datarootdir}/locale" + +CLASS="--class gnu-linux --class gnu --class os" +SUPPORTED_INITS="sysvinit:/lib/sysvinit/init systemd:/lib/systemd/systemd upstart:/sbin/upstart" + +if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then + OS=GNU/Linux +else + case ${GRUB_DISTRIBUTOR} in + Ubuntu|Kubuntu) + OS="${GRUB_DISTRIBUTOR}" + ;; + *) + OS="${GRUB_DISTRIBUTOR} GNU/Linux" + ;; + esac + CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1|LC_ALL=C sed 's,[^[:alnum:]_],_,g') ${CLASS}" +fi + +# loop-AES arranges things so that /dev/loop/X can be our root device, but +# the initrds that Linux uses don't like that. +case ${GRUB_DEVICE} in + /dev/loop/*|/dev/loop[0-9]) + GRUB_DEVICE=`losetup ${GRUB_DEVICE} | sed -e "s/^[^(]*(\([^)]\+\)).*/\1/"` + # We can't cope with devices loop-mounted from files here. + case ${GRUB_DEVICE} in + /dev/*) ;; + *) exit 0 ;; + esac + ;; +esac + +# Default to disabling partition uuid support to maintian compatibility with +# older kernels. 
+GRUB_DISABLE_LINUX_PARTUUID=${GRUB_DISABLE_LINUX_PARTUUID-true} + +# btrfs may reside on multiple devices. We cannot pass them as value of root= parameter +# and mounting btrfs requires user space scanning, so force UUID in this case. +if ( [ "x${GRUB_DEVICE_UUID}" = "x" ] && [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] ) \ + || ( [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \ + && [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ] ) \ + || ( ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \ + && ! test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ) \ + || ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then + LINUX_ROOT_DEVICE=${GRUB_DEVICE} +elif [ "x${GRUB_DEVICE_UUID}" = "x" ] \ + || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ]; then + LINUX_ROOT_DEVICE=PARTUUID=${GRUB_DEVICE_PARTUUID} +else + LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID} +fi + +case x"$GRUB_FS" in + xbtrfs) + rootsubvol="`make_system_path_relative_to_its_root /`" + rootsubvol="${rootsubvol#/}" + if [ "x${rootsubvol}" != x ]; then + GRUB_CMDLINE_LINUX="rootflags=subvol=${rootsubvol} ${GRUB_CMDLINE_LINUX}" + fi;; + xzfs) + rpool=`${grub_probe} --device ${GRUB_DEVICE} --target=fs_label 2>/dev/null || true` + bootfs="`make_system_path_relative_to_its_root / | sed -e "s,@$,,"`" + LINUX_ROOT_DEVICE="ZFS=${rpool}${bootfs%/}" + ;; +esac + +title_correction_code= + +if [ -x /lib/recovery-mode/recovery-menu ]; then + GRUB_CMDLINE_LINUX_RECOVERY=recovery +else + GRUB_CMDLINE_LINUX_RECOVERY=single +fi +if [ "$ubuntu_recovery" = 1 ]; then + GRUB_CMDLINE_LINUX_RECOVERY="$GRUB_CMDLINE_LINUX_RECOVERY nomodeset" +fi + +if [ "$vt_handoff" = 1 ]; then + for word in $GRUB_CMDLINE_LINUX_DEFAULT; do + if [ "$word" = splash ]; then + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT \$vt_handoff" + fi + done +fi + +linux_entry () +{ + os="$1" + version="$2" + type="$3" + args="$4" + + if [ -z "$boot_device_id" ]; then + boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")" + fi + if [ x$type 
!= xsimple ] ; then + case $type in + recovery) + title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" ;; + init-*) + title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "${type#init-}")" ;; + *) + title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;; + esac + if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then + replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')" + quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)" + title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" + grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")" + fi + echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + else + echo "menuentry '$(echo "$os" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" + fi + if [ "$quick_boot" = 1 ]; then + echo " recordfail" | sed "s/^/$submenu_indentation/" + fi + if [ x$type != xrecovery ] ; then + save_default_entry | grub_add_tab + fi + + # Use ELILO's generic "efifb" when it's known to be available. + # FIXME: We need an interface to select vesafb in case efifb can't be used. 
+ if [ "x$GRUB_GFXPAYLOAD_LINUX" = x ]; then + echo " load_video" | sed "s/^/$submenu_indentation/" + else + if [ "x$GRUB_GFXPAYLOAD_LINUX" != xtext ]; then + echo " load_video" | sed "s/^/$submenu_indentation/" + fi + fi + if ([ "$ubuntu_recovery" = 0 ] || [ x$type != xrecovery ]) && \ + ([ "x$GRUB_GFXPAYLOAD_LINUX" != x ] || [ "$gfxpayload_dynamic" = 1 ]); then + echo " gfxmode \$linux_gfx_mode" | sed "s/^/$submenu_indentation/" + fi + + echo " insmod gzio" | sed "s/^/$submenu_indentation/" + echo " if [ x\$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi" | sed "s/^/$submenu_indentation/" + + if [ x$dirname = x/ ]; then + if [ -z "${prepare_root_cache}" ]; then + prepare_root_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE} | grub_add_tab)" + fi + printf '%s\n' "${prepare_root_cache}" | sed "s/^/$submenu_indentation/" + else + if [ -z "${prepare_boot_cache}" ]; then + prepare_boot_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | grub_add_tab)" + fi + printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/" + fi + if [ x"$quiet_boot" = x0 ] || [ x"$type" != xsimple ]; then + message="$(gettext_printf "Loading Linux %s ..." ${version})" + sed "s/^/$submenu_indentation/" << EOF + echo '$(echo "$message" | grub_quote)' +EOF + fi + if test -d /sys/firmware/efi && test -e "${linux}.efi.signed"; then + sed "s/^/$submenu_indentation/" << EOF + linux ${rel_dirname}/${basename}.efi.signed root=${linux_root_device_thisversion} ro ${args} +EOF + else + sed "s/^/$submenu_indentation/" << EOF + linux ${rel_dirname}/${basename} root=${linux_root_device_thisversion} ro ${args} +EOF + fi + if test -n "${initrd}" ; then + # TRANSLATORS: ramdisk isn't identifier. Should be translated. 
+ if [ x"$quiet_boot" = x0 ] || [ x"$type" != xsimple ]; then + message="$(gettext_printf "Loading initial ramdisk ...")" + sed "s/^/$submenu_indentation/" << EOF + echo '$(echo "$message" | grub_quote)' +EOF + fi + initrd_path= + for i in ${initrd}; do + initrd_path="${initrd_path} ${rel_dirname}/${i}" + done + sed "s/^/$submenu_indentation/" << EOF + initrd $(echo $initrd_path) +EOF + fi + sed "s/^/$submenu_indentation/" << EOF +} +EOF +} + +machine=`uname -m` +case "x$machine" in + xi?86 | xx86_64) + list= + for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do + if grub_file_is_not_garbage "$i" ; then list="$list $i" ; fi + done ;; + *) + list= + for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do + if grub_file_is_not_garbage "$i" ; then list="$list $i" ; fi + done ;; +esac + +case "$machine" in + i?86) GENKERNEL_ARCH="x86" ;; + mips|mips64) GENKERNEL_ARCH="mips" ;; + mipsel|mips64el) GENKERNEL_ARCH="mipsel" ;; + arm*) GENKERNEL_ARCH="arm" ;; + *) GENKERNEL_ARCH="$machine" ;; +esac + +prepare_boot_cache= +prepare_root_cache= +boot_device_id= +title_correction_code= + +cat << 'EOF' +function gfxmode { + set gfxpayload="${1}" +EOF +if [ "$vt_handoff" = 1 ]; then + cat << 'EOF' + if [ "${1}" = "keep" ]; then + set vt_handoff=vt.handoff=7 + else + set vt_handoff= + fi +EOF +fi +cat << EOF +} +EOF + +# Use ELILO's generic "efifb" when it's known to be available. +# FIXME: We need an interface to select vesafb in case efifb can't be used. 
+if [ "x$GRUB_GFXPAYLOAD_LINUX" != x ] || [ "$gfxpayload_dynamic" = 0 ]; then + echo "set linux_gfx_mode=$GRUB_GFXPAYLOAD_LINUX" +else + cat << EOF +if [ "\${recordfail}" != 1 ]; then + if [ -e \${prefix}/gfxblacklist.txt ]; then + if hwmatch \${prefix}/gfxblacklist.txt 3; then + if [ \${match} = 0 ]; then + set linux_gfx_mode=keep + else + set linux_gfx_mode=text + fi + else + set linux_gfx_mode=text + fi + else + set linux_gfx_mode=keep + fi +else + set linux_gfx_mode=text +fi +EOF +fi +cat << EOF +export linux_gfx_mode +EOF + +# Extra indentation to add to menu entries in a submenu. We're not in a submenu +# yet, so it's empty. In a submenu it will be equal to '\t' (one tab). +submenu_indentation="" + +is_top_level=true +while [ "x$list" != "x" ] ; do + linux=`version_find_latest $list` + case $linux in + *.efi.signed) + # We handle these in linux_entry. + list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '` + continue + ;; + esac + gettext_printf "Found linux image: %s\n" "$linux" >&2 + basename=`basename $linux` + dirname=`dirname $linux` + rel_dirname=`make_system_path_relative_to_its_root $dirname` + version=`echo $basename | sed -e "s,^[^0-9]*-,,g"` + alt_version=`echo $version | sed -e "s,\.old$,,g"` + linux_root_device_thisversion="${LINUX_ROOT_DEVICE}" + + initrd_early= + for i in ${GRUB_EARLY_INITRD_LINUX_STOCK} \ + ${GRUB_EARLY_INITRD_LINUX_CUSTOM}; do + if test -e "${dirname}/${i}" ; then + initrd_early="${initrd_early} ${i}" + fi + done + + initrd_real= + for i in "initrd.img-${version}" "initrd-${version}.img" "initrd-${version}.gz" \ + "initrd-${version}" "initramfs-${version}.img" \ + "initrd.img-${alt_version}" "initrd-${alt_version}.img" \ + "initrd-${alt_version}" "initramfs-${alt_version}.img" \ + "initramfs-genkernel-${version}" \ + "initramfs-genkernel-${alt_version}" \ + "initramfs-genkernel-${GENKERNEL_ARCH}-${version}" \ + "initramfs-genkernel-${GENKERNEL_ARCH}-${alt_version}"; do + if test -e "${dirname}/${i}" ; then + 
initrd_real="${i}" + break + fi + done + + initrd= + if test -n "${initrd_early}" || test -n "${initrd_real}"; then + initrd="${initrd_early} ${initrd_real}" + + initrd_display= + for i in ${initrd}; do + initrd_display="${initrd_display} ${dirname}/${i}" + done + gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2 + fi + + config= + for i in "${dirname}/config-${version}" "${dirname}/config-${alt_version}" "/etc/kernels/kernel-config-${version}" ; do + if test -e "${i}" ; then + config="${i}" + break + fi + done + + initramfs= + if test -n "${config}" ; then + initramfs=`grep CONFIG_INITRAMFS_SOURCE= "${config}" | cut -f2 -d= | tr -d \"` + fi + + if test -z "${initramfs}" && test -z "${initrd_real}" ; then + # "UUID=" and "ZFS=" magic is parsed by initrd or initramfs. Since there's + # no initrd or builtin initramfs, it can't work here. + if [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] \ + || [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ]; then + + linux_root_device_thisversion=${GRUB_DEVICE} + else + linux_root_device_thisversion=PARTUUID=${GRUB_DEVICE_PARTUUID} + fi + fi + + # The GRUB_DISABLE_SUBMENU option used to be different than others since it was + # mentioned in the documentation that has to be set to 'y' instead of 'true' to + # enable it. This caused a lot of confusion to users that set the option to 'y', + # 'yes' or 'true'. This was fixed but all of these values must be supported now. 
+ if [ "x${GRUB_DISABLE_SUBMENU}" = xyes ] || [ "x${GRUB_DISABLE_SUBMENU}" = xy ]; then + GRUB_DISABLE_SUBMENU="true" + fi + + if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xtrue ]; then + linux_entry "${OS}" "${version}" simple \ + "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" + + submenu_indentation="$grub_tab" + + if [ -z "$boot_device_id" ]; then + boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")" + fi + # TRANSLATORS: %s is replaced with an OS name + echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {" + is_top_level=false + fi + + linux_entry "${OS}" "${version}" advanced \ + "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}" + for supported_init in ${SUPPORTED_INITS}; do + init_path="${supported_init#*:}" + if [ -x "${init_path}" ] && [ "$(readlink -f /sbin/init)" != "$(readlink -f "${init_path}")" ]; then + linux_entry "${OS}" "${version}" "init-${supported_init%%:*}" \ + "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT} init=${init_path}" + fi + done + if [ "x${GRUB_DISABLE_RECOVERY}" != "xtrue" ]; then + linux_entry "${OS}" "${version}" recovery \ + "${GRUB_CMDLINE_LINUX_RECOVERY} ${GRUB_CMDLINE_LINUX}" + fi + + list=`echo $list | tr ' ' '\n' | fgrep -vx "$linux" | tr '\n' ' '` +done + +# If at least one kernel was found, then we need to +# add a closing '}' for the submenu command. +if [ x"$is_top_level" != xtrue ]; then + echo '}' +fi + +echo "$title_correction_code" diff --git a/roles/debian-base/tasks/grub_startup.yml b/roles/debian-base/tasks/grub_startup.yml new file mode 100644 index 0000000..ae44e49 --- /dev/null +++ b/roles/debian-base/tasks/grub_startup.yml 
@@ -0,0 +1,38 @@
+# Added password protect to grub
+# Added --unrestricted option to 10_linux default template to allow pass on default boot linux distribution
+# Oficial grub Manual --> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
+# http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
+# https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates
+- name: GRUB edit unrestricted option
+ copy:
+ src: 10_linux
+ dest: /etc/grub.d/10_linux
+ owner: root
+ group: root
+ checksum: abff7ebe4b79dbf622ec1431d2a487e7aedc7e49
+ mode: u=rwx,g=rx,o=rx
+ register: grubedit
+- name: GRUB edit password protection
+ copy:
+ content: |
+ #!/bin/sh
+ exec tail -n +3 $0
+ set superusers="{{ grub_user }}"
+ password_pbkdf2 {{ grub_user }} {{ grub_code }}
+ dest: /etc/grub.d/00_before
+ owner: root
+ group: root
+ mode: u=rwx,g=rx,o=rx
+ register: grubpass
+- name: Change GRUB_TIMEOUT from 5 to 1
+ copy:
+ content: |
+ GRUB_TIMEOUT=1
+ dest: /etc/default/grub.d/timeout.cfg
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ register: grubtime
+- name: Generate GRUB configuration
+ command: update-grub
+ when: grubedit.changed or grubpass.changed or grubtime.changed
diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml
index dcd5f94..bbdc17a 100644
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@@ -32,3 +32,5 @@
 tags: bacula
 - import_tasks: vn-repo.yml
 tags: vn-repo
+- import_tasks: grub_startup.yml
+ tags: grub_startup
diff --git a/roles/secure-grub/handlers/main.yml b/roles/secure-grub/handlers/main.yml
deleted file mode 100644
index 5b3125c..0000000
--- a/roles/secure-grub/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: grub-register
- command: update-grub
diff --git a/roles/secure-grub/tasks/main.yml b/roles/secure-grub/tasks/main.yml
deleted file mode 100644
index dd4acb3..0000000
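Review bot: The `GRUB edit password protection` task installs `/etc/grub.d/00_before`, whose content carries the `password_pbkdf2` hash, with `mode: u=rwx,g=rx,o=rx`, so every local account on the host can read the hash; grub-mkconfig runs these scripts as root, so `mode: u=rwx,g=,o=` is sufficient and removes the exposure. The same task also needs `no_log: true`, otherwise the rendered content, hash included, appears in verbose and AWX job output and in `--diff` runs. Whether the generated grub.cfg then keeps the hash readable depends on how update-grub sets its permissions on this Debian release, which is worth checking once rather than assuming. The `Generate GRUB configuration` task re-implements the `grub-register` handler the deleted secure-grub role used; a `notify` on the three copy tasks would give the same trigger without the `register` variables and the `when` list, though that is a style preference.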
--- a/roles/secure-grub/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ -- name: GRUB boot password protection - blockinfile: - path: /etc/grub.d/40_custom - block: | - set superusers="{{ grub_user }}" - password_pbkdf2 {{ grub_user }} {{ grub_code }} - notify: grub-register diff --git a/roles/secure-grub/vars/main.yaml b/roles/secure-grub/vars/main.yaml deleted file mode 100644 index 875fc0c..0000000 --- a/roles/secure-grub/vars/main.yaml +++ /dev/null @@ -1 +0,0 @@ -grub_user: admin -- 2.40.1 From d22e1e0ea376fe0d5f951a63da625e7fcee8307c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 25 Oct 2024 12:01:14 +0200 Subject: [PATCH 2/4] Refs #8025: Refactor-awx - rol Debian-base - Task grub_startup. Refactoring grub.cfg generation with new 09_custom_file for unrestricted menu entry selection --- roles/debian-base/tasks/grub_startup.yml | 27 +++++++++++++++--------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/roles/debian-base/tasks/grub_startup.yml b/roles/debian-base/tasks/grub_startup.yml index ae44e49..97968a4 100644 --- a/roles/debian-base/tasks/grub_startup.yml +++ b/roles/debian-base/tasks/grub_startup.yml 
@@ -1,17 +1,24 @@
-# Added password protect to grub
-# Added --unrestricted option to 10_linux default template to allow pass on default boot linux distribution
-# Oficial grub Manual --> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
-# http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
-# https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates
+# Added password protection to restrict only GRUB editing, leaving menu entries unprotected.
+# Added --unrestricted option to 09_make_OS_entries_unrestricted custom template.
+# Oficial grub Manual -->> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
+# Questions -->> http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
+# Questions -->> https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates
+# Resolution -->> https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
 - name: GRUB edit unrestricted option
 copy:
- src: 10_linux
- dest: /etc/grub.d/10_linux
+ content: |
+ #!/bin/sh
+ exec tail -n +3 $0
+ # This file provides an easy way to add custom menu entries. Simply type the
+ # menu entries you want to add after this comment. Be careful not to change
+ # the 'exec tail' line above.
+ menuentry_id_option="--unrestricted $menuentry_id_option"
+ dest: /etc/grub.d/09_make_OS_entries_unrestricted
 owner: root
 group: root
- checksum: abff7ebe4b79dbf622ec1431d2a487e7aedc7e49
+ checksum: fed5c365f11a919b857b78207565cf341b86082b
 mode: u=rwx,g=rx,o=rx
- register: grubedit
+ register: grubunrestricted
 - name: GRUB edit password protection
 copy:
 content: |
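Review bot: `checksum: fed5c365f11a919b857b78207565cf341b86082b` pins the SHA1 of the inline `content` block, so any later edit to it, even a whitespace change, makes the copy task fail until the hash is recomputed; with `content:` the module already writes exactly the given text, so the line adds no assurance and can be dropped. The script's comment should also state what the assignment relies on: `$menuentry_id_option` is set by `00_header`, so the `09_` prefix is what keeps this script after it, and prepending `--unrestricted` reaches every `menuentry` and `submenu` that expands the variable — the advanced submenu, recovery and `init-*` entries of `10_linux` and any other generator that uses it — which is wider than the single default entry the earlier `10_linux` copy marked. Suggested comment in place of the copied 40_custom text: `# Runs after 00_header (which sets menuentry_id_option); every entry that expands the variable, including recovery and advanced ones, becomes --unrestricted.`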
@@ -35,4 +42,4 @@
 register: grubtime
 - name: Generate GRUB configuration
 command: update-grub
- when: grubedit.changed or grubpass.changed or grubtime.changed
+ when: grubunrestricted.changed or grubpass.changed or grubtime.changed
--
2.40.1
From 593663bf151d9132807152e53f9ec0adb60863cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Fri, 25 Oct 2024 12:47:30 +0200
Subject: [PATCH 3/4] Refs #8025: Refactor-awx - rol Debian-base - Task grub_startup. Refactoring grub.cfg passbolt query to retrive grub user password
---
 roles/debian-base/tasks/grub_startup.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/roles/debian-base/tasks/grub_startup.yml b/roles/debian-base/tasks/grub_startup.yml
index 97968a4..a47d03c 100644
--- a/roles/debian-base/tasks/grub_startup.yml
+++ b/roles/debian-base/tasks/grub_startup.yml
@@ -1,9 +1,9 @@
-# Added password protection to restrict only GRUB editing, leaving menu entries unprotected.
-# Added --unrestricted option to 09_make_OS_entries_unrestricted custom template.
-# Oficial grub Manual -->> https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
-# Questions -->> http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
-# Questions -->> https://askubuntu.com/questions/1088215/grub-2-avoid-unrestricted-boot-options-are-overwritten-with-kernel-updates
-# Resolution -->> https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
+# Enabled password protection to restrict GRUB editing only, leaving menu entries accessible without authentication.
+# Added the --unrestricted option to the custom 09_make_OS_entries_unrestricted template.
+# Official GRUB Manual: https://www.gnu.org/software/grub/manual/grub/html_node/Authentication-and-authorisation.html
+# Additional guidance: http://daniel-lange.com/archives/75-Securing-the-grub-boot-loader.html
+# Discussion and troubleshooting: https://wiki.archlinux.org/title/Talk:GRUB/Tips_and_tricks
+# To generate a GRUB password, use the command syntax provided by grub-mkpasswd-pbkdf2 --help.
 - name: GRUB edit unrestricted option
 copy:
 content: |
@@ -19,6 +19,9 @@
 checksum: fed5c365f11a919b857b78207565cf341b86082b
 mode: u=rwx,g=rx,o=rx
 register: grubunrestricted
+- name: Search grub password in Passbolt
+ set_fact:
+ grub_code: "{{ lookup(passbolt, 'grub', folder_parent_id=passbolt_folder).description }}"
 - name: GRUB edit password protection
 copy:
 content: |
--
2.40.1
From 0e39fe57c2b9ae127f81515ccab30e4b846ef4b5 Mon Sep 17 00:00:00 2001
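Review bot: The `Search grub password in Passbolt` task stores a secret in `grub_code` with no `no_log: true`, so the looked-up value is printed in verbose and AWX output of this task and again by the `GRUB edit password protection` copy task that renders it; both tasks should carry `no_log: true`. The first argument to `lookup()` is a bare `passbolt` rather than the quoted plugin name, which Jinja resolves as a variable; unless a `passbolt` variable holding the plugin name is defined elsewhere in the inventory, this should read `lookup('passbolt', 'grub', folder_parent_id=passbolt_folder)`. The new header line says the value must come from `grub-mkpasswd-pbkdf2`, but nothing verifies that the Passbolt description holds a `grub.pbkdf2.sha512.` string; a plaintext password stored there would be written verbatim into the `password_pbkdf2` line, which is presumably unusable for authentication, so an `assert` on that prefix before the copy task would fail early and clearly.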
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= Date: Fri, 25 Oct 2024 13:08:05 +0200 Subject: [PATCH 4/4] Refs #8025: Refactor-awx - rol Debian-base - Task grub_startup. Delete 10_linux template --- roles/debian-base/files/10_linux | 416 ------------------------------- 1 file changed, 416 deletions(-) delete mode 100644 roles/debian-base/files/10_linux diff --git a/roles/debian-base/files/10_linux b/roles/debian-base/files/10_linux deleted file mode 100644 index 518b50d..0000000 --- a/roles/debian-base/files/10_linux +++ /dev/null 
@@ -1,416 +0,0 @@ -#! /bin/sh -set -e - -# grub-mkconfig helper script. -# Copyright (C) 2006,2007,2008,2009,2010 Free Software Foundation, Inc. -# -# GRUB is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# GRUB is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with GRUB. If not, see . - -prefix="/usr" -exec_prefix="/usr" -datarootdir="/usr/share" -ubuntu_recovery="0" -quiet_boot="0" -quick_boot="0" -gfxpayload_dynamic="0" -vt_handoff="0" - -. "$pkgdatadir/grub-mkconfig_lib" - -export TEXTDOMAIN=grub -export TEXTDOMAINDIR="${datarootdir}/locale" - -CLASS="--class gnu-linux --class gnu --class os" -SUPPORTED_INITS="sysvinit:/lib/sysvinit/init systemd:/lib/systemd/systemd upstart:/sbin/upstart" - -if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then - OS=GNU/Linux -else - case ${GRUB_DISTRIBUTOR} in - Ubuntu|Kubuntu) - OS="${GRUB_DISTRIBUTOR}" - ;; - *) - OS="${GRUB_DISTRIBUTOR} GNU/Linux" - ;; - esac - CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1|LC_ALL=C sed 's,[^[:alnum:]_],_,g') ${CLASS}" -fi - -# loop-AES arranges things so that /dev/loop/X can be our root device, but -# the initrds that Linux uses don't like that. -case ${GRUB_DEVICE} in - /dev/loop/*|/dev/loop[0-9]) - GRUB_DEVICE=`losetup ${GRUB_DEVICE} | sed -e "s/^[^(]*(\([^)]\+\)).*/\1/"` - # We can't cope with devices loop-mounted from files here. - case ${GRUB_DEVICE} in - /dev/*) ;; - *) exit 0 ;; - esac - ;; -esac - -# Default to disabling partition uuid support to maintian compatibility with -# older kernels. 
-GRUB_DISABLE_LINUX_PARTUUID=${GRUB_DISABLE_LINUX_PARTUUID-true} - -# btrfs may reside on multiple devices. We cannot pass them as value of root= parameter -# and mounting btrfs requires user space scanning, so force UUID in this case. -if ( [ "x${GRUB_DEVICE_UUID}" = "x" ] && [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] ) \ - || ( [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \ - && [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ] ) \ - || ( ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \ - && ! test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ) \ - || ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then - LINUX_ROOT_DEVICE=${GRUB_DEVICE} -elif [ "x${GRUB_DEVICE_UUID}" = "x" ] \ - || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ]; then - LINUX_ROOT_DEVICE=PARTUUID=${GRUB_DEVICE_PARTUUID} -else - LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID} -fi - -case x"$GRUB_FS" in - xbtrfs) - rootsubvol="`make_system_path_relative_to_its_root /`" - rootsubvol="${rootsubvol#/}" - if [ "x${rootsubvol}" != x ]; then - GRUB_CMDLINE_LINUX="rootflags=subvol=${rootsubvol} ${GRUB_CMDLINE_LINUX}" - fi;; - xzfs) - rpool=`${grub_probe} --device ${GRUB_DEVICE} --target=fs_label 2>/dev/null || true` - bootfs="`make_system_path_relative_to_its_root / | sed -e "s,@$,,"`" - LINUX_ROOT_DEVICE="ZFS=${rpool}${bootfs%/}" - ;; -esac - -title_correction_code= - -if [ -x /lib/recovery-mode/recovery-menu ]; then - GRUB_CMDLINE_LINUX_RECOVERY=recovery -else - GRUB_CMDLINE_LINUX_RECOVERY=single -fi -if [ "$ubuntu_recovery" = 1 ]; then - GRUB_CMDLINE_LINUX_RECOVERY="$GRUB_CMDLINE_LINUX_RECOVERY nomodeset" -fi - -if [ "$vt_handoff" = 1 ]; then - for word in $GRUB_CMDLINE_LINUX_DEFAULT; do - if [ "$word" = splash ]; then - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT \$vt_handoff" - fi - done -fi - -linux_entry () -{ - os="$1" - version="$2" - type="$3" - args="$4" - - if [ -z "$boot_device_id" ]; then - boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")" - fi - if [ x$type 
!= xsimple ] ; then - case $type in - recovery) - title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" ;; - init-*) - title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "${type#init-}")" ;; - *) - title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;; - esac - if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then - replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')" - quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)" - title_correction_code="${title_correction_code}if [ \"x\$default\" = '$quoted' ]; then default='$(echo "$replacement_title" | grub_quote)'; fi;" - grub_warn "$(gettext_printf "Please don't use old title \`%s' for GRUB_DEFAULT, use \`%s' (for versions before 2.00) or \`%s' (for 2.00 or later)" "$GRUB_ACTUAL_DEFAULT" "$replacement_title" "gnulinux-advanced-$boot_device_id>gnulinux-$version-$type-$boot_device_id")" - fi - echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" - else - echo "menuentry '$(echo "$os" | grub_quote)' --unrestricted ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" - fi - if [ "$quick_boot" = 1 ]; then - echo " recordfail" | sed "s/^/$submenu_indentation/" - fi - if [ x$type != xrecovery ] ; then - save_default_entry | grub_add_tab - fi - - # Use ELILO's generic "efifb" when it's known to be available. - # FIXME: We need an interface to select vesafb in case efifb can't be used. 
- if [ "x$GRUB_GFXPAYLOAD_LINUX" = x ]; then - echo " load_video" | sed "s/^/$submenu_indentation/" - else - if [ "x$GRUB_GFXPAYLOAD_LINUX" != xtext ]; then - echo " load_video" | sed "s/^/$submenu_indentation/" - fi - fi - if ([ "$ubuntu_recovery" = 0 ] || [ x$type != xrecovery ]) && \ - ([ "x$GRUB_GFXPAYLOAD_LINUX" != x ] || [ "$gfxpayload_dynamic" = 1 ]); then - echo " gfxmode \$linux_gfx_mode" | sed "s/^/$submenu_indentation/" - fi - - echo " insmod gzio" | sed "s/^/$submenu_indentation/" - echo " if [ x\$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi" | sed "s/^/$submenu_indentation/" - - if [ x$dirname = x/ ]; then - if [ -z "${prepare_root_cache}" ]; then - prepare_root_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE} | grub_add_tab)" - fi - printf '%s\n' "${prepare_root_cache}" | sed "s/^/$submenu_indentation/" - else - if [ -z "${prepare_boot_cache}" ]; then - prepare_boot_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | grub_add_tab)" - fi - printf '%s\n' "${prepare_boot_cache}" | sed "s/^/$submenu_indentation/" - fi - if [ x"$quiet_boot" = x0 ] || [ x"$type" != xsimple ]; then - message="$(gettext_printf "Loading Linux %s ..." ${version})" - sed "s/^/$submenu_indentation/" << EOF - echo '$(echo "$message" | grub_quote)' -EOF - fi - if test -d /sys/firmware/efi && test -e "${linux}.efi.signed"; then - sed "s/^/$submenu_indentation/" << EOF - linux ${rel_dirname}/${basename}.efi.signed root=${linux_root_device_thisversion} ro ${args} -EOF - else - sed "s/^/$submenu_indentation/" << EOF - linux ${rel_dirname}/${basename} root=${linux_root_device_thisversion} ro ${args} -EOF - fi - if test -n "${initrd}" ; then - # TRANSLATORS: ramdisk isn't identifier. Should be translated. 
- if [ x"$quiet_boot" = x0 ] || [ x"$type" != xsimple ]; then - message="$(gettext_printf "Loading initial ramdisk ...")" - sed "s/^/$submenu_indentation/" << EOF - echo '$(echo "$message" | grub_quote)' -EOF - fi - initrd_path= - for i in ${initrd}; do - initrd_path="${initrd_path} ${rel_dirname}/${i}" - done - sed "s/^/$submenu_indentation/" << EOF - initrd $(echo $initrd_path) -EOF - fi - sed "s/^/$submenu_indentation/" << EOF -} -EOF -} - -machine=`uname -m` -case "x$machine" in - xi?86 | xx86_64) - list= - for i in /boot/vmlinuz-* /vmlinuz-* /boot/kernel-* ; do - if grub_file_is_not_garbage "$i" ; then list="$list $i" ; fi - done ;; - *) - list= - for i in /boot/vmlinuz-* /boot/vmlinux-* /vmlinuz-* /vmlinux-* /boot/kernel-* ; do - if grub_file_is_not_garbage "$i" ; then list="$list $i" ; fi - done ;; -esac - -case "$machine" in - i?86) GENKERNEL_ARCH="x86" ;; - mips|mips64) GENKERNEL_ARCH="mips" ;; - mipsel|mips64el) GENKERNEL_ARCH="mipsel" ;; - arm*) GENKERNEL_ARCH="arm" ;; - *) GENKERNEL_ARCH="$machine" ;; -esac - -prepare_boot_cache= -prepare_root_cache= -boot_device_id= -title_correction_code= - -cat << 'EOF' -function gfxmode { - set gfxpayload="${1}" -EOF -if [ "$vt_handoff" = 1 ]; then - cat << 'EOF' - if [ "${1}" = "keep" ]; then - set vt_handoff=vt.handoff=7 - else - set vt_handoff= - fi -EOF -fi -cat << EOF -} -EOF - -# Use ELILO's generic "efifb" when it's known to be available. -# FIXME: We need an interface to select vesafb in case efifb can't be used. 
-if [ "x$GRUB_GFXPAYLOAD_LINUX" != x ] || [ "$gfxpayload_dynamic" = 0 ]; then
- echo "set linux_gfx_mode=$GRUB_GFXPAYLOAD_LINUX"
-else
- cat << EOF
-if [ "\${recordfail}" != 1 ]; then
- if [ -e \${prefix}/gfxblacklist.txt ]; then
- if hwmatch \${prefix}/gfxblacklist.txt 3; then
- if [ \${match} = 0 ]; then
- set linux_gfx_mode=keep
- else
- set linux_gfx_mode=text
- fi
- else
- set linux_gfx_mode=text
- fi
- else
- set linux_gfx_mode=keep
- fi
-else
- set linux_gfx_mode=text
-fi
-EOF
-fi
-cat << EOF
-export linux_gfx_mode
-EOF
-
-# Extra indentation to add to menu entries in a submenu. We're not in a submenu
-# yet, so it's empty. In a submenu it will be equal to '\t' (one tab).
-submenu_indentation=""
-
-is_top_level=true
-while [ "x$list" != "x" ] ; do
- linux=`version_find_latest $list`
- case $linux in
- *.efi.signed)
- # We handle these in linux_entry.
- list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
- continue
- ;;
- esac
- gettext_printf "Found linux image: %s\n" "$linux" >&2
- basename=`basename $linux`
- dirname=`dirname $linux`
- rel_dirname=`make_system_path_relative_to_its_root $dirname`
- version=`echo $basename | sed -e "s,^[^0-9]*-,,g"`
- alt_version=`echo $version | sed -e "s,\.old$,,g"`
- linux_root_device_thisversion="${LINUX_ROOT_DEVICE}"
-
- initrd_early=
- for i in ${GRUB_EARLY_INITRD_LINUX_STOCK} \
- ${GRUB_EARLY_INITRD_LINUX_CUSTOM}; do
- if test -e "${dirname}/${i}" ; then
- initrd_early="${initrd_early} ${i}"
- fi
- done
-
- initrd_real=
- for i in "initrd.img-${version}" "initrd-${version}.img" "initrd-${version}.gz" \
- "initrd-${version}" "initramfs-${version}.img" \
- "initrd.img-${alt_version}" "initrd-${alt_version}.img" \
- "initrd-${alt_version}" "initramfs-${alt_version}.img" \
- "initramfs-genkernel-${version}" \
- "initramfs-genkernel-${alt_version}" \
- "initramfs-genkernel-${GENKERNEL_ARCH}-${version}" \
- "initramfs-genkernel-${GENKERNEL_ARCH}-${alt_version}"; do
- if test -e "${dirname}/${i}" ; then
- initrd_real="${i}"
- break
- fi
- done
-
- initrd=
- if test -n "${initrd_early}" || test -n "${initrd_real}"; then
- initrd="${initrd_early} ${initrd_real}"
-
- initrd_display=
- for i in ${initrd}; do
- initrd_display="${initrd_display} ${dirname}/${i}"
- done
- gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2
- fi
-
- config=
- for i in "${dirname}/config-${version}" "${dirname}/config-${alt_version}" "/etc/kernels/kernel-config-${version}" ; do
- if test -e "${i}" ; then
- config="${i}"
- break
- fi
- done
-
- initramfs=
- if test -n "${config}" ; then
- initramfs=`grep CONFIG_INITRAMFS_SOURCE= "${config}" | cut -f2 -d= | tr -d \"`
- fi
-
- if test -z "${initramfs}" && test -z "${initrd_real}" ; then
- # "UUID=" and "ZFS=" magic is parsed by initrd or initramfs. Since there's
- # no initrd or builtin initramfs, it can't work here.
- if [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] \
- || [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ]; then
-
- linux_root_device_thisversion=${GRUB_DEVICE}
- else
- linux_root_device_thisversion=PARTUUID=${GRUB_DEVICE_PARTUUID}
- fi
- fi
-
- # The GRUB_DISABLE_SUBMENU option used to be different than others since it was
- # mentioned in the documentation that has to be set to 'y' instead of 'true' to
- # enable it. This caused a lot of confusion to users that set the option to 'y',
- # 'yes' or 'true'. This was fixed but all of these values must be supported now.
- if [ "x${GRUB_DISABLE_SUBMENU}" = xyes ] || [ "x${GRUB_DISABLE_SUBMENU}" = xy ]; then
- GRUB_DISABLE_SUBMENU="true"
- fi
-
- if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xtrue ]; then
- linux_entry "${OS}" "${version}" simple \
- "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
-
- submenu_indentation="$grub_tab"
-
- if [ -z "$boot_device_id" ]; then
- boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
- fi
- # TRANSLATORS: %s is replaced with an OS name
- echo "submenu '$(gettext_printf "Advanced options for %s" "${OS}" | grub_quote)' \$menuentry_id_option 'gnulinux-advanced-$boot_device_id' {"
- is_top_level=false
- fi
-
- linux_entry "${OS}" "${version}" advanced \
- "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
- for supported_init in ${SUPPORTED_INITS}; do
- init_path="${supported_init#*:}"
- if [ -x "${init_path}" ] && [ "$(readlink -f /sbin/init)" != "$(readlink -f "${init_path}")" ]; then
- linux_entry "${OS}" "${version}" "init-${supported_init%%:*}" \
- "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT} init=${init_path}"
- fi
- done
- if [ "x${GRUB_DISABLE_RECOVERY}" != "xtrue" ]; then
- linux_entry "${OS}" "${version}" recovery \
- "${GRUB_CMDLINE_LINUX_RECOVERY} ${GRUB_CMDLINE_LINUX}"
- fi
-
- list=`echo $list | tr ' ' '\n' | fgrep -vx "$linux" | tr '\n' ' '`
-done
-
-# If at least one kernel was found, then we need to
-# add a closing '}' for the submenu command.
-if [ x"$is_top_level" != xtrue ]; then
- echo '}'
-fi
-
-echo "$title_correction_code"
--
2.40.1