plus3it · ferricoxide · Mar 13, 2024 · Mar 11, 2024 · Mar 11, 2024 · Mar 11, 2024
diff --git a/ash-linux/el8/STIGbyID/cat1/RHEL-08-010140.sls b/ash-linux/el8/STIGbyID/cat1/RHEL-08-010140.sls
@@ -0,0 +1,104 @@
+# Ref Doc:    STIG - RHEL 8 v1r7
+# Finding ID: V-230235
+# STIG ID:    RHEL-08-010140
+# Rule ID:    SV-230235r743925_rule
+# SRG ID(s):  SRG-OS-000080-GPOS-00048
+# Finding Level:        high
+#
+# Rule Summary:
+#       RHEL 8 operating systems booted with EFI must
+#       require authentication upon booting into
+#       single-user and maintenance modes
+#
+# References:
+#   CCI:
+#     - CCI-000213
+#   NIST SP 800-53 :: AC-3
+#   NIST SP 800-53A :: AC-3.1
+#   NIST SP 800-53 Revision 4 :: AC-3
+#
+#################################################################
+{%- set stig_id = 'RHEL-08-010140' %}
+{%- set helperLoc = tpldir ~ '/files' %}
+{%- from tpldir ~ '/grub2_info.jinja' import grubEncryptedPass with context %}
+{%- from tpldir ~ '/grub2_info.jinja' import grubUser with context %}
+{%- set skipIt = salt.pillar.get('ash-linux:lookup:skip-stigs', []) %}
+{%- set mustSet = salt.pillar.get('ash-linux:lookup:grub-passwd', '') %}
+{%- set grubUserFile = '/etc/grub.d/01_users' %}
+{%- if salt.grains.get('os')|lower == 'centos stream' %}
+  {%- set grubPassFile = '/boot/efi/EFI/centos/user.cfg' %}
+{%- else %}
+  {%- set grubPassFile = '/boot/efi/EFI/redhat/user.cfg' %}
+{%- endif %}
+
+
+{{ stig_id }}-description:
+  test.show_notification:
+    - text: |
+        --------------------------------------
+        STIG Finding ID: V-230234
+             RHEL 8 must require authenticated
+             user in order to access single-
+             user and maintenance modes
+        --------------------------------------
+
+{%- if stig_id in skipIt %}
+notify_{{ stig_id }}-skipSet:
+  cmd.run:
+    - name: 'printf "\nchanged=no comment=''Handler for {{ stig_id }} has been selected for skip.''\n"'
+    - stateful: True
+    - cwd: /root
+{%- else %}
+user_cfg_exists-{{ stig_id }}:
+  file.touch:
+    - name: '{{ grubPassFile }}'
+    - makedirs: True
+    - onlyif:
+      - test -d /sys/firmware/efi/
+    - unless: {{ grubPassFile }}
+
+user_cfg_content-{{ stig_id }}:
+  file.managed:
+    - name: '{{ grubPassFile }}'
+    - contents: |-
+        GRUB2_PASSWORD={{ grubEncryptedPass }}
+    - onchanges:
+      - file: user_cfg_exists-{{ stig_id }}
+    - onchanges_in:
+      - regen_grubCfg-{{ stig_id }}
+
+grubuser_superDef-{{ grubUserFile }}-{{ stig_id }}:
+  file.replace:
+    - name: '{{ grubUserFile }}'
+    - pattern: 'superusers=".*"'
+    - repl: 'superusers="{{ grubUser }}"'
+
+grubuser_userSub-{{ grubUserFile }}-{{ stig_id }}:
+  file.replace:
+    - name: '{{ grubUserFile }}'
+    - pattern: 'password_pbkdf2 .* \\'
+    - repl: 'password_pbkdf2 {{ grubUser }} \\'
+
+regen_grubCfg-{{ stig_id }}:
+  cmd.run:
+    - name: '/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg'
+    - cwd: /root
+    - onchanges:
+       - file: grubuser_superDef-{{ grubUserFile }}-{{ stig_id }}
+       - file: grubuser_userSub-{{ grubUserFile }}-{{ stig_id }}
+    - onchanges_in:
+      - file: fix_perms_grubCfg-{{ stig_id }}
+
+fix_perms_grubCfg-{{ stig_id }}:
+  file.managed:
+    - name: '/boot/grub2/grub.cfg'
+    - mode: '0600'
+    - owner: 'root'
+    - selinux:
+        serange: 's0'
+        serole: 'object_r'
+        setype: 'boot_t'
+        seuser: 'unconfined_u'
+    - user: 'root'
+
+{%- endif %}
diff --git a/ash-linux/el8/STIGbyID/cat1/RHEL-08-010150.sls b/ash-linux/el8/STIGbyID/cat1/RHEL-08-010150.sls
@@ -20,18 +20,23 @@
 #################################################################
 {%- set stig_id = 'RHEL-08-010150' %}
 {%- set helperLoc = tpldir ~ '/files' %}
+{%- from tpldir ~ '/grub2_info.jinja' import grubEncryptedPass with context %}
+{%- from tpldir ~ '/grub2_info.jinja' import grubUser with context %}
 {%- set skipIt = salt.pillar.get('ash-linux:lookup:skip-stigs', []) %}
 {%- set mustSet = salt.pillar.get('ash-linux:lookup:grub-passwd', '') %}
-{%- set grubUser = salt.pillar.get('ash-linux:lookup:grub-user', 'grubuser') %}
-{%- set grubPass = salt.pillar.get('ash-linux:lookup:grub-passwd', 'AR34llyB4dP4ssw*rd') %}
 {%- set grubUserFile = '/etc/grub.d/01_users' %}
 {%- set grubPassFile = '/boot/grub2/user.cfg' %}
 {%- set grubUtil = '/bin/grub2-mkpasswd-pbkdf2' %}
 
-script_{{ stig_id }}-describe:
-  cmd.script:
-    - source: salt://{{ helperLoc }}/{{ stig_id }}.sh
-    - cwd: /root
+{{ stig_id }}-description:
+  test.show_notification:
+    - text: |
+        --------------------------------------
+        STIG Finding ID: V-230235
+             RHEL 8 must require authenticated
+             user in order to access single-
+             user and maintenance modes
+        --------------------------------------
 
 {%- if stig_id in skipIt %}
 notify_{{ stig_id }}-skipSet:
@@ -40,47 +45,56 @@ notify_{{ stig_id }}-skipSet:
     - stateful: True
     - cwd: /root
 {%- else %}
-user_cfg_permissions-{{ stig_id }}:
+user_cfg_content-{{ stig_id }}:
   file.managed:
     - name: '{{ grubPassFile }}'
-    - user: 'root'
-    - owner: 'root'
+    - contents: |-
+        GRUB2_PASSWORD={{ grubEncryptedPass }}
     - mode: '000600'
+    - onchanges_in:
+      - cmd: regen_grubCfg-{{ stig_id }}
+    - onlyif:
+      - [[ ! -d /sys/firmware/efi/ ]]
+    - owner: 'root'
     - replace: false
+    - selinux:
+        serange: 's0'
+        serole: 'object_r'
+        setype: 'boot_t'
+        seuser: 'unconfined_u'
+    - user: 'root'
 
-user_cfg_selLabels-{{ stig_id }}:
-  cmd.run:
-    - name: 'chcon -u system_u -r object_r -t boot_t {{ grubPassFile }}'
-    - cwd: /root
-    - require:
-      - file: user_cfg_permissions-{{ stig_id }}
-    - unless:
-      - '[[ $( ls -lZ /boot/grub2/user.cfg | awk "{ print $5 }" ) =~ "system_u:object_r:boot_t:"* ]]'
-
-user_cfg_content-{{ stig_id }}:
-  cmd.run:
-    - name: 'printf "GRUB2_PASSWORD=%s\n" "$( printf "{{ grubPass }}\n{{ grubPass }}\n" | {{ grubUtil }} | awk ''/grub.pbkdf/{print $NF}'' )" > {{ grubPassFile }}'
-    - cwd: /root
-    - require:
-      - file: user_cfg_permissions-{{ stig_id }}
-
-grubuser_superDef-{{ grubUserFile }}:
+grubuser_superDef-{{ grubUserFile }}-{{ stig_id }}:
   file.replace:
     - name: '{{ grubUserFile }}'
     - pattern: 'superusers=".*"'
     - repl: 'superusers="{{ grubUser }}"'
 
-grubuser_userSub-{{ grubUserFile }}:
+grubuser_userSub-{{ grubUserFile }}-{{ stig_id }}:
   file.replace:
     - name: '{{ grubUserFile }}'
     - pattern: 'password_pbkdf2 .* \\'
     - repl: 'password_pbkdf2 {{ grubUser }} \\'
 
-regen_grubCfg:
+regen_grubCfg-{{ stig_id }}:
   cmd.run:
     - name: '/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg '
     - cwd: /root
-    - require:
-      - file: grubuser_superDef-{{ grubUserFile }}
-      - file: grubuser_userSub-{{ grubUserFile }}
+    - onchanges:
+      - file: grubuser_superDef-{{ grubUserFile }}-{{ stig_id }}
+      - file: grubuser_userSub-{{ grubUserFile }}-{{ stig_id }}
+    - onchanges_in:
+      - file: fix_perms_grubCfg-{{ stig_id }}
+
+fix_perms_grubCfg-{{ stig_id }}:
+  file.managed:
+    - name: '/boot/grub2/grub.cfg'
+    - mode: '0600'
+    - owner: 'root'
+    - selinux:
+        serange: 's0'
+        serole: 'object_r'
+        setype: 'boot_t'
+        seuser: 'unconfined_u'
+    - user: 'root'
 {%- endif %}
diff --git a/ash-linux/el8/STIGbyID/cat1/files/RHEL-08-010150.sh b/ash-linux/el8/STIGbyID/cat1/files/RHEL-08-010150.sh
diff --git a/ash-linux/el8/STIGbyID/cat1/grub2_info.jinja b/ash-linux/el8/STIGbyID/cat1/grub2_info.jinja
@@ -0,0 +1,12 @@
+{%- set grubUser = salt.pillar.get('ash-linux:lookup:grub-user', 'grubuser') %}
+{%- set grubClearPass = salt.pillar.get('ash-linux:lookup:grub-passwd', 'AR34llyB4dP4ssw*rd') %}
+
+{%-
+    set grubEncryptedPass = salt.cmd.shell(
+        'printf "%s\n%s\n" "' + grubClearPass + '" "' + grubClearPass + '" |
+        /bin/grub2-mkpasswd-pbkdf2 |
+        grep "hash of" |
+        sed "s/^.* is //"',
+        ignore_retcode=True
+    )
+%}
diff --git a/ash-linux/el8/STIGbyID/cat1/init.sls b/ash-linux/el8/STIGbyID/cat1/init.sls
@@ -1,3 +1,4 @@
 include:
+  - ash-linux.el8.STIGbyID.cat1.RHEL-08-010140
   - ash-linux.el8.STIGbyID.cat1.RHEL-08-010150
   - ash-linux.el8.STIGbyID.cat1.RHEL-08-no_pam_nullok