ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

updated grub controls

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-04-11 17:38:01 +01:00
parent 9c519482a8
commit 08e48fbe83
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
3 changed files with 2 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

2
handlers/main.yml
View file

@ -115,7 +115,7 @@
- skip_ansible_lint
- name: grub2cfg
shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
args:
warn: false
ignore_errors: True

34
tasks/prelim.yml
View file

@ -156,40 +156,6 @@
- rule_5.3.4
- rule_5.3.5
- name: "PRELIM | Set facts based on boot type"
block:
- name: "PRELIM | Check whether machine is UEFI-based"
stat:
path: /sys/firmware/efi
register: rhel_09_efi_boot
- name: "PRELIM | AUDIT | set legacy boot and grub path | Bios"
set_fact:
rhel9cis_legacy_boot: true
grub2_path: /etc/grub2.cfg
when: not rhel_09_efi_boot.stat.exists
- name: "PRELIM | set grub fact | UEFI"
set_fact:
grub2_path: /etc/grub2-efi.cfg
when: rhel_09_efi_boot.stat.exists
when:
- not system_is_container
tags:
- bootloader
- grub
- name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats"
stat:
path: "{{ grub2_path }}"
changed_when: false
register: grub_cfg
when:
- not system_is_container
tags:
- bootloader
- grub
- name: "PRELIM | Check for rhnsd service"
shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
changed_when: false

4
tasks/section_1/cis_1.4.x.yml
View file

@ -25,7 +25,7 @@
block:
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
file:
path: "{{ grub_cfg.stat.lnk_source }}"
path: /boot/grub2/grub.cfg
owner: root
group: root
mode: 0600
@ -47,8 +47,6 @@
- item.mount == "/boot/efi"
when:
- rhel9cis_rule_1_4_2
- grub_cfg.stat.exists
- grub_cfg.stat.islnk
tags:
- level1-server
- level1-workstation