updated 1.4.2 thanks to @brent-bean #300

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 22:23:06 +00:00 · 2025-02-26 11:01:35 +00:00 · 2025-02-26 11:01:35 +00:00 · 40078515fe
commit 40078515fe
parent 5c919fb19d
3 changed files with 48 additions and 4 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -144,6 +144,15 @@
    state: remounted
  listen: "Remount /var/log/audit"

+- name: "Remounting /boot/efi"
+  vars:
+    mount_point: '/boot/efi'
+  ansible.posix.mount:
+    path: "{{ mount_point }}"
+    state: remounted
+  notify: Change_requires_reboot
+  listen: "Remount /boot/efi"
+
 - name: Reload sysctl
  ansible.builtin.command: sysctl --system
  changed_when: true
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -29,7 +29,8 @@
    - rule_1.4.2
    - NIST800-53R5_AC-3
  block:
-    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
+    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system"
+      when: rhel9cis_legacy_boot
      ansible.builtin.file:
        path: "/boot/grub2/{{ item.path }}"
        owner: root
@ -39,6 +40,37 @@
        modification_time: preserve
        access_time: preserve
      loop:
-        - { path: 'grub.cfg', mode: '0700' }
-        - { path: 'grubenv', mode: 'go-rwx' }
-        - { path: 'user.cfg', mode: 'go-rwx' }
+        - { path: 'grub.cfg', mode: 'u-x,go-rwx' }
+        - { path: 'grubenv', mode: 'u-x,go-rwx' }
+        - { path: 'user.cfg', mode: 'u-x,go-rwx' }
+
+    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system"
+      when: not rhel9cis_legacy_boot
+      vars:
+        efi_mount_options: ['umask=0077','fmask=0077','uid=0','gid=0']
+      block:
+        - name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | efi based system | capture current state"
+          ansible.builtin.shell: grep "^[^#;]" /etc/fstab | grep '/boot/efi' | cut -d ' ' -f4
+          changed_when: false
+          register: discovered_efi_fstab
+
+        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"
+          when: item not in discovered_efi_fstab.stdout
+          ansible.builtin.set_fact:
+            efi_mount_opts_addition: "{{ efi_mount_opts_addition + item + ',' }}"
+          loop: "{{ efi_mount_options }}"
+
+        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options"
+          ansible.builtin.lineinfile:
+            path: /etc/fstab
+            regexp: (.*/boot/efi\s*\w*\s*){{ discovered_efi_fstab.stdout }}(.*)
+            line: \1{{ discovered_efi_fstab.stdout + efi_mount_opts_addition }}\2
+            backrefs: true
+          notify: Remount /boot/efi
+
+        - debug:
+            msg:
+            - "{{ discovered_efi_fstab.stdout }}"
+            - "{{ efi_mount_opts_addition }}"
+
+        - pause:
--- a/vars/main.yml
+++ b/vars/main.yml
@ -22,6 +22,9 @@ rhel9cis_allowed_crypto_policies_modules:
 warn_control_list: ""
 warn_count: 0

+# Default empty values for 1.4.2
+efi_mount_opts_addition: ''
+
 gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"

 ## Controls 6.3.3.x - Audit template