mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 22:23:06 +00:00
76 lines
2 KiB
YAML
76 lines
2 KiB
YAML
---
|
|
|
|
- name: "1.4.1 | PATCH | Ensure bootloader password is set"
|
|
copy:
|
|
dest: /boot/grub2/user.cfg
|
|
content: "GRUB2_PASSWORD={{ rhel8cis_bootloader_password_hash }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
notify: grub2cfg
|
|
when:
|
|
- rhel8cis_set_boot_pass
|
|
- grub_pass is defined and grub_pass.passhash is defined
|
|
- grub_pass.passhash | length > 0
|
|
- rhel8cis_rule_1_4_1
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- automated
|
|
- grub
|
|
- patch
|
|
- rule_1.4.1
|
|
|
|
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
|
|
block:
|
|
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
|
|
file:
|
|
path: "{{ grub_cfg.stat.lnk_source }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
|
|
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | UEFI"
|
|
mount:
|
|
name: /boot/efi
|
|
src: "UUID={{ item.uuid }}"
|
|
fstype: vfat
|
|
state: present
|
|
opts: defaults,umask=0027,fmask=0077,uid=0,gid=0
|
|
passno: '0'
|
|
with_items:
|
|
- "{{ ansible_mounts }}"
|
|
loop_control:
|
|
label: "{{ item.mount }}"
|
|
when:
|
|
- not rhel8cis_legacy_boot
|
|
- item.mount == "/boot/efi"
|
|
when:
|
|
- rhel8cis_rule_1_4_2
|
|
- grub_cfg.stat.exists
|
|
- grub_cfg.stat.islnk
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- automated
|
|
- grub
|
|
- patch
|
|
- rule_1.4.2
|
|
|
|
- name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode"
|
|
lineinfile:
|
|
path: /etc/systemd/system/rescue.service.d/00-require-auth.conf
|
|
regexp: '^ExecStart='
|
|
line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
|
|
create: yes
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
when:
|
|
- rhel8cis_rule_1_4_3
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- automated
|
|
- patch
|
|
- rule_1.4.3
|