updated grub controls
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
parent
9c519482a8
commit
08e48fbe83
3 changed files with 2 additions and 38 deletions
|
|
@ -115,7 +115,7 @@
|
||||||
- skip_ansible_lint
|
- skip_ansible_lint
|
||||||
|
|
||||||
- name: grub2cfg
|
- name: grub2cfg
|
||||||
shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
|
shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
|
||||||
args:
|
args:
|
||||||
warn: false
|
warn: false
|
||||||
ignore_errors: True
|
ignore_errors: True
|
||||||
|
|
|
||||||
|
|
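Review bot: `ignore_errors: True` on the rewritten grub2cfg task hides a failed `grub2-mkconfig -o /boot/grub2/grub.cfg`, so a host whose bootloader config was not regenerated continues silently into the later bootloader permission and setting controls that assume it was. Since the command uses no shell features, `command: grub2-mkconfig -o /boot/grub2/grub.cfg` is the tighter module, and if the task must tolerate hosts without grub2 it should `register: grub2cfg_result` and decide with `failed_when:` rather than swallow every error. Two smaller points in the same task: `warn: false` under `args:` is a deprecated shell/command option that newer ansible-core releases no longer accept, and `ignore_errors: True` should be written `true`. Any `when:` or `tags:` keys belonging to this task fall outside the hunk.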
@ -156,40 +156,6 @@
|
||||||
- rule_5.3.4
|
- rule_5.3.4
|
||||||
- rule_5.3.5
|
- rule_5.3.5
|
||||||
|
|
||||||
- name: "PRELIM | Set facts based on boot type"
|
|
||||||
block:
|
|
||||||
- name: "PRELIM | Check whether machine is UEFI-based"
|
|
||||||
stat:
|
|
||||||
path: /sys/firmware/efi
|
|
||||||
register: rhel_09_efi_boot
|
|
||||||
|
|
||||||
- name: "PRELIM | AUDIT | set legacy boot and grub path | Bios"
|
|
||||||
set_fact:
|
|
||||||
rhel9cis_legacy_boot: true
|
|
||||||
grub2_path: /etc/grub2.cfg
|
|
||||||
when: not rhel_09_efi_boot.stat.exists
|
|
||||||
|
|
||||||
- name: "PRELIM | set grub fact | UEFI"
|
|
||||||
set_fact:
|
|
||||||
grub2_path: /etc/grub2-efi.cfg
|
|
||||||
when: rhel_09_efi_boot.stat.exists
|
|
||||||
when:
|
|
||||||
- not system_is_container
|
|
||||||
tags:
|
|
||||||
- bootloader
|
|
||||||
- grub
|
|
||||||
|
|
||||||
- name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats"
|
|
||||||
stat:
|
|
||||||
path: "{{ grub2_path }}"
|
|
||||||
changed_when: false
|
|
||||||
register: grub_cfg
|
|
||||||
when:
|
|
||||||
- not system_is_container
|
|
||||||
tags:
|
|
||||||
- bootloader
|
|
||||||
- grub
|
|
||||||
|
|
||||||
- name: "PRELIM | Check for rhnsd service"
|
- name: "PRELIM | Check for rhnsd service"
|
||||||
shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
|
shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@
|
||||||
block:
|
block:
|
||||||
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
|
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
|
||||||
file:
|
file:
|
||||||
path: "{{ grub_cfg.stat.lnk_source }}"
|
path: /boot/grub2/grub.cfg
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
|
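Review bot: `mode: 0600` two lines below the rewritten `path:` is an unquoted leading-zero literal; YAML 1.1 loaders read it as the integer 384 and Ansible documents that unquoted octal modes only work sometimes, so the permission this control exists to enforce can land wrong. Quote it as `mode: "0600"`. The task now targets `/boot/grub2/grub.cfg` directly where it previously used the resolved `lnk_source`, so the assumption that this path is the active config on both boot types deserves a comment above the path, e.g. `# /boot/grub2/grub.cfg is the live config on RHEL 9 for BIOS and UEFI hosts; verify on EFI layouts`. The block containing this task starts before the hunk.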
@ -47,8 +47,6 @@
|
||||||
- item.mount == "/boot/efi"
|
- item.mount == "/boot/efi"
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_1_4_2
|
- rhel9cis_rule_1_4_2
|
||||||
- grub_cfg.stat.exists
|
|
||||||
- grub_cfg.stat.islnk
|
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
|
|
|
||||||
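Review bot: removing `grub_cfg.stat.exists` and `grub_cfg.stat.islnk` leaves the 1.4.2 `file:` task guarded only by `rhel9cis_rule_1_4_2`, so on a host where `/boot/grub2/grub.cfg` is absent the `file` module with its default state errors instead of skipping. The same commit deletes the PRELIM `stat` that registered `grub_cfg` and the `rhel9cis_legacy_boot` fact, so any remaining reference to either elsewhere in the role would now be undefined; that is worth a grep before merging. A minimal guard keeps one `stat` task registered as `grub_cfg` and the condition `- grub_cfg.stat.exists` here. The `- item.mount == "/boot/efi"` context line suggests the task still iterates mounts for the EFI case, which the dropped UEFI detection previously informed; the enclosing task and block begin in the earlier hunk at line 25.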