forked from ansible-lockdown/RHEL9-CIS
44 lines
1.1 KiB
YAML
44 lines
1.1 KiB
YAML
---
|
|
|
|
- name: "1.4.1 | PATCH | Ensure bootloader password is set"
|
|
when:
|
|
- rhel9cis_set_boot_pass
|
|
- rhel9cis_rule_1_4_1
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- grub
|
|
- patch
|
|
- rule_1.4.1
|
|
- NIST800-53R5_AC-3
|
|
ansible.builtin.copy:
|
|
dest: /boot/grub2/user.cfg
|
|
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
|
|
owner: root
|
|
group: root
|
|
mode: 'go-rwx'
|
|
notify: Grub2cfg
|
|
|
|
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
|
|
when: rhel9cis_rule_1_4_2
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- grub
|
|
- patch
|
|
- rule_1.4.2
|
|
- NIST800-53R5_AC-3
|
|
block:
|
|
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
|
|
ansible.builtin.file:
|
|
path: "/boot/grub2/{{ item.path }}"
|
|
owner: root
|
|
group: root
|
|
mode: "{{ item.mode }}"
|
|
state: touch
|
|
modification_time: preserve
|
|
access_time: preserve
|
|
loop:
|
|
- { path: 'grub.cfg', mode: '0700' }
|
|
- { path: 'grubenv', mode: 'go-rwx' }
|
|
- { path: 'user.cfg', mode: 'go-rwx' }
|