diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 1beb222..9e6f89b 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -322,11 +322,21 @@
   changed_when: false
   check_mode: false
 
-- name: "PRELIM | Check the grub configuration"
+- name: "PRELIM | Check the grub.cfg configuration"
   stat:
     path: /boot/grub/grub.cfg
   register: grub_cfg
 
+- name: "PRELIM | Check the grub.conf configuration"
+  stat:
+    path: /boot/grub/grub.conf
+  register: grub_conf
+
+- name: "PRELIM | Check the menu.lst configuration"
+  stat:
+    path: "/boot/grub/menu.lst"
+  register: menu_lst
+
 - name: "PRELIM | Check that system accounts are non-login #1"
   shell: >
     set -o pipefail &&
diff --git a/tasks/section1.yml b/tasks/section1.yml
index fc57a57..f7c7dd2 100644
--- a/tasks/section1.yml
+++ b/tasks/section1.yml
@@ -720,7 +720,7 @@
   - patch
   - rule_1.4.2
 
-- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured"
+- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.cfg"
   file:
     path: "/boot/grub/grub.cfg"
     owner: root
@@ -736,6 +736,40 @@
   - patch
   - rule_1.5.1
 
+- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.conf"
+  file:
+    path: "/boot/grub/grub.conf"
+    owner: root
+    group: root
+    mode: 0400
+  when:
+    - ansible_os_family == "Debian"
+    - ubuntu1804cis_rule_1_5_1
+    - grub_conf.stat.exists
+  tags:
+    - level1
+    - scored
+    - grub
+    - patch
+    - rule_1.5.1
+
+- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for menu.lst"
+  file:
+    path: "/boot/grub/menu.lst"
+    owner: root
+    group: root
+    mode: 0400
+  when:
+    - ansible_os_family == "Debian"
+    - ubuntu1804cis_rule_1_5_1
+    - menu_lst.stat.exists
+  tags:
+    - level1
+    - scored
+    - grub
+    - patch
+    - rule_1.5.1
+
 - name: "SCORED | 1.5.2 | PATCH | Ensure bootloader password is set - generate password"
   shell: "set -o pipefail; if [ '{{ ubuntu1804cis_bootloader_password }}' == 'random' ];
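Review bot: The two new `stat` tasks in the prelim.yml hunk register `grub_conf` and `menu_lst` without `follow`, and Ansible's `stat` defaults to `follow: false`, so a stale or dangling legacy-GRUB symlink at `/boot/grub/menu.lst` (common on hosts migrated from GRUB legacy to GRUB2) still reports `stat.exists: true`; a downstream `file` task with `mode: 0400` keyed on that flag would then chmod the symlink target or fail on a dangling link. Since these results exist only to gate permission hardening of real bootloader configs, consider `stat:` / `path: /boot/grub/menu.lst` / `follow: true` (and the same for `grub.conf`) so only an actual regular file is treated as present. Minor style point: the `menu.lst` path is double-quoted while the sibling `grub.cfg` and `grub.conf` paths are bare; pick one form for the three tasks. The prelim tasks also carry no `tags` in what is visible, so if this file is not run with an `always` tag, a play invoked with `--tags rule_1.5.1` would presumably leave `grub_conf`/`menu_lst` undefined for the consumers — worth confirming against how the role tags its prelim tasks.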