56 lines
1.6 KiB
YAML
56 lines
1.6 KiB
YAML
---
|
|
|
|
- name: "1.4.1 | PATCH | Ensure bootloader password is set"
|
|
when:
|
|
- ubtu24cis_set_boot_pass
|
|
- ubtu24cis_rule_1_4_1
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_1.4.1
|
|
- NIST800-53R5_AC-3
|
|
- grub
|
|
block:
|
|
- name: "1.4.1 | PATCH | Ensure bootloader password is set"
|
|
ansible.builtin.template:
|
|
src: etc/grub.d/00_user.j2
|
|
dest: "{{ ubtu24cis_grub_user_file }}"
|
|
owner: root
|
|
group: root
|
|
mode: '0755'
|
|
notify: Grub update
|
|
|
|
- name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"
|
|
when: not ubtu24cis_ask_passwd_to_boot
|
|
ansible.builtin.lineinfile:
|
|
path: "/etc/grub.d/10_linux"
|
|
regexp: '(^CLASS="--class gnu-linux --class gnu --class os).*"$'
|
|
line: '\g<1> --unrestricted"'
|
|
backrefs: true
|
|
notify: Grub update
|
|
|
|
- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured"
|
|
when: ubtu24cis_rule_1_4_2
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_1.4.2
|
|
- NIST800-53R5_AC-3
|
|
- grub
|
|
block:
|
|
- name: "1.4.2 | AUDIT | Ensure access to bootloader config is configured | Check for Grub file"
|
|
ansible.builtin.stat:
|
|
path: "{{ ubtu24cis_grub_file }}"
|
|
check_mode: false
|
|
register: discovered_grub_cfg_file
|
|
|
|
- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | Set permissions"
|
|
when: discovered_grub_cfg_file.stat.exists
|
|
ansible.builtin.file:
|
|
path: "{{ ubtu24cis_grub_file }}"
|
|
owner: root
|
|
group: root
|
|
mode: 'u-x,go-rwx'
|