Covering 1.5.1 for menu.lst and grub.conf (#78)

* Covering 1.5.1 for menu.lst and grub.conf
florianutz · Jul 15, 2020 · 63016f1 · 63016f1
1 parent 50ba7bb
commit 63016f1
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 2 deletions.
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -322,11 +322,21 @@
   changed_when: false
   check_mode: false
 
-- name: "PRELIM | Check the grub configuration"
+- name: "PRELIM | Check the grub.cfg configuration"
   stat:
     path: /boot/grub/grub.cfg
   register: grub_cfg
 
+- name: "PRELIM | Check the grub.conf configuration"
+  stat:
+    path: /boot/grub/grub.conf
+  register: grub_conf
+
+- name: "PRELIM | Check the menu.lst configuration"
+  stat:
+    path: "/boot/grub/menu.lst"
+  register: menu_lst
+
 - name: "PRELIM | Check that system accounts are non-login #1"
   shell: >
     set -o pipefail &&

diff --git a/tasks/section1.yml b/tasks/section1.yml
@@ -720,7 +720,7 @@
       - patch
       - rule_1.4.2
 
-- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured"
+- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.cfg"
   file:
       path: "/boot/grub/grub.cfg"
       owner: root
@@ -736,6 +736,40 @@
       - patch
       - rule_1.5.1
 
+- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.conf"
+  file:
+      path: "/boot/grub/grub.conf"
+      owner: root
+      group: root
+      mode: 0400
+  when:
+      - ansible_os_family == "Debian"
+      - ubuntu1804cis_rule_1_5_1
+      - grub_conf.stat.exists
+  tags:
+      - level1
+      - scored
+      - grub
+      - patch
+      - rule_1.5.1
+
+- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for menu.lst"
+  file:
+      path: "/boot/grub/menu.lst"
+      owner: root
+      group: root
+      mode: 0400
+  when:
+      - ansible_os_family == "Debian"
+      - ubuntu1804cis_rule_1_5_1
+      - menu_lst.stat.exists
+  tags:
+      - level1
+      - scored
+      - grub
+      - patch
+      - rule_1.5.1
+
 - name: "SCORED | 1.5.2 | PATCH | Ensure bootloader password is set - generate password"
   shell: "set -o pipefail;
         if [ '{{ ubuntu1804cis_bootloader_password }}' == 'random' ];