

Updating Grub
Signed-off-by: Mathieu Fortin <[email protected]>
mfortin committed Jun 7, 2024
1 parent 0924b19 commit 4975300
Showing 2 changed files with 22 additions and 22 deletions.
20 changes: 10 additions & 10 deletions tasks/section_4/cis_4.1.1.x.yml
Expand Up @@ -34,26 +34,26 @@
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
block:
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Get Grub CMDLINE Settings"
shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -d'"' -f2
shell: grep -c -E '^GRUB_CMDLINE_LINUX(_DEFAULT)?=' /etc/default/grub
changed_when: false
failed_when: false
register: amazon2cis_4_1_1_3_grub_cmdline_linux

- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if audit setting already set"
replace:
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if Grub CMDLINE exists"
lineinfile:
path: /etc/default/grub
regexp: 'audit=([^\D]+)'
replace: 'audit=1'
regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?)="(.*)( audit=\d)?(.*)"'
line: '\1="\2 audit=1\3"'
backrefs: true
notify: grub2cfg
when: "'audit=' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout"
when: "'1' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout"

- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if audit setting not already set"
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if Grub CMDLINE does not exist"
lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
line: 'GRUB_CMDLINE_LINUX="{{ amazon2cis_4_1_1_3_grub_cmdline_linux.stdout }} audit=1"'
line: 'GRUB_CMDLINE_LINUX="audit=1"'
notify: grub2cfg
when: "'audit=' not in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout"
when: "'0' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout"
when:
- amazon2cis_rule_4_1_1_3
tags:
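Review bot: The backrefs regexp on the "Set if Grub CMDLINE exists" task is not idempotent: `(.*)` is greedy and swallows the whole quoted value, the optional `( audit=\d)?` group never captures, and `'\1="\2 audit=1\3"'` therefore appends a fresh ` audit=1` on every run while leaving any existing `audit=0` in place, so grub2cfg is notified on each play and the kernel line keeps growing. The `'1' in stdout` / `'0' in stdout` guards are substring tests on a count, so a file carrying both GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT (grep -c prints 2) matches neither branch and the control is silently skipped; lineinfile with backrefs also edits only the last matching line, so only one of the two variables would receive the flag. Compare the count numerically (`when: amazon2cis_4_1_1_3_grub_cmdline_linux.stdout | int > 0` and `| int == 0`) and split the edit into a `replace` that rewrites an existing `audit=N` on every matching line plus a backrefs lineinfile that only adds the flag when it is absent, as sketched below. The audit_backlog_limit task in tasks/section_4/cis_4.1.2.x.yml has the same greedy-group and substring-count pattern and should get the same treatment. The enclosing block and its `tags:` continue outside the hunk.
```yaml
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Fix existing audit setting"
  replace:
    path: /etc/default/grub
    regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?=".*?)\baudit=\d+'
    replace: '\1audit=1'
  notify: grub2cfg
  when: amazon2cis_4_1_1_3_grub_cmdline_linux.stdout | int > 0

- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if absent"
  lineinfile:
    path: /etc/default/grub
    regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?)="((?:(?!\baudit=\d).)*)"$'
    line: '\1="\2 audit=1"'
    backrefs: true
  notify: grub2cfg
  when: amazon2cis_4_1_1_3_grub_cmdline_linux.stdout | int > 0

# … unchanged: "Set if Grub CMDLINE does not exist" task, guarded by `when: ... stdout | int == 0` …
```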
24 changes: 12 additions & 12 deletions tasks/section_4/cis_4.1.2.x.yml
Expand Up @@ -55,26 +55,26 @@
- name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient"
block:
- name: "4.1.2.4 | AUDIT | Ensure audit_backlog_limit is sufficient | Grep GRUB_CMDLINE_LINUX parameter"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | cut -f2 -d'"'
shell: grep -c -E 'GRUB_CMDLINE_LINUX(_DEFAULT)?=' /etc/default/grub
changed_when: false
failed_when: false
register: amazon2cis_4_1_2_4_grub_cmdline_linux_settings

- name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if not configured"
- name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if GRUB_CMDLINE_LINUX exists"
lineinfile:
dest: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
line: 'GRUB_CMDLINE_LINUX="{{ amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout }} audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"'
path: /etc/default/grub
regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?)="(.*)( audit_backlog_limit={{ amazon2cis_audit_backlog_limit }})?(.*)"'
line: '\1="\2 audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}\3"'
backrefs: true
notify: grub2cfg
when: '"audit_backlog_limit" not in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout'
when: "'1' in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout"

- name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Adjust audit_backlog_limit if exists"
replace:
dest: /etc/default/grub
regexp: 'audit_backlog_limit=([^\D]+)'
replace: 'audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}'
- name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if GRUB_CMDLINE_LINUX does not exists"
lineinfile:
path: /etc/default/grub
replace: 'GRUB_CMDLINE_LINUX="audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"'
notify: grub2cfg
when: '"audit_backlog_limit" in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout'
when: "'0' in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout"
when:
- amazon2cis_rule_4_1_2_4
tags:
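Review bot: `replace:` is not a parameter of the lineinfile module, so the "Set audit_backlog_limit if GRUB_CMDLINE_LINUX does not exists" task fails with an unsupported-parameter error and a host with no GRUB_CMDLINE_LINUX line never gets the backlog limit written; the key should be `line: 'GRUB_CMDLINE_LINUX="audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"'`. The grep in the first task lacks the `^` anchor used in cis_4.1.1.x.yml, so a commented-out `#GRUB_CMDLINE_LINUX=` line is counted as present and steers the block into the backrefs branch, whose regexp then matches nothing and the setting is silently skipped. Note also that `{{ amazon2cis_audit_backlog_limit }}` is interpolated into the regexp and the `( audit_backlog_limit=...)?` group is optional, so an existing `audit_backlog_limit=NNNN` with a different value is kept alongside the appended one rather than corrected. The `'1' in` / `'0' in` count checks and the greedy-group idempotency issue are the same as flagged on cis_4.1.1.x.yml. The enclosing block and its `tags:` continue outside the hunk.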

