From 4975300535c6e11c2298ad9b23ba01b0d0b54531 Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Fri, 7 Jun 2024 12:04:51 -0400
Subject: [PATCH] Updating Grub
Signed-off-by: Mathieu Fortin
---
tasks/section_4/cis_4.1.1.x.yml | 20 ++++++++++----------
tasks/section_4/cis_4.1.2.x.yml | 24 ++++++++++++------------
2 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml
index f8a7a3f..a9a0ac0 100644
--- a/tasks/section_4/cis_4.1.1.x.yml
+++ b/tasks/section_4/cis_4.1.1.x.yml
@@ -34,26 +34,26 @@ - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Get Grub CMDLINE Settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -d'"' -f2 + shell: grep -c -E '^GRUB_CMDLINE_LINUX(_DEFAULT)?=' /etc/default/grub changed_when: false failed_when: false register: amazon2cis_4_1_1_3_grub_cmdline_linux - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if audit setting already set" - replace: + - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if Grub CMDLINE exists" + lineinfile: path: /etc/default/grub - regexp: 'audit=([^\D]+)' - replace: 'audit=1' + regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?)="(.*)( audit=\d)?(.*)"' + line: '\1="\2 audit=1\3"' + backrefs: true notify: grub2cfg - when: "'audit=' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout" + when: "'1' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout" - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if audit setting not already set" + - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if Grub CMDLINE does not exist" lineinfile: path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ amazon2cis_4_1_1_3_grub_cmdline_linux.stdout }} audit=1"' + line: 'GRUB_CMDLINE_LINUX="audit=1"' notify: grub2cfg - when: "'audit=' not in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout" + when: "'0' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout" when: - amazon2cis_rule_4_1_1_3 tags: diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index c4cbb65..15afb76 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml 
@@ -55,26 +55,26 @@ - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient" block: - name: "4.1.2.4 | AUDIT | Ensure audit_backlog_limit is sufficient | Grep GRUB_CMDLINE_LINUX parameter" - shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | cut -f2 -d'"' + shell: grep -c -E 'GRUB_CMDLINE_LINUX(_DEFAULT)?=' /etc/default/grub changed_when: false failed_when: false register: amazon2cis_4_1_2_4_grub_cmdline_linux_settings - - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if not configured" + - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if GRUB_CMDLINE_LINUX exists" lineinfile: - dest: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout }} audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"' + path: /etc/default/grub + regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?)="(.*)( audit_backlog_limit={{ amazon2cis_audit_backlog_limit }})?(.*)"' + line: '\1="\2 audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}\3"' + backrefs: true notify: grub2cfg - when: '"audit_backlog_limit" not in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout' + when: "'1' in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout" - - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Adjust audit_backlog_limit if exists" - replace: - dest: /etc/default/grub - regexp: 'audit_backlog_limit=([^\D]+)' - replace: 'audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}' + - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if GRUB_CMDLINE_LINUX does not exists" + lineinfile: + path: /etc/default/grub + replace: 'GRUB_CMDLINE_LINUX="audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"' notify: grub2cfg - when: '"audit_backlog_limit" in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout' + when: "'0' in 
amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout" when: - amazon2cis_rule_4_1_2_4 tags:
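Review bot: The "does not exists" task passes `replace:` to `lineinfile`, which has no such parameter, so Ansible rejects the task with an unsupported-parameter error whenever the count is 0 and the variable is never created; the key should be `line: 'GRUB_CMDLINE_LINUX="audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"'`. The grep pattern here also lacks the `^` anchor used in cis_4.1.1.x.yml, so a commented-out `# GRUB_CMDLINE_LINUX=` line is counted, the "exists" branch is chosen, and its anchored regexp then matches nothing (with `backrefs: true` lineinfile leaves the file unchanged), leaving the backlog limit unset while the play reports ok; use `'^GRUB_CMDLINE_LINUX(_DEFAULT)?='`. The greedy `(.*)` in the first regexp and the `'1'`/`'0'` substring tests on the count carry the same non-idempotent append and count-2 gap raised on the cis_4.1.1.x.yml hunk. The task name's "does not exists" should read "does not exist".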