Merge pull request #6 from ansible-lockdown/devel

merge fixes from devel
ansible-lockdown · Aug 30, 2023 · b233269 · b233269
2 parents b2e41e9 + cab1f4c
commit b233269
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 5 deletions.
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
@@ -115,7 +115,7 @@
 
           # Run the ansible playbook
             - name: Run_Ansible_Playbook
-              uses: arillso/action.playbook@master
+              uses: ansible-lockdown/action.playbook@main
               with:
                 playbook: site.yml
                 inventory: .github/workflows/github_linux_IaC/hosts.yml

diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
@@ -104,7 +104,7 @@
 
           # Run the ansible playbook
             - name: Run_Ansible_Playbook
-              uses: arillso/action.playbook@master
+              uses: ansible-lockdown/action.playbook@main
               with:
                 playbook: site.yml
                 inventory: .github/workflows/github_linux_IaC/hosts.yml

diff --git a/Changelog.md b/Changelog.md
@@ -1,3 +1,8 @@
 # Amazon 2023 CIS - 26th June 2023
 
-## Initial release
+## 0.91
+
+- issue #2 thanks to @babinskiy
+- moved to self hosted action after forking from arillso
+
+## Initial release 0.9
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -120,6 +120,10 @@
         ansible.builtin.set_fact:
             grub2_path: /etc/grub2-efi.cfg
         when: amzn2023cis_efi_boot.stat.exists
+  when:
+      - amzn2023cis_rule_1_4_1
+  tags:
+      - always
 
 - name: "PRELIM | Update to latest gpg keys"
   ansible.builtin.package:
@@ -260,3 +264,8 @@
       manager: auto
   tags:
       - always
+
+- name: "PRELIM  | Set audit to not run if amazon 2023"
+  ansible.builtin.set_fact:
+      run_audit: false
+  when: ansible_distribution_major_version == '2023'
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
@@ -20,9 +20,9 @@
       - name: "1.4.1 | PATCH | Ensure permissions on bootloader config are configured | efi boot"
         ansible.builtin.lineinfile:
             path: /etc/fstab
-            regexp: (.*\/boot\/efi\s+vfat\s+defaults)
+            regexp: '(.*\/boot\/efi\s+vfat\s+defaults,.*)umask=00\d\d,(fmask=\d\d\d\d,|)(.*$)'
             backrefs: true
-            line: '<g>\1,umask=0027,fmask=0077,uid=0,gid=0 0 0'
+            line: '\1umask=0027,fmask=0077,\3'
         when: not amzn2023cis_legacy_boot
   when:
       - amzn2023cis_rule_1_4_1