Merge pull request #4 from ansible-lockdown/issue_#2

Issue #2
ansible-lockdown · Aug 30, 2023 · fad7186 · fad7186
2 parents a909ca6 + a76d552
commit fad7186
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 4 deletions.
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
@@ -115,7 +115,7 @@
 
           # Run the ansible playbook
             - name: Run_Ansible_Playbook
-              uses: arillso/action.playbook@master
+              uses: ansible-lockdown/action.playbook@main
               with:
                 playbook: site.yml
                 inventory: .github/workflows/github_linux_IaC/hosts.yml

diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
@@ -104,7 +104,7 @@
 
           # Run the ansible playbook
             - name: Run_Ansible_Playbook
-              uses: arillso/action.playbook@master
+              uses: ansible-lockdown/action.playbook@main
               with:
                 playbook: site.yml
                 inventory: .github/workflows/github_linux_IaC/hosts.yml

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -120,6 +120,8 @@
         ansible.builtin.set_fact:
             grub2_path: /etc/grub2-efi.cfg
         when: amzn2023cis_efi_boot.stat.exists
+  tags:
+      - always
 
 - name: "PRELIM | Update to latest gpg keys"
   ansible.builtin.package:

diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
@@ -20,9 +20,9 @@
       - name: "1.4.1 | PATCH | Ensure permissions on bootloader config are configured | efi boot"
         ansible.builtin.lineinfile:
             path: /etc/fstab
-            regexp: (.*\/boot\/efi\s+vfat\s+defaults)
+            regexp: '(.*\/boot\/efi\s+vfat\s+defaults,.*)umask=00\d\d,(fmask=\d\d\d\d,|)(.*$)'
             backrefs: true
-            line: '<g>\1,umask=0027,fmask=0077,uid=0,gid=0 0 0'
+            line: '\1umask=0027,fmask=0077,\3'
         when: not amzn2023cis_legacy_boot
   when:
       - amzn2023cis_rule_1_4_1