
Commit 4fc3ae3

STIG expects the "audit=1" in both GRUB_CMDLINE_LINUX_DEFAULT and GRUB_CMDLINE_LINUX
Signed-off-by: Alan Moore <alan.moore@canonical.com>
1 parent 1ad577e commit 4fc3ae3


2 files changed

+46
-29
lines changed


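--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -1599,49 +1599,58 @@ Part of the grub2_bootloader_argument template.
 #}}
 {{%- macro ansible_grub2_bootloader_argument(arg_name, arg_name_value, arg_variable) -%}}
 {{% if 'ubuntu' in product or 'debian' in product or product in ['ol7', 'sle12', 'sle15', 'sle16', 'slmicro5'] %}}
-- name: Check {{{ arg_name }}} argument exists
-ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=' /etc/default/grub
+
+{{%- if 'ubuntu' in product %}}
+{{%- set grub_vars = ['GRUB_CMDLINE_LINUX', 'GRUB_CMDLINE_LINUX_DEFAULT'] -%}}
+{{%- else %}}
+{{%- set grub_vars = ['GRUB_CMDLINE_LINUX'] -%}}
+{{%- endif %}}
+
+{{%- for grub_var in grub_vars %}}
+- name: Check {{{ arg_name }}} argument exists in {{{ grub_var }}}
+ansible.builtin.command: grep '^\s*{{{ grub_var }}}=.*{{{ arg_name }}}=' /etc/default/grub
 check_mode: False
 failed_when: False
 changed_when: False
-register: argcheck
+register: argcheck_{{{ grub_var }}}
 
-- name: Check {{{ arg_name }}} argument exists
-ansible.builtin.command: grep '^\s*GRUB_CMDLINE_LINUX=' /etc/default/grub
+- name: Check {{{ grub_var }}} line exists
+ansible.builtin.command: grep '^\s*{{{ grub_var }}}=' /etc/default/grub
 check_mode: False
 failed_when: False
 changed_when: False
-register: linecheck
+register: linecheck_{{{ grub_var }}}
 
-- name: Add {{{ arg_name }}} argument
+- name: Add {{{ arg_name }}} argument to {{{ grub_var }}}
 ansible.builtin.lineinfile:
-line: 'GRUB_CMDLINE_LINUX="{{{ arg_name_value }}} "'
+line: '{{{ grub_var }}}="{{{ arg_name_value }}} "'
 state: present
 dest: /etc/default/grub
 create: yes
 mode: '0644'
-when: argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and linecheck.rc != 0
+when: argcheck_{{{ grub_var }}} is not skipped and linecheck_{{{ grub_var }}} is not skipped and argcheck_{{{ grub_var }}}.rc != 0 and linecheck_{{{ grub_var }}}.rc != 0
 
-- name: Replace existing {{{ arg_name }}} argument
+- name: Replace existing {{{ arg_name }}} argument in {{{ grub_var }}}
 ansible.builtin.replace:
 path: /etc/default/grub
-regexp: '{{{ arg_name }}}=[a-zA-Z0-9,]+'
-replace: '{{{ arg_name_value }}}'
-when: argcheck is not skipped and linecheck is not skipped and argcheck.rc == 0 and linecheck.rc == 0
+regexp: '(^\s*{{{ grub_var }}}=.*){{{ arg_name }}}=[a-zA-Z0-9,]+(.*)'
+replace: '\1{{{ arg_name_value }}}\2'
+when: argcheck_{{{ grub_var }}} is not skipped and linecheck_{{{ grub_var }}} is not skipped and argcheck_{{{ grub_var }}}.rc == 0 and linecheck_{{{ grub_var }}}.rc == 0
 
-- name: Add {{{ arg_name }}} argument
+- name: Add {{{ arg_name }}} argument to {{{ grub_var }}}
 ansible.builtin.replace:
 path: /etc/default/grub
-regexp: '(^\s*GRUB_CMDLINE_LINUX=.*)"'
+regexp: '(^\s*{{{ grub_var }}}=.*)"'
 replace: '\1 {{{ arg_name_value }}}"'
-when: argcheck is not skipped and linecheck is not skipped and argcheck.rc != 0 and linecheck.rc == 0
+when: argcheck_{{{ grub_var }}} is not skipped and linecheck_{{{ grub_var }}} is not skipped and argcheck_{{{ grub_var }}}.rc != 0 and linecheck_{{{ grub_var }}}.rc == 0
+{{%- endfor %}}
 
 {{% endif -%}}
 
 {{% if product in ['sle12', 'sle15', 'sle16', 'slmicro5'] %}}
 - name: Update grub defaults and the bootloader menu
 ansible.builtin.command: /usr/sbin/grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg
-{{% elif 'debian' in product %}}
+{{% elif 'debian' in product or 'ubuntu' in product %}}
 - name: Update grub defaults and the bootloader menu
 ansible.builtin.command: /usr/sbin/update-grub
 {{% else %}}
@@ -2395,7 +2404,7 @@ lines will be inserted at the beginning of the profile.
 
 {{#
 
-Set a sshd configuration parameter to a value for system with /usr - located default config
+Set a sshd configuration parameter to a value for system with /usr - located default config
 
 :parameter msg: Message to be set as Task Title, if not set the rule's title will be used instead
 :type msg: str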
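Review bot: The header comment of `ansible_grub2_bootloader_argument`, which ends at the `#}}` context line at the top of the first hunk and starts above it, is not touched by this commit, so it presumably still describes the macro as editing a single GRUB variable even though the new `grub_vars` loop now writes the argument into both GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT on Ubuntu; add a sentence such as `On Ubuntu the argument is applied to both GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT, since STIG expects it in both.` to that comment. The same documentation gap applies to `update_etc_default_grub_manually` in shared/macros/10-bash.jinja. Separately, the new `grep '^\s*{{{ grub_var }}}=.*{{{ arg_name }}}='` check and the anchored `regexp` of the replace task match `{{{ arg_name }}}=` with no boundary before the name, so a caller whose argument name is a suffix of another argument on the same line (constructed example: an `audit` check on a line already carrying `foo_audit=0`) would see a false positive and rewrite the wrong value; a `(^|\s)` or `[ "]` in front of `{{{ arg_name }}}=` in both patterns would close that, if any existing caller can hit it.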

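--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -1964,18 +1964,26 @@ fi
 
 #}}
 {{%- macro update_etc_default_grub_manually(arg_name, arg_name_value) -%}}
+{{%- if 'ubuntu' in product -%}}
+{{%- set grub_vars = "GRUB_CMDLINE_LINUX GRUB_CMDLINE_LINUX_DEFAULT" -%}}
+{{%- else -%}}
+{{%- set grub_vars = "GRUB_CMDLINE_LINUX" -%}}
+{{%- endif -%}}
+
 # Correct the form of default kernel command line in GRUB
-if grep -q '^\s*GRUB_CMDLINE_LINUX=.*{{{ arg_name }}}=.*"' '/etc/default/grub' ; then
-# modify the GRUB command-line if an {{{ arg_name }}}= arg already exists
-sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\){{{ arg_name }}}=[^[:space:]]\+\(.*\"\)/\1{{{ arg_name_value }}}\2/" '/etc/default/grub'
-# Add to already existing GRUB_CMDLINE_LINUX parameters
-elif grep -q '^\s*GRUB_CMDLINE_LINUX=' '/etc/default/grub' ; then
-# no {{{ arg_name }}}=arg is present, append it
-sed -i "s/\(^\s*GRUB_CMDLINE_LINUX=\".*\)\"/\1 {{{ arg_name_value }}}\"/" '/etc/default/grub'
-# Add GRUB_CMDLINE_LINUX parameters line
-else
-echo "GRUB_CMDLINE_LINUX=\"{{{ arg_name_value }}}\"" >> '/etc/default/grub'
-fi
+for grub_var in {{{ grub_vars }}}; do
+if grep -q "^\s*${grub_var}=\".*{{{ arg_name }}}=.*\"" '/etc/default/grub' ; then
+# modify the GRUB command-line if an {{{ arg_name }}}= arg already exists
+sed -i "s/\(^\s*${grub_var}=\".*\){{{ arg_name }}}=[^[:space:]]\+\(.*\"\)/\1{{{ arg_name_value }}}\2/" '/etc/default/grub'
+# Add to already existing parameters
+elif grep -q "^\s*${grub_var}=" '/etc/default/grub' ; then
+# no {{{ arg_name }}}=arg is present, append it
+sed -i "s/\(^\s*${grub_var}=\".*\)\"/\1 {{{ arg_name_value }}}\"/" '/etc/default/grub'
+# Add parameters line if completely missing
+else
+echo "${grub_var}=\"{{{ arg_name_value }}}\"" >> '/etc/default/grub'
+fi
+done
 {{%- endmacro %}}
 
 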
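Review bot: The rewritten first-branch test `grep -q "^\s*${grub_var}=\".*{{{ arg_name }}}=.*\""` now requires a double quote right after `=`, which matches what its `sed` already required, but the `elif` branch still tests only `"^\s*${grub_var}="` while its `sed` also needs `${grub_var}="…"`; a `GRUB_CMDLINE_LINUX` or `GRUB_CMDLINE_LINUX_DEFAULT` line whose value is unquoted or single-quoted is therefore matched by the `elif`, left unchanged by the `sed`, and never reaches the `else` that would write the line, so the remediation silently does nothing for that variable. Tightening the `elif` to `elif grep -q "^\s*${grub_var}=\"" '/etc/default/grub' ; then` would at least make such a line fall through to the `else` branch, or alternatively a final `grep -q` after `fi` could verify that `{{{ arg_name }}}=` is now present on the `${grub_var}` line and return non-zero otherwise, so the failure is visible to the caller. The `for`/`done` loop and the macro are complete within the hunk.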