diff --git a/ansible/playbooks/init-rocky-system-config.yml b/ansible/playbooks/init-rocky-system-config.yml
index dda3b5c..b57b649 100644
--- a/ansible/playbooks/init-rocky-system-config.yml
+++ b/ansible/playbooks/init-rocky-system-config.yml
@@ -34,7 +34,10 @@ import_tasks: tasks/authentication.yml - name: Configure auditd - include: tasks/auditd.yml + import_tasks: tasks/auditd.yml + + - name: Configure grub + import_tasks: tasks/grub.yml post_tasks: - name: Touching run file that ansible has ran here
diff --git a/ansible/playbooks/tasks/grub.yml b/ansible/playbooks/tasks/grub.yml
new file mode 100644
index 0000000..df8e431
--- /dev/null
+++ b/ansible/playbooks/tasks/grub.yml
@@ -0,0 +1,52 @@
+---
+- name: Reset grub link if we are EFI
+ set_fact:
+ grub_config_path_link: "{{ grub_config_path_efi }}"
+ when:
+ - efi_installed.stat.isdir is defined
+ - efi_installed.stat.isdir
+ - grub_config_path_efi is defined
+ tags:
+ - efi
+
+- name: Create grub.d directory
+ file:
+ name: /etc/default/grub.d
+ owner: root
+ group: root
+ mode: '0755'
+ state: directory
+ recurse: true
+ tags:
+ - grub
+ - kernel
+ - harden
+
+- name: Append /etc/default/grub file
+ lineinfile:
+ path: /etc/default/grub
+ line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done
+ state: present
+ tags:
+ - grub
+ - kernel
+ - harden
+
+- name: Command line defaults
+ copy:
+ dest: "/etc/default/grub.d/99-rocky.cfg"
+ owner: root
+ group: root
+ mode: '0644'
+ content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ grub_boot_options }}"'
+ tags:
+ - grub
+ - kernel
+ - harden
+
+- name: Rebuild grub
+ command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }}
+ tags:
+ - grub
+ - kernel
+ - harden
diff --git a/ansible/playbooks/tasks/harden.yml b/ansible/playbooks/tasks/harden.yml
index 619f352..997ce49 100644
--- a/ansible/playbooks/tasks/harden.yml
+++ b/ansible/playbooks/tasks/harden.yml
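Review bot: The `Reset grub link if we are EFI` task in grub.yml carries only the `efi` tag while the four tasks under it are tagged `grub`, `kernel` and `harden`, so a run limited with `--tags grub` or `--tags harden` on an EFI host skips the path switch and `Rebuild grub` writes to the default `grub_config_path_link` instead of `grub_config_path_efi`, leaving the booted configuration without `grub_boot_options`; give that task the same three tags. `recurse: true` on `Create grub.d directory` also applies `mode: '0755'` to files already in the directory, which the later `copy` resets to `0644`, so every run after the first reports two spurious changes; drop the `recurse` line. `Rebuild grub` runs on every play regardless of whether anything changed; add `register: grub_default_line` to the lineinfile task and `register: grub_dropin` to the copy task, then guard the command with `when: grub_default_line is changed or grub_dropin is changed`. The appended loop sources whatever `ls` lists, editor backups and `*.rpmsave` files included, so a glob such as `for x in /etc/default/grub.d/*.cfg ; do source "$x" ; done` keeps it to the drop-ins this file manages. `efi_installed` is not registered anywhere in this file and is presumably set by a `stat` task elsewhere; a header comment naming that prerequisite would help the next reader.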
@@ -214,54 +214,3 @@ state: absent tags: - harden - -- name: grub and kernel - block: - - name: Reset grub link if we are EFI - set_fact: - grub_config_path_link: "{{ grub_config_path_efi }}" - when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir and grub_config_path_efi is defined - tags: - - efi - - - name: grub.d directory - file: - name: /etc/default/grub.d - owner: root - group: root - mode: '0755' - state: directory - recurse: true - tags: - - grub - - kernel - - harden - - - name: Append /etc/default/grub file - lineinfile: - path: /etc/default/grub - line: for x in $(ls /etc/default/grub.d) ; do source /etc/default/grub.d/$x ; done - state: present - tags: - - grub - - kernel - - harden - - - name: Grub command line defaults - copy: - dest: "/etc/default/grub.d/99-rocky.cfg" - owner: root - group: root - mode: '0644' - content: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ kernel_boot_options }}"' - tags: - - grub - - kernel - - harden - - - name: rebuild grub - command: /usr/sbin/grub2-mkconfig -o {{ grub_config_path_link }} - tags: - - grub - - kernel - - harden
diff --git a/ansible/playbooks/vars/RedHat.yml b/ansible/playbooks/vars/RedHat.yml
index 64c9bab..9f6b27c 100644
--- a/ansible/playbooks/vars/RedHat.yml
+++ b/ansible/playbooks/vars/RedHat.yml
@@ -3,9 +3,12 @@ bin_su: /usr/bin/su bin_sudo: /usr/bin/sudo -kernel_boot_options: audit=1 + +# grub variables +grub_boot_options: audit=1 grub_config_path_link: /etc/grub2.cfg grub_config_path_efi: /etc/grub2-efi.cfg + ipatype: client # Removing TFTP for now because there will likely be tftp/pxe servers