Fix grub.cfg permissions (CIS 1.4.1)
* CIS 1.4.1 Ensure permissions on bootloader config are configured
Related-Prod: PROD-22655
Change-Id: Ia282baae0be5c038d42b672758662aaed9aae6f5
diff --git a/linux/system/grub.sls b/linux/system/grub.sls
index 74ea553..49277ff 100644
--- a/linux/system/grub.sls
+++ b/linux/system/grub.sls
@@ -7,6 +7,7 @@
- makedirs: True
{%- if grains['os_family'] == 'RedHat' %}
+ {%- set boot_grub_cfg = '/boot/grub2/grub.cfg' %}
/etc/default/grub:
file.append:
- text:
@@ -14,14 +15,26 @@
grub_update:
cmd.wait:
- - name: grub2-mkconfig -o /boot/grub2/grub.cfg
+ - name: grub2-mkconfig -o {{ boot_grub_cfg }}
{%- else %}
+ {%- set boot_grub_cfg = '/boot/grub/grub.cfg' %}
-{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
grub_update:
cmd.wait:
- name: update-grub
-{%- endif %}
+ {%- if grains.get('virtual_subtype') in ['Docker', 'LXC'] %}
+ - onlyif: /bin/false
+ {%- endif %}
{%- endif %}
+
+grub_cfg_permissions:
+ file.managed:
+ - name: {{ boot_grub_cfg }}
+ - user: 'root'
+ - owner: 'root'
+ - mode: '400'
+ - onlyif: test -f {{ boot_grub_cfg }}
+ - require:
+ - cmd: grub_update