From bac6e9743e2c3a53c940768d82f2d98223afa376 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 16 May 2023 12:11:04 +0100
Subject: [PATCH 1/3] #18 corrected
Signed-off-by: Mark Bolwell
---
 tasks/LE_audit_setup.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
index 61a4cdf..8321a32 100644
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@@ -13,7 +13,7 @@
 - name: copy audit binary copy: - src: + src: "{{ copy_goss_from_path }}" dest: "{{ audit_bin }}" mode: 0555 owner: root
From 94f37e67ce9220b69e15b1e4e6b434bd3f1d345e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 16 May 2023 12:14:09 +0100
Subject: [PATCH 2/3] updated due to #19 great catch
Signed-off-by: Mark Bolwell
---
 tasks/pre_remediation_audit.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index dd98183..3e0c4a6 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -34,7 +34,6 @@
 copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dir }}" - mode: 0644 when: - audit_content == 'copy'
From 4975300535c6e11c2298ad9b23ba01b0d0b54531 Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Fri, 7 Jun 2024 12:04:51 -0400
Subject: [PATCH 3/3] Updating Grub
Signed-off-by: Mathieu Fortin
---
 tasks/section_4/cis_4.1.1.x.yml | 20 ++++++++++----------
 tasks/section_4/cis_4.1.2.x.yml | 24 ++++++++++++------------
 2 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml
index f8a7a3f..a9a0ac0 100644
--- a/tasks/section_4/cis_4.1.1.x.yml
+++ b/tasks/section_4/cis_4.1.1.x.yml 
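Review bot: The new `src: "{{ copy_goss_from_path }}"` installs the audit binary with no integrity check, and the same task (context lines `mode: 0555`, `owner: root`) makes it root-owned and executable, so a corrupted or substituted file at that path is deployed as-is; the copy module's `checksum:` option (the SHA1 of the expected file, e.g. `checksum: "{{ copy_goss_checksum }}"` — constructed variable name) would let the role refuse a mismatching binary. Whether `copy_goss_from_path` has a default, and whether it is absolute or resolved relative to the role's `files/` directory, is not visible in this hunk and is worth a comment next to the variable. `mode: 0555` is an unquoted leading-zero octal; Ansible reads it as intended, but `mode: "0555"` is the form ansible-lint's risky-octal rule asks for.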
@@ -34,26 +34,26 @@
 - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Get Grub CMDLINE Settings" - shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -d'"' -f2 + shell: grep -c -E '^GRUB_CMDLINE_LINUX(_DEFAULT)?=' /etc/default/grub changed_when: false failed_when: false register: amazon2cis_4_1_1_3_grub_cmdline_linux - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if audit setting already set" - replace: + - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if Grub CMDLINE exists" + lineinfile: path: /etc/default/grub - regexp: 'audit=([^\D]+)' - replace: 'audit=1' + regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?)="(.*)( audit=\d)?(.*)"' + line: '\1="\2 audit=1\3"' + backrefs: true notify: grub2cfg - when: "'audit=' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout" + when: "'1' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout" - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if audit setting not already set" + - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if Grub CMDLINE does not exist" lineinfile: path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ amazon2cis_4_1_1_3_grub_cmdline_linux.stdout }} audit=1"' + line: 'GRUB_CMDLINE_LINUX="audit=1"' notify: grub2cfg - when: "'audit=' not in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout" + when: "'0' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout" when: - amazon2cis_rule_4_1_1_3 tags:
diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml
index c4cbb65..15afb76 100644
--- a/tasks/section_4/cis_4.1.2.x.yml
+++ b/tasks/section_4/cis_4.1.2.x.yml 
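Review bot: The new `when: "'1' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout"` and `when: "'0' in ..."` are substring tests on a `grep -c` count, so when both `GRUB_CMDLINE_LINUX` and `GRUB_CMDLINE_LINUX_DEFAULT` are present (which the widened regex now deliberately counts) the output is `2`, neither task runs and `audit=1` is never set, while a count of `10` would satisfy both; compare integers instead: `when: amazon2cis_4_1_1_3_grub_cmdline_linux.stdout | int > 0` and `... | int == 0`. The new `regexp` is also not idempotent: the greedy `(.*)` in group 2 always swallows an existing ` audit=0` or ` audit=1`, so group 3 never captures and `line: '\1="\2 audit=1\3"'` appends another ` audit=1` on every run and leaves a prior `audit=0` in place (and `\3` refers to the optional group where `\4` seems intended). Since lineinfile with backrefs rewrites only the last matching line, a file with both keys gets only one of them changed; the rewrite below normalises an existing value with `replace` (all matching lines) and appends only when `audit=` is absent, keeping the existing "does not exist" task for the no-line case. The same two defects are in the 4.1.2.4 hunk of cis_4.1.2.x.yml. The block's `tags:` list continues past the hunk.
```yaml
      # … unchanged: "Get Grub CMDLINE Settings" task …

      - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set audit=1 when a value is already present"
        replace:
          path: /etc/default/grub
          regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?=".*)\baudit=\d+'
          replace: '\1audit=1'
        notify: grub2cfg

      - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Append audit=1 when absent"
        lineinfile:
          path: /etc/default/grub
          regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?)="((?:(?!\baudit=).)*)"$'
          line: '\1="\2 audit=1"'
          backrefs: true
        notify: grub2cfg

      # … unchanged: "Set if Grub CMDLINE does not exist" task, except its condition …
        when: amazon2cis_4_1_1_3_grub_cmdline_linux.stdout | int == 0
```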
@@ -55,26 +55,26 @@
 - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient" block: - name: "4.1.2.4 | AUDIT | Ensure audit_backlog_limit is sufficient | Grep GRUB_CMDLINE_LINUX parameter" - shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | cut -f2 -d'"' + shell: grep -c -E 'GRUB_CMDLINE_LINUX(_DEFAULT)?=' /etc/default/grub changed_when: false failed_when: false register: amazon2cis_4_1_2_4_grub_cmdline_linux_settings - - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if not configured" + - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if GRUB_CMDLINE_LINUX exists" lineinfile: - dest: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout }} audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"' + path: /etc/default/grub + regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?)="(.*)( audit_backlog_limit={{ amazon2cis_audit_backlog_limit }})?(.*)"' + line: '\1="\2 audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}\3"' + backrefs: true notify: grub2cfg - when: '"audit_backlog_limit" not in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout' + when: "'1' in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout" - - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Adjust audit_backlog_limit if exists" - replace: - dest: /etc/default/grub - regexp: 'audit_backlog_limit=([^\D]+)' - replace: 'audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}' + - name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if GRUB_CMDLINE_LINUX does not exists" + lineinfile: + path: /etc/default/grub + replace: 'GRUB_CMDLINE_LINUX="audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"' notify: grub2cfg - when: '"audit_backlog_limit" in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout' + when: "'0' in 
amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout" when: - amazon2cis_rule_4_1_2_4 tags:
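Review bot: `replace:` under `lineinfile:` in the new "does not exists" task is not a lineinfile option (the module's content argument is `line`), so the first time that branch is selected the task should fail argument validation rather than write anything; change it to `line: 'GRUB_CMDLINE_LINUX="audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"'`. The new `grep -c -E 'GRUB_CMDLINE_LINUX(_DEFAULT)?='` lacks the `^` anchor used in the cis_4.1.1.x.yml hunk, so a commented-out `#GRUB_CMDLINE_LINUX=` line counts as present and the create task never runs. The substring `when` tests on the count and the greedy `(.*)` group that makes the backrefs `line` append a second `audit_backlog_limit=` on each run are the defects already raised on the 4.1.1.3 hunk and need the same fix here; note that the optional group only matches when the existing value already equals `amazon2cis_audit_backlog_limit`, so a different existing value is left in `\2` beside the new one. The task name also reads `does not exists`. The block's `tags:` list continues past the hunk.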