diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index 2b9dc503..94bae31b 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -2,11 +2,20 @@

 - name: "1.4.1 | PATCH | Ensure bootloader password is set"
 block:
- - name: "1.4.1 | PATCH | Ensure bootloader password is set"
+ - name: "1.4.1 | PATCH | Ensure bootloader password is set | superusers line"
 ansible.builtin.lineinfile:
 path: "{{ ubtu20cis_grub_user_file }}"
- regexp: '^(password_pbkdf2 {{ ubtu20cis_grub_user }}) grub.pbkdf2.*'
- line: '\1 {{ ubtu20cis_bootloader_password_hash }}'
+ regexp: '^set superusers'
+ line: 'set superusers="{{ ubtu20cis_grub_user }}"'
+ state: present
+ create: true
+ notify: Grub update
+
+ - name: "1.4.1 | PATCH | Ensure bootloader password is set | set password"
+ ansible.builtin.lineinfile:
+ path: "{{ ubtu20cis_grub_user_file }}"
+ regexp: '^password_pbkdf2 {{ ubtu20cis_grub_user }} grub.pbkdf2.*'
+ line: 'password_pbkdf2 {{ ubtu20cis_grub_user }} {{ ubtu20cis_bootloader_password_hash }}'
 insertafter: set superusers="{{ ubtu20cis_grub_user }}"
 state: present
 create: true
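Review bot: Both lineinfile tasks use `create: true` without `owner`, `group` or `mode`, so when `{{ ubtu20cis_grub_user_file }}` does not exist yet it is created under the process umask, typically world-readable, while holding the PBKDF2 hash of the bootloader password. I would set ownership and permissions explicitly on both tasks, e.g. `owner: root`, `group: root` and a `mode:` that denies access to other users, chosen for where that file lives (its path is not visible in this hunk). The new "set password" task also writes its line unconditionally, so an empty or placeholder `ubtu20cis_bootloader_password_hash` would leave `password_pbkdf2 <user> ` with no hash next to an active superusers entry; a `when:` guard or an assert on the `grub.pbkdf2.` prefix would prevent that, unless one already exists outside the hunk. The second task continues past the last visible line, so I cannot tell whether it also carries `notify: Grub update`.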