🐛 Correct default value for ubtu22cis_grub_file: /boot/grub/grub.cfg

CIS's assessment for rule 1.4.2 Ensure permissions on bootloader config are configured uses `/boot/grub/grub.cfg`. I think the current value defined within the variable ubtu22cis_grub_file(respectively /etc/default/grub.cfg) is wrong, as it is a mix between: DEFAULT FILE: /etc/default/grub THE AUTO-GENERATED GRUB FILE: /boot/grub/grub.cfg So the current value `/boot/grub/grub.cfg` is a non-existant file, but CIS rule means `/boot/grub/grub.cfg`. Signed-off-by: Fabian Raab <[email protected]>
ansible-lockdown · Sep 28, 2023 · 81221ae · 81221ae
1 parent 8713b3f
commit 81221ae
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -573,7 +573,10 @@ ubtu22cis_grub_user_file: /etc/grub.d/00_user
 ubtu22cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword"  # pragma: allowlist secret
 ubtu22cis_set_boot_pass: true
 
-ubtu22cis_grub_file: /etc/default/grub.cfg
+## Control 1.4.2
+# The grub configuration file contain senitive information, for example boot parameters or passwords.
+# Specify the file here which is used by GRUB during boot.
+ubtu22cis_grub_file: /boot/grub/grub.cfg
 
 ## Controls 1.6.1.x - apparmor
 # AppArmor security policies define what system resources applications can access and their privileges.