From 9361a146e443847a92d4c1561673cc82d0b128c9 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Evrard
Date: Thu, 6 Apr 2017 17:20:12 +0000
Subject: [PATCH] Do not update grub if grub not used

The security check should be skipped if GRUB update tool does not exist (grub isn't installed).

Change-Id: I99a3b372e12e264cbc40bdc3ae6b6b60bf3c1c79
---
 handlers/main.yml | 2 ++
 tasks/main.yml | 7 +++++++
 vars/redhat.yml | 2 +-
 vars/ubuntu.yml | 2 +-
 4 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index c033fa99..41e7a222 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -74,6 +74,8 @@
 command: "{{ grub_update_cmd }}"
 when:
 - security_enable_grub_update | bool
+ - grub_update_binary.stat.exists | bool
+ - grub_update_binary.stat.executable | bool
 notify:
 - set bootloader file permissions after updating grub config
diff --git a/tasks/main.yml b/tasks/main.yml
index 18fa5ddb..10e56b97 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -45,6 +45,13 @@
 tags:
 - always
+ - name: Check if grub is present on the remote node
+ stat:
+ path: "{{ grub_update_cmd.split(' ')[0] }}"
+ register: grub_update_binary
+ tags:
+ - always
+
 - name: Install EPEL repository
 yum:
 name: epel-release
diff --git a/vars/redhat.yml b/vars/redhat.yml
index b48141d1..c3424218 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -39,7 +39,7 @@ chrony_service: chronyd
 clamav_service: 'clamd@scan'
 # Commands
-grub_update_cmd: "grub2-mkconfig -o {{ grub_config_file_boot }}"
+grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
 ssh_keysign_path: /usr/libexec/openssh
 # RHEL 6 STIG: Packages to add/remove
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
index f56ac3da..cb6d4a29 100644
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
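Review bot: The second added condition reads `grub_update_binary.stat.executable`, a key the stat module only reports when the file exists, so the handler works only because Ansible evaluates a `when` list in order and stops at the first false entry; keep the `exists` check ahead of it and say so. A one-line comment above the two new conditions, `# order matters: stat.executable is not returned when the file is absent`, would stop a later reorder from turning a missing grub into an undefined-variable failure. The handler also assumes `grub_update_binary` was registered by the stat task in tasks/main.yml; if the handler is ever notified from a play that did not run that task, the condition errors rather than skips, which is the safer direction for a hardening step but worth stating in the same comment. The handler's `- name:` line is above the hunk.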
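Review bot: `path: "{{ grub_update_cmd.split(' ')[0] }}"` turns a missing or non-absolute command into a silent skip of the grub hardening: an operator who overrides `grub_update_cmd` with a bare command name, as the previous defaults were, gets a stat of a relative path that does not exist on the remote node, the update handler never runs, and nothing in the play output says why. Add a follow-up task right after the stat that reports the condition, for example a `debug` task (or `fail`, when `security_enable_grub_update | bool` is true and the operator expects the update) conditioned on `not grub_update_binary.stat.exists`, so a skipped boot-loader rewrite is visible in the run. The split on a single space also truncates a path containing whitespace; acceptable for the shipped defaults, but a comment next to the `stat` task stating that `grub_update_cmd` must begin with an absolute, whitespace-free path would make the contract explicit. The enclosing task list continues outside the hunk.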
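Review bot: The new absolute path is now load-bearing rather than cosmetic: tasks/main.yml stats the first token of `grub_update_cmd` and the handler skips when it is absent, but nothing in vars/redhat.yml says so, so the next person who shortens it back to `grub2-mkconfig` silently disables the grub update. Replace the bare `# Commands` header with something like `# Commands. grub_update_cmd must begin with an absolute path: tasks/main.yml stats its first token and the grub update handler is skipped when that file is missing or not executable.` The same applies to the matching change in vars/ubuntu.yml (`/usr/sbin/update-grub`). Hard-coding `/usr/sbin` also ties the role to distributions that install the tool there; on a system that places it elsewhere the check would presumably fail quietly, which is one more reason to make the skip visible in the play output.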
@@ -42,7 +42,7 @@ chrony_service: chrony
 clamav_service: clamav-daemon
 # Commands
-grub_update_cmd: "update-grub"
+grub_update_cmd: "/usr/sbin/update-grub"
 ssh_keysign_path: /usr/lib/openssh
 # RHEL 6 STIG: Packages to add/remove