From 63016f1c4ff7f559150a461f87b028998d69c2e4 Mon Sep 17 00:00:00 2001
From: aircraft-cerier <58537442+aircraft-cerier@users.noreply.github.com>
Date: Wed, 15 Jul 2020 00:04:16 -0700
Subject: [PATCH] Covering 1.5.1 for menu.lst and grub.conf (#78)

* Covering 1.5.1 for menu.lst and grub.conf
---
 tasks/prelim.yml | 12 +++++++++++-
 tasks/section1.yml | 36 +++++++++++++++++++++++++++++++++++-
 2 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 1beb222..9e6f89b 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -322,11 +322,21 @@
 changed_when: false
 check_mode: false
 
-- name: "PRELIM | Check the grub configuration"
+- name: "PRELIM | Check the grub.cfg configuration"
 stat:
 path: /boot/grub/grub.cfg
 register: grub_cfg
 
+- name: "PRELIM | Check the grub.conf configuration"
+ stat:
+ path: /boot/grub/grub.conf
+ register: grub_conf
+
+- name: "PRELIM | Check the menu.lst configuration"
+ stat:
+ path: "/boot/grub/menu.lst"
+ register: menu_lst
+
 - name: "PRELIM | Check that system accounts are non-login #1"
 shell: >
 set -o pipefail &&
diff --git a/tasks/section1.yml b/tasks/section1.yml
index fc57a57..f7c7dd2 100644
--- a/tasks/section1.yml
+++ b/tasks/section1.yml
@@ -720,7 +720,7 @@
 - patch
 - rule_1.4.2
 
-- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured"
+- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.cfg"
 file:
 path: "/boot/grub/grub.cfg"
 owner: root
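Review bot: The two new stat tasks quote their `path` values inconsistently — `path: /boot/grub/grub.conf` is plain while `path: "/boot/grub/menu.lst"` is quoted, and the existing `grub_cfg` task uses the plain form; pick one style, e.g. `path: "/boot/grub/grub.conf"` to match the quoted paths the 1.5.1 tasks in section1.yml use. The registered `grub_conf` and `menu_lst` results are only defined when this prelim file runs, so a tag-filtered run that executes only rule_1.5.1 would presumably fail on an undefined `grub_conf.stat.exists`; that is the same situation the existing `grub_cfg` task is already in, so a comment such as `# Registered here for the 1.5.1 permission tasks in section1.yml` above the new stat tasks would make the dependency visible. These paths are legacy-GRUB locations that will normally be absent on Ubuntu 18.04, which the `stat.exists` guards in section1.yml already handle by skipping the task.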
@@ -736,6 +736,40 @@
 - patch
 - rule_1.5.1
 
+- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for grub.conf"
+ file:
+ path: "/boot/grub/grub.conf"
+ owner: root
+ group: root
+ mode: 0400
+ when:
+ - ansible_os_family == "Debian"
+ - ubuntu1804cis_rule_1_5_1
+ - grub_conf.stat.exists
+ tags:
+ - level1
+ - scored
+ - grub
+ - patch
+ - rule_1.5.1
+
+- name: "SCORED | 1.5.1 | PATCH | Ensure permissions on bootloader config are configured for menu.lst"
+ file:
+ path: "/boot/grub/menu.lst"
+ owner: root
+ group: root
+ mode: 0400
+ when:
+ - ansible_os_family == "Debian"
+ - ubuntu1804cis_rule_1_5_1
+ - menu_lst.stat.exists
+ tags:
+ - level1
+ - scored
+ - grub
+ - patch
+ - rule_1.5.1
+
 - name: "SCORED | 1.5.2 | PATCH | Ensure bootloader password is set - generate password"
 shell: "set -o pipefail; if [ '{{ ubuntu1804cis_bootloader_password }}' == 'random' ];