Security: Check for grub.cfg first

As noted in bug 1550426, the tasks for grub.cfg will fail if the file is not present. This patch checks for the grub.cfg and only tries to make changes if the file is present. Closes-bug: 1550426 Change-Id: Id5368dfa2c24d555c59f9ceef4676f3d15706ad9
2016-02-29 14:15:29 -06:00 · 2016-02-29 14:15:29 -06:00 · 6803e42e10
commit 6803e42e10
parent d0420c9bd3
2 changed files with 13 additions and 0 deletions
--- a/tasks/boot.yml
+++ b/tasks/boot.yml
@ -13,6 +13,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+- name: Check to see if grub.cfg exists
+  stat:
+    path: /boot/grub/grub.cfg
+  register: grub_cfg
+  always_run: True
+
 - name: V-38579 - Bootloader configuration files must be owned by root
  file:
    path: /boot/grub/grub.cfg
@ -21,6 +27,7 @@
    - boot
    - cat2
    - V-38579
+  when: grub_cfg.stat.exists

 - name: V-38581 - Bootloader configuration files must be group-owned by root
  file:
@ -30,6 +37,7 @@
    - boot
    - cat2
    - V-38581
+  when: grub_cfg.stat.exists

 - name: V-38582 - Bootloader configuration files must have mode 0644 or less
  file:
@ -39,3 +47,4 @@
    - boot
    - cat2
    - V-38582
+  when: grub_cfg.stat.exists
--- a/tests/test.yml
+++ b/tests/test.yml
@ -15,5 +15,9 @@

 - name: Playbook for role testing
  hosts: localhost
+  pre_tasks:
+    - name: Ensure apt cache is updated before testing
+      apt:
+        update_cache: yes
  roles:
    - role: "{{ rolename }}"