---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Check to see if grub.cfg exists
  stat:
    path: "{{ grub_conf_file }}"
  register: grub_cfg
  always_run: True

- name: V-38438 - Auditing must be enabled at boot by setting a kernel parameter
  lineinfile:
    dest: /etc/default/grub.d/99-enable-auditd.cfg
    line: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT audit=1"'
    create: yes
  notify:
    - update grub config
  tags:
    - boot
    - cat1
    - V-38438
  when:
    - security_enable_audit_during_boot | bool

- name: V-38579 - Bootloader configuration files must be owned by root
  file:
    path: "{{ grub_conf_file }}"
    owner: root
  tags:
    - boot
    - cat2
    - V-38579
  when:
    - grub_cfg.stat.exists

- name: V-38581 - Bootloader configuration files must be group-owned by root
  file:
    path: "{{ grub_conf_file }}"
    group: root
  tags:
    - boot
    - cat2
    - V-38581
  when:
    - grub_cfg.stat.exists

- name: V-38583 - Bootloader configuration files must have mode 0644 or less
  file:
    path: "{{ grub_conf_file }}"
    mode: 0644
  tags:
    - boot
    - cat2
    - V-38583
  when: grub_cfg.stat.exists