Do not update grub if grub not used

The security check should be skipped if GRUB update tool does not exist (grub isn't installed). Change-Id: I99a3b372e12e264cbc40bdc3ae6b6b60bf3c1c79
2017-04-06 17:20:12 +00:00 · 2017-04-06 17:20:12 +00:00 · 9361a146e4
parent 6f524798fc
commit 9361a146e4
4 changed files with 11 additions and 2 deletions
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -74,6 +74,8 @@
  command: "{{ grub_update_cmd }}"
  when:
    - security_enable_grub_update | bool
+    - grub_update_binary.stat.exists | bool
+    - grub_update_binary.stat.executable | bool
  notify:
    - set bootloader file permissions after updating grub config

--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -45,6 +45,13 @@
    tags:
      - always

+  - name: Check if grub is present on the remote node
+    stat:
+      path: "{{ grub_update_cmd.split(' ')[0] }}"
+    register: grub_update_binary
+    tags:
+      - always
+
  - name: Install EPEL repository
    yum:
      name: epel-release
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -39,7 +39,7 @@ chrony_service: chronyd
 clamav_service: 'clamd@scan'

 # Commands
-grub_update_cmd: "grub2-mkconfig -o {{ grub_config_file_boot }}"
+grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
 ssh_keysign_path: /usr/libexec/openssh

 # RHEL 6 STIG: Packages to add/remove
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@ -42,7 +42,7 @@ chrony_service: chrony
 clamav_service: clamav-daemon

 # Commands
-grub_update_cmd: "update-grub"
+grub_update_cmd: "/usr/sbin/update-grub"
 ssh_keysign_path: /usr/lib/openssh

 # RHEL 6 STIG: Packages to add/remove