From 6290d78ece52f8f61417b83053629e25a7ecd110 Mon Sep 17 00:00:00 2001
From: rbthomp <26642445+rbthomp@users.noreply.github.com>
Date: Tue, 27 Aug 2019 14:08:52 -0600
Subject: [PATCH] CIS 1.4.1 updated to match benchmark

/etc/grub2.cfg is a symlink to /boot/grub2/grub.cfg because symlinks are always 777 checking the /etc/grub2.cfg will always fail. The CIS documentation is looking for permission on /boot/grub2/grub.cfg and /boot/grub2/user.cfg (if user.cfg exists).
---
 .../cis/centos-7-level-1-scored-v2-2-0.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
index 505ddfe..920d086 100644
--- a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
+++ b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-2-0.yaml
@@ -893,13 +893,21 @@ stat:
 grub_conf_own_perm:
 data:
 CentOS Linux-7:
- - /etc/grub2.cfg:
+ - /boot/grub2/grub.cfg:
 gid: 0
 group: root
 mode: 600
 tag: CIS-1.4.1
 uid: 0
 user: root
+ - /boot/grub2/user.cfg:
+ gid: 0
+ group: root
+ mode: 600
+ tag: CIS-1.4.1
+ uid: 0
+ user: root
+ match_on_file_missing: True
 description: Ensure permissions on bootloader config are configured
 hosts_allow:
 data:
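Review bot: The added `match_on_file_missing: True` line must be scoped to the `- /boot/grub2/user.cfg:` item alone; the hunk's indentation is lost in this rendering, and if the key sits at the audit level beside `data:` it would apply to both entries and let a missing `/boot/grub2/grub.cfg` pass silently, which the benchmark does not permit. Keeping it inside the user.cfg mapping, indented like its `mode: 600` sibling, tolerates an absent user.cfg as the commit message intends while a missing grub.cfg still fails. Whether the stat module reads this key per file or per audit is not visible here, so it is worth confirming against the module before merging. A short comment on the user.cfg entry such as `# user.cfg is optional on CentOS 7; only check it when present` would make the intent clear to the next maintainer.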