Verify /boot/grub/grub.cfg User Ownership

$ sudo chown root /boot/grub/grub.cfg 

# Remediation is applicable only in certain platforms
if [ ! -d /sys/firmware/efi ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

chown 0 /boot/grub/grub.cfg

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
 package\_facts:
 manager: auto
 tags:
 - CJIS-5.5.2.2
 - NIST-800-171-3.4.5
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-7.1
 - PCI-DSSv4-2.2.6
 - configure\_strategy
 - file\_owner\_grub2\_cfg
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Test for existence /boot/grub/grub.cfg
 stat:
 path: /boot/grub/grub.cfg
 register: file\_exists
 when:
 - '"/boot/efi" not in ansible\_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible\_facts.packages'
 - ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CJIS-5.5.2.2
 - NIST-800-171-3.4.5
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-7.1
 - PCI-DSSv4-2.2.6
 - configure\_strategy
 - file\_owner\_grub2\_cfg
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure owner 0 on /boot/grub/grub.cfg
 file:
 path: /boot/grub/grub.cfg
 owner: '0'
 when:
 - '"/boot/efi" not in ansible\_mounts | map(attribute="mount") | list'
 - '"grub2-common" in ansible\_facts.packages'
 - ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 - file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - CJIS-5.5.2.2
 - NIST-800-171-3.4.5
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-7.1
 - PCI-DSSv4-2.2.6
 - configure\_strategy
 - file\_owner\_grub2\_cfg
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed