From 0942edc3c1354296538147fb54acbc9c1b622eaa Mon Sep 17 00:00:00 2001
From: Dan D
Date: Tue, 26 Sep 2023 13:14:14 -0700
Subject: [PATCH] adds superusers and fixes issue #88
Signed-off-by: Dan D
---
 tasks/section_1/cis_1.4.x.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index 2b9dc503..f9a41d47 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -2,14 +2,17 @@
 - name: "1.4.1 | PATCH | Ensure bootloader password is set"
 block:
- - name: "1.4.1 | PATCH | Ensure bootloader password is set"
+ - name: "1.4.1 | PATCH | Ensure bootloader password is set | set superusers and password"
 ansible.builtin.lineinfile:
 path: "{{ ubtu20cis_grub_user_file }}"
- regexp: '^(password_pbkdf2 {{ ubtu20cis_grub_user }}) grub.pbkdf2.*'
- line: '\1 {{ ubtu20cis_bootloader_password_hash }}'
- insertafter: set superusers="{{ ubtu20cis_grub_user }}"
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
 state: present
+ insertafter: "{{ item.after | default(omit) }}"
 create: true
+ loop:
+ - { regexp: '^set superusers', line: 'set superusers="{{ ubtu20cis_grub_user }}"' }
+ - { regexp: '^password_pbkdf2 {{ ubtu20cis_grub_user }} grub.pbkdf2.*', line: 'password_pbkdf2 {{ ubtu20cis_grub_user }} {{ ubtu20cis_bootloader_password_hash }}', after: 'set superusers="' }
 notify: Grub update
 - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"
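Review bot: Putting both edits in a `loop:` makes Ansible print each `item` in the task result, and the second item's `line` carries the rendered `ubtu20cis_bootloader_password_hash`, so the GRUB PBKDF2 hash lands in console output and job logs. Add `loop_control:` with `label: "{{ item.regexp }}"` to this task so only the pattern is shown, or `no_log: true` if verbose runs are also captured, since a label does not hide the item at `-v`. Separately, `create: true` is kept without `owner`, `group` or `mode`, so a newly created file takes default ownership and permissions; setting them explicitly keeps the hash from being readable by other local users. The outer `block:` continues past the end of the hunk, so this covers only the first task.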