ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-05-09 23:33:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Improved mask logic and package names

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2026-04-08 13:51:01 +01:00
parent 201edf02e4
commit 53561fbf08
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
3 changed files with 16 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

24
tasks/section_2/cis_2.1.x.yml
View file

@ -93,8 +93,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
enabled: "{{ ('dhcp-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('dhcp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- dhcpd.service
@ -252,8 +252,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
enabled: "{{ ('dovecot' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('dovecot' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- "dovecot.socket"
@ -347,8 +347,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
enabled: "{{ ('cups' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('cups' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- "cups.socket"
@ -381,8 +381,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
enabled: "{{ ('rpcbind' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('rpcbind' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- rpcbind.service
@ -415,8 +415,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
enabled: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- 'rsyncd.socket'
@ -509,8 +509,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
enabled: "{{ ('tftp-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('tftp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- 'tftp.socket'

4
tasks/section_3/cis_3.1.x.yml
View file

@ -105,6 +105,6 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: bluetooth.service
enabled: false
state: stopped
enabled: "{{ ('bluez' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('bluez' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true

4
tasks/section_6/cis_6.2.2.1.x.yml
View file

@ -72,8 +72,8 @@
- NIST800-53R5_AU-12
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
enabled: false
state: "{{ ('systemd-journal-remote' in ansible_facts.packages) | ternary('stopped', omit) }}"
enabled: "{{ ('systemd-journal-remote' in ansible_facts.packages) | ternary(false, omit) }}"
masked: true
loop:
- systemd-journal-remote.socket