ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 22:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

added guardrails on enabled and state flags to systemd mask tasks to only disable and stop when the package is installed, otherwise just mask to prevent the service from ever starting should it get installed at a later time. This allows hardening to proceed when the service doesn't exist but masking has been requested. Otherwise the playbook run will fail at a step when the service which comes with the package doesn't already exist

Browse source 
Signed-off-by: Michael Hicks <nooneofconsequence@gmail.com>
This commit is contained in:
Michael Hicks 2026-03-04 10:40:41 -08:00
parent 497b3dc8d9
commit c4a97079b1
No known key found for this signature in database
GPG key ID: A939A14F4AFC6498
4 changed files with 61 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

4
tasks/section_6/cis_6.2.2.1.x.yml
View file

@ -72,8 +72,8 @@
- NIST800-53R5_AU-12
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
enabled: false
enabled: "{{ ('systemd-journal-remote' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('systemd-journal-remote' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- systemd-journal-remote.socket