--- # Skips if mount is absent - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp" block: - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_tmp_mount_absent changed_when: var_tmp_mount_absent.skipped is undefined when: - required_mount not in mount_names - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" debug: msg: "Congratulations: {{ required_mount }} exists." register: var_tmp_mount_present when: - required_mount in mount_names vars: required_mount: '/var/tmp' when: - rhel9cis_rule_1_1_4_1 tags: - level2-server - level2-workstation - automated - audit - mounts - rule_1.1.4.1 # skips if mount is absent - name: | "1.1.4.2 | PATCH | Ensure noexec option set on /var/tmp partition" "1.1.4.3 | PATCH | Ensure nosuid option set on /var/tmp partition" "1.1.4.4 | PATCH | Ensure nodev option set on /var/tmp partition" mount: name: /var/tmp src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: change_requires_reboot when: - var_tmp_mount_present is defined - item.mount == "/var/tmp" - rhel9cis_rule_1_1_4_1 # This is required so the check takes place - rhel9cis_rule_1_1_4_2 or rhel9cis_rule_1_1_4_3 or rhel9cis_rule_1_1_4_4 tags: - level1-server - level1-workstation - automated - patch - mounts - skip_ansible_lint - rule_1.1.4.2 - rule_1.1.4.3 - rule_1.1.4.4