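---
# CIS section 1.1 – filesystem configuration.
#
# Mount-option tasks loop over ansible_mounts and only act on an entry whose
# item.mount matches the target path, so a filesystem that is not a separate
# mount is left alone. The L2 "separate partition" rules are audit-only: they
# print a warning (reported as changed so it stands out) because creating a
# partition is a manual task.

- name: |
    "SCORED | 1.1.2 | PATCH | Ensure /tmp is configured"
    "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition"
    "SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition"
    "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition"
    "via fstab"
  mount:
    name: /tmp
    src: "{{ item.device }}"
    fstype: "{{ item.fstype }}"
    state: present
    # Build the option list and join it, so no trailing comma is written when
    # the last enabled rule is off. Each option is keyed to the rule number the
    # task name gives it (1.1.3 nodev, 1.1.4 nosuid, 1.1.5 noexec); the previous
    # template tied rhel9cis_rule_1_1_3 to noexec and rhel9cis_rule_1_1_5 to
    # nosuid, contradicting the names above.
    opts: >-
      {{ (['defaults']
      + (['nodev'] if rhel9cis_rule_1_1_3 else [])
      + (['nosuid'] if rhel9cis_rule_1_1_4 else [])
      + (['noexec'] if rhel9cis_rule_1_1_5 else [])) | join(',') }}
  # state: present only edits fstab; the handler applies the new options.
  notify: remount tmp
  loop: "{{ ansible_mounts }}"
  when:
    - item.mount == "/tmp"
    - not rhel9cis_tmp_svc
    - rhel9cis_rule_1_1_2 or rhel9cis_rule_1_1_3 or rhel9cis_rule_1_1_4 or rhel9cis_rule_1_1_5
  tags:
    - level1-server
    - level1-workstation
    - scored
    - patch
    - mounts
    - rule_1.1.2
    - rule_1.1.3
    - rule_1.1.4
    - rule_1.1.5

- name: |
    "SCORED | 1.1.2 | PATCH | Ensure /tmp is configured"
    "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition"
    "SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition"
    "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition"
    "via systemd"
  template:
    src: etc/systemd/system/tmp.mount.j2
    dest: /etc/systemd/system/tmp.mount
    owner: root
    group: root
    mode: '0644'  # quoted: an unquoted 0644 is parsed as an octal integer by YAML
  notify: systemd restart tmp.mount
  when:
    - rhel9cis_tmp_svc
    - rhel9cis_rule_1_1_2 or rhel9cis_rule_1_1_3 or rhel9cis_rule_1_1_4 or rhel9cis_rule_1_1_5
  tags:
    - level1-server
    - level1-workstation
    - scored
    - patch
    - mounts
    - rule_1.1.2
    - rule_1.1.3
    - rule_1.1.4
    - rule_1.1.5

- name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var"
  block:
    - name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Absent"
      debug:
        msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
      register: var_mount_absent
      # A skipped task still registers a result carrying a `skipped` key; only
      # report "changed" when the warning was actually emitted.
      changed_when: var_mount_absent.skipped is undefined
      when:
        - required_mount not in mount_names

    - name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Present"
      debug:
        msg: "Congratulations: {{ required_mount }} exists."
      when:
        - required_mount in mount_names
  vars:
    required_mount: '/var'
  when:
    - rhel9cis_rule_1_1_6
  tags:
    - level2-server
    - level2-workstation
    - scored
    - audit  # audit-only task; was tagged patch, unlike the other 1.1.x audits
    - mounts
    - rule_1.1.6

- name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | skips if mount absent"
  block:
    - name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
      debug:
        msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
      register: var_tmp_mount_absent
      changed_when: var_tmp_mount_absent.skipped is undefined
      when:
        - required_mount not in mount_names

    - name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
      debug:
        msg: "Congratulations: {{ required_mount }} exists."
      # Registered so the 1.1.8-1.1.10 mount task can tell the audit ran.
      register: var_tmp_mount_present
      when:
        - required_mount in mount_names
  vars:
    required_mount: '/var/tmp'
  when:
    - rhel9cis_rule_1_1_7
  tags:
    - level2-server
    - level2-workstation
    - scored
    - audit
    - mounts
    - rule_1.1.7

- name: |
    "1.1.8 | L1 | PATCH | Ensure nodev option set on /var/tmp partition | skips if mount absent"
    "1.1.9 | L1 | PATCH | Ensure nosuid option set on /var/tmp partition | skips if mount absent"
    "1.1.10 | L1 | PATCH | Ensure noexec option set on /var/tmp partition | skips if mount absent"
  mount:
    name: /var/tmp
    src: "{{ item.device }}"
    fstype: "{{ item.fstype }}"
    # NOTE(review): present only rewrites the fstab entry and no remount handler
    # is notified here, so the options presumably take effect at the next mount.
    state: present
    opts: >-
      {{ (['defaults']
      + (['nodev'] if rhel9cis_rule_1_1_8 else [])
      + (['nosuid'] if rhel9cis_rule_1_1_9 else [])
      + (['noexec'] if rhel9cis_rule_1_1_10 else [])) | join(',') }}
  loop: "{{ ansible_mounts }}"
  when:
    # `is defined` is also true for a skipped audit (the variable is registered
    # either way); the loop filter on item.mount is what actually gates the task.
    - var_tmp_mount_present is defined
    - item.mount == "/var/tmp"
    - rhel9cis_rule_1_1_7  # This is required so the check takes place
    - rhel9cis_rule_1_1_8 or rhel9cis_rule_1_1_9 or rhel9cis_rule_1_1_10
  tags:
    - level1-server
    - level1-workstation
    - scored
    - patch
    - mounts
    - rule_1.1.8
    - rule_1.1.9
    - rule_1.1.10
    - skip_ansible_lint

- name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log"
  block:
    - name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Absent"
      debug:
        msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
      register: var_log_mount_absent
      changed_when: var_log_mount_absent.skipped is undefined
      when:
        - required_mount not in mount_names

    - name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Present"
      debug:
        msg: "Congratulations: {{ required_mount }} exists."
      when:
        - required_mount in mount_names
  vars:
    required_mount: '/var/log'
  when:
    - rhel9cis_rule_1_1_11
  tags:
    - level2-server
    - level2-workstation
    - scored
    - audit
    - mounts
    - rule_1.1.11
    - skip_ansible_lint

- name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit"
  block:
    - name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
      debug:
        msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
      register: var_log_audit_mount_absent
      changed_when: var_log_audit_mount_absent.skipped is undefined
      when:
        - required_mount not in mount_names

    - name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
      debug:
        msg: "Congratulations: {{ required_mount }} exists."
      when:
        - required_mount in mount_names
  vars:
    required_mount: '/var/log/audit'
  when:
    - rhel9cis_rule_1_1_12
  tags:
    - level2-server
    - level2-workstation
    - scored
    - audit
    - mounts
    - rule_1.1.12

- name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home"
  block:
    - name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Absent"
      debug:
        msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
      register: home_mount_absent
      changed_when: home_mount_absent.skipped is undefined
      when:
        - required_mount not in mount_names

    - name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Present"
      debug:
        msg: "Congratulations: {{ required_mount }} exists."
      # Registered so the 1.1.14 mount task can tell the audit ran.
      register: home_mount_present
      when:
        - required_mount in mount_names
  vars:
    required_mount: '/home'
  when:
    - rhel9cis_rule_1_1_13
  tags:
    - level2-server
    - level2-workstation
    - scored
    - audit
    - mounts
    - rule_1.1.13
    - skip_ansible_lint

- name: "1.1.14 | L1 | PATCH | Ensure nodev option set on /home partition | skips if mount absent"
  mount:
    name: /home
    src: "{{ item.device }}"
    fstype: "{{ item.fstype }}"
    state: present
    # rhel9cis_rule_1_1_14 is already required by `when`, so the old
    # `{% if rhel9cis_rule_1_1_14 %}nodev{% endif %}` always rendered nodev.
    opts: defaults,nodev
  loop: "{{ ansible_mounts }}"
  when:
    - home_mount_present is defined
    - item.mount == "/home"
    - rhel9cis_rule_1_1_14
  tags:
    - level1-server
    - level1-workstation
    - scored
    - patch
    - mounts
    - rule_1.1.14  # was rule_1.1.13, which belongs to the /home audit task
    - skip_ansible_lint

- name: |
    "1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent
    1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent
    1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent"
  block:
    - name: |
        "1.1.15 | L1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence
        1.1.16 | L1 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence
        1.1.17 | L1 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence"
      # Read-only probe; a non-zero exit (no match) is expected when /dev/shm is
      # not mounted, hence failed_when: false. Runs in check mode too so the
      # following task has a result to test.
      shell: mount -l | grep -E '\s/dev/shm\s'
      changed_when: false
      failed_when: false
      check_mode: false
      register: rhel9cis_1_1_15_dev_shm_status

    - name: |
        "1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent
        1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent
        1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent"
      mount:
        name: /dev/shm
        src: tmpfs
        fstype: tmpfs
        # mounted: writes fstab and (re)mounts, so the options apply immediately.
        state: mounted
        opts: >-
          {{ (['defaults']
          + (['nodev'] if rhel9cis_rule_1_1_15 else [])
          + (['nosuid'] if rhel9cis_rule_1_1_16 else [])
          + (['noexec'] if rhel9cis_rule_1_1_17 else [])) | join(',') }}
      when: "'dev/shm' in rhel9cis_1_1_15_dev_shm_status.stdout"
  when:
    - rhel9cis_rule_1_1_15 or rhel9cis_rule_1_1_16 or rhel9cis_rule_1_1_17
  tags:
    - level1-server
    - level1-workstation
    - scored
    - patch
    - mounts
    - rule_1.1.15
    - rule_1.1.16
    - rule_1.1.17

- name: |
    "1.1.18 | L1 | PATCH | Ensure nodev option set on removable media partitions"
    "1.1.19 | L1 | PATCH | Ensure nosuid option set on removable media partitions"
    "1.1.20 | L1 | PATCH | Ensure noexec option set on removable media partitions"
  # Informational only: nothing is changed for removable media.
  debug:
    msg: "--> Not relevant"
  changed_when: false
  when:
    - rhel9cis_rule_1_1_18 or rhel9cis_rule_1_1_19 or rhel9cis_rule_1_1_20
  tags:
    - level1-server
    - level1-workstation
    - notscored
    - audit
    - mounts
    - rule_1.1.18
    - rule_1.1.19
    - rule_1.1.20

- name: "1.1.21 | L1 | PATCH | Ensure sticky bit is set on all world-writable directories"
  # Walk every local mount point (df, header row dropped) and set the sticky bit
  # on world-writable directories. NUL-delimited find/xargs so paths with
  # whitespace are handled, and `xargs -r` so chmod is not invoked with no
  # arguments when nothing matches. The shell module's `warn` argument was
  # removed in ansible-core 2.14 and is no longer passed.
  shell: >-
    df --local -P | awk 'NR!=1 {print $6}'
    | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -print0 2>/dev/null
    | xargs -0 -r chmod a+t
  # chmod gives no per-path feedback here, so the task never reports changed.
  changed_when: false
  failed_when: false
  when:
    - rhel9cis_rule_1_1_21
  tags:
    - skip_ansible_lint
    - level1-server
    - level1-workstation
    - patch
    - stickybits
    - permissons  # existing tag name kept (typo) so current --tags invocations keep working
    - rule_1.1.21

- name: "1.1.22 | L1 | PATCH | Disable Automounting"
  service:
    name: autofs
    enabled: false
  when:
    - not rhel9cis_allow_autofs
    - "'autofs' in ansible_facts.packages"
    - rhel9cis_rule_1_1_22
  tags:
    - level1-server
    - level2-workstation
    - patch
    - mounts
    - automounting
    - rule_1.1.22

- name: "1.1.23 | L1 | PATCH | Disable USB Storage"
  block:
    - name: "1.1.23 | L1 | PATCH | Disable USB Storage | Edit modprobe config"
      lineinfile:
        dest: /etc/modprobe.d/CIS.conf
        # Matches an existing (possibly commented) install line so it is
        # replaced rather than duplicated.
        regexp: "^(#)?install usb-storage(\\s|$)"
        line: "install usb-storage /bin/true"
        create: true
        owner: root
        group: root
        mode: '0600'

    - name: "1.1.23 | L1 | PATCH | Disable USB Storage | Unload module"
      # Unloads the module if currently loaded; the modprobe.d line above keeps
      # it from loading again.
      modprobe:
        name: usb-storage
        state: absent
  when:
    - rhel9cis_rule_1_1_23
  tags:
    - level1-server
    - level2-workstation
    - patch
    - mounts
    - removable_storage
    - rule_1.1.23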