RHEL9-CIS/tasks/section_1/cis_1.5.x.yml

---

- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
  when: rhel9cis_rule_1_5_1
  tags:
    - level1-server
    - level1-workstation
    - patch
    - sysctl
    - rule_1.5.1
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-6.1
  block:
    - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true

    - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"

- name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
  when: rhel9cis_rule_1_5_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - sysctl
    - rule_1.5.2
  block:
    - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true

    - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"

- name: "1.5.3 | PATCH | Ensure core dump backtraces are disabled"
  when: rhel9cis_rule_1_5_3
  tags:
    - level1-server
    - level1-workstation
    - patch
    - sysctl
    - rule_1.5.3
    - NIST800-53R5_CM-6b
  ansible.builtin.lineinfile:
    path: /etc/systemd/coredump.conf
    regexp: '(?#)^ProcessSizeMax\s*=\s*.*[1-9].*$'
    line: 'ProcessSizeMax=0'

- name: "1.5.4 | PATCH | Ensure core dump storage is disabled"
  when:
    - rhel9cis_rule_1_5_4
    - prelim_systemd_coredump.stat.exists
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_1.5.4
  ansible.builtin.lineinfile:
    path: /etc/systemd/coredump.conf
    regexp: '^Storage\s*=\s*(?!none).*'
    line: 'Storage=none'
  notify: Systemd daemon reload