RHEL9-CIS/tasks/section_1/cis_1.1.2.1.x.yml

---

- name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition"
  when:
    - required_mount not in mount_names
    - rhel9cis_rule_1_1_2_1_1
  tags:
    - level1-server
    - level1-workstation
    - audit
    - mounts
    - rule_1.1.2.1.1
    - NIST800-53R5_CM-7
  vars:
    warn_control_id: '1.1.2.1.1'
    required_mount: '/tmp'
  block:
    - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Absent"
      ansible.builtin.debug:
        msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"

    - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Present"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

# via fstab
- name: |
    "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
    "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition"
    "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition"
  ansible.posix.mount:
    name: /tmp
    src: "{{ item.device }}"
    fstype: "{{ item.fstype }}"
    state: present
    opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_1_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_1_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_1_4) %},noexec{% endif %}"
  notify: Remount tmp
  loop: "{{ ansible_facts.mounts }}"
  loop_control:
    label: "{{ item.device }}"
  when:
    - item.mount == "/tmp"
    - not rhel9cis_tmp_svc
    - rhel9cis_rule_1_1_2_1_2 or
      rhel9cis_rule_1_1_2_1_3 or
      rhel9cis_rule_1_1_2_1_4
  tags:
    - level1-server
    - level1-workstation
    - patch
    - mounts
    - rule_1.1.2.1.2
    - rule_1.1.2.1.3
    - rule_1.1.2.1.4
    - NIST800-53R5_CM-7
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2

# via systemd
- name: |
    "1.1.2.1.1 | PATCH | Ensure /tmp is configured"
    "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
    "1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition"
    "1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition"
  when:
    - rhel9cis_tmp_svc
    - rhel9cis_rule_1_1_2_1_1 or
      rhel9cis_rule_1_1_2_1_2 or
      rhel9cis_rule_1_1_2_1_3 or
      rhel9cis_rule_1_1_2_1_4
  tags:
    - level1-server
    - level1-workstation
    - patch
    - mounts
    - rule_1.1.2.1.1
    - rule_1.1.2.1.2
    - rule_1.1.2.1.3
    - rule_1.1.2.1.4
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.template:
    src: etc/systemd/system/tmp.mount.j2
    dest: /etc/systemd/system/tmp.mount
    owner: root
    group: root
    mode: 'go-wx'
  notify: Systemd restart tmp.mount
section1 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-19 17:01:23 +01:00			`---`

			`- name: "1.1.2.1.1 \| PATCH \| Ensure /tmp is a separate partition"`
			`when:`
			`- required_mount not in mount_names`
			`- rhel9cis_rule_1_1_2_1_1`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- audit`
			`- mounts`
			`- rule_1.1.2.1.1`
Added Nist values Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-22 12:42:39 +01:00			`- NIST800-53R5_CM-7`
section1 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-19 17:01:23 +01:00			`vars:`
			`warn_control_id: '1.1.2.1.1'`
			`required_mount: '/tmp'`
			`block:`
			`- name: "1.1.2.1.1 \| PATCH \| Ensure /tmp is a separate partition \| Absent"`
			`ansible.builtin.debug:`
improvement to Warning Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 08:01:16 +00:00			`msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"`
section1 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-19 17:01:23 +01:00
			`- name: "1.1.2.1.1 \| PATCH \| Ensure /tmp is a separate partition \| Present"`
			`ansible.builtin.import_tasks:`
			`file: warning_facts.yml`

			`# via fstab`
			`- name: \|`
			`"1.1.2.1.2 \| PATCH \| Ensure nodev option set on /tmp partition"`
			`"1.1.2.1.3 \| PATCH \| Ensure nosuid option set on /tmp partition"`
			`"1.1.2.1.4 \| PATCH \| Ensure noexec option set on /tmp partition"`
			`ansible.posix.mount:`
			`name: /tmp`
			`src: "{{ item.device }}"`
			`fstype: "{{ item.fstype }}"`
			`state: present`
improved mount idempotence Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-11-11 16:04:14 +00:00			`opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_1_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_1_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_1_4) %},noexec{% endif %}"`
section1 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-19 17:01:23 +01:00			`notify: Remount tmp`
			`loop: "{{ ansible_facts.mounts }}"`
			`loop_control:`
			`label: "{{ item.device }}"`
			`when:`
			`- item.mount == "/tmp"`
			`- not rhel9cis_tmp_svc`
			`- rhel9cis_rule_1_1_2_1_2 or`
			`rhel9cis_rule_1_1_2_1_3 or`
			`rhel9cis_rule_1_1_2_1_4`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- mounts`
			`- rule_1.1.2.1.2`
			`- rule_1.1.2.1.3`
			`- rule_1.1.2.1.4`
Added Nist values Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-22 12:42:39 +01:00			`- NIST800-53R5_CM-7`
			`- NIST800-53R5_AC-3`
			`- NIST800-53R5_MP-2`
section1 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-19 17:01:23 +01:00
			`# via systemd`
			`- name: \|`
			`"1.1.2.1.1 \| PATCH \| Ensure /tmp is configured"`
			`"1.1.2.1.2 \| PATCH \| Ensure nodev option set on /tmp partition"`
			`"1.1.2.1.3 \| PATCH \| Ensure noexec option set on /tmp partition"`
			`"1.1.2.1.4 \| PATCH \| Ensure nosuid option set on /tmp partition"`
			`when:`
			`- rhel9cis_tmp_svc`
			`- rhel9cis_rule_1_1_2_1_1 or`
			`rhel9cis_rule_1_1_2_1_2 or`
			`rhel9cis_rule_1_1_2_1_3 or`
			`rhel9cis_rule_1_1_2_1_4`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- mounts`
			`- rule_1.1.2.1.1`
			`- rule_1.1.2.1.2`
			`- rule_1.1.2.1.3`
			`- rule_1.1.2.1.4`
Added Nist values Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-22 12:42:39 +01:00			`- NIST800-53R5_AC-3`
			`- NIST800-53R5_MP-2`
section1 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-19 17:01:23 +01:00			`ansible.builtin.template:`
			`src: etc/systemd/system/tmp.mount.j2`
			`dest: /etc/systemd/system/tmp.mount`
			`owner: root`
			`group: root`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`mode: 'go-wx'`
section1 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-19 17:01:23 +01:00			`notify: Systemd restart tmp.mount`