RHEL9-CIS/tasks/section_1/cis_1.1.8.x.yml

---

# Skips if mount is absent
- name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition"
  block:
      - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists"
        ansible.builtin.shell: mount -l | grep -w /dev/shm
        changed_when: false
        register: rhel9cis_1_8_1_1_mount_check

      - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition"
        block:
            - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent"
              ansible.builtin.debug:
                  msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

            - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present"
              ansible.builtin.import_tasks:
                  file: warning_facts.yml
        when: rhel9cis_1_8_1_1_mount_check.rc == 1

  vars:
      warn_control_id: '1.1.8.1'
  when:
      - rhel9cis_rule_1_1_8_1
  tags:
      - level1-server
      - level1-workstation
      - audit
      - mounts
      - rule_1.1.8.1
      - skip_ansible_lint

- name: |
       "1.1.8.2 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option
        1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option
        1.1.8.4 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option"
  ansible.posix.mount:
      name: /dev/shm
      src: tmpfs
      fstype: tmpfs
      state: mounted
      opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_8_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_8_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_8_4) %},nosuid{% endif %}"
  notify: Change_requires_reboot
  when:
      - rhel9cis_rule_1_1_8_2 or
        rhel9cis_rule_1_1_8_3 or
        rhel9cis_rule_1_1_8_4
  tags:
      - level1-server
      - level1-workstation
      - patch
      - mounts
      - rule_1.1.8.2
      - rule_1.1.8.3
      - rule_1.1.8.4
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`---`

			`# Skips if mount is absent`
lint fqcn & typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-12 13:38:14 +00:00			`- name: "1.1.8.1 \| AUDIT \| Ensure /dev/shm is a separate partition"`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`block:`
updated test and control Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-18 09:51:56 +01:00			`- name: "1.1.8.1 \| AUDIT \| Ensure /dev/shm is a separate partition \| check exists"`
			`ansible.builtin.shell: mount -l \| grep -w /dev/shm`
			`changed_when: false`
			`register: rhel9cis_1_8_1_1_mount_check`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00
lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 14:55:00 +01:00			`- name: "1.1.8.1 \| AUDIT \| Ensure /dev/shm is a separate partition"`
			`block:`
updated test and control Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-18 09:51:56 +01:00			`- name: "1.1.8.1 \| AUDIT \| Ensure /dev/shm is a separate partition \| Absent"`
			`ansible.builtin.debug:`
			`msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"`

			`- name: "1.1.8.1 \| AUDIT \| Ensure separate partition exists for /home \| Present"`
import_tasks file added Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 15:07:52 +01:00			`ansible.builtin.import_tasks:`
fix filename Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 15:35:35 +01:00			`file: warning_facts.yml`
updated test and control Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-18 09:51:56 +01:00			`when: rhel9cis_1_8_1_1_mount_check.rc == 1`
warn control count updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 11:05:25 +00:00
v1.0.0 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-09 16:29:47 +00:00			`vars:`
warn control count updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 11:05:25 +00:00			`warn_control_id: '1.1.8.1'`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`when:`
v1.0.0 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-09 16:29:47 +00:00			`- rhel9cis_rule_1_1_8_1`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`tags:`
			`- level1-server`
			`- level1-workstation`
v1.0.0 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-09 16:29:47 +00:00			`- audit`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`- mounts`
			`- rule_1.1.8.1`
v1.0.0 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-09 16:29:47 +00:00			`- skip_ansible_lint`

			`- name: \|`
			`"1.1.8.2 \| PATCH \| Ensure nodev option set on /dev/shm partition \| Set nodev option`
			`1.1.8.3 \| PATCH \| Ensure noexec option set on /dev/shm partition \| Set nosuid option`
			`1.1.8.4 \| PATCH \| Ensure nosuid option set on /dev/shm partition \| Set noexec option"`
Readme Update, Yamllint Update Signed-off-by: Stephen Williams <stephenw@mindpointgroup.com> 2023-04-10 13:48:47 -04:00			`ansible.posix.mount:`
v1.0.0 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-09 16:29:47 +00:00			`name: /dev/shm`
			`src: tmpfs`
			`fstype: tmpfs`
			`state: mounted`
improved idempotence on mount point options Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-11-11 15:43:44 +00:00			`opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_8_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_8_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_8_4) %},nosuid{% endif %}"`
lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 12:10:18 +00:00			`notify: Change_requires_reboot`
v1.0.0 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-09 16:29:47 +00:00			`when:`
			`- rhel9cis_rule_1_1_8_2 or`
			`rhel9cis_rule_1_1_8_3 or`
			`rhel9cis_rule_1_1_8_4`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- mounts`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`- rule_1.1.8.2`
			`- rule_1.1.8.3`
v1.0.0 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-09 16:29:47 +00:00			`- rule_1.1.8.4`