RHEL9-CIS/tasks/section_1/cis_1.1.4.x.yml

---

# Skips if mount is absent
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp"
  block:
      - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
        ansible.builtin.debug:
            msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

      - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
        ansible.builtin.import_tasks:
            file: warning_facts.yml
  vars:
      warn_control_id: '1.1.4.1'
      required_mount: '/var/tmp'
  when:
      - required_mount not in mount_names
      - rhel9cis_rule_1_1_4_1
  tags:
      - level2-server
      - level2-workstation
      - audit
      - mounts
      - rule_1.1.4.1

# skips if mount is absent
- name: |
          "1.1.4.2 | PATCH | Ensure noexec option set on /var/tmp partition"
          "1.1.4.3 | PATCH | Ensure nosuid option set on /var/tmp partition"
          "1.1.4.4 | PATCH | Ensure nodev option set on /var/tmp partition"
  ansible.builtin.mount:
      name: /var/tmp
      src: "{{ item.device }}"
      fstype: "{{ item.fstype }}"
      state: present
      opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_4_2) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_4_3) %},nosuid{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_4_4) %},nodev{% endif %}"
  loop: "{{ ansible_facts.mounts }}"
  loop_control:
      label: "{{ item.device }}"
  notify: Change_requires_reboot
  when:
      - item.mount == "/var/tmp"
      - rhel9cis_rule_1_1_4_2 or
        rhel9cis_rule_1_1_4_3 or
        rhel9cis_rule_1_1_4_4
  tags:
      - level1-server
      - level1-workstation
      - patch
      - mounts
      - skip_ansible_lint
      - rule_1.1.4.2
      - rule_1.1.4.3
      - rule_1.1.4.4
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`---`

			`# Skips if mount is absent`
			`- name: "1.1.4.1 \| AUDIT \| Ensure separate partition exists for /var/tmp"`
			`block:`
			`- name: "1.1.4.1 \| AUDIT \| Ensure separate partition exists for /var/tmp \| Absent"`
v1.0.0 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-09 16:29:47 +00:00			`ansible.builtin.debug:`
added warning count Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-07-20 17:13:33 +01:00			`msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00
cis_v1.0.0 alignment updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-19 10:07:14 +00:00			`- name: "1.1.4.1 \| AUDIT \| Ensure separate partition exists for /var/tmp \| Present"`
import_tasks file added Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 15:07:52 +01:00			`ansible.builtin.import_tasks:`
fix filename Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-21 15:35:35 +01:00			`file: warning_facts.yml`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`vars:`
warn control count updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 11:05:25 +00:00			`warn_control_id: '1.1.4.1'`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`required_mount: '/var/tmp'`
			`when:`
warn control count updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 11:05:25 +00:00			`- required_mount not in mount_names`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:22:30 +01:00			`- rhel9cis_rule_1_1_4_1`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- audit`
			`- mounts`
			`- rule_1.1.4.1`

			`# skips if mount is absent`
			`- name: \|`
			`"1.1.4.2 \| PATCH \| Ensure noexec option set on /var/tmp partition"`
			`"1.1.4.3 \| PATCH \| Ensure nosuid option set on /var/tmp partition"`
			`"1.1.4.4 \| PATCH \| Ensure nodev option set on /var/tmp partition"`
v1.0.0 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-09 16:29:47 +00:00			`ansible.builtin.mount:`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`name: /var/tmp`
			`src: "{{ item.device }}"`
			`fstype: "{{ item.fstype }}"`
			`state: present`
improved idempotence on mount point options Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-11-11 15:43:44 +00:00			`opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_4_2) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_4_3) %},nosuid{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_4_4) %},nodev{% endif %}"`
#54 merged into new layout Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-09-06 08:44:23 +01:00			`loop: "{{ ansible_facts.mounts }}"`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`loop_control:`
			`label: "{{ item.device }}"`
lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2023-01-13 12:10:18 +00:00			`notify: Change_requires_reboot`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`when:`
			`- item.mount == "/var/tmp"`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:22:30 +01:00			`- rhel9cis_rule_1_1_4_2 or`
			`rhel9cis_rule_1_1_4_3 or`
			`rhel9cis_rule_1_1_4_4`
section_1 updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 11:02:30 +01:00			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- mounts`
			`- skip_ansible_lint`
			`- rule_1.1.4.2`
			`- rule_1.1.4.3`
lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-09-16 11:10:31 +01:00			`- rule_1.1.4.4`