forked from ansible-lockdown/RHEL9-CIS
lint updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
1e22c13794
commit
33340c7487
13 changed files with 27 additions and 24 deletions
|
|
@ -7,7 +7,7 @@
|
||||||
path: /etc/modprobe.d/CIS.conf
|
path: /etc/modprobe.d/CIS.conf
|
||||||
regexp: "^(#)?install cramfs(\\s|$)"
|
regexp: "^(#)?install cramfs(\\s|$)"
|
||||||
line: "install cramfs /bin/true"
|
line: "install cramfs /bin/true"
|
||||||
create: yes
|
create: true
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
|
||||||
- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
|
- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
|
||||||
|
|
@ -32,7 +32,7 @@
|
||||||
path: /etc/modprobe.d/CIS.conf
|
path: /etc/modprobe.d/CIS.conf
|
||||||
regexp: "^(#)?install squashfs(\\s|$)"
|
regexp: "^(#)?install squashfs(\\s|$)"
|
||||||
line: "install squashfs /bin/true"
|
line: "install squashfs /bin/true"
|
||||||
create: yes
|
create: true
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
|
||||||
- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
|
- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
|
||||||
|
|
@ -57,7 +57,7 @@
|
||||||
path: /etc/modprobe.d/CIS.conf
|
path: /etc/modprobe.d/CIS.conf
|
||||||
regexp: "^(#)?install udf(\\s|$)"
|
regexp: "^(#)?install udf(\\s|$)"
|
||||||
line: "install udf /bin/true"
|
line: "install udf /bin/true"
|
||||||
create: yes
|
create: true
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
|
||||||
- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
|
- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
|
||||||
|
|
|
||||||
|
|
@ -13,7 +13,7 @@
|
||||||
shell: mount -l | grep -E '\s/dev/shm\s'
|
shell: mount -l | grep -E '\s/dev/shm\s'
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
check_mode: no
|
check_mode: false
|
||||||
register: rhel9cis_1_1_8_x_dev_shm_status
|
register: rhel9cis_1_1_8_x_dev_shm_status
|
||||||
|
|
||||||
- name: |
|
- name: |
|
||||||
|
|
|
||||||
|
|
@ -3,7 +3,7 @@
|
||||||
- name: "1.1.9 | PATCH | Disable Automounting"
|
- name: "1.1.9 | PATCH | Disable Automounting"
|
||||||
service:
|
service:
|
||||||
name: autofs
|
name: autofs
|
||||||
enabled: no
|
enabled: false
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_allow_autofs
|
- not rhel9cis_allow_autofs
|
||||||
- "'autofs' in ansible_facts.packages"
|
- "'autofs' in ansible_facts.packages"
|
||||||
|
|
@ -24,7 +24,7 @@
|
||||||
path: /etc/modprobe.d/CIS.conf
|
path: /etc/modprobe.d/CIS.conf
|
||||||
regexp: "^(#)?install usb-storage(\\s|$)"
|
regexp: "^(#)?install usb-storage(\\s|$)"
|
||||||
line: "install usb-storage /bin/true"
|
line: "install usb-storage /bin/true"
|
||||||
create: yes
|
create: true
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
|
|
||||||
|
|
@ -96,7 +96,7 @@
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
register: dnf_configured
|
register: dnf_configured
|
||||||
check_mode: no
|
check_mode: false
|
||||||
args:
|
args:
|
||||||
warn: false
|
warn: false
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -58,7 +58,7 @@
|
||||||
path: /etc/systemd/system/rescue.service.d/00-require-auth.conf
|
path: /etc/systemd/system/rescue.service.d/00-require-auth.conf
|
||||||
regexp: '^ExecStart='
|
regexp: '^ExecStart='
|
||||||
line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
|
line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
|
||||||
create: yes
|
create: true
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
|
||||||
|
|
@ -21,7 +21,7 @@
|
||||||
regexp: "{{ item.regexp }}"
|
regexp: "{{ item.regexp }}"
|
||||||
line: "{{ item.line }}"
|
line: "{{ item.line }}"
|
||||||
state: present
|
state: present
|
||||||
create: yes
|
create: true
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
@ -50,7 +50,7 @@
|
||||||
path: "{{ item.file }}"
|
path: "{{ item.file }}"
|
||||||
regexp: "{{ item.regexp }}"
|
regexp: "{{ item.regexp }}"
|
||||||
line: "{{ item.line }}"
|
line: "{{ item.line }}"
|
||||||
create: yes
|
create: true
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
@ -93,7 +93,10 @@
|
||||||
path: /etc/dconf/db/local.d/00-media-automount
|
path: /etc/dconf/db/local.d/00-media-automount
|
||||||
regexp: "{{ item.regex }}"
|
regexp: "{{ item.regex }}"
|
||||||
line: "{{ item.line }}"
|
line: "{{ item.line }}"
|
||||||
create: yes
|
create: true
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
notify: reload dconf
|
notify: reload dconf
|
||||||
with_items:
|
with_items:
|
||||||
- { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' }
|
- { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' }
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue