
fqcn updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2023-01-19 13:12:33 +00:00
parent 4e1ee6f8e6
commit 4e8397b89e
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
4 changed files with 7 additions and 10 deletions


@ -11,7 +11,7 @@
mode: 0600 mode: 0600
- name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist"
lineinfile: ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist squashfs(\\s|$)" regexp: "^(#)?blacklist squashfs(\\s|$)"
line: "blacklist squashfs" line: "blacklist squashfs"
@ -19,7 +19,7 @@
mode: 0600 mode: 0600
- name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
modprobe: community.general.modprobe:
name: squashfs name: squashfs
state: absent state: absent
when: not system_is_container when: not system_is_container
@ -44,7 +44,7 @@
mode: 0600 mode: 0600
- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist"
lineinfile: ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist udf(\\s|$)" regexp: "^(#)?blacklist udf(\\s|$)"
line: "blacklist udf" line: "blacklist udf"
@ -52,7 +52,7 @@
mode: 0600 mode: 0600
- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
modprobe: community.general.modprobe:
name: udf name: udf
state: absent state: absent
when: not system_is_container when: not system_is_container
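Review bot: The two "Disable squashfs" / "Disable udf" tasks now call `community.general.modprobe`, which is not part of ansible-core, so the role runs only where the community.general collection is installed. No collection requirement is visible in this commit; if the repository has none, declare it in the role's collection requirements file (conventionally `collections/requirements.yml`) as `- name: community.general` with a pinned `version:`. That way the hardening run resolves a known release rather than whatever happens to be on the controller. Separately, the 1.1.1.2 task name reads "is disable" where its sibling tasks say "is disabled".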


@ -1,8 +1,5 @@
--- ---
- ansible.builtin.debug:
msg: "{{ mount_names }}"
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home" - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home"
block: block:
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent"


@ -18,7 +18,7 @@
state: absent state: absent
- name: "1.1.9 | PATCH | Disable USB Storage | blacklist" - name: "1.1.9 | PATCH | Disable USB Storage | blacklist"
lineinfile: ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist usb-storage(\\s|$)" regexp: "^(#)?blacklist usb-storage(\\s|$)"
line: "blacklist usb-storage" line: "blacklist usb-storage"


@ -70,7 +70,7 @@
- rule_1.8.3 - rule_1.8.3
- name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle" - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle"
copy: ansible.builtin.copy:
dest: /etc/dconf/db/local.d/00-screensaver dest: /etc/dconf/db/local.d/00-screensaver
content: | content: |
[org/gnome/desktop/session] [org/gnome/desktop/session]
@ -90,7 +90,7 @@
- rule_1.8.4 - rule_1.8.4
- name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" - name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden"
lineinfile: ansible.builtin.lineinfile:
path: /etc/dconf/db/local.d/locks/session path: /etc/dconf/db/local.d/locks/session
create: true create: true
line: /org/gnome/desktop/screensaver/lock-delay line: /org/gnome/desktop/screensaver/lock-delay
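Review bot: The 1.8.5 task locks only `/org/gnome/desktop/screensaver/lock-delay`, although the 1.8.4 task above it also writes an `[org/gnome/desktop/session]` section. If that section sets the idle timeout, users can still override it unless a task outside this hunk locks `/org/gnome/desktop/session/idle-delay`; consider driving the `line:` from a `loop:` over both keys. The task also uses `create: true` with no `mode:` visible, so the lock file would get umask-default permissions; the task may continue below the hunk, so confirm before adding `mode: '0644'`. The name "1.8.5 PATCH |" is also missing the ` | ` separator after the rule number that the other task names use.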