forked from ansible-lockdown/RHEL9-CIS
boolean variable true/false
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
727095ca35
commit
54f4e0b4b8
26 changed files with 92 additions and 90 deletions
|
|
@ -7,7 +7,7 @@
|
|||
dest: /etc/modprobe.d/CIS.conf
|
||||
regexp: "^(#)?install cramfs(\\s|$)"
|
||||
line: "install cramfs /bin/true"
|
||||
create: yes
|
||||
create: true
|
||||
mode: 0600
|
||||
|
||||
- name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
|
||||
|
|
@ -32,7 +32,7 @@
|
|||
dest: /etc/modprobe.d/CIS.conf
|
||||
regexp: "^(#)?install vfat(\\s|$)"
|
||||
line: "install vfat /bin/true"
|
||||
create: yes
|
||||
create: true
|
||||
mode: 0600
|
||||
|
||||
- name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Disable vFAT"
|
||||
|
|
@ -58,7 +58,7 @@
|
|||
dest: /etc/modprobe.d/CIS.conf
|
||||
regexp: "^(#)?install squashfs(\\s|$)"
|
||||
line: "install squashfs /bin/true"
|
||||
create: yes
|
||||
create: true
|
||||
mode: 0600
|
||||
|
||||
- name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
|
||||
|
|
@ -83,7 +83,7 @@
|
|||
dest: /etc/modprobe.d/CIS.conf
|
||||
regexp: "^(#)?install udf(\\s|$)"
|
||||
line: "install udf /bin/true"
|
||||
create: yes
|
||||
create: true
|
||||
mode: 0600
|
||||
|
||||
- name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
|
||||
|
|
|
|||
|
|
@ -256,7 +256,7 @@
|
|||
warn: false
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
register: rhel9cis_1_1_15_dev_shm_status
|
||||
|
||||
- name: |
|
||||
|
|
@ -325,7 +325,7 @@
|
|||
- name: "1.1.22 | L1 | PATCH | Disable Automounting"
|
||||
service:
|
||||
name: autofs
|
||||
enabled: no
|
||||
enabled: false
|
||||
when:
|
||||
- not rhel9cis_allow_autofs
|
||||
- "'autofs' in ansible_facts.packages"
|
||||
|
|
@ -345,7 +345,7 @@
|
|||
dest: /etc/modprobe.d/CIS.conf
|
||||
regexp: "^(#)?install usb-storage(\\s|$)"
|
||||
line: "install usb-storage /bin/true"
|
||||
create: yes
|
||||
create: true
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@
|
|||
service:
|
||||
name: rhnsd
|
||||
state: stopped
|
||||
enabled: no
|
||||
enabled: false
|
||||
masked: true
|
||||
when:
|
||||
- ansible_distribution == "RedHat"
|
||||
|
|
@ -84,7 +84,7 @@
|
|||
changed_when: false
|
||||
failed_when: false
|
||||
register: dnf_configured
|
||||
check_mode: no
|
||||
check_mode: false
|
||||
|
||||
- name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list"
|
||||
debug:
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@
|
|||
regexp: '(selinux|enforcing)\s*=\s*0\s*'
|
||||
replace: ''
|
||||
register: selinux_grub_patch
|
||||
ignore_errors: yes
|
||||
ignore_errors: true
|
||||
notify: grub2cfg
|
||||
when:
|
||||
- rhel9cis_rule_1_7_1_2
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@
|
|||
regexp: "{{ item.regexp }}"
|
||||
line: "{{ item.line }}"
|
||||
state: present
|
||||
create: yes
|
||||
create: true
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue