sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

section_1 updates

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-03-30 11:02:30 +01:00
parent c96271ea7a
commit efdcb0b6f5
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
10 changed files with 782 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

43
tasks/section_1/cis_1.1.8.x.yml Normal file
View file

@ -0,0 +1,43 @@
---
# Skips if mount is absent
- name: |
"1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition
1.1.8.2 | PATCH | Ensure nosuid option set on /dev/shm partition
1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition"
block:
- name: |
"1.1.8.1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence
1.1.8.2 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence
1.1.8.3 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence"
shell: mount -l | grep -E '\s/dev/shm\s'
changed_when: false
failed_when: false
check_mode: no
register: rhel9cis_1_1_8_x_dev_shm_status
- name: |
"1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option
1.1.8.2 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option
1.1.8.3 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option"
mount:
name: /dev/shm
src: tmpfs
fstype: tmpfs
state: mounted
opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %}
when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout"
notify: change_requires_reboot
when:
- rhel9cis_rule_1_1_8_1 or
rhel9cis_rule_1_1_8_2 or
rhel9cis_rule_1_1_8_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- mounts
- rule_1.1.8.1
- rule_1.1.8.2
- rule_1.1.8.3