---

- name: "1.1.9 | PATCH | Disable USB Storage"
  block:
      - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config"
        ansible.builtin.lineinfile:
            path: /etc/modprobe.d/CIS.conf
            regexp: "^(#)?install usb-storage(\\s|$)"
            line: "install usb-storage /bin/true"
            create: true
            owner: root
            group: root
            mode: 0600

      - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config"
        community.general.modprobe:
            name: usb-storage
            state: absent

      - name: "1.1.9 | PATCH | Disable USB Storage | blacklist"
        ansible.builtin.lineinfile:
            path: /etc/modprobe.d/blacklist.conf
            regexp: "^(#)?blacklist usb-storage(\\s|$)"
            line: "blacklist usb-storage"
            create: true
            mode: 0600
  when:
      - rhel9cis_rule_1_1_9
  tags:
      - level1-server
      - level2-workstation
      - patch
      - mounts
      - removable_storage
      - rule_1.1.9