updates for #244 mount tasks

Signed-off-by: George Nalen <georgen@mindpointgroup.com>
ansible-lockdown · Dec 13, 2022 · da144c2 · da144c2
1 parent 9ba29bb
commit da144c2
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 101 deletions.
diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml
@@ -2,29 +2,16 @@
 
 - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var"
   block:
-      - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent"
+      - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn if partition is absent"
         debug:
-            msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
-        register: var_mount_absent
-        changed_when: var_mount_absent.skipped is undefined
-        when:
-            - required_mount not in mount_names
+            msg: "Warning!! /var does not exist, which is not STIG compliant. This is a manual task remediate"
+        when: "'/var' not in mount_names"
 
       - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count"
         set_fact:
             control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]"
             warn_count: "{{ warn_count | int + 1 }}"
-        when:
-            - required_mount not in mount_names
-
-      - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
-        debug:
-            msg: "Congratulations: {{ required_mount }} exists."
-        register: var_mount_present
-        when:
-            - required_mount in mount_names
-  vars:
-      required_mount: '/var'
+        when: "'/var' not in mount_names"
   when:
       - rhel8cis_rule_1_1_3_1
   tags:
@@ -46,15 +33,14 @@
       fstype: "{{ item.fstype }}"
       state: present
       opts: defaults,{% if rhel8cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_3_4 %}nosuid{% endif %}
+  notify: change_requires_reboot
   with_items:
       - "{{ ansible_mounts }}"
   loop_control:
       label: "{{ item.device }}"
-  notify: change_requires_reboot
   when:
-      - var_mount_present is defined
+      - "'/var' in mount_names"
       - item.mount == "/var"
-      - rhel8cis_rule_1_1_3_1  # This is required so the check takes place
       - rhel8cis_rule_1_1_3_2 or
         rhel8cis_rule_1_1_3_3 or
         rhel8cis_rule_1_1_3_4

diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml
@@ -1,31 +1,17 @@
 ---
 
-# Skips if mount is absent
 - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp"
   block:
-      - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
+      - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn if partition is absent"
         debug:
-            msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
-        register: var_tmp_mount_absent
-        changed_when: var_tmp_mount_absent.skipped is undefined
-        when:
-            - required_mount not in mount_names
+            msg: "Warning!! /var/tmp does not exist, which is not STIG compliant. This is a manual task remediate"
+        when: "'/var/tmp' not in mount_names"
 
       - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count"
         set_fact:
             control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]"
             warn_count: "{{ warn_count | int + 1 }}"
-        when:
-            - required_mount not in mount_names
-
-      - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
-        debug:
-            msg: "Congratulations: {{ required_mount }} exists."
-        register: var_tmp_mount_present
-        when:
-            - required_mount in mount_names
-  vars:
-      required_mount: '/var/tmp'
+        when: "'/var/tmp' not in mount_names"
   when:
       - rhel8cis_rule_1_1_4_1
   tags:
@@ -47,15 +33,14 @@
       fstype: "{{ item.fstype }}"
       state: present
       opts: defaults,{% if rhel8cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_4_3 %}nosuid{% endif %}
+  notify: change_requires_reboot
   with_items:
       - "{{ ansible_mounts }}"
   loop_control:
       label: "{{ item.device }}"
-  notify: change_requires_reboot
   when:
-      - var_tmp_mount_present is defined
+      - "'/var/tmp' in mount_names"
       - item.mount == "/var/tmp"
-      - rhel8cis_rule_1_1_4_1  # This is required so the check takes place
       - rhel8cis_rule_1_1_4_2 or
         rhel8cis_rule_1_1_4_3 or
         rhel8cis_rule_1_1_4_4

diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml
@@ -2,29 +2,16 @@
 
 - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log"
   block:
-      - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
+      - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn if partition is absent"
         debug:
-            msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
-        register: var_log_mount_absent
-        changed_when: var_log_mount_absent.skipped is undefined
-        when:
-            - required_mount not in mount_names
+            msg: "Warning!! /var/log does not exist, which is not STIG compliant. This is a manual task remediate"
+        when: "'/var/log' not in mount_names"
 
       - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count"
         set_fact:
             control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]"
             warn_count: "{{ warn_count | int + 1 }}"
-        when:
-            - required_mount not in mount_names
-
-      - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
-        debug:
-            msg: "Congratulations: {{ required_mount }} exists."
-        register: var_log_mount_present
-        when:
-            - required_mount in mount_names
-  vars:
-      required_mount: '/var/log'
+        when: "'/var/log' not in mount_names"
   when:
       - rhel8cis_rule_1_1_5_1
   tags:
@@ -36,6 +23,7 @@
       - rule_1.1.5.1
       - skip_ansible_lint
 
+# skips if mount is absent
 - name: |
           "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition"
           "1.1.5.3 | PATCH | Ensure noexec option set on /var/log partition"
@@ -46,15 +34,14 @@
       fstype: "{{ item.fstype }}"
       state: present
       opts: defaults,{% if rhel8cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_5_4 %}nosuid{% endif %}
+  notify: change_requires_reboot
   with_items:
       - "{{ ansible_mounts }}"
   loop_control:
       label: "{{ item.device }}"
-  notify: change_requires_reboot
   when:
-      - var_log_mount_present is defined
+      - "'/var/log' in mount_names"
       - item.mount == "/var/log"
-      - rhel8cis_rule_1_1_5_1  # This is required so the check takes place
       - rhel8cis_rule_1_1_5_2 or
         rhel8cis_rule_1_1_5_3 or
         rhel8cis_rule_1_1_5_4

diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml
@@ -2,29 +2,16 @@
 
 - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit"
   block:
-      - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
+      - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn if partition is absent"
         debug:
-            msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
-        register: var_log_audit_mount_absent
-        changed_when: var_log_audit_mount_absent.skipped is undefined
-        when:
-            - required_mount not in mount_names
+            msg: "Warning!! /var/log/audit does not exist, which is not STIG compliant. This is a manual task remediate"
+        when: "'/var/log/audit' not in mount_names"
 
       - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count"
         set_fact:
             control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]"
             warn_count: "{{ warn_count | int + 1 }}"
-        when:
-            - required_mount not in mount_names
-
-      - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
-        debug:
-            msg: "Congratulations: {{ required_mount }} exists."
-        register: var_log_audit_mount_present
-        when:
-            - required_mount in mount_names
-  vars:
-      required_mount: '/var/log/audit'
+        when: "'/var/log/audit' not in mount_names"
   when:
       - rhel8cis_rule_1_1_6_1
   tags:
@@ -35,6 +22,7 @@
       - mounts
       - rule_1.1.6.1
 
+# skips if mount is absent
 - name: |
           "1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition"
           "1.1.6.3 | PATCH | Ensure nodev option set on /var/log/audit partition"
@@ -45,15 +33,14 @@
       fstype: "{{ item.fstype }}"
       state: present
       opts: defaults,{% if rhel8cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_6_4 %}nosuid{% endif %}
+  notify: change_requires_reboot
   with_items:
       - "{{ ansible_mounts }}"
   loop_control:
       label: "{{ item.device }}"
-  notify: change_requires_reboot
   when:
-      - var_log_audit_mount_present is defined
+      - "'/var/log/audit' not in mount_names"
       - item.mount == "/var/log/audit"
-      - rhel8cis_rule_1_1_6_1  # This is required so the check takes place
       - rhel8cis_rule_1_1_6_2 or
         rhel8cis_rule_1_1_6_3 or
         rhel8cis_rule_1_1_6_4

diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml
@@ -2,29 +2,16 @@
 
 - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home"
   block:
-      - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent"
+      - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn if partition is absent"
         debug:
-            msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
-        register: home_mount_absent
-        changed_when: home_mount_absent.skipped is undefined
-        when:
-            - required_mount not in mount_names
+            msg: "Warning!! /home does not exist, which is not STIG compliant. This is a manual task remediate"
+        when: "'/home' not in mount_names"
 
       - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count"
         set_fact:
             control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]"
             warn_count: "{{ warn_count | int + 1 }}"
-        when:
-            - required_mount not in mount_names
-
-      - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
-        debug:
-            msg: "Congratulations: {{ required_mount }} exists."
-        register: home_mount_present
-        when:
-            - required_mount in mount_names
-  vars:
-      required_mount: '/home'
+        when: "'/home' not in mount_names"
   when:
       - rhel8cis_rule_1_1_7_1
   tags:
@@ -36,6 +23,7 @@
       - rule_1.1.7.1
       - skip_ansible_lint
 
+# skips if mount is absent
 - name: |
     "1.1.7.2 | PATCH | Ensure nodev option set on /home partition
      1.1.7.3 | PATCH | Ensure nosuid option set on /home partition
@@ -47,15 +35,14 @@
       fstype: "{{ item.fstype }}"
       state: present
       opts: defaults,{% if rhel8cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel8cis_rule_1_1_7_5 %}grpquota{% endif %}
+  notify: change_requires_reboot
   with_items:
       - "{{ ansible_mounts }}"
   loop_control:
       label: "{{ item.device }}"
-  notify: change_requires_reboot
   when:
-      - home_mount_present is defined
+      - "'/home' not in mount_names"
       - item.mount == "/home"
-      - rhel8cis_rule_1_1_7_1
       - rhel8cis_rule_1_1_7_2 or
         rhel8cis_rule_1_1_7_3 or
         rhel8cis_rule_1_1_7_4 or