#244 incorporated
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly committed Feb 1, 2023
1 parent 02f3526 commit f0e8b35
Showing 5 changed files with 23 additions and 72 deletions.
20 changes: 4 additions & 16 deletions tasks/section_1/cis_1.1.3.x.yml
Expand Up @@ -2,30 +2,18 @@

- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var"
block:
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent"
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn if partition is absent"
debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
register: var_mount_absent
changed_when: var_mount_absent.skipped is undefined
when:
- required_mount not in mount_names

- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
- required_mount not in mount_names

- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: var_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/var'
when:
- "'/var' not in mount_names"
- rhel8cis_rule_1_1_3_1
tags:
- level2-server
Expand All @@ -46,13 +34,13 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel8cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_3_4 %}nosuid{% endif %}
notify: change_requires_reboot
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
when:
- var_mount_present is defined
- "'/var' in mount_names"
- item.mount == "/var"
- rhel8cis_rule_1_1_3_1 # This is required so the check takes place
- rhel8cis_rule_1_1_3_2 or
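Review bot: The `Warn if partition is absent` task at the top of the 1.1.3.1 block no longer carries `register` or `changed_when`, so on the new side the `debug` warning is reported as `ok` instead of `changed`; if the removed `changed_when: var_mount_absent.skipped is undefined` existed to make the warning stand out in the play recap, it should be restored here and in the matching tasks of cis_1.1.4.x, cis_1.1.5.x, cis_1.1.6.x and cis_1.1.7.x. Separately, the block-level `when` in this file lists `"'/var' not in mount_names"` before `rhel8cis_rule_1_1_3_1`, whereas the other four files put the rule flag first; ordering them the same way keeps the sections consistent. The 1.1.3.1 block's `tags` list continues outside the hunk.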
19 changes: 4 additions & 15 deletions tasks/section_1/cis_1.1.4.x.yml
Expand Up @@ -3,31 +3,20 @@
# Skips if mount is absent
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp"
block:
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn if partition is absent"
debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
register: var_tmp_mount_absent
changed_when: var_tmp_mount_absent.skipped is undefined
when:
- required_mount not in mount_names

- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
- required_mount not in mount_names

- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: var_tmp_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/var/tmp'
when:
- rhel8cis_rule_1_1_4_1
- "'/var/tmp' not in mount_names"
tags:
- level2-server
- level2-workstation
Expand All @@ -47,13 +36,13 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel8cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_4_3 %}nosuid{% endif %}
notify: change_requires_reboot
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
when:
- var_tmp_mount_present is defined
- "'/var/tmp' in mount_names"
- item.mount == "/var/tmp"
- rhel8cis_rule_1_1_4_1 # This is required so the check takes place
- rhel8cis_rule_1_1_4_2 or
21 changes: 5 additions & 16 deletions tasks/section_1/cis_1.1.5.x.yml
Expand Up @@ -2,31 +2,19 @@

- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log"
block:
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn if partition is absent"
debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
register: var_log_mount_absent
changed_when: var_log_mount_absent.skipped is undefined
when:
- required_mount not in mount_names

- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
- required_mount not in mount_names

- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: var_log_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/var/log'
when:
- rhel8cis_rule_1_1_5_1
- "'/var/log' not in mount_names"
tags:
- level2-server
- level2-workstation
Expand All @@ -36,6 +24,7 @@
- rule_1.1.5.1
- skip_ansible_lint

# skips if mount is absent
- name: |
"1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition"
"1.1.5.3 | PATCH | Ensure noexec option set on /var/log partition"
Expand All @@ -46,13 +35,13 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel8cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_5_4 %}nosuid{% endif %}
notify: change_requires_reboot
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
when:
- var_log_mount_present is defined
- "'/var/log' not in mount_names"
- item.mount == "/var/log"
- rhel8cis_rule_1_1_5_1 # This is required so the check takes place
- rhel8cis_rule_1_1_5_2 or
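Review bot: The new condition `- "'/var/log' not in mount_names"` on the `mount` task for 1.1.5.2–1.1.5.4 is inverted: the sibling files use `"'/var' in mount_names"` and `"'/var/tmp' in mount_names"`, the comment added just above this task reads `# skips if mount is absent`, and the task also requires `item.mount == "/var/log"`, which cannot hold for an `ansible_mounts` entry while /var/log is absent from `mount_names` (assuming `mount_names` is built from `ansible_mounts`, which is not visible here). As written the nodev/noexec/nosuid options for /var/log are never applied and the control silently stays unremediated. Change it to `- "'/var/log' in mount_names"`; the same inverted check appears in cis_1.1.6.x (`"'/var/log/audit' not in mount_names"`) and cis_1.1.7.x (`"'/home' not in mount_names"`). The mount task's `when` list continues outside the hunk.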
14 changes: 5 additions & 9 deletions tasks/section_1/cis_1.1.6.x.yml
Expand Up @@ -2,13 +2,11 @@

- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit"
block:
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn if partition is absent"
debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
register: var_log_audit_mount_absent
changed_when: var_log_audit_mount_absent.skipped is undefined
when:
- required_mount not in mount_names

- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count"
set_fact:
Expand All @@ -21,12 +19,9 @@
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: var_log_audit_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/var/log/audit'
when:
- rhel8cis_rule_1_1_6_1
- "'/var/log/audit' not in mount_names"
tags:
- level2-server
- level2-workstation
Expand All @@ -35,6 +30,7 @@
- mounts
- rule_1.1.6.1

# skips if mount is absent
- name: |
"1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition"
"1.1.6.3 | PATCH | Ensure nodev option set on /var/log/audit partition"
Expand All @@ -45,13 +41,13 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel8cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel8cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_6_4 %}nosuid{% endif %}
notify: change_requires_reboot
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
when:
- var_log_audit_mount_present is defined
- "'/var/log/audit' not in mount_names"
- item.mount == "/var/log/audit"
- rhel8cis_rule_1_1_6_1 # This is required so the check takes place
- rhel8cis_rule_1_1_6_2 or
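Review bot: In the second hunk the 1.1.6.1 `Present` task (`debug` with `msg: "Congratulations: {{ required_mount }} exists."` and `register: var_log_audit_mount_present`) appears to survive on the new side with only its own `when: - required_mount in mount_names` removed, while the block-level `when` now requires `"'/var/log/audit' not in mount_names"`; if that is the case, the "exists" message is printed exactly when the partition is missing, and `var_log_audit_mount_present` is registered in the same situation. The other four files drop the `Present` task altogether, so either remove it here as well or restore its own `when: - required_mount in mount_names`. The task's `name` line, the block's `Warn Count` task and the mount task's `when` list are outside the visible hunks, so this is inferred from the lines shown.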
21 changes: 5 additions & 16 deletions tasks/section_1/cis_1.1.7.x.yml
Expand Up @@ -2,31 +2,19 @@

- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home"
block:
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent"
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn if partition is absent"
debug:
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
register: home_mount_absent
changed_when: home_mount_absent.skipped is undefined
when:
- required_mount not in mount_names

- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
- required_mount not in mount_names

- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: home_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/home'
when:
- rhel8cis_rule_1_1_7_1
- "'/home' not in mount_names"
tags:
- level2-server
- level2-workstation
Expand All @@ -36,6 +24,7 @@
- rule_1.1.7.1
- skip_ansible_lint

# skips if mount is absent
- name: |
"1.1.7.2 | PATCH | Ensure nodev option set on /home partition
1.1.7.3 | PATCH | Ensure nosuid option set on /home partition
Expand All @@ -47,13 +36,13 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel8cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel8cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel8cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel8cis_rule_1_1_7_5 %}grpquota{% endif %}
notify: change_requires_reboot
with_items:
- "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: change_requires_reboot
when:
- home_mount_present is defined
- "'/home' not in mount_names"
- item.mount == "/home"
- rhel8cis_rule_1_1_7_1
- rhel8cis_rule_1_1_7_2 or
