colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updated mountpoint vars correctly 

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-12-11 10:10:14 +00:00
parent de47c63145
commit b2cded315b
No known key found for this signature in database
GPG Key ID: 997FF7FE93AEB5B9
8 changed files with 58 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
tasks/prelim.yml
View File

@ -25,7 +25,7 @@
- name: PRELIM | AUDIT | Section 1.1 | Create list of mount points - name: PRELIM | AUDIT | Section 1.1 | Create list of mount points
tags: always tags: always
ansible.builtin.set_fact: ansible.builtin.set_fact:
mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" prelim_mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options
tags: always tags: always
@ -34,22 +34,22 @@
ansible.builtin.shell: | ansible.builtin.shell: |
mount | awk '{print $1, $3, $5, $6}' mount | awk '{print $1, $3, $5, $6}'
changed_when: false changed_when: false
register: mount_output register: prelim_mount_output
- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact
ansible.builtin.set_fact: ansible.builtin.set_fact:
mount_point_fs_and_options: >- prelim_mount_point_fs_and_options: >-
{%- set mount_point_fs_and_options = {} -%} {%- set prelim_mount_point_fs_and_options = {} -%}
{%- for line in mount_output.stdout_lines -%} {%- for line in prelim_mount_output.stdout_lines -%}
{%- set fields = line.split() -%} {%- set fields = line.split() -%}
{%- set _ = mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%} {%- set _ = prelim_mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%}
{%- endfor -%} {%- endfor -%}
{{ mount_point_fs_and_options }} {{ prelim_mount_point_fs_and_options }}
- name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting" - name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting"
when: ubtu24cis_debug_mount_data when: ubtu24cis_debug_mount_data
ansible.builtin.debug: ansible.builtin.debug:
msg: "{{ mount_point_fs_and_options }}" msg: "{{ prelim_mount_point_fs_and_options }}"
- name: Include audit specific variables - name: Include audit specific variables
when: when:

20
tasks/section_1/cis_1.1.2.1.x.yml
View File

@ -2,7 +2,7 @@
- name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition" - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition"
when: when:
- required_mount not in mount_names - required_mount not in prelim_mount_names
- ubtu24cis_rule_1_1_2_1_1 - ubtu24cis_rule_1_1_2_1_1
tags: tags:
- level1-server - level1-server
@ -34,8 +34,8 @@
# via fstab # via fstab
- name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" - name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
- ubtu24cis_rule_1_1_2_1_2 - ubtu24cis_rule_1_1_2_1_2
- not ubtu24cis_tmp_svc - not ubtu24cis_tmp_svc
tags: tags:
@ -52,15 +52,15 @@
notify: &mount_option_notify notify: &mount_option_notify
- "Remount {{ mount_point }}" - "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: | prelim_mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options'] - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" - name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
- ubtu24cis_rule_1_1_2_1_3 - ubtu24cis_rule_1_1_2_1_3
- not ubtu24cis_tmp_svc - not ubtu24cis_tmp_svc
tags: tags:
@ -81,8 +81,8 @@
- name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" - name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
- ubtu24cis_rule_1_1_2_1_4 - ubtu24cis_rule_1_1_2_1_4
- not ubtu24cis_tmp_svc - not ubtu24cis_tmp_svc
tags: tags:

14
tasks/section_1/cis_1.1.2.2.x.yml
View File

@ -3,7 +3,7 @@
- name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition" - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition"
when: when:
- ubtu24cis_rule_1_1_2_2_1 - ubtu24cis_rule_1_1_2_2_1
- required_mount not in mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -33,7 +33,7 @@
- name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition" - name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_2_2 - ubtu24cis_rule_1_1_2_2_2
tags: tags:
- level1-server - level1-server
@ -49,14 +49,14 @@
notify: &mount_option_notify notify: &mount_option_notify
- "Remount {{ mount_point }}" - "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: | prelim_mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options'] - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition" - name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_2_3 - ubtu24cis_rule_1_1_2_2_3
tags: tags:
- level1-server - level1-server
@ -76,7 +76,7 @@
- name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" - name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_2_4 - ubtu24cis_rule_1_1_2_2_4
tags: tags:
- level1-server - level1-server

12
tasks/section_1/cis_1.1.2.3.x.yml
View File

@ -2,7 +2,7 @@
- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition" - name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
when: when:
- ubtu24cis_rule_1_1_2_3_1 - ubtu24cis_rule_1_1_2_3_1
- required_mount not in mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -32,7 +32,7 @@
- name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition" - name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_3_2 - ubtu24cis_rule_1_1_2_3_2
tags: tags:
- level1-server - level1-server
@ -48,14 +48,14 @@
notify: &mount_option_notify notify: &mount_option_notify
- "Remount {{ mount_point }}" - "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: | prelim_mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options'] - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" - name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_3_3 - ubtu24cis_rule_1_1_2_3_3
tags: tags:
- level1-server - level1-server

12
tasks/section_1/cis_1.1.2.4.x.yml
View File

@ -3,7 +3,7 @@
- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition" - name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition"
when: when:
- ubtu24cis_rule_1_1_2_4_1 - ubtu24cis_rule_1_1_2_4_1
- required_mount not in mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -33,7 +33,7 @@
- name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" - name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_4_2 - ubtu24cis_rule_1_1_2_4_2
tags: tags:
- level1-server - level1-server
@ -49,14 +49,14 @@
notify: &mount_option_notify notify: &mount_option_notify
- "Remount {{ mount_point }}" - "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: | prelim_mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options'] - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" - name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_4_3 - ubtu24cis_rule_1_1_2_4_3
tags: tags:
- level1-server - level1-server

14
tasks/section_1/cis_1.1.2.5.x.yml
View File

@ -3,7 +3,7 @@
- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition" - name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition"
when: when:
- ubtu24cis_rule_1_1_2_5_1 - ubtu24cis_rule_1_1_2_5_1
- required_mount not in mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -33,7 +33,7 @@
- name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" - name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_5_2 - ubtu24cis_rule_1_1_2_5_2
tags: tags:
- level1-server - level1-server
@ -49,14 +49,14 @@
notify: &mount_option_notify notify: &mount_option_notify
- "Remount {{ mount_point }}" - "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: | prelim_mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options'] - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" - name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_5_3 - ubtu24cis_rule_1_1_2_5_3
tags: tags:
- level1-server - level1-server
@ -76,7 +76,7 @@
- name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" - name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_5_4 - ubtu24cis_rule_1_1_2_5_4
tags: tags:
- level1-server - level1-server

14
tasks/section_1/cis_1.1.2.6.x.yml
View File

@ -3,7 +3,7 @@
- name: "1/.1 | PATCH | Ensure /var/log is a separate partition" - name: "1/.1 | PATCH | Ensure /var/log is a separate partition"
when: when:
- ubtu24cis_rule_1_1_2_6_1 - ubtu24cis_rule_1_1_2_6_1
- required_mount not in mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -33,7 +33,7 @@
- name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" - name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_6_2 - ubtu24cis_rule_1_1_2_6_2
tags: tags:
- level1-server - level1-server
@ -49,14 +49,14 @@
notify: &mount_option_notify notify: &mount_option_notify
- "Remount {{ mount_point }}" - "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: | prelim_mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options'] - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" - name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_6_3 - ubtu24cis_rule_1_1_2_6_3
tags: tags:
- level1-server - level1-server
@ -76,7 +76,7 @@
- name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" - name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_6_4 - ubtu24cis_rule_1_1_2_6_4
tags: tags:
- level1-server - level1-server

14
tasks/section_1/cis_1.1.2.7.x.yml
View File

@ -3,7 +3,7 @@
- name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition" - name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition"
when: when:
- ubtu24cis_rule_1_1_2_7_1 - ubtu24cis_rule_1_1_2_7_1
- required_mount not in mount_names - required_mount not in prelim_mount_names
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -33,7 +33,7 @@
- name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" - name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_7_2 - ubtu24cis_rule_1_1_2_7_2
tags: tags:
- level1-server - level1-server
@ -49,14 +49,14 @@
notify: &mount_option_notify notify: &mount_option_notify
- "Remount {{ mount_point }}" - "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact ansible.builtin.set_fact: &mount_option_set_fact
mount_point_fs_and_options: | prelim_mount_point_fs_and_options: |
{{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when changed_when: &mount_option_changed_when
- required_option not in mount_point_fs_and_options[mount_point]['original_options'] - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" - name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_7_3 - ubtu24cis_rule_1_1_2_7_3
tags: tags:
- level1-server - level1-server
@ -76,7 +76,7 @@
- name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" - name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition"
when: when:
- mount_point_fs_and_options[mount_point] is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_7_4 - ubtu24cis_rule_1_1_2_7_4
tags: tags:
- level1-server - level1-server