--- - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" when: ubtu24cis_rule_1_5_1 tags: - level1-server - level1-workstation - patch - rule_1.5.1 - NIST800-53R5_CM-6 - aslr ansible.posix.sysctl: name: kernel.randomize_va_space value: '2' state: present sysctl_file: "{{ ubtu24cis_sysctl_kernel_conf }}" reload: true sysctl_set: true ignoreerrors: true - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted" when: ubtu24cis_rule_1_5_2 tags: - level1-server - level1-workstation - patch - rule_1.5.2 - NIST800-53R5_CM-6 - ptrace ansible.posix.sysctl: name: kernel.yama.ptrace_scope value: "{{ ubtu24_ptrace_value }}" state: present sysctl_file: "{{ ubtu24cis_sysctl_kernel_conf }}" reload: true sysctl_set: true ignoreerrors: true - name: "1.5.3 | PATCH | Ensure core dumps are restricted" when: ubtu24cis_rule_1_5_3 tags: - level1-server - level1-workstation - patch - rule_1.5.3 - NIST800-53R5_CM-6 - coredump block: - name: "1.5.3 | PATCH | Ensure core dumps are restricted | kernel sysctl" ansible.posix.sysctl: name: fs.suid_dumpable value: '0' state: present sysctl_file: "{{ ubtu24cis_sysctl_kernel_conf }}" reload: true sysctl_set: true ignoreerrors: true - name: "1.5.3 | PATCH | Ensure core dumps are restricted | security limits" ansible.builtin.lineinfile: path: /etc/security/limits.d/99_zero_core.conf regexp: '^\* hard core' line: '* hard core 0' create: true owner: root group: root mode: 'go-r' - name: "1.5.3 | PATCH | Ensure core dumps are restricted | sysctl.conf" ansible.builtin.lineinfile: path: /etc/sysctl.conf regexp: '^fs.suid_dumpable' line: fs.suid_dumpable=0 owner: root group: root mode: 'go-r' notify: Reload systemctl - name: "1.5.3 | PATCH | Ensure core dumps are restricted | coredump.conf" ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" create: true owner: root group: root mode: 'go-r' loop: - { regexp: '^Storage', line: 'Storage=none' } - { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' } - name: "1.5.4 | PATCH | Ensure prelink is not installed" when: - ubtu24cis_rule_1_5_4 - "'prelink' in ansible_facts.packages" tags: - level1-server - level1-workstation - patch - rule_1.5.4 - NIST800-53R5_CM-1 - NIST800-53R5_CM-3 - NIST800-53R5_CM-6 - prelink block: - name: "1.5.4 | PATCH | Ensure prelink is not installed | Restore binaries to normal" ansible.builtin.command: prelink -ua changed_when: false failed_when: false - name: "1.5.4 | PATCH | Ensure prelink is not installed| Remove prelink package" ansible.builtin.package: name: prelink state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled" when: ubtu24cis_rule_1_5_5 tags: - level1-server - level1-workstation - patch - rule_1.5.5 - NIST800-53R5_NA - apport block: - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | disable" ansible.builtin.lineinfile: path: /etc/default/apport regexp: ^enabled line: enabled=0 create: true owner: root group: root mode: 'go-r' - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package" when: - "'apport' in ansible_facts.packages" ansible.builtin.package: name: apport state: absent purge: "{{ ubtu24cis_purge_apt }}"