--- - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition" when: - required_mount not in prelim_mount_names - ubtu24cis_rule_1_1_2_1_1 tags: - level1-server - level1-workstation - audit - mounts - rule_1.1.2.1.1 - NIST800-53R5_CM-7 vars: warn_control_id: "1.1.2.1.1" required_mount: "/tmp" block: - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | check for mount" ansible.builtin.command: findmnt -kn "{{ required_mount }}" changed_when: false failed_when: discovered_tmp_mount.rc not in [ 0, 1 ] register: discovered_tmp_mount - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" when: discovered_tmp_mount is undefined ansible.builtin.debug: msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Present" when: discovered_tmp_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml # via fstab - name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" when: - prelim_mount_point_fs_and_options[mount_point] is defined - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu24cis_rule_1_1_2_1_2 - not ubtu24cis_tmp_svc tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.1.2 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 vars: mount_point: "/tmp" required_option: nodev notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact prelim_mount_point_fs_and_options: | {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" when: - prelim_mount_point_fs_and_options[mount_point] is defined - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu24cis_rule_1_1_2_1_3 - not ubtu24cis_tmp_svc tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.1.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 vars: mount_point: "/tmp" required_option: nosuid notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when - name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" when: - prelim_mount_point_fs_and_options[mount_point] is defined - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu24cis_rule_1_1_2_1_4 - not ubtu24cis_tmp_svc tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.1.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 vars: mount_point: "/tmp" required_option: noexec notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when # via systemd - name: | "1.1.2.1.1 | PATCH | Ensure /tmp is configured 1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition 1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition 1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition" when: - ubtu24cis_tmp_svc - ubtu24cis_rule_1_1_2_1_1 or ubtu24cis_rule_1_1_2_1_2 or ubtu24cis_rule_1_1_2_1_3 or ubtu24cis_rule_1_1_2_1_4 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.1.1 - rule_1.1.2.1.2 - rule_1.1.2.1.3 - rule_1.1.2.1.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 vars: mount_point: "/tmp" ansible.builtin.template: src: etc/systemd/system/tmp.mount.j2 dest: /etc/systemd/system/tmp.mount owner: root group: root mode: 'go-wx' notify: *mount_option_notify