---
# CIS Ubuntu 24.04 role, section 1.1.2.1 (/tmp): one AUDIT task and three
# PATCH tasks. Each task is gated on its ubtu24cis_rule_* switch and on
# whether `required_mount` ('/tmp') appears in `mount_names`.
#
# NOTE(review): `mount_names`, `tmp_partition_mount_options` and the handler
# "Writing and remounting tmp" are all defined outside this file (presumably in
# the role's prelim tasks / handlers) - confirm before changing the tasks
# below. The tasks here only append to the options list and notify the
# handler; they never write fstab or remount themselves.

# /tmp is not a mount point at all: the role cannot create the partition, so
# this only emits a warning and bumps the warning counter (warning_facts.yml
# reads `warn_control_id`).
- name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition"
  when:
    - required_mount not in mount_names
    - ubtu24cis_rule_1_1_2_1_1
  tags:
    - level1-server
    - level1-workstation
    - audit
    - mounts
    - rule_1.1.2.1.1
    - NIST800-53R5_CM-7
    - tmp
  vars:
    warn_control_id: "1.1.2.1.1"
    required_mount: "/tmp"
  block:
    - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent"
      ansible.builtin.debug:
        msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

    - name: "1.1.2.1.1 | WARN | Ensure /tmp is a separate partition | warn_count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

# The three PATCH tasks below share one shape: append a single mount option to
# `tmp_partition_mount_options` and notify the handler that rewrites and
# remounts /tmp. `changed_when: true` forces a "changed" result so the handler
# is always triggered when the task runs; the cost is that these tasks never
# report idempotent on repeated runs.
#
# NOTE(review): the append is unconditional (`list + [ 'opt' ]`), so if the
# option is already present in the list it will appear twice - presumably the
# handler (or the fstab module it uses) tolerates duplicates; verify.

# nodev: block device files on /tmp are not honoured.
- name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
  when:
    - required_mount in mount_names
    - ubtu24cis_rule_1_1_2_1_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - mounts
    - rule_1.1.2.1.2
    - NIST800-53R5_CM-7
    - tmp
  vars:
    required_mount: "/tmp"
  ansible.builtin.set_fact:
    tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}"
  changed_when: true
  notify: Writing and remounting tmp

# nosuid: setuid/setgid bits on /tmp are ignored.
- name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition"
  when:
    - required_mount in mount_names
    - ubtu24cis_rule_1_1_2_1_3
  tags:
    - level1-server
    - level1-workstation
    - patch
    - mounts
    - rule_1.1.2.1.3
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
    - tmp
  vars:
    required_mount: "/tmp"
  ansible.builtin.set_fact:
    tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}"
  changed_when: true
  notify: Writing and remounting tmp

# noexec: binaries on /tmp cannot be executed directly.
- name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition"
  when:
    - required_mount in mount_names
    - ubtu24cis_rule_1_1_2_1_4
  tags:
    - level1-server
    - level1-workstation
    - patch
    - mounts
    - rule_1.1.2.1.4
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
    - tmp
  vars:
    required_mount: "/tmp"
  ansible.builtin.set_fact:
    tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}"
  changed_when: true
  notify: Writing and remounting tmp