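---
# CIS Ubuntu 24.04 - 1.1.2.2.x: /dev/shm hardening.
#
# 1.1.2.2.1 is audit-only in this file: it reports whether /dev/shm is a
# mount point in its own right and records a warning fact when it is not.
# 1.1.2.2.2-4 remediate by (re)mounting /dev/shm as tmpfs with the selected
# nodev/nosuid/noexec options and persisting the entry in /etc/fstab
# (ansible.posix.mount with state: mounted).

- name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition"
  when:
    - ubtu24cis_rule_1_1_2_2_1
  tags:
    - level1-server
    - level1-workstation
    - audit
    - mounts
    - rule_1.1.2.2.1
    - NIST800-53R5_CM-7
  vars:
    # consumed by warning_facts.yml
    warn_control_id: '1.1.2.2.1'
    required_mount: '/dev/shm'
  block:
    - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount"
      ansible.builtin.command: findmnt -kn "{{ required_mount }}"
      # Read-only probe: run it in --check mode as well, otherwise the task is
      # skipped, no rc is registered and the conditions below cannot evaluate.
      check_mode: false
      changed_when: false
      # findmnt exits 0 when the mount point exists and 1 when it does not;
      # any other status is a real error.
      failed_when: discovered_shm_mount.rc not in [0, 1]
      register: discovered_shm_mount

    # A registered variable is always defined once the task has run, so the
    # former "is undefined" test could never fire and the warning was dead.
    # Key off the findmnt exit status instead.
    - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent"
      when: discovered_shm_mount.rc != 0
      ansible.builtin.debug:
        msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"

    - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent | record warning"
      when: discovered_shm_mount.rc != 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

# The mount task stands on its own: state=mounted creates the tmpfs mount and
# the fstab entry even when the audit above did not run (for example when only
# the rule_1.1.2.2.2/3/4 tags are selected), so it is no longer gated on the
# audit's registered result, which was undefined in exactly that case.
- name: >-
    1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition |
    1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition |
    1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition
  when:
    - ubtu24cis_rule_1_1_2_2_2 or ubtu24cis_rule_1_1_2_2_3 or ubtu24cis_rule_1_1_2_2_4
  tags:
    - level1-server
    - level1-workstation
    - patch
    - mounts
    # rule_1.1.2.2.1 stays: this mount is also what makes /dev/shm a separate
    # partition. rule_1.1.2.2.4 was missing, so "--tags rule_1.1.2.2.4" never
    # reached this task.
    - rule_1.1.2.2.1
    - rule_1.1.2.2.2
    - rule_1.1.2.2.3
    - rule_1.1.2.2.4
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  notify: Set_reboot_required
  ansible.posix.mount:
    path: /dev/shm
    src: tmpfs
    fstype: tmpfs
    state: mounted
    # Build the option list and join it, so a partially enabled set of rules
    # cannot leave a trailing comma (e.g. "defaults,nodev,") in /etc/fstab.
    # With all three rules enabled this yields "defaults,nodev,nosuid,noexec".
    # NOTE(review): noexec on /dev/shm can break software that maps executable
    # memory there; keep ubtu24cis_rule_1_1_2_2_4 overridable per host.
    opts: >-
      {{ (['defaults']
          + (['nodev'] if ubtu24cis_rule_1_1_2_2_2 else [])
          + (['nosuid'] if ubtu24cis_rule_1_1_2_2_3 else [])
          + (['noexec'] if ubtu24cis_rule_1_1_2_2_4 else []))
         | join(',') }}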