75 lines
2.4 KiB
YAML
75 lines
2.4 KiB
YAML
---
|
|
- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
|
|
when:
|
|
- ubtu24cis_rule_1_1_2_3_1
|
|
- required_mount not in prelim_mount_names
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- audit
|
|
- mounts
|
|
- rule_1.1.2.3.1
|
|
- NIST800-53R5_CM-7
|
|
vars:
|
|
warn_control_id: "1.1.2.3.1"
|
|
required_mount: "/home"
|
|
block:
|
|
- name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | check for mount"
|
|
ansible.builtin.command: findmnt -kn "{{ required_mount }}"
|
|
changed_when: false
|
|
failed_when: discovered_home_mount.rc not in [ 0, 1 ]
|
|
register: discovered_home_mount
|
|
|
|
- name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent"
|
|
when: discovered_dev_shm_mount is undefined
|
|
ansible.builtin.debug:
|
|
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
|
|
|
|
- name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present"
|
|
when: discovered_dev_shm_mount is undefined
|
|
ansible.builtin.import_tasks:
|
|
file: warning_facts.yml
|
|
|
|
- name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition"
|
|
when:
|
|
- prelim_mount_point_fs_and_options[mount_point] is defined
|
|
- ubtu24cis_rule_1_1_2_3_2
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- mounts
|
|
- rule_1.1.2.3.2
|
|
- NIST800-53R5_AC-3
|
|
- NIST800-53R5_MP-2
|
|
vars:
|
|
mount_point: "/home"
|
|
required_option: nodev
|
|
notify: &mount_option_notify
|
|
- "Remount {{ mount_point }}"
|
|
ansible.builtin.set_fact: &mount_option_set_fact
|
|
prelim_mount_point_fs_and_options: |
|
|
{{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
|
|
changed_when: &mount_option_changed_when
|
|
- required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
|
|
|
|
- name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition"
|
|
when:
|
|
- prelim_mount_point_fs_and_options[mount_point] is defined
|
|
- ubtu24cis_rule_1_1_2_3_3
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- mounts
|
|
- rule_1.1.2.3.3
|
|
- NIST800-53R5_AC-3
|
|
- NIST800-53R5_MP-2
|
|
vars:
|
|
mount_point: "/home"
|
|
required_option: nosuid
|
|
notify: *mount_option_notify
|
|
ansible.builtin.set_fact:
|
|
<<: *mount_option_set_fact
|
|
changed_when: *mount_option_changed_when
|