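---
# Handlers for the Ubuntu 24 CIS role. A handler runs once, at the end of the
# play or at a flush, when a task notifies it. Several handlers here are
# grouped behind `listen: Writing and remounting tmp`, and a few handlers
# chain into `Set_reboot_required` via `notify`.

# /tmp: write either a systemd mount unit or an fstab entry, then remount.
# Both writers iterate over ansible_facts.mounts and act only on the entry
# whose mount point is /tmp.
- name: Writing the tmp file | tmp_systemd
  when:
    - "'/tmp' in mount_names"
    - item.mount == "/tmp"
    - tmp_mnt_type == 'tmp_systemd'
  ansible.builtin.template:
    src: etc/systemd/system/tmp.mount.j2
    dest: /etc/systemd/system/tmp.mount
    owner: root
    group: root
    mode: 'u-x,go-wx'
  with_items:
    - "{{ ansible_facts.mounts }}"
  loop_control:
    label: "{{ item.device }}"
  listen: Writing and remounting tmp

- name: Writing the tmp file | fstab
  when:
    - "'/tmp' in mount_names"
    - tmp_mnt_type == 'fstab'
    - item.mount == "/tmp"
  ansible.posix.mount:
    path: /tmp
    src: "{{ item.device }}"
    state: present
    fstype: "{{ item.fstype }}"
    # Quoted so the YAML loader never sees the Jinja braces; the rendered
    # value is unchanged: "defaults" plus the de-duplicated option list.
    opts: "defaults,{{ tmp_partition_mount_options | unique | join(',') }}"
  with_items:
    - "{{ ansible_facts.mounts }}"
  loop_control:
    label: "{{ item.device }}"
  listen: Writing and remounting tmp

- name: Update_Initramfs
  ansible.builtin.command: update-initramfs -u
  changed_when: true
  notify: Set_reboot_required

- name: Remount tmp
  when:
    - "'/tmp' in mount_names"
  ansible.posix.mount:
    path: /tmp
    state: remounted
  listen: Writing and remounting tmp

# Remount handlers: re-apply mount options after fstab changes. Each one is
# notified by name from the task that edits the corresponding entry.
- name: Remount var
  ansible.posix.mount:
    path: /var
    state: remounted

- name: Remount var_tmp
  ansible.posix.mount:
    path: /var/tmp
    state: remounted

- name: Remount var_log
  ansible.posix.mount:
    path: /var/log
    state: remounted

- name: Remount var_log_audit
  ansible.posix.mount:
    path: /var/log/audit
    state: remounted

- name: Remount home
  ansible.posix.mount:
    path: /home
    state: remounted

- name: Remount dev_shm
  ansible.posix.mount:
    path: /dev/shm
    src: /dev/shm
    state: remounted

- name: Grub update
  ansible.builtin.command: update-grub
  changed_when: true
  # Best-effort: a non-zero exit is not surfaced (failed_when: false), so a
  # failed grub update only shows up in the task output. A reboot is still
  # flagged so the change is revisited.
  failed_when: false
  notify: Set_reboot_required

- name: Restart timeservice
  ansible.builtin.systemd:
    name: "{{ ubtu24cis_time_sync_tool }}"
    state: restarted

- name: Reload systemctl
  ansible.builtin.systemd:
    daemon_reload: true

- name: Update dconf
  ansible.builtin.command: dconf update
  changed_when: true
  # Best-effort: failures are not surfaced (failed_when: false).
  failed_when: false

- name: Restart postfix
  ansible.builtin.service:
    name: postfix
    state: restarted

- name: Restart syslog service
  ansible.builtin.systemd:
    name: "{{ ubtu24cis_syslog_service }}"
    state: restarted

- name: Restart journald
  ansible.builtin.systemd:
    name: systemd-journald
    state: restarted

- name: Restart exim4
  ansible.builtin.systemd:
    name: exim4
    state: restarted

# Route-table flushes are skipped inside docker, where sysctl writes are not
# permitted. The sysctl module rejects a bare integer, hence the quoted '1'.
- name: Flush ipv4 route table
  when: ansible_facts.virtualization_type != "docker"
  ansible.posix.sysctl:
    name: net.ipv4.route.flush
    value: '1'
    sysctl_set: true

- name: Flush ipv6 route table
  when:
    - ansible_facts.virtualization_type != "docker"
    - ubtu24cis_ipv6_required
  ansible.posix.sysctl:
    name: net.ipv6.route.flush
    value: '1'
    sysctl_set: true

- name: Reload ufw
  community.general.ufw:
    state: reloaded

# Persist the running netfilter rule set so it survives a reboot. The
# redirect needs a shell, which is why the command is wrapped in bash -c.
- name: Iptables persistent
  ansible.builtin.command: bash -c "iptables-save > /etc/iptables/rules.v4"
  changed_when: true

- name: Ip6tables persistent
  ansible.builtin.command: bash -c "ip6tables-save > /etc/iptables/rules.v6"
  changed_when: true

# pam-auth-update profile activation. The profile file names come from role
# variables; `command` (not `shell`) is used, so the value is split into
# arguments rather than interpreted by a shell.
- name: Pam_auth_update_pwunix
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwunix_file }}
  changed_when: true

- name: Pam_auth_update_pwfaillock
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_file }}
  changed_when: true

- name: Pam_auth_update_pwfaillock_notify
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_notify_file }}
  changed_when: true

- name: Pam_auth_update_pwquality
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwquality_file }}
  changed_when: true

- name: Pam_auth_update_pwhistory
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwhistory_file }}
  changed_when: true

- name: Auditd rules reload
  # NOTE(review): the operand after `or` is a single-quoted Jinja string
  # literal, not a comparison, so the whole expression appears to be
  # always-truthy and the rules are reloaded whenever this handler is
  # notified, regardless of the immutable check. Confirm the intended
  # variable and rewrite the quoted text as a real `not in` test.
  when:
    - not prelim_auditd_immutable_check or
      '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
  ansible.builtin.command: augenrules --load
  changed_when: true

- name: Audit_immutable_fact
  # NOTE(review): `discovered_audit_rules_updated.changed` is read without an
  # `is defined` guard (the `Restart auditd` handler below does guard it);
  # confirm the register always happens before this handler is notified.
  when:
    - discovered_audit_rules_updated.changed
    - auditd_immutable_check is defined
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
  notify: Set_reboot_required

- name: Restart auditd
  when: discovered_audit_rules_updated is defined
  # Lint is skipped on purpose: the restart goes through the `service`
  # wrapper in a shell rather than the systemd module.
  tags: skip_ansible_lint
  ansible.builtin.shell: service auditd restart

- name: Restart sshd
  ansible.builtin.systemd:
    name: ssh
    state: restarted

# Terminal handler: other handlers notify this one so the play can report
# that a reboot is pending.
- name: Set_reboot_required
  ansible.builtin.set_fact:
    change_requires_reboot: true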