---
- name: Writing the tmp file | tmp_systemd
  # Render the systemd tmp.mount unit when /tmp is a separate mount and the
  # systemd flavour was selected. The loop walks every mount in the facts and
  # the `when` clause narrows it to the /tmp entry.
  # NOTE(review): a changed unit file presumably needs a systemd daemon-reload
  # before the "Remount tmp" handler picks up new options — confirm the
  # notifying task covers that.
  ansible.builtin.template:
    src: etc/systemd/system/tmp.mount.j2
    dest: /etc/systemd/system/tmp.mount
    owner: root
    group: root
    mode: '0644'
  loop: '{{ ansible_facts.mounts }}'
  loop_control:
    label: '{{ item.device }}'
  when:
    - "'/tmp' in mount_names"
    - item.mount == "/tmp"
    - tmp_mnt_type == 'tmp_systemd'
  listen: Writing and remounting tmp
- name: Writing the tmp file | fstab
  # Persist the /tmp entry in fstab when the fstab flavour was selected,
  # reusing the device and filesystem type already reported for the mount
  # and appending the role's hardening options (deduplicated) to `defaults`.
  ansible.posix.mount:
    state: present
    path: /tmp
    src: '{{ item.device }}'
    fstype: '{{ item.fstype }}'
    opts: "defaults,{{ tmp_partition_mount_options | unique | join(',') }}"
  loop: '{{ ansible_facts.mounts }}'
  loop_control:
    label: '{{ item.device }}'
  when:
    - "'/tmp' in mount_names"
    - tmp_mnt_type == 'fstab'
    - item.mount == "/tmp"
  listen: Writing and remounting tmp
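- name: Update_Initramfs
  # Rebuild the running kernel's initramfs after kernel/module configuration
  # changes. No shell features (pipes, redirects, globbing) are used, so the
  # command module is sufficient and avoids spawning a shell.
  ansible.builtin.command: update-initramfs -u
  notify: Set_reboot_required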
- name: Remount tmp
  # Re-apply the options written by the two handlers above. It listens on the
  # same topic, so it runs after them in definition order.
  ansible.posix.mount:
    state: remounted
    path: /tmp
  when: "'/tmp' in mount_names"
  listen: Writing and remounting tmp
# Remount handlers: each re-applies the mount options of one hardened
# filesystem after its fstab entry was changed. Notified by name.
- name: Remount var
  ansible.posix.mount:
    state: remounted
    path: /var
- name: Remount var_tmp
  ansible.posix.mount:
    state: remounted
    path: /var/tmp
- name: Remount var_log
  ansible.posix.mount:
    state: remounted
    path: /var/log
- name: Remount var_log_audit
  ansible.posix.mount:
    state: remounted
    path: /var/log/audit
- name: Remount home
  ansible.posix.mount:
    state: remounted
    path: /home
- name: Remount dev_shm
  # `src` is given here as well, unlike the other remounts; kept as-is.
  ansible.posix.mount:
    state: remounted
    path: /dev/shm
    src: /dev/shm
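- name: Grub update
  # Regenerate grub.cfg from /etc/default/grub. No shell features are used,
  # so the command module is sufficient. Failures are deliberately ignored
  # (best effort); note that a failed update-grub is then only visible in the
  # task output, and because command tasks report changed by default the
  # reboot flag is raised regardless.
  ansible.builtin.command: update-grub
  failed_when: false
  notify: Set_reboot_required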
- name: Restart timeservice
  # Restart whichever time-sync daemon the role was configured to use.
  ansible.builtin.systemd:
    state: restarted
    name: '{{ ubtu24cis_time_sync_tool }}'
- name: Reload systemctl
  # Make systemd re-read unit files after they were added or edited.
  ansible.builtin.systemd:
    daemon_reload: true
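- name: Update dconf
  # Compile dconf keyfiles into the binary database. No shell features are
  # used, so the command module is sufficient. Failure is ignored — presumably
  # because dconf is absent on hosts without a desktop stack; confirm.
  ansible.builtin.command: dconf update
  failed_when: false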
# Service restart handlers, notified by name from the tasks that change the
# corresponding configuration.
- name: Restart postfix
  ansible.builtin.service:
    state: restarted
    name: postfix
- name: Restart syslog service
  # The syslog implementation is a role variable (e.g. rsyslog vs. journald).
  ansible.builtin.systemd:
    state: restarted
    name: '{{ ubtu24cis_syslog_service }}'
- name: Restart journald
  ansible.builtin.systemd:
    state: restarted
    name: systemd-journald
- name: Restart exim4
  ansible.builtin.systemd:
    state: restarted
    name: exim4
- name: Flush ipv4 route table
  # Drop the kernel's cached IPv4 routes so sysctl network changes take effect.
  # Skipped inside docker containers.
  # NOTE(review): ansible.posix.sysctl defaults to state=present, so this
  # write-only key appears to be persisted to the sysctl file as well as set
  # live — confirm that is intended.
  ansible.posix.sysctl:
    name: net.ipv4.route.flush
    value: '1'
    sysctl_set: true
  when:
    - ansible_facts.virtualization_type != "docker"
- name: Flush ipv6 route table
  # Same as above for IPv6; only when the role is told IPv6 is in use.
  ansible.posix.sysctl:
    name: net.ipv6.route.flush
    value: '1'
    sysctl_set: true
  when:
    - ansible_facts.virtualization_type != "docker"
    - ubtu24cis_ipv6_required
- name: Reload ufw
  # Re-read the ufw rule files after they were changed.
  community.general.ufw:
    state: reloaded
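- name: Iptables persistent
  # Persist the live IPv4 ruleset. The save goes to a temp file that is only
  # moved into place after iptables-save succeeded: a plain
  # `iptables-save > rules.v4` truncates the existing file before the command
  # runs, so a failure would leave the host with an empty persisted firewall
  # on the next boot. The EXIT trap removes the temp file on failure.
  # Non-zero rc fails the task by default, so no failed_when is needed.
  ansible.builtin.shell: |
    set -e
    trap 'rm -f /etc/iptables/rules.v4.tmp' EXIT
    iptables-save > /etc/iptables/rules.v4.tmp
    mv -f /etc/iptables/rules.v4.tmp /etc/iptables/rules.v4
  args:
    executable: /bin/bash
  register: ubtu24cis_iptables_save
  changed_when: ubtu24cis_iptables_save.rc == 0
- name: Ip6tables persistent
  # Same pattern for the IPv6 ruleset.
  ansible.builtin.shell: |
    set -e
    trap 'rm -f /etc/iptables/rules.v6.tmp' EXIT
    ip6tables-save > /etc/iptables/rules.v6.tmp
    mv -f /etc/iptables/rules.v6.tmp /etc/iptables/rules.v6
  args:
    executable: /bin/bash
  register: ubtu24cis_ip6tables_save
  changed_when: ubtu24cis_ip6tables_save.rc == 0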
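# pam-auth-update handlers: enable the role-managed PAM profile files.
# The argv form passes each profile name as a single argument without any
# shell, so the variable content is never subject to shell interpretation.
- name: Pam_auth_update_pwunix
  ansible.builtin.command:
    argv:
      - pam-auth-update
      - '--enable'
      - '{{ ubtu24cis_pam_pwunix_file }}'
- name: Pam_auth_update_pwfaillock
  ansible.builtin.command:
    argv:
      - pam-auth-update
      - '--enable'
      - '{{ ubtu24cis_pam_faillock_file }}'
- name: Pam_auth_update_pwfaillock_notify
  ansible.builtin.command:
    argv:
      - pam-auth-update
      - '--enable'
      - '{{ ubtu24cis_pam_faillock_notify_file }}'
- name: Pam_auth_update_pwquality
  ansible.builtin.command:
    argv:
      - pam-auth-update
      - '--enable'
      - '{{ ubtu24cis_pam_pwquality_file }}'
- name: Pam_auth_update_pwhistory
  ansible.builtin.command:
    argv:
      - pam-auth-update
      - '--enable'
      - '{{ ubtu24cis_pam_pwhistory_file }}'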
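- name: Auditd rules reload
  # Load the merged audit rules. No shell features are used, so the command
  # module is sufficient.
  # NOTE(review): the second operand of the `when` is a quoted string literal,
  # which Jinja treats as truthy, so the condition appears to hold whenever it
  # is evaluated at all; the variable reference inside it also does not look
  # like a valid Jinja expression — confirm the intended variable and rewrite
  # the condition without the quotes.
  ansible.builtin.command: augenrules --load
  when:
    - not prelim_auditd_immutable_check or
      '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'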
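- name: Audit_immutable_fact
  # When audit rules changed and the immutable-flag check ran, tell the
  # operator a reboot is required and raise the reboot flag. Guards on
  # `audit_rules_updated is defined` first, matching "Restart auditd", so the
  # handler cannot error out if notified before that result was registered.
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
  when:
    - audit_rules_updated is defined
    - audit_rules_updated.changed
    - auditd_immutable_check is defined
  notify: Set_reboot_required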
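- name: Restart auditd
  # Restart auditd through the service wrapper rather than the systemd module
  # (ansible-lint is silenced for this task). No shell features are used, so
  # the command module is sufficient.
  # NOTE(review): presumably the unit refuses manual stop/restart via
  # systemctl, which is why the wrapper is used — confirm.
  tags:
    - skip_ansible_lint
  ansible.builtin.command: service auditd restart
  when:
    - audit_rules_updated is defined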
- name: Restart sshd
  # Restart the OpenSSH server after sshd_config changes (unit name is `ssh`
  # on Ubuntu).
  ansible.builtin.systemd:
    state: restarted
    name: ssh
- name: Set_reboot_required
  # Record that a change needs a reboot to take effect; other handlers notify
  # this one instead of setting the fact themselves.
  ansible.builtin.set_fact:
    change_requires_reboot: true