271 lines
7.3 KiB
YAML
271 lines
7.3 KiB
YAML
---
|
|
|
|
- name: "Adding options for /tmp"
|
|
when: not ubtu24cis_tmp_svc
|
|
vars:
|
|
mount_point: '/tmp'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
|
|
state: present
|
|
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
|
|
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
|
|
listen: "Remount /tmp"
|
|
|
|
- name: "Remounting /tmp"
|
|
vars:
|
|
mount_point: '/tmp'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
state: remounted
|
|
listen: "Remount /tmp"
|
|
|
|
- name: "Remounting /tmp systemd"
|
|
vars:
|
|
mount_point: '/tmp'
|
|
ansible.builtin.systemd:
|
|
name: tmp.mount
|
|
state: restarted
|
|
daemon_reload: true
|
|
listen: "Remount /tmp"
|
|
|
|
- name: "Adding options for /dev/shm"
|
|
vars:
|
|
mount_point: '/dev/shm'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
|
|
state: present
|
|
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
|
|
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
|
|
listen: "Remount /dev/shm"
|
|
|
|
- name: "Remounting /dev/shm"
|
|
vars:
|
|
mount_point: '/dev/shm'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
state: remounted
|
|
listen: "Remount /dev/shm"
|
|
|
|
- name: "Adding options for /home"
|
|
vars:
|
|
mount_point: '/home'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
|
|
state: present
|
|
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
|
|
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
|
|
listen: "Remount /home"
|
|
|
|
- name: "Remounting /home"
|
|
vars:
|
|
mount_point: '/home'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
state: remounted
|
|
listen: "Remount /home"
|
|
|
|
- name: "Adding options for /var"
|
|
vars:
|
|
mount_point: '/var'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
|
|
state: present
|
|
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
|
|
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
|
|
listen: "Remount /var"
|
|
|
|
- name: "Remounting /var"
|
|
vars:
|
|
mount_point: '/var'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
state: remounted
|
|
listen: "Remount /var"
|
|
|
|
- name: "Adding options for /var/tmp"
|
|
vars:
|
|
mount_point: '/var/tmp'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
|
|
state: present
|
|
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
|
|
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
|
|
listen: "Remount /var/tmp"
|
|
|
|
- name: "Remounting /var/tmp"
|
|
vars:
|
|
mount_point: '/var/tmp'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
state: remounted
|
|
listen: "Remount /var/tmp"
|
|
|
|
- name: "Adding options for /var/log"
|
|
vars:
|
|
mount_point: '/var/log'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
|
|
state: present
|
|
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
|
|
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
|
|
listen: "Remount /var/log"
|
|
|
|
- name: "Remounting /var/log"
|
|
vars:
|
|
mount_point: '/var/log'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
state: remounted
|
|
listen: "Remount /var/log"
|
|
|
|
- name: "Adding options for /var/log/audit"
|
|
vars:
|
|
mount_point: '/var/log/audit'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
src: "{{ mount_point_fs_and_options[mount_point]['src'] }}"
|
|
state: present
|
|
fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}"
|
|
opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
|
|
listen: "Remount /var/log/audit"
|
|
|
|
- name: "Remounting /var/log/audit"
|
|
vars:
|
|
mount_point: '/var/log/audit'
|
|
ansible.posix.mount:
|
|
path: "{{ mount_point }}"
|
|
state: remounted
|
|
listen: "Remount /var/log/audit"
|
|
- name: Update_Initramfs
|
|
ansible.builtin.command: update-initramfs -u
|
|
changed_when: true
|
|
notify: Set_reboot_required
|
|
|
|
- name: Grub update
|
|
ansible.builtin.command: update-grub
|
|
changed_when: true
|
|
failed_when: false
|
|
notify: Set_reboot_required
|
|
|
|
- name: Restart timeservice
|
|
ansible.builtin.systemd:
|
|
name: "{{ ubtu24cis_time_sync_tool }}"
|
|
state: restarted
|
|
|
|
- name: Reload systemctl
|
|
ansible.builtin.systemd:
|
|
daemon_reload: true
|
|
|
|
- name: Update dconf
|
|
ansible.builtin.command: dconf update
|
|
changed_when: true
|
|
failed_when: false
|
|
|
|
- name: Restart postfix
|
|
ansible.builtin.service:
|
|
name: postfix
|
|
state: restarted
|
|
|
|
- name: Restart syslog service
|
|
ansible.builtin.systemd:
|
|
name: "{{ ubtu24cis_syslog_service }}"
|
|
state: restarted
|
|
|
|
- name: Restart journald
|
|
ansible.builtin.systemd:
|
|
name: systemd-journald
|
|
state: restarted
|
|
|
|
- name: Restart exim4
|
|
ansible.builtin.systemd:
|
|
name: exim4
|
|
state: restarted
|
|
|
|
- name: Flush ipv4 route table
|
|
when: ansible_facts.virtualization_type != "docker"
|
|
ansible.posix.sysctl:
|
|
name: net.ipv4.route.flush
|
|
value: '1'
|
|
sysctl_set: true
|
|
|
|
- name: Flush ipv6 route table
|
|
when:
|
|
- ansible_facts.virtualization_type != "docker"
|
|
- ubtu24cis_ipv6_required
|
|
ansible.posix.sysctl:
|
|
name: net.ipv6.route.flush
|
|
value: '1'
|
|
sysctl_set: true
|
|
|
|
- name: Reload ufw
|
|
community.general.ufw:
|
|
state: reloaded
|
|
|
|
- name: Iptables persistent
|
|
ansible.builtin.command: bash -c "iptables-save > /etc/iptables/rules.v4"
|
|
changed_when: true
|
|
|
|
- name: Ip6tables persistent
|
|
ansible.builtin.command: bash -c "ip6tables-save > /etc/iptables/rules.v6"
|
|
changed_when: true
|
|
|
|
- name: Pam_auth_update_pwunix
|
|
ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwunix_file }}
|
|
changed_when: true
|
|
|
|
- name: Pam_auth_update_pwfaillock
|
|
ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_file }}
|
|
changed_when: true
|
|
|
|
- name: Pam_auth_update_pwfaillock_notify
|
|
ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_notify_file }}
|
|
changed_when: true
|
|
|
|
- name: Pam_auth_update_pwquality
|
|
ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwquality_file }}
|
|
changed_when: true
|
|
|
|
- name: Pam_auth_update_pwhistory
|
|
ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwhistory_file }}
|
|
changed_when: true
|
|
|
|
- name: Auditd rules reload
|
|
when:
|
|
- not prelim_auditd_immutable_check or
|
|
'"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
|
|
ansible.builtin.command: augenrules --load
|
|
changed_when: true
|
|
|
|
- name: Audit_immutable_fact
|
|
when:
|
|
- discovered_audit_rules_updated.changed
|
|
- auditd_immutable_check is defined
|
|
ansible.builtin.debug:
|
|
msg: "Reboot required for auditd to apply new rules as immutable set"
|
|
notify: Set_reboot_required
|
|
|
|
- name: Stop auditd process
|
|
ansible.builtin.shell: systemctl kill auditd
|
|
listen: Restart auditd
|
|
|
|
- name: Start auditd process
|
|
ansible.builtin.systemd_service:
|
|
name: auditd
|
|
state: started
|
|
listen: Restart auditd
|
|
|
|
- name: Restart sshd
|
|
ansible.builtin.systemd:
|
|
name: ssh
|
|
state: restarted
|
|
|
|
- name: Set_reboot_required
|
|
ansible.builtin.set_fact:
|
|
change_requires_reboot: true
|