UBUNTU24-CIS/tasks/section_1/cis_1.1.2.1.x.yml


---
- name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition"
  # Audit-only control. A dedicated /tmp mount is the precondition for the
  # nodev/nosuid/noexec hardening in 1.1.2.1.2-4 (those tasks are gated on
  # required_mount being in mount_names); when it is absent the role can only
  # raise a warning, since re-partitioning is left as a manual task.
  vars:
    warn_control_id: "1.1.2.1.1"
    required_mount: "/tmp"
  # mount_names is expected to be populated earlier in the role (prelim) — not visible here.
  when:
    - required_mount not in mount_names
    - ubtu24cis_rule_1_1_2_1_1
  tags:
    - level1-server
    - level1-workstation
    - audit
    - mounts
    - rule_1.1.2.1.1
    - NIST800-53R5_CM-7
    - tmp
  block:
    - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent"
      ansible.builtin.debug:
        msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

    - name: "1.1.2.1.1 | WARN | Ensure /tmp is a separate partition | warn_count"
      # presumably consumes warn_control_id from the vars above; verify in warning_facts.yml
      ansible.builtin.import_tasks:
        file: warning_facts.yml
- name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
  # nodev stops device nodes on a world-writable mount from being honoured.
  # This task only accumulates the option in a fact; the handler below is
  # what writes the mount entry and remounts.
  vars:
    required_mount: "/tmp"
  # Only applies when /tmp really is a separate mount (see 1.1.2.1.1).
  when:
    - required_mount in mount_names
    - ubtu24cis_rule_1_1_2_1_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - mounts
    - rule_1.1.2.1.2
    - NIST800-53R5_CM-7
    - tmp
  # NOTE(review): the option is appended unconditionally and the task always
  # reports changed; if tmp_partition_mount_options is seeded from the live
  # mount options, repeated runs would duplicate 'nodev' — confirm where the
  # fact is initialised.
  ansible.builtin.set_fact:
    tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nodev'] }}"
  changed_when: true
  notify: Writing and remounting tmp
- name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition"
  # nosuid makes setuid/setgid bits on files under /tmp ineffective, so a
  # binary dropped there cannot be used for privilege escalation.
  # This task only accumulates the option in a fact; the handler below is
  # what writes the mount entry and remounts.
  vars:
    required_mount: "/tmp"
  # Only applies when /tmp really is a separate mount (see 1.1.2.1.1).
  when:
    - required_mount in mount_names
    - ubtu24cis_rule_1_1_2_1_3
  tags:
    - level1-server
    - level1-workstation
    - patch
    - mounts
    - rule_1.1.2.1.3
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
    - tmp
  # NOTE(review): the option is appended unconditionally and the task always
  # reports changed; if tmp_partition_mount_options is seeded from the live
  # mount options, repeated runs would duplicate 'nosuid' — confirm where the
  # fact is initialised.
  ansible.builtin.set_fact:
    tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nosuid'] }}"
  changed_when: true
  notify: Writing and remounting tmp
- name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition"
  # noexec prevents direct execution of binaries staged in /tmp, a common
  # drop location for downloaded payloads.
  # This task only accumulates the option in a fact; the handler below is
  # what writes the mount entry and remounts.
  vars:
    required_mount: "/tmp"
  # Only applies when /tmp really is a separate mount (see 1.1.2.1.1).
  when:
    - required_mount in mount_names
    - ubtu24cis_rule_1_1_2_1_4
  tags:
    - level1-server
    - level1-workstation
    - patch
    - mounts
    - rule_1.1.2.1.4
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
    - tmp
  # NOTE(review): the option is appended unconditionally and the task always
  # reports changed; if tmp_partition_mount_options is seeded from the live
  # mount options, repeated runs would duplicate 'noexec' — confirm where the
  # fact is initialised.
  ansible.builtin.set_fact:
    tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['noexec'] }}"
  changed_when: true
  notify: Writing and remounting tmp