Rewriting tasks for rule 1.1.2.x according to this issue: https://cod…

…e.siemens.com/cybersecurity/automated_hardening_tech/scapolite/python-libscapolite/libscapolite-automation-unix/-/issues/107 Signed-off-by: Diana-Maria Dumitru <[email protected]>
ansible-lockdown · Jan 29, 2024 · 05c2a5a · 05c2a5a
1 parent 6328cf2
commit 05c2a5a
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 52 deletions.
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,9 +1,43 @@
 ---
+- name: Writing the tmp file | tmp_systemd
+  ansible.builtin.template:
+      src: etc/systemd/system/tmp.mount.j2
+      dest: /etc/systemd/system/tmp.mount
+      owner: root
+      group: root
+      mode: '0644'
+  with_items:
+      - "{{ ansible_facts.mounts }}"
+  loop_control:
+      label: "{{ item.device }}"
+  when:
+      - "'/tmp' in mount_names"
+      - item.mount == "/tmp"
+      - tmp_mnt_type == 'tmp_systemd'
+  listen: Writing and remounting tmp
+
+- name: Writing the tmp file | fstab
+  ansible.posix.mount:
+      path: /tmp
+      src: "{{ item.device }}"
+      state: present
+      fstype: "{{ item.fstype }}"
+      opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }}
+  with_items:
+      - "{{ ansible_facts.mounts }}"
+  loop_control:
+      label: "{{ item.device }}"
+  when:
+      - "'/tmp' in mount_names"
+      - tmp_mnt_type == 'fstab'
+      - item.mount == "/tmp" 
+  listen: Writing and remounting tmp 
 
 - name: Remount tmp
   ansible.posix.mount:
       path: /tmp
       state: remounted
+  listen: Writing and remounting tmp
 
 - name: Remount var
   ansible.posix.mount:

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -59,6 +59,23 @@
   tags:
       - always
 
+- name: Initialize the mount options variable
+  block:
+       - name: Initializing the var if there is no /tmp mount
+         ansible.builtin.set_fact:
+           tmp_partition_mount_options: []
+         when: "'/tmp' not in mount_names"
+
+       - name: Initializing the var if there is a /tmp mount            
+         ansible.builtin.set_fact:
+           tmp_partition_mount_options: "{{ item.options }}"
+         loop: "{{ ansible_facts.mounts }}"
+         when: 
+             - item.mount == "/tmp"
+             - "'/tmp' in mount_names"
+  tags:
+      -always
+
 - name: "PRELIM | Run apt update"
   ansible.builtin.package:
       update_cache: true

diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml
@@ -23,68 +23,41 @@
       - rule_1.1.2.1
       - tmp
 
-- name: |
-    "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition | tmp_systemd"
-    "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition | tmp_systemd"
-    "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition | tmp_systemd"
-  ansible.builtin.template:
-      src: etc/systemd/system/tmp.mount.j2
-      dest: /etc/systemd/system/tmp.mount
-      owner: root
-      group: root
-      mode: '0644'
-  notify: Remount tmp
-  with_items:
-      - "{{ ansible_facts.mounts }}"
-  loop_control:
-      label: "{{ item.device }}"
-  when:
-      - "'/tmp' in mount_names"
-      - item.mount == "/tmp"
-      - tmp_mnt_type == 'tmp_systemd'
-      - ubtu22cis_rule_1_1_2_2 or
-        ubtu22cis_rule_1_1_2_3 or
-        ubtu22cis_rule_1_1_2_4
-  tags:
+- name: "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition"
+  ansible.builtin.set_fact:
+    tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}"
+  notify: Writing and remounting tmp
+  when: ubtu22cis_rule_1_1_2_2 
+  tags: 
       - level1-server
       - level1-workstation
       - automated
       - patch
       - rule_1.1.2.2
-      - rule_1.1.2.3
-      - rule_1.1.2.4
       - tmp
 
-- name: |
-    "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition | fstab"
-    "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition | fstab"
-    "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition | fstab"
-  ansible.posix.mount:
-      path: /tmp
-      src: "{{ item.device }}"
-      state: present
-      fstype: "{{ item.fstype }}"
-      opts: defaults,{% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %}
-  notify: remount tmp
-  with_items:
-      - "{{ ansible_facts.mounts }}"
-  loop_control:
-      label: "{{ item.device }}"
-  when:
-      - "'/tmp' in mount_names"
-      - tmp_mnt_type == 'fstab'
-      - item.mount == "/tmp"
-      - ubtu22cis_rule_1_1_2_1 or
-        ubtu22cis_rule_1_1_2_2 or
-        ubtu22cis_rule_1_1_2_3 or
-        ubtu22cis_rule_1_1_2_4
-  tags:
+- name: "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition"
+  ansible.builtin.set_fact:
+    tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}"
+  notify: Writing and remounting tmp
+  when: ubtu22cis_rule_1_1_2_3 
+  tags: 
       - level1-server
       - level1-workstation
       - automated
       - patch
-      - rule_1.1.2.2
-      - rule_1.1.2.2
       - rule_1.1.2.3
+      - tmp
+
+- name: "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition"
+  ansible.builtin.set_fact:
+    tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}"
+  notify: Writing and remounting tmp
+  when: ubtu22cis_rule_1_1_2_4 
+  tags: 
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
       - rule_1.1.2.4
       - tmp
diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2
@@ -10,7 +10,7 @@ After=swap.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options: {% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %}
+Options: {{ tmp_partition_mount_options | unique | join(',') }}
 
 [Install]
 WantedBy=local-fs.target