Fixing issue infosec-pss-gov/security-crafter-baseline-automations/an…

…sible-lockdown#38 by "blacklisting" the necessary modules along making them not loadable. Also, fixing the regexp for rule 1.1.10 so that the Ansible module modifies the needed file correctly. Signed-off-by: Diana-Maria Dumitru <[email protected]>
ipruteanu-sie · Aug 25, 2023 · 5bf80d7 · 5bf80d7
1 parent 41ac171
commit 5bf80d7
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 7 deletions.
diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml
@@ -1,17 +1,19 @@
 ---
-
 - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled"
   block:
       - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config"
         ansible.builtin.lineinfile:
             dest: /etc/modprobe.d/cramfs.conf
             regexp: '^(#)?install cramfs(\\s|$)'
-            line: install cramfs /bin/false
+            line: "{{ item }}"
             create: true
+        loop:
+            - install cramfs /bin/true
+            - blacklist cramfs
 
       - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
         community.general.modprobe:
-            name: cramfs
+            name: "cramfs"
             state: absent
         when: ansible_connection != 'docker'
   when:
@@ -30,8 +32,11 @@
         ansible.builtin.lineinfile:
             dest: /etc/modprobe.d/squashfs.conf
             regexp: '^(#)?install squashfs(\\s|$)'
-            line: install squashfs /bin/false
+            line: "{{ item }}"
             create: true
+        loop:
+            - install squashfs /bin/false
+            - blacklist squashfs
 
       - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
         community.general.modprobe:
@@ -55,8 +60,11 @@
         ansible.builtin.lineinfile:
             dest: /etc/modprobe.d/udf.conf
             regexp: '^(#)?install udf(\\s|$)'
-            line: install udf /bin/true
+            line: "{{ item }}"
             create: true
+        loop:
+            - install udf /bin/true
+            - blacklist udf
 
       - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf"
         community.general.modprobe:

diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml
@@ -5,9 +5,12 @@
       - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config"
         ansible.builtin.lineinfile:
             path: /etc/modprobe.d/usb_storage.conf
-            regexp: '^install usb-storage'
-            line: 'install usb-storage /bin/true'
+            regexp: '^(#)?install usb-storage(\\s|$)'
+            line: "{{ item }}"
             create: true
+        loop:
+            - install usb-storage /bin/true
+            - blacklist usb-storage
 
       - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module"
         community.general.modprobe: