From 5bf80d7815633110504a4d27a4fcde1fb382e528 Mon Sep 17 00:00:00 2001
From: Diana-Maria Dumitru
Date: Fri, 25 Aug 2023 07:46:12 +0300
Subject: [PATCH] Fixing issue infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis#38 by "blacklisting" the necessary modules along making them not loadable. Also, fixing the regexp for rule 1.1.10 so that the Ansible module modifies the needed file correctly.

Signed-off-by: Diana-Maria Dumitru
---
 tasks/section_1/cis_1.1.1.x.yml | 18 +++++++++++++-----
 tasks/section_1/cis_1.1.10.yml  |  7 +++++--
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml
index d2613055..c021417f 100644
--- a/tasks/section_1/cis_1.1.1.x.yml
+++ b/tasks/section_1/cis_1.1.1.x.yml
@@ -1,17 +1,19 @@
 ---
-
 - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled"
   block:
     - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config"
       ansible.builtin.lineinfile:
         dest: /etc/modprobe.d/cramfs.conf
         regexp: '^(#)?install cramfs(\\s|$)'
-        line: install cramfs /bin/false
+        line: "{{ item }}"
         create: true
+      loop:
+        - install cramfs /bin/true
+        - blacklist cramfs
 
     - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
       community.general.modprobe:
-        name: cramfs
+        name: "cramfs"
         state: absent
       when: ansible_connection != 'docker'
   when:
@@ -30,8 +32,11 @@
       ansible.builtin.lineinfile:
         dest: /etc/modprobe.d/squashfs.conf
         regexp: '^(#)?install squashfs(\\s|$)'
-        line: install squashfs /bin/false
+        line: "{{ item }}"
         create: true
+      loop:
+        - install squashfs /bin/false
+        - blacklist squashfs
 
     - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
       community.general.modprobe:
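Review bot: Both loop items are written through the same `regexp`, so on the second iteration lineinfile searches for the `install cramfs` line again and, if the pattern matches the line the first iteration just wrote, replaces it with `blacklist cramfs`; the `install` directive, which is the part that stops an explicit `modprobe cramfs`, would then be gone. Today that match probably fails by accident: inside a single-quoted YAML scalar `\\s` is not an escape, so the regex engine receives a literal backslash followed by `s` rather than a whitespace class, and the outcome depends on lineinfile's exact-line fallback rather than on the pattern. Give each item its own regexp by looping over mappings, as below. The squashfs, udf and usb-storage hunks have the same structure and need the same change.
```yaml
- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config"
  ansible.builtin.lineinfile:
    dest: /etc/modprobe.d/cramfs.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    create: true
  loop:
    - regexp: '^(#)?install cramfs(\s|$)'
      line: 'install cramfs /bin/true'
    - regexp: '^(#)?blacklist cramfs(\s|$)'
      line: 'blacklist cramfs'
# … unchanged: Disable cramfs task …
```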
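Review bot: The squashfs loop item keeps `install squashfs /bin/false`, whereas the cramfs item in the first hunk was switched to `/bin/true` and the udf and usb-storage items also use `/bin/true`, so the four rules now disagree. Either target prevents loading, because modprobe runs the `install` command in place of inserting the module, but `/bin/false` additionally makes an explicit `modprobe squashfs` exit non-zero, which is visible to whoever runs it and appears to be the form the CIS remediation text uses. Settle on one target for all four files; if `/bin/false` is kept, the cramfs change to `/bin/true` in this commit should be reverted.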
@@ -55,8 +60,11 @@
       ansible.builtin.lineinfile:
         dest: /etc/modprobe.d/udf.conf
         regexp: '^(#)?install udf(\\s|$)'
-        line: install udf /bin/true
+        line: "{{ item }}"
         create: true
+      loop:
+        - install udf /bin/true
+        - blacklist udf
 
     - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf"
       community.general.modprobe:
diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml
index 074470be..92434549 100644
--- a/tasks/section_1/cis_1.1.10.yml
+++ b/tasks/section_1/cis_1.1.10.yml
@@ -5,9 +5,12 @@
     - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config"
       ansible.builtin.lineinfile:
         path: /etc/modprobe.d/usb_storage.conf
-        regexp: '^install usb-storage'
-        line: 'install usb-storage /bin/true'
+        regexp: '^(#)?install usb-storage(\\s|$)'
+        line: "{{ item }}"
         create: true
+      loop:
+        - install usb-storage /bin/true
+        - blacklist usb-storage
 
     - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module"
       community.general.modprobe:
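Review bot: The new `regexp: '^(#)?install usb-storage(\\s|$)'` is single-quoted, so YAML passes the two backslashes through unchanged and the regex engine sees `\\s`, a literal backslash followed by `s`, not a whitespace class; the pattern therefore matches `install usb-storage` only at end of line and never the `install usb-storage /bin/true` form this task writes. The earlier `'^install usb-storage'` did not have this problem, so the commit makes the match narrower rather than fixing it. Use `regexp: '^(#)?install usb-storage(\s|$)'`. The cramfs, squashfs and udf regexps in the other file carry the same double backslash, but those lines are unchanged here.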