CIS role split and permission safety

2025-12-27 22:27:26 +01:00
parent f62dba3ed6
commit dda1287f23
9 changed files with 261 additions and 249 deletions
--- a/roles/cis/tasks/modules.yml
+++ b/roles/cis/tasks/modules.yml
@@ -0,0 +1,38 @@
+---
+- name: Disable Kernel Modules
+  ansible.builtin.copy:
+    dest: /mnt/etc/modprobe.d/cis.conf
+    mode: "0644"
+    content: |
+      # CIS LVL 3 Restrictions
+      install freevxfs        /bin/false
+      install jffs2           /bin/false
+      install hfs             /bin/false
+      install hfsplus         /bin/false
+      install cramfs          /bin/false
+      install squashfs        /bin/false
+      install udf             /bin/false
+      install usb-storage     /bin/false
+      install dccp            /bin/false
+      install sctp            /bin/false
+      install rds             /bin/false
+      install tipc            /bin/false
+
+- name: Remove legacy USB rules file
+  ansible.builtin.file:
+    path: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
+    state: absent
+
+- name: Create USB rules
+  ansible.builtin.copy:
+    dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.rules
+    mode: "0644"
+    content: |
+      # By default, disable all.
+      ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
+      # Enable hub devices.
+      ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
+      # Enable keyboard devices.
+      ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
+      # PS2-USB converter.
+      ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"