fix(cis): skip squashfs blacklist on Ubuntu to preserve snap functionality
@@ -1,23 +1,28 @@
|
|||||||
---
|
---
|
||||||
- name: Disable Kernel Modules
|
- name: Disable Kernel Modules
|
||||||
|
vars:
|
||||||
|
cis_modules_base:
|
||||||
|
- freevxfs
|
||||||
|
- jffs2
|
||||||
|
- hfs
|
||||||
|
- hfsplus
|
||||||
|
- cramfs
|
||||||
|
- udf
|
||||||
|
- usb-storage
|
||||||
|
- dccp
|
||||||
|
- sctp
|
||||||
|
- rds
|
||||||
|
- tipc
|
||||||
|
cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
|
||||||
|
cis_modules_all: "{{ cis_modules_base + cis_modules_squashfs }}"
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
dest: /mnt/etc/modprobe.d/cis.conf
|
dest: /mnt/etc/modprobe.d/cis.conf
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
content: |
|
content: |
|
||||||
# CIS LVL 3 Restrictions
|
# CIS LVL 3 Restrictions
|
||||||
install freevxfs /bin/false
|
{% for mod in cis_modules_all %}
|
||||||
install jffs2 /bin/false
|
install {{ mod }}{{ ' ' * (16 - mod | length) }}/bin/false
|
||||||
install hfs /bin/false
|
{% endfor %}
|
||||||
install hfsplus /bin/false
|
|
||||||
install cramfs /bin/false
|
|
||||||
# Note: disabling squashfs breaks snap (Ubuntu). Remove for snap-dependent hosts.
|
|
||||||
install squashfs /bin/false
|
|
||||||
install udf /bin/false
|
|
||||||
install usb-storage /bin/false
|
|
||||||
install dccp /bin/false
|
|
||||||
install sctp /bin/false
|
|
||||||
install rds /bin/false
|
|
||||||
install tipc /bin/false
|
|
||||||
|
|
||||||
- name: Remove old USB rules file
|
- name: Remove old USB rules file
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
|
|||||||
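Review bot: The padding expression on the generated install line, `' ' * (16 - mod | length)`, yields an empty string for any module name of 16 or more characters, so such an entry would render as `install <name>/bin/false` with no separator and modprobe would not block that module; none of the current names is that long, but every entry now comes from `cis_modules_base`, so a future addition would weaken the control without any error. A fixed separator avoids this: `install {{ mod }} /bin/false`, or `install {{ '%-16s' | format(mod) }} /bin/false` if the column alignment is wanted. The removed inline note about squashfs and snap no longer reaches the rendered file, so an auditor reading `/mnt/etc/modprobe.d/cis.conf` on an Ubuntu host cannot tell the omission is deliberate; consider emitting `{% if 'squashfs' not in cis_modules_all %}# squashfs intentionally left enabled: required by snap on Ubuntu{% endif %}` after the loop. The `os` variable that the `cis_modules_squashfs` conditional keys on is defined outside this hunk, so whether `'ubuntu'` and `'ubuntu-lts'` are its only Ubuntu values cannot be confirmed here.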