fix(cis): skip squashfs blacklist on Ubuntu to preserve snap functionality

2026-02-21 00:38:47 +01:00
parent 40a9ee9882
commit fbd57e0603
1 changed files with 18 additions and 13 deletions
--- a/roles/cis/tasks/modules.yml
+++ b/roles/cis/tasks/modules.yml
@@ -1,23 +1,28 @@
 ---
 - name: Disable Kernel Modules
+  vars:
+    cis_modules_base:
+      - freevxfs
+      - jffs2
+      - hfs
+      - hfsplus
+      - cramfs
+      - udf
+      - usb-storage
+      - dccp
+      - sctp
+      - rds
+      - tipc
+    cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
+    cis_modules_all: "{{ cis_modules_base + cis_modules_squashfs }}"
  ansible.builtin.copy:
    dest: /mnt/etc/modprobe.d/cis.conf
    mode: "0644"
    content: |
      # CIS LVL 3 Restrictions
-      install freevxfs        /bin/false
-      install jffs2           /bin/false
-      install hfs             /bin/false
-      install hfsplus         /bin/false
-      install cramfs          /bin/false
-      # Note: disabling squashfs breaks snap (Ubuntu). Remove for snap-dependent hosts.
-      install squashfs        /bin/false
-      install udf             /bin/false
-      install usb-storage     /bin/false
-      install dccp            /bin/false
-      install sctp            /bin/false
-      install rds             /bin/false
-      install tipc            /bin/false
+      {% for mod in cis_modules_all %}
+      install {{ mod }}{{ ' ' * (16 - mod | length) }}/bin/false
+      {% endfor %}

 - name: Remove old USB rules file
  ansible.builtin.file: