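---
# Hardening tasks that write a modprobe.d policy and a udev USB
# authorization policy. All paths are under /mnt, presumably the mounted
# root of the system being provisioned - confirm against the calling play.

# Each `install <module> /bin/false` line makes modprobe run /bin/false
# instead of loading that module. This only governs loads that go through
# modprobe: a module that is already loaded stays loaded until it is
# removed or the system is rebooted.
# owner/group are pinned so the policy file ends up root-owned even if a
# file with different ownership already exists at dest.
# NOTE(review): squashfs is needed by snap packages and by some live or
# installer images; confirm nothing on the target depends on it.
- name: Disable Kernel Modules
  ansible.builtin.copy:
    dest: /mnt/etc/modprobe.d/cis.conf
    owner: root
    group: root
    mode: "0644"
    content: |
      # CIS LVL 3 Restrictions
      install freevxfs /bin/false
      install jffs2 /bin/false
      install hfs /bin/false
      install hfsplus /bin/false
      install cramfs /bin/false
      install squashfs /bin/false
      install udf /bin/false
      install usb-storage /bin/false
      install dccp /bin/false
      install sctp /bin/false
      install rds /bin/false
      install tipc /bin/false

# Deletes the file that previously carried the `.sh` suffix in rules.d.
# Presumably udev ignored it because of that suffix, and the `.rules`
# file written by the next task replaces it - verify.
- name: Remove legacy USB rules file
  ansible.builtin.file:
    path: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
    state: absent

# Default-deny USB policy: the first rule sets authorized_default to 0 on
# anything exposing that attribute, so devices attached afterwards start
# deauthorized; the remaining rules re-authorize hubs (class 09) and
# devices whose product string matches.
# NOTE(review): devices enumerated before udev processes this file are not
# covered; if boot-time coverage matters, also set the kernel parameter
# usbcore.authorized_default=0.
# NOTE(review): ATTR{product} is a descriptive string reported by the
# device itself, so the keyboard and "Thinnet TM" rules are a convenience
# allow-list, not device authentication. Pinning authorization to specific
# ports or using a USBGuard policy is stricter.
- name: Create USB rules
  ansible.builtin.copy:
    dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.rules
    owner: root
    group: root
    mode: "0644"
    content: |
      # By default, disable all.
      ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
      # Enable hub devices.
      ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
      # Enable keyboard devices.
      ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
      # PS2-USB converter.
      ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"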