---
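# Block kernel modules that CIS treats as unneeded attack surface (legacy
# filesystems, uncommon network protocols, USB mass storage). The file is
# written under /mnt, i.e. into a mounted target tree rather than the host.
- name: Disable Kernel Modules
  vars:
    # Modules disabled on every distribution.
    cis_modules_base:
      - freevxfs
      - jffs2
      - hfs
      - hfsplus
      - cramfs
      - udf
      - usb-storage
      - dccp
      - sctp
      - rds
      - tipc
    # `os` comes from outside this task (inventory/role vars). squashfs stays
    # enabled on Ubuntu — presumably because snaps are squashfs images; confirm
    # against the target's snapd usage before changing the list.
    cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
    cis_modules_all: "{{ cis_modules_base + cis_modules_squashfs }}"
  ansible.builtin.copy:
    dest: /mnt/etc/modprobe.d/cis.conf
    mode: "0644"
    # `install <mod> /bin/false` stops an explicit modprobe; `blacklist <mod>`
    # additionally stops alias-driven autoload (mount, hotplug). CIS asks for
    # both lines per module.
    # The module name is left-justified to 15 columns and always followed by
    # one literal space, so a name longer than the pad width can never run
    # into the command (the earlier `' ' * (16 - mod | length)` expanded to
    # "" for such names and would have emitted `install <mod>/bin/false`).
    content: |
      # CIS LVL 3 Restrictions
      {% for mod in cis_modules_all %}
      install {{ '%-15s' | format(mod) }} /bin/false
      blacklist {{ mod }}
      {% endfor %}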
# Clean up the superseded USB rules file (same stem as the .rules file created
# below, but with a .sh suffix — presumably an earlier revision of this role)
# so that only the current rules file remains in rules.d.
- name: Remove old USB rules file
  ansible.builtin.file:
    state: absent
    path: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
# Deny-by-default USB authorization with a small allow-list: new USB
# controllers get authorized_default=0, then hubs, keyboards and one named
# PS/2 converter are re-authorized individually.
# NOTE(review): the keyboard and converter rules match on ATTR{product}, a
# string reported by the device itself, so the allow-list is a usability
# filter rather than a strong control; pairing those rules with
# ATTRS{idVendor}/ATTRS{idProduct} would tighten it. The expected IDs are not
# recorded in this file — confirm them against the hardware inventory first.
- name: Create USB rules
  ansible.builtin.copy:
    dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.rules
    mode: "0644"
    # Everything under `content` is written verbatim as udev rules; the `#`
    # lines inside are udev comments that end up in the target file.
    content: |
      # By default, disable all.
      ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
      # Enable hub devices.
      ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
      # Enable keyboard devices.
      ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
      # PS2-USB converter.
      ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"