Merge pull request #18 from danielkubat/harden

Use template to generate modprobe settings
2024-09-28 23:04:10 +00:00 · 2020-12-11 18:16:09 -07:00 · 2020-12-11 18:16:09 -07:00 · 3f85cb863a
commit 3f85cb863a
parent 1f20af2331 10f14194fe
2 changed files with 9 additions and 8 deletions
--- a/ansible/playbooks/tasks/harden.yml
+++ b/ansible/playbooks/tasks/harden.yml
@ -175,7 +175,7 @@
        dest: "/etc/audit/rules.d/collection.rules"
        owner: root
        group: root
-        mode: '600'
+        mode: '0600'
        backup: true
      notify:
        - regenerate_auditd_rules
@ -207,15 +207,12 @@
        - efi

    - name: disable unused filesystems
-      lineinfile:
+      template:
+        src: "etc/modprobe.d/cis.conf.j2"
        dest: "/etc/modprobe.d/cis.conf"
-        owner: root
-        group: root
+        owner: 'root'
+        group: 'root'
        mode: '0644'
-        line: "install {{ item }} /bin/true"
-        state: present
-        create: true
-      with_items: "{{ modprobe_unused_filesystems }}"
      tags:
        - harden

--- a/ansible/playbooks/templates/etc/modprobe.d/cis.conf.j2
+++ b/ansible/playbooks/templates/etc/modprobe.d/cis.conf.j2
@ -0,0 +1,4 @@
+# Generated by Ansible
+{% for fs in modprobe_unused_filesystems %}
+install {{ fs }} /bin/true
+{% endfor %}