update taks for ubuntu 20.04lts and create new handler for daemon reload

.travis.yml

@@ -7,7 +7,7 @@ before_install:
   - sudo apt-get -qq update
   - sudo apt-get install -o Dpkg::Options::="--force-confold" --force-yes -y docker-ce
 install:
-  - pip install ansible[azure] molecule docker-py
+  - pip install ansible[azure]==2.8.5 molecule==2.22 docker-py
 script:
   - make setup
   - molecule test --all

files/etc/modprobe.d/cis-section_01_level1.conf

@@ -3,3 +3,5 @@ install freevxfs /bin/false
 install hfs /bin/false
 install hfsplus /bin/false
 install jffs2 /bin/false
+install usb-storage /bin/true
+install udf /bin/true

files/etc/systemd/system/tmp.mount

@@ -0,0 +1,28 @@
+#SPDX-License-Identifier: LGPL-2.1+
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Temporary Directory (/tmp)
+Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
+Documentation=man:file-hierarchy(7)
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+ConditionPathIsSymbolicLink=!/tmp
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=swap.target
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=mode=1777,strictatime,nosuid,nodev,noexecv,
+
+[Install]
+WantedBy=local-fs.target

handlers/main.yml

@@ -20,3 +20,9 @@
     state: restarted
     enabled: true
   listen: "restart openntpd"
+
+- name: ensure daemon reload
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: daemon_reload
+  listen: "daemon_reload"

tasks/section_01_level1.yml

@@ -55,3 +55,97 @@
     - 99-cis-section-01-level1.conf
   notify: "restart sysctl"
   tags: section01
+
+- name: ensure /tmp is configured
+  lineinfile:
+    path: /etc/default/grub
+    regexp: '^GRUB_CMDLINE_LINUX='
+    line: GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"
+  tags: section01
+
+- name: ensure restart grub
+  shell: update-grub
+  tags: section01
+
+- name: ensure /tmp is configured (Automated)
+  blockinfile:
+    dest: /etc/fstab
+    marker: "#Ensure nodev option set on /dev/shm partition"
+    content: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0
+  notify: "restart sysctl"
+  tags: section01
+
+- name: ensure permissions on bootloader config are configured
+  shell: chown root:root /boot/grub/grub.cfg
+  tags: section01
+
+- name: ensure permissions on bootloader config are configured
+  shell: chmod og-rwx /boot/grub/grub.cfg
+  tags: section01
+
+- name:
+  shell: cp -v /usr/share/systemd/tmp.mount /etc/systemd/system/
+  tags: section01
+
+- name: ensure SELinux is set to enforcing mode
+  lineinfile:
+    path: /etc/systemd/system/tmp.mount
+    regexp: '^Options='
+    line: Options=mode=1777,strictatime,nosuid,nodev,noexec
+  tags: section01
+
+- name: ensure sticky bit is set on all world-writable directories
+  shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}'
+  notify: "daemon_reload"
+  tags: secition01
+
+- name: Ensure nodev option set on /dev/shm partition 1/2
+  blockinfile:
+    path: /etc/fstab
+    marker: "#Ensure nodev option set on /dev/shm partition"
+    content: "tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
+  notify: "restart sysctl"
+  tags: section01
+
+- name: Ensure nodev option set on /tmp partition 2/2
+  mount:
+    path: /tmp
+    state: unmounted
+  tags: section01
+
+- name: Ensure nodev option set on /dev/shm partition 2/2
+  mount:
+    path: /dev/shm
+    state: unmounted
+  tags: section01
+
+- name: Ensure updates, patches, and additional security software are installed
+  apt:
+    upgrade: dist
+  tags: section01
+
+- name: Ensure AppArmor is enabled in the bootloader configuration
+  shell: update-grub
+  tags: section01
+
+- name: Ensure permissions on bootloader config are configured 1/2
+  file:
+    path: /boot/grub/grub.cfg
+    owner: root
+    group: root
+  tags: section01
+
+- name: Ensure permissions on bootloader config are configured 2/2
+  file:
+    path: /boot/grub/grub.cfg
+    state: touch
+    mode: og-rwx
+  tags: section01
+
+- name: Ensure sudo log file exists (Automated)
+  blockinfile:
+    dest: /etc/sudoers.d/90-cloud-init-users
+    marker: "#Ensure sudo log file exists (Automated) - lvl01"
+    content: 'Defaults    logfile="/var/log/sudo.log"'
+    backup: false
+  tags: section01