Merge pull request #492 from konstruktoid/modules

merge kernel module tasks
konstruktoid · Jan 16, 2024 · 2ce8406 · 2ce8406
2 parents 8e4c376 + 0a0ce77
commit 2ce8406
Show file tree

Hide file tree

Showing 6 changed files with 80 additions and 85 deletions.
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -803,7 +803,7 @@
         PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
       ansible.builtin.shell: |
         set -o pipefail
-        grep 'install {{ item }} /bin/true' /etc/modprobe.d/blockblacklisted.conf
+        grep 'install {{ item }} /bin/true' /etc/modprobe.d/blacklist-blocked.conf
       args:
         executable: /bin/bash
       register: modprobe_blockblacklisted

diff --git a/tasks/disablefs.yml b/tasks/disablefs.yml
diff --git a/tasks/disablemod.yml → tasks/disablemodules.yml b/tasks/disablemod.yml → tasks/disablemodules.yml
@@ -1,26 +1,4 @@
 ---
-- name: Disable misc kernel modules
-  become: true
-  ansible.builtin.lineinfile:
-    dest: /etc/modprobe.d/disablemod.conf
-    line: install {{ item }} /bin/true
-    mode: "0644"
-    owner: root
-    group: root
-    state: present
-    create: true
-  with_items:
-    - "{{ misc_modules_blocklist }}"
-  tags:
-    - modprobe
-    - CCE-80832-9
-    - CCE-82005-0
-    - CCE-82059-7
-    - CIS-UBUNTU2004-1.1.24
-    - M1034
-    - M1038
-    - M1042
-
 - name: Stat blacklisted kernel modules
   environment:
     PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
@@ -33,7 +11,6 @@
   changed_when: false
   failed_when: modprobe_blacklist.rc != 0
   register: modprobe_blacklist
-  when: block_blacklisted | bool
   tags:
     - modprobe
     - M1034
@@ -43,7 +20,7 @@
 - name: Block blacklisted kernel modules
   become: true
   ansible.builtin.lineinfile:
-    dest: /etc/modprobe.d/blockblacklisted.conf
+    dest: /etc/modprobe.d/blacklist-blocked.conf
     line: install {{ item }} /bin/true
     mode: "0644"
     owner: root
@@ -52,7 +29,6 @@
     create: true
   with_items:
     - "{{ modprobe_blacklist.stdout_lines | sort }}"
-  when: block_blacklisted | bool
   tags:
     - modprobe
     - M1034

diff --git a/tasks/disablenet.yml b/tasks/disablenet.yml
diff --git a/tasks/kernelmodules.yml b/tasks/kernelmodules.yml
@@ -0,0 +1,73 @@
+---
+- name: Disable kernel file system modules
+  become: true
+  ansible.builtin.lineinfile:
+    dest: /etc/modprobe.d/disablefs.conf
+    line: install {{ item }} /bin/true
+    mode: "0644"
+    owner: root
+    group: root
+    state: present
+    create: true
+  with_items:
+    - "{{ fs_modules_blocklist }}"
+  tags:
+    - modprobe
+    - CCE-80835-2
+    - CCE-81031-7
+    - CIS-UBUNTU2004-1.1.1.1
+    - CIS-UBUNTU2004-1.1.1.2
+    - CIS-UBUNTU2004-1.1.1.3
+    - CIS-UBUNTU2004-1.1.1.4
+    - CIS-UBUNTU2004-1.1.1.5
+    - CIS-UBUNTU2004-1.1.1.5
+    - CIS-UBUNTU2004-1.1.1.6
+    - CIS-UBUNTU2004-1.1.1.7
+    - M1038
+    - M1042
+
+- name: Disable kernel network modules
+  become: true
+  ansible.builtin.lineinfile:
+    dest: /etc/modprobe.d/disablenet.conf
+    line: install {{ item }} /bin/true
+    mode: "0644"
+    owner: root
+    group: root
+    state: present
+    create: true
+  with_items:
+    - "{{ net_modules_blocklist }}"
+  tags:
+    - modprobe
+    - CCE-80834-5
+    - CCE-82028-2
+    - CCE-82297-3
+    - CIS-UBUNTU2004-3.4.1
+    - CIS-UBUNTU2004-3.4.2
+    - CIS-UBUNTU2004-3.4.3
+    - CIS-UBUNTU2004-3.4.4
+    - M1038
+    - M1042
+
+- name: Disable misc kernel modules
+  become: true
+  ansible.builtin.lineinfile:
+    dest: /etc/modprobe.d/disablemod.conf
+    line: install {{ item }} /bin/true
+    mode: "0644"
+    owner: root
+    group: root
+    state: present
+    create: true
+  with_items:
+    - "{{ misc_modules_blocklist }}"
+  tags:
+    - modprobe
+    - CCE-80832-9
+    - CCE-82005-0
+    - CCE-82059-7
+    - CIS-UBUNTU2004-1.1.24
+    - M1034
+    - M1038
+    - M1042
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -23,13 +23,9 @@
   ansible.builtin.include_tasks:
     file: sysctl.yml
 
-- name: Disable kernel network modules
+- name: Disable kernel modules
   ansible.builtin.include_tasks:
-    file: disablenet.yml
-
-- name: Disable file system kernel modules
-  ansible.builtin.include_tasks:
-    file: disablefs.yml
+    file: kernelmodules.yml
 
 - name: Disable IPv6
   ansible.builtin.include_tasks:
@@ -113,9 +109,10 @@
   ansible.builtin.include_tasks:
     file: apparmor.yml
 
-- name: Disable misc kernel modules
+- name: Block blacklisted kernel modules
   ansible.builtin.include_tasks:
-    file: disablemod.yml
+    file: disablemodules.yml
+  when: block_blacklisted
 
 - name: Disable wireless interfaces
   ansible.builtin.include_tasks: