Merge pull request #38 from ansible-lockdown/mount_controls

update to /tmp mount systemd file
ansible-lockdown · Jul 10, 2024 · 9182775 · 9182775
2 parents d97307e + 12c0312
commit 9182775
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml
@@ -25,7 +25,7 @@
 
 - name: |
          "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition
-          1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition
+          1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition"
   when:
       - item.mount == "/home"
       - amazon2cis_tmp_svc

diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2
@@ -15,7 +15,7 @@ After=swap.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options=mode=1777,strictatime,{% if amazon2cis_rule_1_1_3 %}noexec,{% endif %}{% if amazon2cis_rule_1_1_4 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_5 %}nosuid{% endif %}
+Options=mode=1777,strictatime,{% if amazon2cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if amazon2cis_rule_1_1_2_1_4 %}noexec{% endif %}
 
 # Make 'systemctl enable tmp.mount' work:
 [Install]

diff --git a/vars/audit.yml b/vars/audit.yml
@@ -34,7 +34,7 @@ audit_format: json
 
 audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
 audit_results: |
-      The audit results are: {{ pre_audit_summary }}
+      The {% if not audit_only %}pre remediation{% endif %} audit results are: {{ pre_audit_summary }}
       {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %}
 
       Full breakdown can be found in {{ audit_log_dir }}