1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
# platform = multi_platform_all
# reboot = false
# strategy = unknown
# complexity = low
# disruption = medium
- name: "Detect if {{{ PARAMETER }}} can be found on {{{ PATH }}}"
find:
path: {{{ PATH }}}
contains: '^\s*{{{ PARAMETER }}}'
register: {{{ rule_id }}}_config_files
- name: "Configure {{{ PARAMETER }}} - default file"
ini_file:
dest: {{{ PATH }}}/00-security-settings
section: {{{ SECTION }}}
option: {{{ PARAMETER }}}
value: "{{{ VALUE }}}"
create: yes
when: {{{ rule_id }}}_config_files is defined and {{{ rule_id }}}_config_files.matched == 0
- name: "Configure {{{ PARAMETER }}} - existing files"
ini_file:
dest: "{{ item.path }}"
section: {{{ SECTION }}}
option: {{{ PARAMETER }}}
value: "{{{ VALUE }}}"
create: yes
with_items: "{{ {{{ rule_id }}}_config_files.files }}"
when: {{{ rule_id }}}_config_files is defined and {{{ rule_id }}}_config_files.matched > 0
- name: "Detect if lock for {{{ PARAMETER }}} can be found on {{{ PATH }}}"
find:
path: {{{ LOCK_PATH }}}
contains: '^\s*{{{ PARAMETER }}}'
register: {{{ rule_id }}}_lock_files
- name: "Prevent user modification {{{ PARAMETER }}} - default file"
lineinfile:
path: {{{ LOCK_PATH }}}/00-security-settings-lock
regexp: '^/{{{ SECTION }}}/{{{ PARAMETER }}}$'
line: '/{{{ SECTION }}}/{{{ PARAMETER }}}'
create: yes
when: {{{ rule_id }}}_lock_files is defined and {{{ rule_id }}}_lock_files.matched == 0
- name: "Prevent user modification {{{ PARAMETER }}} - existing files"
lineinfile:
path: "{{ item.path }}"
regexp: '^/{{{ SECTION }}}/{{{ PARAMETER }}}$'
line: '/{{{ SECTION }}}/{{{ PARAMETER }}}'
create: yes
with_items: "{{ {{{ rule_id }}}_lock_files.files }}"
when: {{{ rule_id }}}_lock_files is defined and {{{ rule_id }}}_lock_files.matched > 0
- name: "Dconf Update - {{{ PARAMETER }}}"
command: dconf update
|
