infra-run/ansible/roles/cis-debian-ubuntu-hardening/tasks/filesystem.yml

---
- name: Gather current mount facts
  ansible.builtin.set_fact:
    cis_current_mount_paths: "{{ ansible_mounts | map(attribute='mount') | list }}"

- name: Report filesystem mount option mode
  ansible.builtin.debug:
    msg: >-
      {{ 'OK: Mount option management is enabled for configured targets.'
         if cis_manage_mount_options | bool
         else 'WARNING: Mount option management is disabled. No production filesystems will be remounted.' }}

- name: Show configured mount option recommendations
  ansible.builtin.debug:
    msg: "Review {{ item.path }} for options: {{ item.options | join(',') }}"
  loop: "{{ cis_mount_option_targets }}"
  loop_control:
    label: "{{ item.path }}"
  when: not cis_manage_mount_options | bool

- name: Persist configured mount options without remounting
  ansible.posix.mount:
    path: "{{ item.path }}"
    src: "{{ cis_mount_fact.device }}"
    fstype: "{{ cis_mount_fact.fstype }}"
    state: present
    opts: "{{ ((cis_mount_fact.options | default('defaults')).split(',') + item.options) | unique | join(',') }}"
  loop: "{{ cis_mount_option_targets }}"
  loop_control:
    label: "{{ item.path }}"
  vars:
    cis_mount_fact: "{{ ansible_mounts | selectattr('mount', 'equalto', item.path) | list | first | default({}) }}"
  when:
    - cis_manage_mount_options | bool
    - item.path in cis_current_mount_paths
  register: cis_mount_option_results
Add Debian 13 and Ubuntu 26.04 CIS-inspired hardening playbook 2026-05-06 08:56:45 +00:00			`---`
			`- name: Gather current mount facts`
			`ansible.builtin.set_fact:`
			`cis_current_mount_paths: "{{ ansible_mounts \| map(attribute='mount') \| list }}"`

			`- name: Report filesystem mount option mode`
			`ansible.builtin.debug:`
			`msg: >-`
			`{{ 'OK: Mount option management is enabled for configured targets.'`
			`if cis_manage_mount_options \| bool`
			`else 'WARNING: Mount option management is disabled. No production filesystems will be remounted.' }}`

			`- name: Show configured mount option recommendations`
			`ansible.builtin.debug:`
			`msg: "Review {{ item.path }} for options: {{ item.options \| join(',') }}"`
			`loop: "{{ cis_mount_option_targets }}"`
			`loop_control:`
			`label: "{{ item.path }}"`
			`when: not cis_manage_mount_options \| bool`

			`- name: Persist configured mount options without remounting`
			`ansible.posix.mount:`
			`path: "{{ item.path }}"`
			`src: "{{ cis_mount_fact.device }}"`
			`fstype: "{{ cis_mount_fact.fstype }}"`
			`state: present`
			`opts: "{{ ((cis_mount_fact.options \| default('defaults')).split(',') + item.options) \| unique \| join(',') }}"`
			`loop: "{{ cis_mount_option_targets }}"`
			`loop_control:`
			`label: "{{ item.path }}"`
			`vars:`
			`cis_mount_fact: "{{ ansible_mounts \| selectattr('mount', 'equalto', item.path) \| list \| first \| default({}) }}"`
			`when:`
			`- cis_manage_mount_options \| bool`
			`- item.path in cis_current_mount_paths`
			`register: cis_mount_option_results`