Add RHEL 9 CIS-inspired hardening playbook

infra-run/ansible/roles/cis-rhel9-hardening/tasks/filesystem.yml

@@ -0,0 +1,36 @@
+---
+- name: Gather current mount facts
+  ansible.builtin.set_fact:
+    cis_current_mount_paths: "{{ ansible_mounts | map(attribute='mount') | list }}"
+
+- name: Report filesystem mount option mode
+  ansible.builtin.debug:
+    msg: >-
+      {{ 'OK: Mount option management is enabled for configured targets.'
+         if cis_manage_mount_options | bool
+         else 'WARNING: Mount option management is disabled. No production filesystems will be remounted.' }}
+
+- name: Show configured mount option recommendations
+  ansible.builtin.debug:
+    msg: "Review {{ item.path }} for options: {{ item.options | join(',') }}"
+  loop: "{{ cis_mount_option_targets }}"
+  loop_control:
+    label: "{{ item.path }}"
+  when: not cis_manage_mount_options | bool
+
+- name: Persist configured mount options without remounting
+  ansible.posix.mount:
+    path: "{{ item.path }}"
+    src: "{{ cis_mount_fact.device }}"
+    fstype: "{{ cis_mount_fact.fstype }}"
+    state: present
+    opts: "{{ ((cis_mount_fact.options | default('defaults')).split(',') + item.options) | unique | join(',') }}"
+  loop: "{{ cis_mount_option_targets }}"
+  loop_control:
+    label: "{{ item.path }}"
+  vars:
+    cis_mount_fact: "{{ ansible_mounts | selectattr('mount', 'equalto', item.path) | list | first | default({}) }}"
+  when:
+    - cis_manage_mount_options | bool
+    - item.path in cis_current_mount_paths
+  register: cis_mount_option_results