Mateusz Suski
74 lines
3.0 KiB
YAML
74 lines
3.0 KiB
YAML
---
|
|
- name: Determine root filesystem free space
|
|
ansible.builtin.set_fact:
|
|
cis_root_mount: "{{ ansible_mounts | selectattr('mount', 'equalto', '/') | list | first | default({}) }}"
|
|
|
|
- name: Calculate root filesystem free space in MB
|
|
ansible.builtin.set_fact:
|
|
cis_root_free_mb: "{{ ((cis_root_mount.size_available | default(0) | int) / 1024 / 1024) | round(0, 'floor') | int }}"
|
|
|
|
- name: Detect containerized runtime
|
|
ansible.builtin.set_fact:
|
|
cis_container_detected: >-
|
|
{{
|
|
ansible_virtualization_type | default('') in cis_container_virtualization_types
|
|
or ansible_env.container | default('') | length > 0
|
|
}}
|
|
|
|
- name: Check for apt
|
|
ansible.builtin.stat:
|
|
path: /usr/bin/apt-get
|
|
register: cis_apt_check
|
|
|
|
- name: Report platform precheck status
|
|
ansible.builtin.debug:
|
|
msg:
|
|
- "OK: Facts gathered for {{ ansible_distribution }} {{ ansible_distribution_version }}."
|
|
- "OK: Root filesystem free space is {{ cis_root_free_mb }} MB."
|
|
- >-
|
|
{{ 'OK: apt package manager detected.'
|
|
if cis_apt_check.stat.exists else 'CRITICAL: apt package manager was not found.' }}
|
|
- >-
|
|
{{ 'OK: systemd service manager detected.'
|
|
if ansible_service_mgr == 'systemd' else 'CRITICAL: systemd service manager is required.' }}
|
|
- >-
|
|
{{ 'WARNING: Containerized environment detected; service and kernel controls may be limited.'
|
|
if cis_container_detected else 'OK: No containerized runtime detected from Ansible facts.' }}
|
|
|
|
- name: Fail when operating system is unsupported
|
|
ansible.builtin.assert:
|
|
that:
|
|
- >-
|
|
(ansible_distribution == 'Debian'
|
|
and ansible_distribution_major_version == cis_supported_debian_major_version)
|
|
or
|
|
(ansible_distribution == 'Ubuntu'
|
|
and ansible_distribution_version is version(cis_supported_ubuntu_version, '=='))
|
|
fail_msg: >-
|
|
CRITICAL: This role supports only Debian 13 / Trixie and Ubuntu Server 26.04 LTS.
|
|
Detected {{ ansible_distribution }} {{ ansible_distribution_version }}.
|
|
success_msg: "OK: Supported Debian/Ubuntu platform detected."
|
|
|
|
- name: Fail when systemd is unavailable
|
|
ansible.builtin.assert:
|
|
that:
|
|
- ansible_service_mgr == 'systemd'
|
|
fail_msg: "CRITICAL: systemd is required for this operational hardening role."
|
|
success_msg: "OK: systemd is available."
|
|
|
|
- name: Fail when apt is unavailable
|
|
ansible.builtin.assert:
|
|
that:
|
|
- cis_apt_check.stat.exists
|
|
fail_msg: "CRITICAL: apt-get is required for this Debian/Ubuntu hardening role."
|
|
success_msg: "OK: apt-get is available."
|
|
|
|
- name: Fail when root filesystem free space is below safety threshold
|
|
ansible.builtin.assert:
|
|
that:
|
|
- cis_root_free_mb | int >= cis_min_root_free_mb | int
|
|
fail_msg: >-
|
|
CRITICAL: Root filesystem has {{ cis_root_free_mb }} MB free.
|
|
Minimum required free space is {{ cis_min_root_free_mb }} MB.
|
|
success_msg: "OK: Root filesystem free space meets the safety threshold."
|