Prelim UAS Check Addition

Signed-off-by: Stephen Williams <[email protected]>
ansible-lockdown · Sep 16, 2024 · 694e291 · 694e291
1 parent dc57985
commit 694e291
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -75,6 +75,57 @@
       - section1
       - always
 
+- name: "PRELIM | Check for UAS running for usb-storage"
+  block:
+      - name: "PRELIM | AUDIT | Check if UAS kernel module is running"
+        ansible.builtin.shell: "lsmod | grep uas"
+        register: discovered_uas_status
+        changed_when: false
+        failed_when: false
+        ignore_errors: true
+
+      - name: "PRELIM | AUDIT | Find mounted devices"
+        ansible.builtin.command: lsblk -o NAME,MOUNTPOINT | grep -v '^$'
+        register: discovered_mounted_devices
+        changed_when: false
+        failed_when: false
+        ignore_errors: true
+        when: discovered_uas_status.rc == 0
+
+      - name: "PRELIM | PATCH | Unmount devices"
+        ansible.builtin.command:
+            cmd: "umount /dev/{{ item }}"
+        loop: "{{ discovered_mounted_devices.stdout_lines | map('split', ' ') | map('first') | list }}"
+        changed_when: false
+        failed_when: false
+        ignore_errors: true
+        when: discovered_uas_status.rc == 0
+
+      - name: "PRELIM | PATCH | Unload UAS kernel module"
+        community.general.modprobe:
+          name: uas
+          state: absent
+        when: discovered_uas_status.rc == 0
+
+      - name: "PRELIM | AUDIT | Verify UAS module is unloaded"
+        ansible.builtin.shell: "lsmod | grep uas"
+        changed_when: false
+        failed_when: false
+        ignore_errors: true
+        register: discovered_uas_check
+
+      - name: "PRELIM | AUDIT | Output UAS unload status"
+        ansible.builtin.debug:
+          msg: "The UAS module has been successfully unloaded."
+        when: discovered_uas_check.rc != 0
+  when:
+      - debian11cis_rule_1_1_10
+  tags:
+      - level1-server
+      - level2-workstation
+      - patch
+      - always
+
 - name: "PRELIM | Check for avahi-daemon service"
   ansible.builtin.shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2"
   register: avahi_service_status