diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 978cb7f..9682347 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -75,6 +75,57 @@
 - section1
 - always
 
+- name: "PRELIM | Check for UAS running for usb-storage"
+ block:
+ - name: "PRELIM | AUDIT | Check if UAS kernel module is running"
+ ansible.builtin.shell: "lsmod | grep uas"
+ register: discovered_uas_status
+ changed_when: false
+ failed_when: false
+ ignore_errors: true
+
+ - name: "PRELIM | AUDIT | Find mounted devices"
+ ansible.builtin.command: lsblk -o NAME,MOUNTPOINT | grep -v '^$'
+ register: discovered_mounted_devices
+ changed_when: false
+ failed_when: false
+ ignore_errors: true
+ when: discovered_uas_status.rc == 0
+
+ - name: "PRELIM | PATCH | Unmount devices"
+ ansible.builtin.command:
+ cmd: "umount /dev/{{ item }}"
+ loop: "{{ discovered_mounted_devices.stdout_lines | map('split', ' ') | map('first') | list }}"
+ changed_when: false
+ failed_when: false
+ ignore_errors: true
+ when: discovered_uas_status.rc == 0
+
+ - name: "PRELIM | PATCH | Unload UAS kernel module"
+ community.general.modprobe:
+ name: uas
+ state: absent
+ when: discovered_uas_status.rc == 0
+
+ - name: "PRELIM | AUDIT | Verify UAS module is unloaded"
+ ansible.builtin.shell: "lsmod | grep uas"
+ changed_when: false
+ failed_when: false
+ ignore_errors: true
+ register: discovered_uas_check
+
+ - name: "PRELIM | AUDIT | Output UAS unload status"
+ ansible.builtin.debug:
+ msg: "The UAS module has been successfully unloaded."
+ when: discovered_uas_check.rc != 0
+ when:
+ - debian11cis_rule_1_1_10
+ tags:
+ - level1-server
+ - level2-workstation
+ - patch
+ - always
+
 - name: "PRELIM | Check for avahi-daemon service"
 ansible.builtin.shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2"
 register: avahi_service_status
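Review bot: The `PRELIM | PATCH | Unmount devices` loop is not scoped to USB/UAS devices — it takes the first column of every `lsblk` line, so it attempts `umount /dev/<name>` for the `NAME` header row and for every mounted block device on the host (root, data volumes alike), with `failed_when: false` and `ignore_errors: true` hiding whatever that does on a server. The preceding `Find mounted devices` task also runs a pipeline through `ansible.builtin.command`, which does not invoke a shell, so `|`, `grep` and `-v '^$'` are most likely passed to `lsblk` as arguments and the task ends with empty stdout, leaving the loop a no-op; change it to `ansible.builtin.shell`, add `-n` to drop the header, and restrict the listed names to devices whose transport is USB (lsblk's `TRAN` column, which is reported on the parent disk rather than on its partitions, so `PKNAME` is needed to map a mounted partition back to its disk) before feeding them to `umount`. Smaller inaccuracies: `changed_when: false` on the umount task misreports a real change, and `lsmod | grep uas` in both audit tasks matches any module name containing `uas`, so `grep -w uas` (or `'^uas '`) would be more precise.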