OT-OSM · Shubhanshi-2123 · Oct 9, 2025 · oo4abhishek · Oct 23, 2025 · oo4abhishek
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -7,7 +7,10 @@
   with_items:
     - aidecheck.timer
     - aidecheck
+    - auditd
 
+- name: Rebuild module dependencies
+  command: depmod -a
 - name: Reload systemd units
   systemd:
     daemon_reload: yes

diff --git a/tasks/amazon_linux.yaml b/tasks/amazon_linux.yaml
@@ -0,0 +1,4 @@
+---
+- name: Amazon Linux 2 | Disable kernal  module
+  include_tasks: filesystem_kernel_modules_al2
+
diff --git a/tasks/filesystem_kernel_modules_al2 b/tasks/filesystem_kernel_modules_al2
@@ -0,0 +1,50 @@
+---
+# Configure Filesystem Kernel Modules (CIS 1.1.1.1 - 1.1.1.8)
+# Combined single playbook to disable all unused filesystem kernel modules
+
+- name: "Disable unused filesystem kernel modules"
+  block:
+
+    # ---------------------------------------------------------
+    # Step 1: Create/update modprobe configuration (blockinfile)
+    # ---------------------------------------------------------
+    - name: "Block and blacklist filesystem modules in /etc/modprobe.d/cis.conf"
+      ansible.builtin.blockinfile:
+        path: /etc/modprobe.d/cis.conf
+        create: yes
+        block: |
+          install {{ item.name }} /bin/true
+          blacklist {{ item.name }}
+        marker: "# {mark} {{ item.name }} module disable"
+      loop:
+        - { name: "cramfs", desc: "1.1.1.1 Ensure cramfs kernel module is not available" }
+        - { name: "freevxfs", desc: "1.1.1.2 Ensure freevxfs kernel module is not available" }
+        - { name: "hfs", desc: "1.1.1.3 Ensure hfs kernel module is not available" }
+        - { name: "hfsplus", desc: "1.1.1.4 Ensure hfsplus kernel module is not available" }
+        - { name: "jffs2", desc: "1.1.1.5 Ensure jffs2 kernel module is not available" }
+        - { name: "usb-storage", desc: "1.1.1.8 Ensure usb-storage kernel module is not available" }
+      loop_control:
+        label: "{{ item.desc }}"
+      notify: Rebuild module dependencies
+
+    # ---------------------------------------------------------
+    # Step 2: Unload modules if they’re currently loaded
+    # ---------------------------------------------------------
+    - name: "Unload filesystem modules if loaded"
+      become: true
+      ansible.builtin.command: "modprobe -r {{ item.name }}"
+      register: unload_result
+      failed_when: false
+      changed_when: unload_result.rc == 0
+      loop:
+        - { name: "cramfs" }
+        - { name: "freevxfs" }
+        - { name: "hfs" }
+        - { name: "hfsplus" }
+        - { name: "jffs2" }
+        - { name: "usb-storage" }
+      loop_control:
+        label: "Unload {{ item.name }} module if loaded"
+
+  when: ansible_os_family == "RedHat"
+
diff --git a/tasks/main.yaml b/tasks/main.yaml
@@ -1,16 +1,18 @@
 ---
-- name: Include CIS Stage Specific vars
-  include_vars: cis-{{ cis_Stage }}.yaml
-
-- name: Debian realted Specification
-  include_tasks: configure_Debian.yaml
+- name: Ubuntu related Specification
+  include_tasks: ubuntu.yaml
   when:
     ansible_os_family == 'Debian'
 
-- name: Centos realted Specification
-  include_tasks: configure_RedHat.yaml
+- name: CentOS related Specification
+  include_tasks: centos.yaml
+  when:
+    ansible_os_family == 'RedHat' and ansible_distribution != 'Amazon'
+
+- name: Amazon Linux 2 related Specification
+  include_tasks: amazon_linux.yaml
   when:
-    ansible_os_family == 'RedHat'
+    ansible_distribution == 'Amazon'
 
 # - name: Special purpose services
 #   include_tasks: services.yaml
@@ -35,3 +37,4 @@
 
 # - name: Ensure dccp and sctp is disabled
 #   include_tasks: network_protocol_and_unusedFilesystem.yaml
+