RHEL9-CIS/tasks/section_2/cis_2.2.x.yml

---

- name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed"
  block:
      - name: "2.2.2 | L1 | AUDIT | Ensure X Window System is not installed | capture xorg-x11 packages"
        shell: rpm -qa | grep xorg-x11
        args:
            warn: no
        failed_when: xorg_x11_installed.rc >=2
        check_mode: no
        changed_when: false
        register: xorg_x11_installed

      - name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed | remove packages if found"
        shell: "dnf remove {{ item }}"
        args:
            warn: no
        with_items:
            - xorg_x11_installed.stdout_lines
        when: xorg_x11_installed.stdout | length > 0
  when:
      - not rhel9cis_xwindows_required
      - rhel9cis_rule_2_2_2
  tags:
      - level1-server
      - scored
      - xwindows
      - patch
      - rule_2.2.2

- name: "2.2.3 | L1 | PATCH | Ensure rsync service is not enabled "
  service:
      name: rsyncd
      state: stopped
      enabled: no
  when:
      - not rhel9cis_rsyncd_server
      - "'rsyncd' in ansible_facts.packages"
      - rhel9cis_rule_2_2_3
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_2.2.3

- name: "2.2.4 | L1 | PATCH | Ensure Avahi Server is not enabled"
  service:
      name: avahi-daemon
      state: stopped
      enabled: no
  when:
      - not rhel9cis_avahi_server
      - "'avahi' in ansible_facts.packages"
      - rhel9cis_rule_2_2_4
  tags:
      - level1-server
      - level1-workstation
      - scored
      - avahi
      - services
      - patch
      - rule_2.2.4

- name: "2.2.5 | L1 | PATCH | Ensure SNMP Server is not enabled"
  service:
      name: snmpd
      state: stopped
      enabled: no
  when:
      - not rhel9cis_snmp_server
      - "'net-snmp' in ansible_facts.packages"
      - rhel9cis_rule_2_2_5
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_2.2.5

- name: "2.2.6 | L1 | PATCH | Ensure HTTP Proxy Server is not enabled"
  service:
      name: squid
      state: stopped
      enabled: no
  when:
      - not rhel9cis_squid_server
      - "'squid' in ansible_facts.packages"
      - rhel9cis_rule_2_2_6
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_2.2.6

- name: "2.2.7 | L1 | PATCH | Ensure Samba is not enabled"
  service:
      name: smb
      state: stopped
      enabled: no
  when:
      - not rhel9cis_smb_server
      - "'samba' in ansible_facts.packages"
      - rhel9cis_rule_2_2_7
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_2.2.7

- name: "2.2.8 | L1 | PATCH | Ensure IMAP and POP3 server is not enabled"
  service:
      name: dovecot
      state: stopped
      enabled: no
  when:
      - not rhel9cis_dovecot_server
      - "'dovecot' in ansible_facts.packages"
      - rhel9cis_rule_2_2_8
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_2.2.8

- name: "2.2.9 | L1 | PATCH | Ensure HTTP server is not enabled"
  service:
      name: httpd
      state: stopped
      enabled: no
  when:
      - not rhel9cis_httpd_server
      - "'httpd' in ansible_facts.packages"
      - rhel9cis_rule_2_2_9
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_2.2.9

- name: "2.2.10 | L1 | PATCH | Ensure FTP Server is not enabled"
  service:
      name: vsftpd
      state: stopped
      enabled: no
  when:
      - not rhel9cis_vsftpd_server
      - "'vsftpd' in ansible_facts.packages"
      - rhel9cis_rule_2_2_10
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_2.2.10

- name: "2.2.11 | L1 | PATCH | Ensure DNS Server is not enabled"
  service:
      name: named
      state: stopped
      enabled: no
  when:
      - not rhel9cis_named_server
      - "'bind' in ansible_facts.packages"
      - rhel9cis_rule_2_2_11
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_2.2.11

- name: "2.2.12 | L1 | PATCH | Ensure NFS is not enabled"
  service:
      name: nfs-server
      state: stopped
      enabled: no
  when:
      - not rhel9cis_nfs_rpc_server
      - "'nfs-utils' in ansible_facts.packages"
      - rhel9cis_rule_2_2_12
  tags:
      - level1-server
      - level1-workstation
      - scored
      - nfs
      - services
      - patch
      - rule_2.2.12

- name: "2.2.13 | L1 | PATCH | Ensure RPC is not enabled"
  service:
      name: rpcbind
      state: stopped
      enabled: no
  when:
      - not rhel9cis_nfs_rpc_server
      - "'rpcbind' in ansible_facts.packages"
      - rhel9cis_rule_2_2_13
  tags:
      - level1-server
      - level1-workstation
      - scored
      - rpc
      - services
      - patch
      - rule_2.2.7

- name: "2.2.14 | L1 | PATCH | Ensure LDAP server is not enabled"
  service:
      name: slapd
      state: stopped
      enabled: no
  when:
      - not rhel9cis_ldap_server
      - "'openldap-servers' in ansible_facts.packages"
      - rhel9cis_rule_2_2_14
  tags:
      - level1-server
      - level1-workstation
      - scored
      - ldap
      - services
      - patch
      - rule_2.2.6

- name: "2.2.15 | L1 | PATCH | Ensure DHCP Server is not enabled"
  service:
      name: dhcpd
      state: stopped
      enabled: no
  when:
      - not rhel9cis_dhcp_server
      - "'dhcp' in ansible_facts.packages"
      - rhel9cis_rule_2_2_15
  tags:
      - level1-server
      - level1-workstation
      - scored
      - dhcp
      - services
      - patch
      - rule_2.2.15

- name: "2.2.16 | L1 | PATCH | Ensure CUPS is not enabled"
  service:
      name: cups
      state: stopped
      enabled: no
  when:
      - not rhel9cis_cups_server
      - "'cups' in ansible_facts.packages"
      - rhel9cis_rule_2_2_16
  tags:
      - level1-server
      - level2-workstation
      - scored
      - cups
      - services
      - patch
      - rule_2.2.16

- name: "2.2.17 | L1 | PATCH | Ensure NIS Server is not enabled"
  service:
      name: ypserv
      state: stopped
      enabled: no
  when:
      - not rhel9cis_nis_server
      - "'ypserv' in ansible_facts.packages"
      - rhel9cis_rule_2_2_17
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_2.2.17

- name: "2.2.18 | L1 | PATCH | Ensure mail transfer agent is configured for local-only mode"
  lineinfile:
      dest: /etc/postfix/main.cf
      regexp: "^(#)?inet_interfaces"
      line: "inet_interfaces = loopback-only"
  notify: restart postfix
  when:
      - not rhel9cis_is_mail_server
      - "'postfix' in ansible_facts.packages"
      - rhel9cis_rule_2_2_18
  tags:
      - level1-server
      - level1-workstation
      - patch
      - rule_2.2.1
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`---`

			`- name: "2.2.2 \| L1 \| PATCH \| Ensure X Window System is not installed"`
			`block:`
			`- name: "2.2.2 \| L1 \| AUDIT \| Ensure X Window System is not installed \| capture xorg-x11 packages"`
			`shell: rpm -qa \| grep xorg-x11`
			`args:`
			`warn: no`
			`failed_when: xorg_x11_installed.rc >=2`
			`check_mode: no`
			`changed_when: false`
			`register: xorg_x11_installed`

			`- name: "2.2.2 \| L1 \| PATCH \| Ensure X Window System is not installed \| remove packages if found"`
			`shell: "dnf remove {{ item }}"`
			`args:`
			`warn: no`
			`with_items:`
			`- xorg_x11_installed.stdout_lines`
			`when: xorg_x11_installed.stdout \| length > 0`
			`when:`
			`- not rhel9cis_xwindows_required`
			`- rhel9cis_rule_2_2_2`
			`tags:`
			`- level1-server`
			`- scored`
			`- xwindows`
			`- patch`
			`- rule_2.2.2`

			`- name: "2.2.3 \| L1 \| PATCH \| Ensure rsync service is not enabled "`
			`service:`
			`name: rsyncd`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_rsyncd_server`
			`- "'rsyncd' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_3`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_2.2.3`

			`- name: "2.2.4 \| L1 \| PATCH \| Ensure Avahi Server is not enabled"`
			`service:`
			`name: avahi-daemon`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_avahi_server`
			`- "'avahi' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_4`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- scored`
			`- avahi`
			`- services`
			`- patch`
			`- rule_2.2.4`

			`- name: "2.2.5 \| L1 \| PATCH \| Ensure SNMP Server is not enabled"`
			`service:`
			`name: snmpd`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_snmp_server`
			`- "'net-snmp' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_5`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_2.2.5`

			`- name: "2.2.6 \| L1 \| PATCH \| Ensure HTTP Proxy Server is not enabled"`
			`service:`
			`name: squid`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_squid_server`
			`- "'squid' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_6`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_2.2.6`

			`- name: "2.2.7 \| L1 \| PATCH \| Ensure Samba is not enabled"`
			`service:`
			`name: smb`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_smb_server`
			`- "'samba' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_7`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_2.2.7`

			`- name: "2.2.8 \| L1 \| PATCH \| Ensure IMAP and POP3 server is not enabled"`
			`service:`
			`name: dovecot`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_dovecot_server`
			`- "'dovecot' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_8`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_2.2.8`

			`- name: "2.2.9 \| L1 \| PATCH \| Ensure HTTP server is not enabled"`
			`service:`
			`name: httpd`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_httpd_server`
			`- "'httpd' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_9`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_2.2.9`

			`- name: "2.2.10 \| L1 \| PATCH \| Ensure FTP Server is not enabled"`
			`service:`
			`name: vsftpd`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_vsftpd_server`
			`- "'vsftpd' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_10`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_2.2.10`

			`- name: "2.2.11 \| L1 \| PATCH \| Ensure DNS Server is not enabled"`
			`service:`
			`name: named`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_named_server`
			`- "'bind' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_11`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_2.2.11`

			`- name: "2.2.12 \| L1 \| PATCH \| Ensure NFS is not enabled"`
			`service:`
			`name: nfs-server`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_nfs_rpc_server`
			`- "'nfs-utils' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_12`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- scored`
			`- nfs`
			`- services`
			`- patch`
			`- rule_2.2.12`

			`- name: "2.2.13 \| L1 \| PATCH \| Ensure RPC is not enabled"`
			`service:`
			`name: rpcbind`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_nfs_rpc_server`
			`- "'rpcbind' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_13`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- scored`
			`- rpc`
			`- services`
			`- patch`
			`- rule_2.2.7`

			`- name: "2.2.14 \| L1 \| PATCH \| Ensure LDAP server is not enabled"`
			`service:`
			`name: slapd`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_ldap_server`
			`- "'openldap-servers' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_14`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- scored`
			`- ldap`
			`- services`
			`- patch`
			`- rule_2.2.6`

			`- name: "2.2.15 \| L1 \| PATCH \| Ensure DHCP Server is not enabled"`
			`service:`
			`name: dhcpd`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_dhcp_server`
			`- "'dhcp' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_15`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- scored`
			`- dhcp`
			`- services`
			`- patch`
			`- rule_2.2.15`

			`- name: "2.2.16 \| L1 \| PATCH \| Ensure CUPS is not enabled"`
			`service:`
			`name: cups`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_cups_server`
			`- "'cups' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_16`
			`tags:`
			`- level1-server`
			`- level2-workstation`
			`- scored`
			`- cups`
			`- services`
			`- patch`
			`- rule_2.2.16`

			`- name: "2.2.17 \| L1 \| PATCH \| Ensure NIS Server is not enabled"`
			`service:`
			`name: ypserv`
			`state: stopped`
			`enabled: no`
			`when:`
			`- not rhel9cis_nis_server`
			`- "'ypserv' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_17`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_2.2.17`

			`- name: "2.2.18 \| L1 \| PATCH \| Ensure mail transfer agent is configured for local-only mode"`
			`lineinfile:`
			`dest: /etc/postfix/main.cf`
			`regexp: "^(#)?inet_interfaces"`
			`line: "inet_interfaces = loopback-only"`
			`notify: restart postfix`
			`when:`
			`- not rhel9cis_is_mail_server`
			`- "'postfix' in ansible_facts.packages"`
			`- rhel9cis_rule_2_2_18`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- rule_2.2.1`