updated server/service vars

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2022-04-04 12:50:41 +01:00
parent 39780562c1
commit 4dfacd9e3b
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
2 changed files with 89 additions and 28 deletions


@ -444,16 +444,26 @@ rhel9cis_vsftpd_server: false
rhel9cis_tftp_server: false
rhel9cis_httpd_server: false
rhel9cis_nginx_server: false
rhel9cis_dovecot_cyrus_server: false
rhel9cis_dovecot_server: false
rhel9cis_imap_server: false
rhel9cis_samba_server: false
rhel9cis_squid_server: false
rhel9cis_snmp_server: false
rhel9cis_nis_server: false
rhel9cis_telnet_server: false
rhel9cis_is_mail_server: false
rhel9cis_nfs_server: false
rhel9cis_rpc_server: false
rhel9cis_rsync_server: false
# Note the options
# Packages are used for client services and Server- only remove if you dont use the client service
#
rhel9cis_use_nfs:
- service: false
- server: false
rhel9_use_rpc:
- service: false
- server: false
rhel9cis_use_rsync:
- service: false
- server: false
#### 2.3 Service clients
rhel9cis_ypbind_required: false
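Review bot: The second new dictionary is named `rhel9_use_rpc`, while the 2.2.19 task on this page tests `rhel9cis_use_rpc.server` and `rhel9cis_use_rpc.service`, so that rule would reference an undefined variable; the key should read `rhel9cis_use_rpc:`. As rendered here (the page has lost indentation), all three `*_use_*` values are lists of one-key mappings, and a list has no `.server` or `.service` attribute, so the inner `when:` conditions of 2.2.18 to 2.2.20 could not evaluate; a plain mapping with `service: false` and `server: false` (no leading `- `) matches how the tasks read them. The comment above the block also does not say what `service` and `server` mean, and the consumers disagree: 2.2.18 masks when `service` is true and `server` is false, while 2.2.19 and 2.2.20 mask when `server` is true and `service` is false. Once the intended meaning is settled, I would state it in that comment, one line per key, so that a misread flag does not leave the package installed and the daemon unmasked on a host that was meant to be hardened.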


@ -73,7 +73,7 @@
tags:
- level1-server
- level1-workstation
- audtomated
- automated
- patch
- dhcp
- rule_2.2.5
@ -160,7 +160,7 @@
- not rhel9cis_nginx_server
- "'nginx' in ansible_facts.packages"
when:
- rhel9cis_rule_2_2_9
- rhel9cis_rule_2_2_10
tags:
- level1-server
- level1-workstation
@ -172,14 +172,26 @@
- rule_2.2.9
- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
package:
name:
- dovecot
- cyrus-imapd
state: absent
block:
- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
package:
name:
- dovecot
state: absent
when:
- not rhel9cis_dovecot_server
- "'dovecot' in ansible_facts.packages"
- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
package:
name:
- cyrus-imapd
state: absent
when:
- not rhel9cis_imap_server
- "'cyrus-imapd' in ansible_facts.packages"
when:
- not rhel9cis_dovecot_cyrus_server
- "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages"
- rhel9cis_rule_2_2_11
tags:
- level1-server
@ -290,13 +302,26 @@
- rule_2.2.17
# The name title of the service says mask the service, but the fix allows for both options
# We went with removing to remove the security/update overhead with having the package installed
# Options available in default/main if to remove the package default is false just mask the server service
- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked"
package:
name: nfs-utils
state: absent
block:
- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package"
package:
name: nfs-utils
state: absent
when:
- not rhel9cis_use_nfs.server
- not rhel9cis_use_nfs.service
- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service"
systemd:
name: nfs-server
masked: true
enabled: false
when:
- not rhel9cis_use_nfs.server
- rhel9cis_use_nfs.service
when:
- not rhel9cis_nfs_server
- "'nfs-utils' in ansible_facts.packages"
- rhel9cis_rule_2_2_18
tags:
@ -309,13 +334,26 @@
- rule_2.2.18
# The name title of the service says mask the service, but the fix allows for both options
# We went with removing to remove the security/update overhead with having the package installed
# Options available in default/main if to remove the package default is false just mask the server service
- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked"
package:
name: rpcbind
state: absent
block:
- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package"
package:
name: rpcbind
state: absent
when:
- not rhel9cis_use_rpc.server
- not rhel9cis_use_rpc.service
- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service"
systemd:
name: rpcbind.socket
masked: true
enabled: false
when:
- rhel9cis_use_rpc.server
- not rhel9cis_use_rpc.service
when:
- not rhel9cis_rpc_server
- "'rpcbind' in ansible_facts.packages"
- rhel9cis_rule_2_2_19
tags:
@ -327,13 +365,26 @@
- rule_2.2.19
# The name title of the service says mask the service, but the fix allows for both options
# We went with removing to remove the security/update overhead with having the package installed
# Options available in default/main if to remove the package default is false just mask the server service
- name: "2.2.20 | PATCH | Ensure rsync service is not enabled "
package:
name: rsync
state: absent
block:
- name: "2.2.20 | PATCH | Ensure rsync service is not enabled | remove package"
package:
name: rsync
state: absent
when:
- not rhel9cis_use_rsync.server
- not rhel9cis_use_rsync.service
- name: "2.2.20 | PATCH | Ensure rsync service is not enabled | mask service"
systemd:
name: rsyncd
masked: true
enabled: false
when:
- rhel9cis_use_rsync.server
- not rhel9cis_use_rsync.service
when:
- not rhel9cis_rsync_server
- "'rsync' in ansible_facts.packages"
- rhel9cis_rule_2_2_20
tags: