Improved logic for masked steps
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
parent
5783bf4ce4
commit
5dfa35a487
1 changed files with 44 additions and 45 deletions
|
|
@ -28,8 +28,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: autofs
|
name: autofs
|
||||||
enabled: false
|
enabled: "{{ ('autofs' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('autofs' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
|
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
|
||||||
|
|
@ -60,8 +60,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
enabled: false
|
enabled: "{{ ('avahi-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('avahi-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
loop:
|
loop:
|
||||||
- avahi-daemon.socket
|
- avahi-daemon.socket
|
||||||
|
|
@ -93,8 +93,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
enabled: false
|
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
loop:
|
loop:
|
||||||
- dhcpd.service
|
- dhcpd.service
|
||||||
|
|
@ -126,11 +126,11 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: named.service
|
name: named.service
|
||||||
enabled: false
|
enabled: "{{ ('bind' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('bind' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
|
- name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use"
|
||||||
when: rhel9cis_rule_2_1_5
|
when: rhel9cis_rule_2_1_5
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
|
|
@ -141,7 +141,7 @@
|
||||||
- NIST800-53R5_CM-7
|
- NIST800-53R5_CM-7
|
||||||
- rule_2.1.5
|
- rule_2.1.5
|
||||||
block:
|
block:
|
||||||
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package"
|
- name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Remove package"
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_dnsmasq_server
|
- not rhel9cis_dnsmasq_server
|
||||||
- not rhel9cis_dnsmasq_mask
|
- not rhel9cis_dnsmasq_mask
|
||||||
|
|
@ -149,15 +149,15 @@
|
||||||
name: dnsmasq
|
name: dnsmasq
|
||||||
state: absent
|
state: absent
|
||||||
|
|
||||||
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service"
|
- name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Mask service"
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_dnsmasq_server
|
- not rhel9cis_dnsmasq_server
|
||||||
- rhel9cis_dnsmasq_mask
|
- rhel9cis_dnsmasq_mask
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: dnsmasq.service
|
name: dnsmasq.service
|
||||||
enabled: false
|
enabled: "{{ ('dnsmasq' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('dnsmasq' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
|
- name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
|
||||||
|
|
@ -187,8 +187,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: smb.service
|
name: smb.service
|
||||||
enabled: false
|
enabled: "{{ ('samba' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('samba' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
|
- name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
|
||||||
|
|
@ -218,8 +218,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: vsftpd.service
|
name: vsftpd.service
|
||||||
enabled: false
|
enabled: "{{ ('vsftpd' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('vsftpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
|
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
|
||||||
|
|
@ -252,8 +252,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
enabled: false
|
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
loop:
|
loop:
|
||||||
- "dovecot.socket"
|
- "dovecot.socket"
|
||||||
|
|
@ -288,8 +288,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: nfs-server.service
|
name: nfs-server.service
|
||||||
enabled: false
|
enabled: "{{ ('nfs-utils' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('nfs-utils' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
|
- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
|
||||||
|
|
@ -318,8 +318,8 @@
|
||||||
- rhel9cis_nis_mask
|
- rhel9cis_nis_mask
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: ypserv.service
|
name: ypserv.service
|
||||||
enabled: false
|
enabled: "{{ ('ypserv' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('ypserv' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.11 | PATCH | Ensure print server services are not in use"
|
- name: "2.1.11 | PATCH | Ensure print server services are not in use"
|
||||||
|
|
@ -347,8 +347,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
enabled: false
|
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
loop:
|
loop:
|
||||||
- "cups.socket"
|
- "cups.socket"
|
||||||
|
|
@ -381,8 +381,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
enabled: false
|
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
loop:
|
loop:
|
||||||
- rpcbind.service
|
- rpcbind.service
|
||||||
|
|
@ -415,8 +415,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
enabled: false
|
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
loop:
|
loop:
|
||||||
- 'rsyncd.socket'
|
- 'rsyncd.socket'
|
||||||
|
|
@ -448,8 +448,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: snmpd.service
|
name: snmpd.service
|
||||||
enabled: false
|
enabled: "{{ ('net-snmp' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('net-snmp' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
|
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
|
||||||
|
|
@ -479,8 +479,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: telnet.socket
|
name: telnet.socket
|
||||||
enabled: false
|
enabled: "{{ ('telnet-server' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('telnet-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
|
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
|
||||||
|
|
@ -509,8 +509,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
enabled: false
|
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
loop:
|
loop:
|
||||||
- 'tftp.socket'
|
- 'tftp.socket'
|
||||||
|
|
@ -543,8 +543,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: squid.service
|
name: squid.service
|
||||||
enabled: false
|
enabled: "{{ ('squid' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('squid' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
|
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
|
||||||
|
|
@ -583,8 +583,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: httpd.service
|
name: httpd.service
|
||||||
enabled: false
|
enabled: "{{ ('httpd' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('httpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service"
|
- name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service"
|
||||||
|
|
@ -594,8 +594,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: ngnix.service
|
name: ngnix.service
|
||||||
enabled: false
|
enabled: "{{ ('nginx' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('nginx' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
|
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
|
||||||
|
|
@ -624,8 +624,8 @@
|
||||||
notify: Systemd daemon reload
|
notify: Systemd daemon reload
|
||||||
ansible.builtin.systemd:
|
ansible.builtin.systemd:
|
||||||
name: xinetd.service
|
name: xinetd.service
|
||||||
enabled: false
|
enabled: "{{ ('xinetd' in ansible_facts.packages) | ternary(false, omit) }}"
|
||||||
state: stopped
|
state: "{{ ('xinetd' in ansible_facts.packages) | ternary('stopped', omit) }}"
|
||||||
masked: true
|
masked: true
|
||||||
|
|
||||||
- name: "2.1.20 | PATCH | Ensure X window server services are not in use"
|
- name: "2.1.20 | PATCH | Ensure X window server services are not in use"
|
||||||
|
|
@ -633,8 +633,7 @@
|
||||||
- not rhel9cis_xwindow_server
|
- not rhel9cis_xwindow_server
|
||||||
- rhel9cis_rule_2_1_20
|
- rhel9cis_rule_2_1_20
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level2-server
|
||||||
- level1-workstation
|
|
||||||
- automated
|
- automated
|
||||||
- patch
|
- patch
|
||||||
- xwindow
|
- xwindow
|
||||||
|
|
|
||||||
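Review bot: In the looped tasks whose loop items are unit names (`dhcpd.service`, `dovecot.socket`, `cups.socket`, `rpcbind.service`, `rsyncd.socket`, `tftp.socket`) the new `enabled`/`state` expressions test `item in ansible_facts.packages`, but `ansible_facts.packages` is keyed by package name, so the condition is always false there and both parameters are always omitted. `masked: true` on its own only creates the mask symlink and does not stop a unit that is already running, so on a host where one of these services is active the control is no longer enforced until the next restart, whereas the previous unconditional `state: stopped` did enforce it. Use the owning package name per task, as the non-looped tasks do, e.g. in the 2.1.11 print server task `enabled: "{{ ('cups' in ansible_facts.packages) | ternary(false, omit) }}"` and `state: "{{ ('cups' in ansible_facts.packages) | ternary('stopped', omit) }}"`. The 2.1.2 avahi task tests for `avahi-daemon`, which as far as I recall is the Debian package name while RHEL 9 ships the daemon in the `avahi` package, so that check may also never match and is worth verifying against a target host. The unchanged `name: ngnix.service` in the 2.1.18 nginx task also looks like a typo for `nginx.service`, which would mask a non-existent unit and leave the real one untouched.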