ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 14:27:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge c88d3dec49 into eedb2188c3

Browse source
This commit is contained in:
Michael Hicks 2026-03-24 09:11:06 +08:00 committed by GitHub
commit 6088396b8a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 60 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

94
tasks/section_2/cis_2.1.x.yml
View file

@ -28,8 +28,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: autofs
enabled: false
state: stopped
enabled: "{{ ('autofs' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('autofs' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
@ -60,8 +60,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('avahi' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('avahi' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- avahi-daemon.socket
@ -93,8 +93,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('dhcp-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('dhcp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- dhcpd.service
@ -126,8 +126,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: named.service
enabled: false
state: stopped
enabled: "{{ ('bind' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('bind' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
@ -156,8 +156,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: dnsmasq.service
enabled: false
state: stopped
enabled: "{{ ('dnsmasq' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('dnsmasq' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
@ -187,8 +187,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: smb.service
enabled: false
state: stopped
enabled: "{{ ('samba' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('samba' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
@ -218,8 +218,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: vsftpd.service
enabled: false
state: stopped
enabled: "{{ ('vsftpd' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('vsftpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
@ -245,20 +245,30 @@
- cyrus-imapd
state: absent
- name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service"
- name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service dovecot"
when:
- not rhel9cis_message_server
- rhel9cis_message_mask
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('dovecot' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('dovecot' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- "dovecot.socket"
- "dovecot.service"
- "cyrus-imapd.service"
- name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service cyrus-imapd"
when:
- not rhel9cis_message_server
- rhel9cis_message_mask
notify: Systemd daemon reload
ansible.builtin.systemd:
name: cyrus-imapd.service
enabled: "{{ ('cyrus-imapd' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('cyrus-imapd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.9 | PATCH | Ensure network file system services are not in use"
when: rhel9cis_rule_2_1_9
@ -288,8 +298,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: nfs-server.service
enabled: false
state: stopped
enabled: "{{ ('nfs-utils' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('nfs-utils' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
@ -318,8 +328,8 @@
- rhel9cis_nis_mask
ansible.builtin.systemd:
name: ypserv.service
enabled: false
state: stopped
enabled: "{{ ('ypserv' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('ypserv' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.11 | PATCH | Ensure print server services are not in use"
@ -347,8 +357,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('cups' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('cups' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- "cups.socket"
@ -381,8 +391,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('rpcbind' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('rpcbind' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- rpcbind.service
@ -415,8 +425,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- 'rsyncd.socket'
@ -448,8 +458,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: snmpd.service
enabled: false
state: stopped
enabled: "{{ ('net-snmp' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('net-snmp' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
@ -479,8 +489,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: telnet.socket
enabled: false
state: stopped
enabled: "{{ ('telnet-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('telnet-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
@ -509,8 +519,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('tftp-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('tftp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- 'tftp.socket'
@ -543,8 +553,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: squid.service
enabled: false
state: stopped
enabled: "{{ ('squid' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('squid' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
@ -583,8 +593,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: httpd.service
enabled: false
state: stopped
enabled: "{{ ('httpd' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('httpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service"
@ -594,8 +604,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: ngnix.service
enabled: false
state: stopped
enabled: "{{ ('nginx' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('nginx' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
@ -624,8 +634,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: xinetd.service
enabled: false
state: stopped
enabled: "{{ ('xinetd' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('xinetd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.20 | PATCH | Ensure X window server services are not in use"

4
tasks/section_3/cis_3.1.x.yml
View file

@ -105,6 +105,6 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: bluetooth.service
enabled: false
state: stopped
enabled: "{{ ('bluez' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('bluez' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true

4
tasks/section_4/cis_4.1.x.yml
View file

@ -32,6 +32,8 @@
- rhel9cis_firewall == 'nftables'
ansible.builtin.systemd:
name: "{{ item }}"
enabled: "{{ ('firewalld' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('firewalld' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- firewalld
@ -42,6 +44,8 @@
- rhel9cis_firewall == 'firewalld'
ansible.builtin.systemd:
name: "{{ item }}"
enabled: "{{ ('nftables' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('nftables' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- nftables

4
tasks/section_6/cis_6.2.2.1.x.yml
View file

@ -72,8 +72,8 @@
- NIST800-53R5_AU-12
ansible.builtin.systemd:
name: "{{ item }}"
state: stopped
enabled: false
enabled: "{{ ('systemd-journal-remote' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('systemd-journal-remote' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- systemd-journal-remote.socket