ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-27 15:33:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Updated 4.3.2

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-09-09 12:10:38 +01:00
parent 7c4c3f9e4d
commit ab3c9cc8aa
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
1 changed files with 6 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
tasks/section_4/cis_4.3.x.yml
View file

@ -72,9 +72,13 @@
failed_when: false
register: discovered_nftables_outconnectionrule
- name: "4.3.2| AUDIT | Ensure nftables established connections are configured | Create table is doesn't exist"
when: rhel9cis_nft_tables_autonewtable
ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
- name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy"
when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy"
when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'