removed iptables - not valid in rh9

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

defaults/main.yml

@@ -205,21 +205,7 @@ rhel9cis_rule_3_4_2_8: true
 rhel9cis_rule_3_4_2_9: true
 rhel9cis_rule_3_4_2_10: true
 rhel9cis_rule_3_4_2_11: true
-rhel9cis_rule_3_4_3_1_1: true
-rhel9cis_rule_3_4_3_1_2: true
-rhel9cis_rule_3_4_3_1_3: true
-rhel9cis_rule_3_4_3_2_1: true
-rhel9cis_rule_3_4_3_2_2: true
-rhel9cis_rule_3_4_3_2_3: true
-rhel9cis_rule_3_4_3_2_4: true
-rhel9cis_rule_3_4_3_2_5: true
-rhel9cis_rule_3_4_3_2_6: true
-rhel9cis_rule_3_4_3_3_1: true
-rhel9cis_rule_3_4_3_3_2: true
-rhel9cis_rule_3_4_3_3_3: true
-rhel9cis_rule_3_4_3_3_4: true
-rhel9cis_rule_3_4_3_3_5: true
-rhel9cis_rule_3_4_3_3_6: true
+
 
 # Section 4 rules
 rhel9cis_rule_4_1_1_1: true
@@ -490,8 +476,6 @@ rhel9cis_nft_tables_autonewtable: true
 rhel9cis_nft_tables_tablename: filter
 rhel9cis_nft_tables_autochaincreate: true
 
-#### iptables
-rhel9cis_iptables_firewalld_state: masked
 
 # Warning Banner Content (issue, issue.net, motd)
 rhel9cis_warning_banner: |

tasks/section_3/cis_3.4.3.1.x.yml

@@ -1,59 +0,0 @@
----
-
-- name: "3.4.3.1.1 | PATCH | Ensure iptables packages are installed"
-  package:
-      name:
-          - iptables
-          - iptables-services
-      state: present
-  when:
-      - rhel9cis_rule_3_4_3_1_1
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - iptables
-      - rule_3.4.3.1.1
-
-- name: "3.4.3.1.2 | PATCH | Ensure nftables is not installed with iptables"
-  package:
-      name: nftables
-      state: absent
-  when:
-      - rhel9cis_rule_3_4_3_1_2
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - iptables
-      - rule_3.4.3.1.2
-
-# The control allows the service it be masked or not installed
-# We have chosen not installed
-- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables"
-  block:
-      - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service"
-        systemd:
-            name: firewalld
-            masked: true
-            state: stopped
-        when:
-            - rhel9cis_iptables_firewalld_state == "masked"
-
-      - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service"
-        package:
-            name: firewalld
-            state: absent
-        when:
-            - rhel9cis_iptables_firewalld_state == "absent"
-  when:
-      - rhel9cis_rule_3_4_3_1_3
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - iptables
-      - rule_3.4.3.1.3

tasks/section_3/cis_3.4.3.2.x.yml

@@ -1,163 +0,0 @@
----
-
-- name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured"
-  block:
-      - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT"
-        iptables:
-            action: append
-            chain: INPUT
-            in_interface: lo
-            jump: ACCEPT
-
-      - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT"
-        iptables:
-            action: append
-            chain: OUTPUT
-            out_interface: lo
-            jump: ACCEPT
-
-      - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8"
-        iptables:
-            action: append
-            chain: INPUT
-            source: 127.0.0.0/8
-            jump: DROP
-  when:
-      - rhel9cis_rule_3_4_3_2_1
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - iptables
-      - rule_3.4.3.2.1
-
-- name: "3.4.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured"
-  iptables:
-      action: append
-      chain: '{{ item.chain }}'
-      protocol: '{{ item.protocol }}'
-      match: state
-      ctstate: '{{ item.ctstate }}'
-      jump: ACCEPT
-  with_items:
-      - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
-      - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
-      - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
-      - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED }
-      - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
-      - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
-  when:
-      - rhel9cis_rule_3_4_3_2_2
-  tags:
-      - level1-server
-      - level1-workstation
-      - manual
-      - patch
-      - iptables
-      - rule_3.4.3.2.2
-
-- name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports"
-  block:
-      - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get list of TCP open ports"
-        shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
-        changed_when: false
-        failed_when: false
-        register: rhel9cis_3_4_3_2_3_otcp
-
-      - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get the list of udp open ports"
-        shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
-        changed_when: false
-        failed_when: false
-        register: rhel9cis_3_4_3_2_3_oudp
-
-      - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open tcp ports"
-        iptables:
-            action: append
-            chain: INPUT
-            protocol: tcp
-            destination_port: "{{ item }}"
-            match: state
-            ctstate: NEW
-            jump: ACCEPT
-        with_items:
-            - "{{ rhel9cis_3_4_3_2_3_otcp.stdout_lines }}"
-        when: rhel9cis_3_4_3_2_3_otcp.stdout is defined
-
-      - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open udp ports"
-        iptables:
-            action: append
-            chain: INPUT
-            protocol: udp
-            destination_port: "{{ item }}"
-            match: state
-            ctstate: NEW
-            jump: ACCEPT
-        with_items:
-            - "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}"
-        when: rhel9cis_3_4_3_2_3_otcp.stdout is defined
-  when:
-      - rhel9cis_rule_3_4_3_2_3
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - iptables
-      - rule_3.4.3.2.3
-
-- name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy"
-  block:
-      - name: "3.4.3.2.4 | PATCH |  Ensure iptables default deny firewall policy | Configure ssh to be allowed"
-        iptables:
-            chain: INPUT
-            protocol: tcp
-            destination_port: "22"
-            jump: ACCEPT
-
-      - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
-        iptables:
-            policy: DROP
-            chain: "{{ item }}"
-        with_items:
-            - INPUT
-            - FORWARD
-            - OUTPUT
-  when:
-      - rhel9cis_rule_3_4_3_2_4
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - iptables
-      - rule_3.4.3.2.4
-
-- name: "3.4.3.2.5 | PATCH | Ensure iptables rules are saved"
-  iptables_state:
-      state: saved
-      path: /etc/sysconfig/iptables
-  when:
-      - rhel9cis_rule_3_4_3_2_5
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - iptables
-      - rule_3.4.3.2.5
-
-- name: "3.4.3.2.6 | PATCH | Ensure iptables service is enabled and active"
-  service:
-      name: iptables
-      enabled: yes
-      state: started
-  when:
-      - rhel9cis_rule_3_4_3_2_6
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - iptables
-      - rule_3.4.3.2.6

tasks/section_3/cis_3.4.3.3.x.yml

@@ -1,152 +0,0 @@
----
-
-- name: "3.4.3.3.1 | PATCH |  Ensure ip6tables loopback traffic is configured"
-  block:
-      - name: "3.4.3.3.1 | PATCH |  Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT"
-        iptables:
-            action: append
-            chain: INPUT
-            in_interface: lo
-            jump: ACCEPT
-            ip_version: ipv6
-
-      - name: "3.4.3.3.1 | PATCH |  Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT"
-        iptables:
-            action: append
-            chain: OUTPUT
-            out_interface: lo
-            jump: ACCEPT
-            ip_version: ipv6
-
-      - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8"
-        iptables:
-            action: append
-            chain: INPUT
-            source: ::1
-            jump: DROP
-            ip_version: ipv6
-  when:
-      - rhel9cis_rule_3_4_3_3_1
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - ip6tables
-      - rule_3.4.3.3.1
-
-- name: "3.4.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured"
-  iptables:
-      action: append
-      chain: '{{ item.chain }}'
-      protocol: '{{ item.protocol }}'
-      match: state
-      ctstate: '{{ item.ctstate }}'
-      jump: ACCEPT
-      ip_version: ipv6
-  with_items:
-      - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
-      - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
-      - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
-      - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED }
-      - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
-      - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
-  when:
-      - rhel9cis_rule_3_4_3_3_2
-  tags:
-      - level1-server
-      - level1-workstation
-      - manual
-      - patch
-      - ip6tables
-      - rule_3.4.3.3.2
-
-- name: "3.4.3.3.3 | PATCH | Ensure ip6tables firewall rules exist for all open ports"
-  block:
-      - name: "3.4.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports"
-        shell: netstat -ant |grep "tcp6.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
-        changed_when: false
-        failed_when: false
-        register: rhel9cis_3_4_3_3_3_otcp
-
-      - name: "3.4.3.3.3 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports"
-        iptables:
-            action: append
-            chain: INPUT
-            protocol: tcp
-            destination_port: "{{ item }}"
-            match: state
-            ctstate: NEW
-            jump: ACCEPT
-            ip_version: ipv6
-        with_items:
-            - "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}"
-        when: rhel9cis_3_4_3_3_3_otcp.stdout is defined
-  when:
-      - rhel9cis_rule_3_4_3_3_3
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - ip6tables
-      - rule_3.4.3.3.3
-
-- name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy"
-  block:
-      - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed"
-        iptables:
-            chain: INPUT
-            protocol: tcp
-            destination_port: "22"
-            jump: ACCEPT
-            ip_version: ipv6
-
-      - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items"
-        iptables:
-            policy: DROP
-            chain: "{{ item }}"
-            ip_version: ipv6
-        with_items:
-            - INPUT
-            - FORWARD
-            - OUTPUT
-  when:
-      - rhel9cis_rule_3_4_3_3_4
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - ip6tables
-      - rule_3.4.3.3.4
-
-- name: "3.4.3.3.5 | PATCH | Ensure ip6tables rules are saved"
-  iptables_state:
-      state: saved
-      path: /etc/sysconfig/ip6tables
-      ip_version: ipv6
-  when:
-      - rhel9cis_rule_3_4_3_3_5
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - ip6tables
-      - rule_3.4.3.3.5
-
-- name: "3.4.3.3.6 | PATCH | Ensure ip6tables service is enabled and active"
-  service:
-      name: ip6tables
-      enabled: yes
-      state: started
-  when:
-      - rhel9cis_rule_3_4_3_3_6
-  tags:
-      - level1-server
-      - level1-workstation
-      - automated
-      - patch
-      - ip6tables
-      - rule_3.4.3.3.6

tasks/section_3/main.yml

@@ -19,17 +19,3 @@
   when:
   - rhel9cis_firewall == "nftables"
 
-- name: "SECTION | 3.4.3.1.x | Configure iptables"
-  include_tasks: cis_3.4.3.1.x.yml
-  when:
-  - rhel9cis_firewall == "iptables"
-
-- name: "SECTION | 3.4.3.2.x | Configure iptables IPv4"
-  include_tasks: cis_3.4.3.2.x.yml
-  when:
-  - rhel9cis_firewall == "iptables"
-
-- name: "SECTION | 3.4.3.3.x | Configure iptables IPv6"
-  include_tasks: cis_3.4.3.3.x.yml
-  when:
-  - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required )

templates/ansible_vars_goss.yml.j2

@@ -200,25 +200,6 @@ rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }}
 rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }}
 rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }}
 rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }}
-# 3.4.3.1 Configure iptables
-rhel9cis_rule_3_4_3_1_1: {{ rhel9cis_rule_3_4_3_1_1 }}
-rhel9cis_rule_3_4_3_1_2: {{ rhel9cis_rule_3_4_3_1_2 }}
-rhel9cis_rule_3_4_3_1_3: {{ rhel9cis_rule_3_4_3_1_3 }}
-# 3.4.3.2 iptables ipv4
-rhel9cis_rule_3_4_3_2_1: {{ rhel9cis_rule_3_4_3_2_1 }}
-rhel9cis_rule_3_4_3_2_2: {{ rhel9cis_rule_3_4_3_2_2 }}
-rhel9cis_rule_3_4_3_2_3: {{ rhel9cis_rule_3_4_3_2_3 }}
-rhel9cis_rule_3_4_3_2_4: {{ rhel9cis_rule_3_4_3_2_4 }}
-rhel9cis_rule_3_4_3_2_5: {{ rhel9cis_rule_3_4_3_2_5 }}
-rhel9cis_rule_3_4_3_2_6: {{ rhel9cis_rule_3_4_3_2_6 }}
-# 3.4.3.2 iptables ipv6
-rhel9cis_rule_3_4_3_3_1: {{ rhel9cis_rule_3_4_3_3_1 }}
-rhel9cis_rule_3_4_3_3_2: {{ rhel9cis_rule_3_4_3_3_2 }}
-rhel9cis_rule_3_4_3_3_3: {{ rhel9cis_rule_3_4_3_3_3 }}
-rhel9cis_rule_3_4_3_3_4: {{ rhel9cis_rule_3_4_3_3_4 }}
-rhel9cis_rule_3_4_3_3_5: {{ rhel9cis_rule_3_4_3_3_5 }}
-rhel9cis_rule_3_4_3_3_6: {{ rhel9cis_rule_3_4_3_3_6 }}
-
 
 #  Section 4 rules
 # 4.1 Configure System Accounting
@@ -459,8 +440,7 @@ rhel9cis_nftables_firewalld_state: {{ rhel9cis_nftables_firewalld_state }}
 rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }}
 rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }}
 rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }}
-#### iptables
-rhel9cis_iptables_firewalld_state: {{ rhel9cis_iptables_firewalld_state }}
+
 
 # Section 4