diff --git a/defaults/main.yml b/defaults/main.yml index 21f70b0..66e8060 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -205,21 +205,7 @@ rhel9cis_rule_3_4_2_8: true rhel9cis_rule_3_4_2_9: true rhel9cis_rule_3_4_2_10: true rhel9cis_rule_3_4_2_11: true -rhel9cis_rule_3_4_3_1_1: true -rhel9cis_rule_3_4_3_1_2: true -rhel9cis_rule_3_4_3_1_3: true -rhel9cis_rule_3_4_3_2_1: true -rhel9cis_rule_3_4_3_2_2: true -rhel9cis_rule_3_4_3_2_3: true -rhel9cis_rule_3_4_3_2_4: true -rhel9cis_rule_3_4_3_2_5: true -rhel9cis_rule_3_4_3_2_6: true -rhel9cis_rule_3_4_3_3_1: true -rhel9cis_rule_3_4_3_3_2: true -rhel9cis_rule_3_4_3_3_3: true -rhel9cis_rule_3_4_3_3_4: true -rhel9cis_rule_3_4_3_3_5: true -rhel9cis_rule_3_4_3_3_6: true + # Section 4 rules rhel9cis_rule_4_1_1_1: true @@ -490,8 +476,6 @@ rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true -#### iptables -rhel9cis_iptables_firewalld_state: masked # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | diff --git a/tasks/section_3/cis_3.4.3.1.x.yml b/tasks/section_3/cis_3.4.3.1.x.yml deleted file mode 100644 index 56ce076..0000000 --- a/tasks/section_3/cis_3.4.3.1.x.yml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- - -- name: "3.4.3.1.1 | PATCH | Ensure iptables packages are installed" - package: - name: - - iptables - - iptables-services - state: present - when: - - rhel9cis_rule_3_4_3_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.1.1 - -- name: "3.4.3.1.2 | PATCH | Ensure nftables is not installed with iptables" - package: - name: nftables - state: absent - when: - - rhel9cis_rule_3_4_3_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.1.2 - -# The control allows the service it be masked or not installed -# We have chosen not installed -- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables" - block: - - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service" - systemd: - name: firewalld - masked: true - state: stopped - when: - - rhel9cis_iptables_firewalld_state == "masked" - - - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service" - package: - name: firewalld - state: absent - when: - - rhel9cis_iptables_firewalld_state == "absent" - when: - - rhel9cis_rule_3_4_3_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.1.3 diff --git a/tasks/section_3/cis_3.4.3.2.x.yml b/tasks/section_3/cis_3.4.3.2.x.yml deleted file mode 100644 index e600ae7..0000000 --- a/tasks/section_3/cis_3.4.3.2.x.yml +++ /dev/null 
@@ -1,163 +0,0 @@ ---- - -- name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured" - block: - - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT" - iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - - - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT" - iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - - - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" - iptables: - action: append - chain: INPUT - source: 127.0.0.0/8 - jump: DROP - when: - - rhel9cis_rule_3_4_3_2_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.1 - -- name: "3.4.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured" - iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } - when: - - rhel9cis_rule_3_4_3_2_2 - tags: - - level1-server - - level1-workstation - - manual - - patch - - iptables - - rule_3.4.3.2.2 - -- name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports" - block: - - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get list of TCP open ports" - shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_2_3_otcp - - - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules 
exist for all open ports | Get the list of udp open ports" - shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_2_3_oudp - - - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open tcp ports" - iptables: - action: append - chain: INPUT - protocol: tcp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - with_items: - - "{{ rhel9cis_3_4_3_2_3_otcp.stdout_lines }}" - when: rhel9cis_3_4_3_2_3_otcp.stdout is defined - - - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open udp ports" - iptables: - action: append - chain: INPUT - protocol: udp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - with_items: - - "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}" - when: rhel9cis_3_4_3_2_3_otcp.stdout is defined - when: - - rhel9cis_rule_3_4_3_2_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.3 - -- name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy" - block: - - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - - - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_rule_3_4_3_2_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.4 - -- name: "3.4.3.2.5 | PATCH | Ensure iptables rules are saved" - iptables_state: - state: saved - path: /etc/sysconfig/iptables - when: - - rhel9cis_rule_3_4_3_2_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.5 - -- name: "3.4.3.2.6 | PATCH | Ensure iptables 
service is enabled and active" - service: - name: iptables - enabled: yes - state: started - when: - - rhel9cis_rule_3_4_3_2_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - iptables - - rule_3.4.3.2.6 diff --git a/tasks/section_3/cis_3.4.3.3.x.yml b/tasks/section_3/cis_3.4.3.3.x.yml deleted file mode 100644 index 83479db..0000000 --- a/tasks/section_3/cis_3.4.3.3.x.yml +++ /dev/null 
@@ -1,152 +0,0 @@ ---- - -- name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured" - block: - - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT" - iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT" - iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" - iptables: - action: append - chain: INPUT - source: ::1 - jump: DROP - ip_version: ipv6 - when: - - rhel9cis_rule_3_4_3_3_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.1 - -- name: "3.4.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured" - iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - ip_version: ipv6 - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } - when: - - rhel9cis_rule_3_4_3_3_2 - tags: - - level1-server - - level1-workstation - - manual - - patch - - ip6tables - - rule_3.4.3.3.2 - -- name: "3.4.3.3.3 | PATCH | Ensure ip6tables firewall rules exist for all open ports" - block: - - name: "3.4.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports" - shell: netstat -ant |grep "tcp6.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - changed_when: false - failed_when: 
false - register: rhel9cis_3_4_3_3_3_otcp - - - name: "3.4.3.3.3 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports" - iptables: - action: append - chain: INPUT - protocol: tcp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - ip_version: ipv6 - with_items: - - "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}" - when: rhel9cis_3_4_3_3_3_otcp.stdout is defined - when: - - rhel9cis_rule_3_4_3_3_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.3 - -- name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy" - block: - - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_rule_3_4_3_3_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.4 - -- name: "3.4.3.3.5 | PATCH | Ensure ip6tables rules are saved" - iptables_state: - state: saved - path: /etc/sysconfig/ip6tables - ip_version: ipv6 - when: - - rhel9cis_rule_3_4_3_3_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.5 - -- name: "3.4.3.3.6 | PATCH | Ensure ip6tables service is enabled and active" - service: - name: ip6tables - enabled: yes - state: started - when: - - rhel9cis_rule_3_4_3_3_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ip6tables - - rule_3.4.3.3.6 diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 7c6dc9b..a263c0b 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml 
@@ -19,17 +19,3 @@ when: - rhel9cis_firewall == "nftables" -- name: "SECTION | 3.4.3.1.x | Configure iptables" - include_tasks: cis_3.4.3.1.x.yml - when: - - rhel9cis_firewall == "iptables" - -- name: "SECTION | 3.4.3.2.x | Configure iptables IPv4" - include_tasks: cis_3.4.3.2.x.yml - when: - - rhel9cis_firewall == "iptables" - -- name: "SECTION | 3.4.3.3.x | Configure iptables IPv6" - include_tasks: cis_3.4.3.3.x.yml - when: - - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e3ca224..c779fb2 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -200,25 +200,6 @@ rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }} rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }} rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }} rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }} -# 3.4.3.1 Configure iptables -rhel9cis_rule_3_4_3_1_1: {{ rhel9cis_rule_3_4_3_1_1 }} -rhel9cis_rule_3_4_3_1_2: {{ rhel9cis_rule_3_4_3_1_2 }} -rhel9cis_rule_3_4_3_1_3: {{ rhel9cis_rule_3_4_3_1_3 }} -# 3.4.3.2 iptables ipv4 -rhel9cis_rule_3_4_3_2_1: {{ rhel9cis_rule_3_4_3_2_1 }} -rhel9cis_rule_3_4_3_2_2: {{ rhel9cis_rule_3_4_3_2_2 }} -rhel9cis_rule_3_4_3_2_3: {{ rhel9cis_rule_3_4_3_2_3 }} -rhel9cis_rule_3_4_3_2_4: {{ rhel9cis_rule_3_4_3_2_4 }} -rhel9cis_rule_3_4_3_2_5: {{ rhel9cis_rule_3_4_3_2_5 }} -rhel9cis_rule_3_4_3_2_6: {{ rhel9cis_rule_3_4_3_2_6 }} -# 3.4.3.2 iptables ipv6 -rhel9cis_rule_3_4_3_3_1: {{ rhel9cis_rule_3_4_3_3_1 }} -rhel9cis_rule_3_4_3_3_2: {{ rhel9cis_rule_3_4_3_3_2 }} -rhel9cis_rule_3_4_3_3_3: {{ rhel9cis_rule_3_4_3_3_3 }} -rhel9cis_rule_3_4_3_3_4: {{ rhel9cis_rule_3_4_3_3_4 }} -rhel9cis_rule_3_4_3_3_5: {{ rhel9cis_rule_3_4_3_3_5 }} -rhel9cis_rule_3_4_3_3_6: {{ rhel9cis_rule_3_4_3_3_6 }} - # Section 4 rules # 4.1 Configure System Accounting 
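Review bot: Removing the three `include_tasks` entries gated on `rhel9cis_firewall == "iptables"` means a host whose inventory still sets `rhel9cis_firewall: iptables` now skips every firewall include in this file without any failure, so the play reports success while no section 3.4 firewall rules are applied. The variable's accepted values are not in the hunk, so this assumes nothing else in the role rejects that value; the defaults/main.yml hunk only drops the `rhel9cis_rule_3_4_3_*` flags and `rhel9cis_iptables_firewalld_state` and does not touch `rhel9cis_firewall` itself. A guard at the top of this file (or in the role's prelim tasks) turns the silent no-op into a visible failure, and the comment documenting `rhel9cis_firewall` in defaults/main.yml should drop `iptables` from its list of supported values. The nftables include that precedes this hunk starts outside it.
```yaml
- name: "SECTION | 3.4 | Reject firewall backends this role no longer configures"
  assert:
    that:
      - rhel9cis_firewall != "iptables"
    fail_msg: "rhel9cis_firewall is set to 'iptables', but iptables configuration has been removed from this role; select a supported backend"

# … unchanged: existing firewalld/nftables include_tasks entries …
```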
@@ -459,8 +440,7 @@ rhel9cis_nftables_firewalld_state: {{ rhel9cis_nftables_firewalld_state }} rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }} rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }} rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} -#### iptables -rhel9cis_iptables_firewalld_state: {{ rhel9cis_iptables_firewalld_state }} + # Section 4