From bad08c0228b4da6d7f4d7fccb8793f05b4dc267d Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 22 Jul 2024 12:43:08 +0100
Subject: [PATCH] section2 v2.0.0 updates

Signed-off-by: Mark Bolwell
---
 tasks/section_2/cis_2.1.x.yml | 754 ++++++++++++++++++++++++++++++++--
 tasks/section_2/cis_2.2.x.yml | 412 ++++---------------
 tasks/section_2/cis_2.3.x.yml | 92 ++---
 tasks/section_2/cis_2.4.yml | 40 --
 tasks/section_2/main.yml | 10 +-
 5 files changed, 846 insertions(+), 462 deletions(-)
 delete mode 100644 tasks/section_2/cis_2.4.yml

diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
index 3312843..34e57f2 100644
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@@ -1,40 +1,736 @@ --- -- name: "2.1.1 | PATCH | Ensure time synchronization is in use" - ansible.builtin.package: - name: chrony - state: present +- name: "2.1.1 | PATCH | Ensure autofs services are not in use" when: - - rhel9cis_rule_2_1_1 - - not system_is_container + - rhel9cis_rule_2_1_1 + - "'autofs' in ansible_facts.packages" tags: - - level1-server - - level1-workstation - - patch - - rule_2.1.1 - -- name: "2.1.2 | PATCH | Ensure chrony is configured" + - level1-server + - level2-workstation + - automated + - patch + - NIST800-53R5_SI-3 + - NIST800-53R5_MP-7 + - rule_2.1.1 block: - - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration" - ansible.builtin.template: - src: etc/chrony.conf.j2 - dest: /etc/chrony.conf - owner: root - group: root - mode: '0644' + - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Remove Package" + when: + - not rhel9cis_autofs_services + - not rhel9cis_autofs_mask + ansible.builtin.package: + name: autofs + state: absent - - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" - ansible.builtin.lineinfile: - path: /etc/sysconfig/chronyd - regexp: "^(#)?OPTIONS" - line: "OPTIONS=\"-u chrony\"" - create: true - mode: '0644' + - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Mask service" + when: + - not rhel9cis_autofs_services + - rhel9cis_autofs_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: autofs + enabled: false + state: stopped + masked: true + +- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" when: - - rhel9cis_rule_2_1_2 - - not system_is_container + - rhel9cis_rule_2_1_2 + - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" + tags: + - level1-server + - level2-workstation + - automated + - patch + - avahi + - NIST800-53R5_SI-4 + - rule_2.1.2 + block: + - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Remove package" + when: + - not 
rhel9cis_avahi_server + - not rhel9cis_avahi_mask + ansible.builtin.package: + name: + - avahi-autoipd + - avahi + state: absent + + - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Mask service" + when: + - not rhel9cis_avahi_server + - rhel9cis_avahi_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - avahi-daemon.socket + - avahi-daemon.service + +- name: "2.1.3 | PATCH | Ensure dhcp server services are not in use" + when: + - "'dhcp-server' in ansible_facts.packages" + - rhel9cis_rule_2_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - dhcp + - NIST800-53R5_CM-7 + - rule_2.1.3 + block: + - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Remove package" + when: + - not rhel9cis_dhcp_server + - not rhel9cis_dhcp_mask + ansible.builtin.package: + name: dhcp-server + state: absent + + - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Mask service" + when: + - not rhel9cis_dhcp_server + - rhel9cis_dhcp_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - dhcpd.service + - dhcpd6.service + +- name: "2.1.4 | PATCH | Ensure dns server services are not in use" + when: + - "'bind' in ansible_facts.packages" + - rhel9cis_rule_2_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - dns + - NIST800-53R5_CM-7 + - rule_2.1.4 + block: + - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Remove package" + when: + - not rhel9cis_dns_server + - not rhel9cis_dns_mask + ansible.builtin.package: + name: bind + state: absent + + - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Mask service" + when: + - not rhel9cis_dns_server + - rhel9cis_dns_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: named.service + enabled: false + 
state: stopped + masked: true + +- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use" + when: + - "'dnsmasq' in ansible_facts.packages" + - rhel9cis_rule_2_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - dns + - NIST800-53R5_CM-7 + - rule_2.1.5 + block: + - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package" + when: + - not rhel9cis_dnsmasq_server + - not rhel9cis_dnsmasq_mask + ansible.builtin.package: + name: dnsmasq + state: absent + + - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service" + when: + - not rhel9cis_dnsmasq_server + - rhel9cis_dnsmasq_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: dnsmasq.service + enabled: false + state: stopped + masked: true + +- name: "2.1.6 | PATCH | Ensure samba file server services are not in use" + when: + - "'samba' in ansible_facts.packages" + - rhel9cis_rule_2_1_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - samba + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - rule_2.1.6 + block: + - name: "2.1.6 | PATCH | Ensure samba file server services are not in use | Remove package" + when: + - not rhel9cis_samba_server + - not rhel9cis_samba_mask + ansible.builtin.package: + name: samba + state: absent + + - name: "2.1.6 | PATCH | Ensure samba file server services are not in use | Mask service" + when: + - not rhel9cis_samba_server + - rhel9cis_samba_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: smb.service + enabled: false + state: stopped + masked: true + +- name: "2.1.7 | PATCH | Ensure ftp server services are not in use" + when: + - "'ftp' in ansible_facts.packages" + - rhel9cis_rule_2_1_7 + tags: + - level1-server + - level1-workstation + - automation + - patch + - ftp + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - rule_2.1.7 + block: + - name: "2.1.7 | PATCH | Ensure ftp server services are not in use | Remove package" + 
when: + - not rhel9cis_ftp_server + - not rhel9cis_ftp_mask + ansible.builtin.package: + name: vsftpd + state: absent + + - name: "2.1.7 | PATCH | Ensure ftp server services are not in use | Mask service" + when: + - not rhel9cis_ftp_server + - rhel9cis_ftp_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: vsftpd.service + enabled: false + state: stopped + masked: true + +- name: "2.1.8 | PATCH | Ensure message access server services are not in use" + when: + - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" + - rhel9cis_rule_2_1_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - dovecot + - imap + - pop3 + - NIST800-53R5_CM-7 + - rule_2.1.8 + block: + - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Remove package" + when: + - not rhel9cis_message_server + - not rhel9cis_message_mask + ansible.builtin.package: + name: + - dovecot + - cyrus-imapd + state: absent + + - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service" + when: + - not rhel9cis_message_server + - rhel9cis_message_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - "dovecot.socket" + - "dovecot.service" + - "cyrus-imapd.service" + +- name: "2.1.9 | PATCH | Ensure network file system services are not in use" + when: + - "'nfs-utils' in ansible_facts.packages" + - rhel9cis_rule_2_1_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nfs + - services + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - rule_2.1.9 + block: + - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Remove package" + when: + - not rhel9cis_nfs_server + - not rhel9cis_nfs_mask + ansible.builtin.package: + name: nfs-utils + state: absent + + - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Mask service" + when: 
+ - not rhel9cis_nfs_server + - rhel9cis_nfs_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: nfs-server.service + enabled: false + state: stopped + masked: true + +- name: "2.1.10 | PATCH | Ensure nis server services are not in use" + when: + - "'ypserv' in ansible_facts.packages" + - rhel9cis_rule_2_1_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nis + - NIST800-53R5_CM-7 + - rule_2.1.10 + notify: Systemd_daemon_reload + block: + - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package" + when: + - not rhel9cis_nis_server + - not rhel9cis_nis_mask + ansible.builtin.package: + name: ypserv + state: absent + + - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Mask service" + when: + - not rhel9cis_nis_server + - rhel9cis_nis_mask + ansible.builtin.systemd: + name: ypserv.service + enabled: false + state: stopped + masked: true + +- name: "2.1.11 | PATCH | Ensure print server services are not in use" + when: + - "'cups' in ansible_facts.packages" + - rhel9cis_rule_2_1_11 + tags: + - level1-server + - automated + - patch + - cups + - NIST800-53R5_CM-7 + - rule_2.1.11 + block: + - name: "2.1.11 | PATCH | Ensure print server services are not in use | Remove package" + when: + - not rhel9cis_print_server + - not rhel9cis_print_mask + ansible.builtin.package: + name: cups + state: absent + + - name: "2.1.11 | PATCH | Ensure print server services are not in use | Mask service" + when: + - not rhel9cis_print_server + - rhel9cis_print_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - "cups.socket" + - "cups.service" + +- name: "2.1.12 | PATCH | Ensure rpcbind services are not in use" + when: + - "'rpcbind' in ansible_facts.packages" + - rhel9cis_rule_2_1_12 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rpc + - NIST800-53R5_CM-6 + - 
NIST800-53R5_CM-7 + - rule_2.1.12 + block: + - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Remove package" + when: + - not rhel9cis_rpc_server + - not rhel9cis_rpc_mask + ansible.builtin.package: + name: rpcbind + state: absent + + - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Mask service" + when: + - not rhel9cis_rpc_server + - rhel9cis_rpc_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - rpcbind.service + - rpcbind.socket + +- name: "2.1.13 | PATCH | Ensure rsync services are not in use" + when: + - "'rsync-daemon' in ansible_facts.packages" + - rhel9cis_rule_2_1_13 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rsync + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - rule_2.1.13 + block: + - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Remove package" + when: + - not rhel9cis_rsync_server + - not rhel9cis_rsync_mask + ansible.builtin.package: + name: rsync-daemon + state: absent + + - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Mask service" + when: + - not rhel9cis_rsync_server + - rhel9cis_rsync_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - 'rsyncd.socket' + - 'rsyncd.service' + +- name: "2.1.14 | PATCH | Ensure snmp services are not in use" + when: + - "'net-snmp' in ansible_facts.packages" + - rhel9cis_rule_2_1_14 tags: - level1-server - level1-workstation + - automation - patch - - rule_2.1.2 + - snmp + - NIST800-53R5_CM-7 + - rule_2.1.14 + block: + - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Remove package" + when: + - not rhel9cis_net_snmp_server + - not rhel9cis_net_snmp_mask + ansible.builtin.package: + name: net-snmp + state: absent + + - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Mask service" + when: + - not 
rhel9cis_net_snmp_server + - rhel9cis_net_snmp_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: snmpd.service + enabled: false + state: stopped + masked: true + +- name: "2.1.15 | PATCH | Ensure telnet server services are not in use" + when: + - "'telnet-server' in ansible_facts.packages" + - rhel9cis_rule_2_1_15 + tags: + - level1-server + - level1-workstation + - automated + - patch + - telnet + - NIST800-53R5_CM-7 + - NIST800-53R5_CM-11 + - rule_2.1.15 + block: + - name: "2.1.15 | PATCH | Ensure telnet server services are not in use | Remove package" + when: + - not rhel9cis_telnet_server + - not rhel9cis_telnet_mask + ansible.builtin.package: + name: telnet-server + state: absent + + - name: "2.1.15 | PATCH | Ensure telnet server services are not in use | Mask service" + when: + - not rhel9cis_telnet_server + - rhel9cis_telnet_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: telnet.socket + enabled: false + state: stopped + masked: true + +- name: "2.1.16 | PATCH | Ensure tftp server services are not in use" + when: + - "'tftp-server' in ansible_facts.packages" + - rhel9cis_rule_2_1_16 + tags: + - level1-server + - level1-workstation + - automated + - patch + - tftp + - NIST800-53R5_CM-7 + - rule_2.1.16 + block: + - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Remove package" + when: + - not rhel9cis_tftp_server + - not rhel9cis_tftp_mask + ansible.builtin.package: + name: tftp-server + state: absent + + - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Mask service" + when: + - not rhel9cis_tftp_server + - rhel9cis_tftp_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: "{{ item }}" + enabled: false + state: stopped + masked: true + loop: + - 'tftp.socket' + - 'tftp.service' + +- name: "2.1.17 | PATCH | Ensure web proxy server services are not in use" + when: + - "'squid' in ansible_facts.packages" + - rhel9cis_rule_2_117 + tags: + - level1-server + 
- level1-workstation + - automation + - patch + - squid + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - rule_2.1.17 + block: + - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Remove package" + when: + - not rhel9cis_squid_server + - not rhel9cis_squid_mask + ansible.builtin.package: + name: squid + state: absent + + - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Mask service" + when: + - not rhel9cis_squid_server + - rhel9cis_squid_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: squid.service + enabled: false + state: stopped + masked: true + +- name: "2.1.18 | PATCH | Ensure web server services are not in use" + when: + - rhel9cis_rule_2_1_18 + tags: + - level1-server + - level1-workstation + - automated + - patch + - httpd + - nginx + - webserver + - NIST800-53R5_CM-7 + - rule_2.1.18 + block: + - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove httpd server" + when: + - not rhel9cis_httpd_server + - not rhel9cis_httpd_mask + - "'httpd' in ansible_facts.packages" + ansible.builtin.package: + name: httpd + state: absent + + - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove nginx server" + when: + - not rhel9cis_nginx_server + - not rhel9cis_nginx_mask + - "'nginx' in ansible_facts.packages" + ansible.builtin.package: + name: nginx + state: absent + + - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask httpd service" + when: + - not rhel9cis_httpd_server + - rhel9cis_httpd_mask + - "'httpd' in ansible_facts.packages" + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: httpd.service + enabled: false + state: stopped + masked: true + + - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service" + when: + - not rhel9cis_nginx_server + - rhel9cis_nginx_mask + - "'nginx' in ansible_facts.packages" + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: 
ngnix.service + enabled: false + state: stopped + masked: true + +- name: "2.1.19 | PATCH | Ensure xinetd services are not in use" + when: + - "'xinetd' in ansible_facts.packages" + - rhel9cis_rule_2_1_19 + tags: + - level1-server + - level1-workstation + - automated + - patch + - xinetd + - NIST800-53R5_CM-7 + - rule_2.1.19 + block: + - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Remove package" + when: + - not rhel9cis_xinetd_server + - not rhel9cis_xinetd_mask + ansible.builtin.package: + name: xinetd + state: absent + + - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Mask service" + when: + - not rhel9cis_xinetd_server + - rhel9cis_xinetd_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: xinetd.service + enabled: false + state: stopped + masked: true + +- name: "2.1.20 | PATCH | Ensure X window server services are not in use" + when: + - not rhel9cis_xwindow_server + - "'xorg-x11-server-common' in ansible_facts.packages" + - rhel9cis_rule_2_1_20 + tags: + - level1-server + - level1-workstation + - automated + - patch + - xwindow + - NIST800-53R5_CM-11 + - rule_2.1.20 + ansible.builtin.package: + name: xorg-x11-server-common + state: absent + +- name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode" + when: + - not rhel9cis_is_mail_server + - "'postfix' in ansible_facts.packages" + - rhel9cis_rule_2_1_21 + tags: + - level1-server + - level1-workstation + - automated + - patch + - postfix + - NIST800-53R5_CM-7 + - rule_2.1.21 + notify: Restart_postfix + ansible.builtin.lineinfile: + path: /etc/postfix/main.cf + regexp: "^(#)?inet_interfaces" + line: "inet_interfaces = loopback-only" + +- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface" + when: + - rhel9cis_rule_2_1_22 + tags: + - level1-server + - level1-workstation + - manual + - audit + - services + - NIST800-53R5_CM-7 + - rule_2.1.22 + vars: + warn_control_id: '2.1.22' + 
block: + - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" + ansible.builtin.shell: systemctl list-units --type=service + changed_when: false + failed_when: discovered_running_services.rc not in [ 0, 1 ] + check_mode: false + register: discovered_running_services + + - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Display list of services" + ansible.builtin.debug: + msg: + - "Warning!! Below are the list of services, both active and inactive" + - "Please review to make sure all are essential" + - "{{ discovered_running_services.stdout_lines }}" + + - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 563ec4b..cdd03b8 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml 
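Review bot: The "Mask nginx service" task at the end of the 2.1.18 block names the unit `ngnix.service`, so with `rhel9cis_nginx_mask` set the systemd call targets a unit that does not exist and nginx itself is never stopped or masked; the line should read `name: nginx.service`. The 2.1.17 block gates on `rhel9cis_rule_2_117`, which breaks the `rhel9cis_rule_2_1_N` pattern every other task uses and will fail the conditional unless a variable of that exact name is defined somewhere; it should be `rhel9cis_rule_2_1_17`. In 2.1.7 the outer condition is `'ftp' in ansible_facts.packages` while the package removed and the unit masked are `vsftpd`/`vsftpd.service`, so the server control is keyed on the client package and the mask step can fail on a host that has only the client; the old 2.2.6 task checked `'vsftpd' in ansible_facts.packages`. The avahi condition in 2.1.2 still checks `'avahi-autopd'` although the package removed a few lines below is `avahi-autoipd`. Tags also mix `automation` (2.1.7, 2.1.14, 2.1.17) with `automated` everywhere else, so a tag-filtered run would silently skip those three controls.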
@@ -1,348 +1,86 @@ --- -- name: "2.2.1 | PATCH | Ensure xorg-x11-server-common is not installed" +- name: "2.2.1 | PATCH | Ensure ftp client is not installed" + when: + - not rhel9cis_ftp_client + - "'ftp' in ansible_facts.packages" + - rhel9cis_rule_2_2_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - ftp + - NIST800-53R5_CM-7 + - rule_2.2.1 ansible.builtin.package: - name: xorg-x11-server-common - state: absent - when: - - rhel9cis_rule_2_2_1 - - "'xorg-x11-server-common' in ansible_facts.packages" - - not rhel9cis_gui - tags: - - level1-server - - patch - - x11 - - rule_2.2.1 + name: ftp + state: absent -- name: "2.2.2 | PATCH | Ensure Avahi Server is not installed" +- name: "2.2.2 | PATCH | Ensure ldap client is not installed" + when: + - not rhel9cis_openldap_clients_required + - "'openldap-clients' in ansible_facts.packages" + - rhel9cis_rule_2_2_2 + tags: + - level2-server + - level2-workstation + - automated + - patch + - ldap + - NIST800-53R5_CM-7 + - rule_2.2.2 ansible.builtin.package: - name: - - avahi-autoipd - - avahi - state: absent - when: - - rhel9cis_rule_2_2_2 - - not rhel9cis_avahi_server - - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" - tags: - - level1-server - - level2-workstation - - patch - - avahi - - rule_2.2.2 + name: openldap-clients + state: absent -- name: "2.2.3 | PATCH | Ensure CUPS is not installed" +- name: "2.2.3 | PATCH | Ensure nis client is not installed" + when: + - not rhel9cis_ypbind_required + - "'ypbind' in ansible_facts.packages" + - rhel9cis_rule_2_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nis + - NIST800-53R5_CM-7 + - rule_2.2.3 ansible.builtin.package: - name: cups - state: absent - when: - - not rhel9cis_cups_server - - "'cups' in ansible_facts.packages" - - rhel9cis_rule_2_2_3 - tags: - - level1-server - - patch - - cups - - rule_2.2.3 + name: ypbind + state: absent -- name: "2.2.4 | PATCH | Ensure DHCP Server is 
not installed" +- name: "2.2.4 | PATCH | Ensure telnet client is not installed" + when: + - not rhel9cis_telnet_required + - "'telnet' in ansible_facts.packages" + - rhel9cis_rule_2_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - telnet + - NIST800-53R5_CM-7 + - rule_2.2.4 ansible.builtin.package: - name: dhcp-server - state: absent - when: - - not rhel9cis_dhcp_server - - "'dhcp-server' in ansible_facts.packages" - - rhel9cis_rule_2_2_4 - tags: - - level1-server - - level1-workstation - - patch - - dhcp - - rule_2.2.4 + name: telnet + state: absent -- name: "2.2.5 | PATCH | Ensure DNS Server is not installed" +- name: "2.2.5 | PATCH | Ensure TFTP client is not installed" + when: + - not rhel9cis_tftp_client + - "'tftp' in ansible_facts.packages" + - rhel9cis_rule_2_2_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - tftp + - NIST800-53R5_CM-7 + - rule_2.2.5 ansible.builtin.package: - name: bind - state: absent - when: - - not rhel9cis_dns_server - - "'bind' in ansible_facts.packages" - - rhel9cis_rule_2_2_5 - tags: - - level1-server - - level1-workstation - - patch - - dns - - rule_2.2.5 - -- name: "2.2.6 | PATCH | Ensure VSFTP Server is not installed" - ansible.builtin.package: - name: vsftpd - state: absent - when: - - not rhel9cis_vsftpd_server - - "'vsftpd' in ansible_facts.packages" - - rhel9cis_rule_2_2_6 - tags: - - level1-server - - level1-workstation - - patch - - vsftpd - - rule_2.2.6 - -- name: "2.2.7 | PACH | Ensure TFTP Server is not installed" - ansible.builtin.package: - name: tftp-server - state: absent - when: - - not rhel9cis_tftp_server - - "'tftp-server' in ansible_facts.packages" - - rhel9cis_rule_2_2_7 - tags: - - level1-server - - level1-workstation - - patch - - tftp - - rule_2.2.7 - -- name: "2.2.8 | PATCH | Ensure a web server is not installed" - block: - - name: "2.2.8 | PATCH | Ensure a web server is not installed | Remove httpd server" - ansible.builtin.package: - name: 
httpd - state: absent - when: - - not rhel9cis_httpd_server - - "'httpd' in ansible_facts.packages" - - - name: "2.2.8 | PATCH | Ensure a web server is not installed | Remove nginx server" - ansible.builtin.package: - name: nginx - state: absent - when: - - not rhel9cis_nginx_server - - "'nginx' in ansible_facts.packages" - when: - - rhel9cis_rule_2_2_8 - tags: - - level1-server - - level1-workstation - - patch - - httpd - - nginx - - webserver - - rule_2.2.8 - -- name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" - block: - - name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" - ansible.builtin.package: - name: - - dovecot - state: absent - when: - - not rhel9cis_dovecot_server - - "'dovecot' in ansible_facts.packages" - - - name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" - ansible.builtin.package: - name: - - cyrus-imapd - state: absent - when: - - not rhel9cis_imap_server - - "'cyrus-imapd' in ansible_facts.packages" - - when: - - rhel9cis_rule_2_2_9 - tags: - - level1-server - - level1-workstation - - patch - - dovecot - - imap - - pop3 - - rule_2.2.9 - -- name: "2.2.10 | PATCH | Ensure Samba is not enabled" - ansible.builtin.package: - name: samba - state: absent - when: - - not rhel9cis_samba_server - - "'samba' in ansible_facts.packages" - - rhel9cis_rule_2_2_10 - tags: - - level1-server - - level1-workstation - - patch - - samba - - rule_2.2.10 - -- name: "2.2.11 | PATCH | Ensure HTTP Proxy Server is not installed" - ansible.builtin.package: - name: squid - state: absent - when: - - not rhel9cis_squid_server - - "'squid' in ansible_facts.packages" - - rhel9cis_rule_2_2_11 - tags: - - level1-server - - level1-workstation - - patch - - squid - - rule_2.2.11 - -- name: "2.2.12 | PATCH | Ensure net-snmp is not installed" - ansible.builtin.package: - name: net-snmp - state: absent - when: - - not rhel9cis_snmp_server - - "'net-snmp' in ansible_facts.packages" - - rhel9cis_rule_2_2_12 - tags: - - 
level1-server - - level1-workstation - - patch - - snmp - - rule_2.2.12 - -- name: "2.2.13 | PATCH | Ensure telnet-server is not installed" - ansible.builtin.package: - name: telnet-server - state: absent - when: - - not rhel9cis_telnet_server - - "'telnet-server' in ansible_facts.packages" - - rhel9cis_rule_2_2_13 - tags: - - level1-server - - level1-workstation - - patch - - telnet - - rule_2.2.13 - -- name: "2.2.14 | PATCH | Ensure dnsmasq is not installed" - ansible.builtin.package: - name: dnsmasq - state: absent - when: - - not rhel9cis_dnsmasq_server - - "'dnsmasq' in ansible_facts.packages" - - rhel9cis_rule_2_2_14 - tags: - - level1-server - - level1-workstation - - patch - - dnsmasq - - rule_2.2.14 - -- name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" - ansible.builtin.lineinfile: - path: /etc/postfix/main.cf - regexp: "^(#)?inet_interfaces" - line: "inet_interfaces = loopback-only" - notify: Restart postfix - when: - - not rhel9cis_is_mail_server - - "'postfix' in ansible_facts.packages" - - rhel9cis_rule_2_2_15 - tags: - - level1-server - - level1-workstation - - patch - - postfix - - rule_2.2.15 - -# The name title of the service says mask the service, but the fix allows for both options -# Options available in default/main if to remove the package default is false just mask the server service -- name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" - block: - - name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package" - ansible.builtin.package: - name: nfs-utils - state: absent - when: - - not rhel9cis_use_nfs_server - - not rhel9cis_use_nfs_service - - - name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" - ansible.builtin.systemd: - name: nfs-server - masked: true - state: stopped - when: - - rhel9cis_use_nfs_server - - not rhel9cis_use_nfs_service - when: - - 
"'nfs-utils' in ansible_facts.packages" - - rhel9cis_rule_2_2_16 - tags: - - level1-server - - level1-workstation - - patch - - nfs - - services - - rule_2.2.16 - -# The name title of the service says mask the service, but the fix allows for both options -# Options available in default/main if to remove the package default is false just mask the server service -- name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" - block: - - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package" - ansible.builtin.package: - name: rpcbind - state: absent - when: - - not rhel9cis_use_rpc_server - - not rhel9cis_use_rpc_service - - - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" - ansible.builtin.systemd: - name: rpcbind.socket - masked: true - state: stopped - when: - - rhel9cis_use_rpc_server - - not rhel9cis_use_rpc_service - when: - - "'rpcbind' in ansible_facts.packages" - - rhel9cis_rule_2_2_17 - tags: - - level1-server - - level1-workstation - - patch - - rpc - - rule_2.2.17 - -# The name title of the service says mask the service, but the fix allows for both options -# Options available in default/main if to remove the package default is false just mask the server service -- name: "2.2.18 | PATCH | Ensure rsync service is not enabled " - block: - - name: "2.2.18 | PATCH | Ensure rsync-daemon is not installed or the rsync service is masked | remove package" - ansible.builtin.package: - name: rsync-daemon - state: absent - when: - - not rhel9cis_use_rsync_server - - not rhel9cis_use_rsync_service - - - name: "2.2.18 | PATCH | Ensure rsync service is not enabled | mask service" - ansible.builtin.systemd: - name: rsyncd - masked: true - state: stopped - when: - - rhel9cis_use_rsync_server - - not rhel9cis_use_rsync_service - when: - - "'rsync' in ansible_facts.packages" - - rhel9cis_rule_2_2_18 - tags: - - level1-server - - 
level1-workstation - - patch - - rsync - - rule_2.2.18 + name: tftp + state: absent diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index c576a65..dacd624 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml 
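Review bot: The retention flags in the rewritten file follow two naming patterns, `rhel9cis_ftp_client` / `rhel9cis_tftp_client` versus `rhel9cis_openldap_clients_required` / `rhel9cis_ypbind_required` / `rhel9cis_telnet_required`, which makes it harder to audit which defaults keep a client installed. These names were carried over from the old 2.3.x tasks, so renaming them is a wider change; short of that, a comment above the first task such as `# Client packages are kept only when the matching rhel9cis_*_client / rhel9cis_*_required flag is true` would document the intent in one place. The task layout itself (when, tags, then module) matches the 2.1.x file and reads consistently.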
@@ -1,61 +1,51 @@ --- -- name: "2.3.1 | PATCH | Ensure telnet client is not installed" - ansible.builtin.package: - name: telnet - state: absent +- name: "2.3.1 | PATCH | Ensure time synchronization is in use" when: - - not rhel9cis_telnet_required - - "'telnet' in ansible_facts.packages" - - rhel9cis_rule_2_3_1 + - rhel9cis_rule_2_3_1 + - not system_is_container tags: - - level1-server - - level1-workstation - - patch - - telnet - - rule_2.3.1 + - level1-server + - level1-workstation + - patch + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - rule_2.3.1 + ansible.builtin.package: + name: chrony + state: present -- name: "2.3.2 | PATCH | Ensure LDAP client is not installed" - ansible.builtin.package: - name: openldap-clients - state: absent +- name: "2.3.2 | PATCH | Ensure chrony is configured" when: - - not rhel9cis_openldap_clients_required - - "'openldap-clients' in ansible_facts.packages" - - rhel9cis_rule_2_3_2 + - rhel9cis_rule_2_3_2 + - not system_is_container tags: - - level1-server - - level1-workstation - - patch - - ldap - - rule_2.3.2 + - level1-server + - level1-workstation + - patch + - rule_2.3.2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + ansible.builtin.template: + src: etc/chrony.conf.j2 + dest: /etc/chrony.conf + owner: root + group: root + mode: '0644' -- name: "2.3.3 | PATCH | Ensure TFTP client is not installed" - ansible.builtin.package: - name: tftp - state: absent +- name: "2.3.3 | PATCH | Ensure chrony is not run as the root user" when: - - not rhel9cis_tftp_client - - "'tftp' in ansible_facts.packages" - - rhel9cis_rule_2_3_3 + - rhel9cis_rule_2_3_3 + - not system_is_container tags: - - level1-server - - level1-workstation - - patch - - tftp - - rule_2.3.3 - -- name: "2.3.4 | PATCH | Ensure FTP client is not installed" - ansible.builtin.package: - name: ftp - state: absent - when: - - not rhel9cis_ftp_client - - "'ftp' in ansible_facts.packages" - - rhel9cis_rule_2_3_4 - tags: - - level1-server - - level1-workstation - - patch - - ftp - 
- rule_2.3.4 + - level1-server + - level1-workstation + - patch + - rule_2.3.3 + ansible.builtin.lineinfile: + path: /etc/sysconfig/chronyd + regexp: '^OPTIONS="(?!.* -u chrony.*)(.*)"' + line: OPTIONS="\1 -u chrony" + create: true + backrefs: true + mode: '0644' diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml deleted file mode 100644 index 15048f6..0000000 --- a/tasks/section_2/cis_2.4.yml +++ /dev/null @@ -1,40 +0,0 @@ ---- - -- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked" - block: - - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of services" - ansible.builtin.shell: systemctl list-units --type=service - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_2_4_services - - - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of sockets" - ansible.builtin.shell: systemctl list-units --type=socket - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_2_4_sockets - - - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Display list of services" - ansible.builtin.debug: - msg: - - "Warning!! Below are the list of services and sockets, both active and inactive" - - "Please review to make sure all are essential" - - "{{ rhel9cis_2_4_services.stdout_lines }}" - - "{{ rhel9cis_2_4_sockets.stdout_lines }}" - - - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '2.4' - when: - - rhel9cis_rule_2_4 - tags: - - level1-server - - level1-workstation - - manual - - audit - - services - - rule_2.4 diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 3e8996a..02ae663 100644 --- a/tasks/section_2/main.yml 
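Review bot: The 2.3.3 task pairs `backrefs: true` with `create: true`, and `lineinfile` never inserts a line when `backrefs` is set and the regexp finds no match, so a host whose `/etc/sysconfig/chronyd` has no uncommented `OPTIONS="..."` line (including the empty file this task would just have created) is left without `-u chrony` while the task reports ok. The previous implementation matched `^(#)?OPTIONS` without backrefs and therefore covered the missing and commented cases; this version only amends an existing value. Turning the task into a block that first checks for an `OPTIONS=` line, keeps the existing backrefs edit for the present case, and appends `OPTIONS="-u chrony"` only when the check found nothing keeps the control idempotent without clobbering other options, as in the excerpt below. Separately, the `tags` list in 2.3.2 places `rule_2.3.2` before the NIST tags, unlike every other task in the patch.
```yaml
- name: "2.3.3 | PATCH | Ensure chrony is not run as the root user"
  # … unchanged: when / tags as in the hunk …
  block:
    - name: "2.3.3 | PATCH | Ensure chrony is not run as the root user | Check for OPTIONS line"
      ansible.builtin.command: grep -E '^OPTIONS=' /etc/sysconfig/chronyd
      register: discovered_chronyd_options
      changed_when: false
      failed_when: false  # rc 1 = no match, rc 2 = file missing; both fall through to the add task
      check_mode: false

    - name: "2.3.3 | PATCH | Ensure chrony is not run as the root user | Add -u chrony to existing OPTIONS"
      # … unchanged: the backrefs lineinfile from the hunk …

    - name: "2.3.3 | PATCH | Ensure chrony is not run as the root user | Add OPTIONS when absent"
      when: discovered_chronyd_options.rc != 0
      ansible.builtin.lineinfile:
        path: /etc/sysconfig/chronyd
        line: OPTIONS="-u chrony"
        create: true
        mode: '0644'
```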
+++ b/tasks/section_2/main.yml @@ -1,17 +1,17 @@ --- -- name: "SECTION | 2.1 | Time Synchronization" +- name: "SECTION | 2.1 | Special Purpose Services" ansible.builtin.import_tasks: file: cis_2.1.x.yml -- name: "SECTION | 2.2 | Special Purpose Services" +- name: "SECTION | 2.2 | Service Clients" ansible.builtin.import_tasks: file: cis_2.2.x.yml -- name: "SECTION | 2.3 | Service Clients" +- name: "SECTION | 2.3 | Time Synchronization" ansible.builtin.import_tasks: file: cis_2.3.x.yml -- name: "SECTION | 2.4 | Nonessential services removed" +- name: "SECTION | 2.4 | Job Schedulers" ansible.builtin.import_tasks: - file: cis_2.4.yml + file: cis_2.4.x.yml
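Review bot: The last import now points at `cis_2.4.x.yml`, but this patch only deletes `tasks/section_2/cis_2.4.yml` (see the diffstat) and adds no file by the new name, so unless `cis_2.4.x.yml` already exists on the branch or arrives in a companion commit, `import_tasks` will fail at playbook parse time with a missing-file error and stop the whole role rather than just section 2.4. Either the new job-schedulers task file should be part of this change set, or the import should keep pointing at a file that exists until it lands.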