added guardrails on enabled and state flags to systemd mask tasks to only disable and stop when the package is installed, otherwise just mask to prevent the service from ever starting should it get installed at a later time. This allows hardening to proceed when the service doesn't exist but masking has been requested. Otherwise the playbook run will fail at a step when the service which comes with the package doesn't already exist

Signed-off-by: Michael Hicks <nooneofconsequence@gmail.com>
2026-03-25 22:37:11 +00:00 · 2026-03-04 10:40:41 -08:00 · 2026-03-04 10:40:41 -08:00 · c4a97079b1
commit c4a97079b1
parent 497b3dc8d9
4 changed files with 61 additions and 46 deletions
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@ -28,8 +28,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: autofs
-        enabled: false
+        enabled: "{{ ('autofs' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('autofs' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
@ -60,8 +60,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('avahi' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('avahi' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - avahi-daemon.socket
@ -93,8 +93,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('dhcp-server' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('dhcp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - dhcpd.service
@ -126,8 +126,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: named.service
-        enabled: false
+        enabled: "{{ ('bind' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('bind' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
@ -156,8 +156,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: dnsmasq.service
-        enabled: false
+        enabled: "{{ ('dnsmasq' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('dnsmasq' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
@ -187,8 +187,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: smb.service
-        enabled: false
+        enabled: "{{ ('samba' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('samba' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
@ -218,8 +218,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: vsftpd.service
-        enabled: false
+        enabled: "{{ ('vsftpd' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('vsftpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.8 | PATCH | Ensure message access server services are not in use"
@ -245,20 +245,31 @@
          - cyrus-imapd
        state: absent
-    - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service"
+    - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service dovecot"
      when:
        - not rhel9cis_message_server
        - rhel9cis_message_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('dovecot' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('dovecot' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - "dovecot.socket"
        - "dovecot.service"
-        - "cyrus-imapd.service"
+
    - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service cyrus-imapd"
      when:
        - not rhel9cis_message_server
        - rhel9cis_message_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: cyrus-imapd.service
        enabled: "{{ ('cyrus-imapd' in ansible_facts.packages) | ternary(false, omit) }}"
        state: "{{ ('cyrus-imapd' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.9 | PATCH | Ensure network file system services are not in use"
  when: rhel9cis_rule_2_1_9
@ -288,8 +299,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: nfs-server.service
-        enabled: false
+        enabled: "{{ ('nfs-utils' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('nfs-utils' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.10 | PATCH | Ensure nis server services are not in use"
@ -318,8 +329,8 @@
        - rhel9cis_nis_mask
      ansible.builtin.systemd:
        name: ypserv.service
-        enabled: false
+        enabled: "{{ ('ypserv' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('ypserv' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.11 | PATCH | Ensure print server services are not in use"
@ -347,8 +358,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('cups' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('cups' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - "cups.socket"
@ -381,8 +392,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('rpcbind' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('rpcbind' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - rpcbind.service
@ -415,8 +426,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - 'rsyncd.socket'
@ -448,8 +459,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: snmpd.service
-        enabled: false
+        enabled: "{{ ('net-snmp' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('net-snmp' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
@ -479,8 +490,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: telnet.socket
-        enabled: false
+        enabled: "{{ ('telnet-server' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('telnet-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
@ -509,8 +520,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
-        enabled: false
+        enabled: "{{ ('tftp-server' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('tftp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - 'tftp.socket'
@ -543,8 +554,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: squid.service
-        enabled: false
+        enabled: "{{ ('squid' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('squid' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.18 | PATCH | Ensure web server services are not in use"
@ -583,8 +594,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: httpd.service
-        enabled: false
+        enabled: "{{ ('httpd' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('httpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
    - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service"
@ -594,8 +605,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: ngnix.service
-        enabled: false
+        enabled: "{{ ('nginx' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('nginx' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
@ -624,8 +635,8 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: xinetd.service
-        enabled: false
+        enabled: "{{ ('xinetd' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('xinetd' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
 - name: "2.1.20 | PATCH | Ensure X window server services are not in use"
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -105,6 +105,6 @@
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: bluetooth.service
-        enabled: false
+        enabled: "{{ ('bluez' in ansible_facts.packages) | ternary(false, omit) }}"
-        state: stopped
+        state: "{{ ('bluez' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
--- a/tasks/section_4/cis_4.1.x.yml
+++ b/tasks/section_4/cis_4.1.x.yml
@ -32,6 +32,8 @@
        - rhel9cis_firewall == 'nftables'
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: "{{ ('firewalld' in ansible_facts.packages) | ternary(false, omit) }}"
        state: "{{ ('firewalld' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - firewalld
@ -42,6 +44,8 @@
        - rhel9cis_firewall == 'firewalld'
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: "{{ ('nftables' in ansible_facts.packages) | ternary(false, omit) }}"
        state: "{{ ('nftables' in ansible_facts.packages) | ternary('stopped', omit) }}"
        masked: true
      loop:
        - nftables
--- a/tasks/section_6/cis_6.2.2.1.x.yml
+++ b/tasks/section_6/cis_6.2.2.1.x.yml
@ -72,8 +72,8 @@
    - NIST800-53R5_AU-12
  ansible.builtin.systemd:
    name: "{{ item }}"
-    state: stopped
+    enabled: "{{ ('systemd-journal-remote' in ansible_facts.packages) | ternary(false, omit) }}"
-    enabled: false
+    state: "{{ ('systemd-journal-remote' in ansible_facts.packages) | ternary('stopped', omit) }}"
    masked: true
  loop:
    - systemd-journal-remote.socket