diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml
new file mode 100644
index 0000000..ce85507
--- /dev/null
+++ b/tasks/section_3/cis_3.3.x.yml
@@ -0,0 +1,155 @@
+---
+
+- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted"
+ block:
+ - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify:
+ - update sysctl
+ - sysctl flush ipv4 route table
+
+ - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify:
+ - sysctl flush ipv6 route table
+ - update sysctl
+ when: rhel9cis_ipv6_required
+ when:
+ - rhel9cis_rule_3_2_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.2.1
+
+- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted"
+ block:
+ - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify:
+ - update sysctl
+ - sysctl flush ipv4 route table
+
+ - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify:
+ - sysctl flush ipv6 route table
+ - update sysctl
+ when: rhel9cis_ipv6_required
+ when:
+ - rhel9cis_rule_3_2_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.2.2
+
+- name: "3.2.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify: update sysctl
+ when:
+ - rhel9cis_rule_3_2_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.2.3
+
+- name: "3.2.4 | L1 | PATCH | Ensure suspicious packets are logged"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify: update sysctl
+ when:
+ - rhel9cis_rule_3_2_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.2.4
+
+- name: "3.2.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify: update sysctl
+ when:
+ - rhel9cis_rule_3_2_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.2.5
+
+- name: "3.2.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify: update sysctl
+ when:
+ - rhel9cis_rule_3_2_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.2.6
+
+- name: "3.2.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify: update sysctl
+ when:
+ - rhel9cis_rule_3_2_7
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.2.7
+
+- name: "3.2.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify: update sysctl
+ when:
+ - rhel9cis_rule_3_2_8
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.2.8
+
+- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted"
+ block:
+ - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify:
+ - update sysctl
+ - sysctl flush ipv4 route table
+
+ - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted"
+ debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+ notify:
+ - sysctl flush ipv6 route table
+ - update sysctl
+ when: rhel9cis_ipv6_required
+ when:
+ - rhel9cis_ipv6_required
+ - rhel9cis_rule_3_2_9
+ tags:
+ - level2-server
+ - level2-workstation
+ - sysctl
+ - patch
+ - rule_3.2.9
diff --git a/templates/etc/99-sysctl.conf.j2 b/templates/etc/99-sysctl.conf.j2
index 61f4dfa..8feb96d 100644
--- a/templates/etc/99-sysctl.conf.j2
+++ b/templates/etc/99-sysctl.conf.j2
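Review bot: Every task in this new cis_3.3.x.yml is still named 3.2.1–3.2.9, gated on `rhel9cis_rule_3_2_1`..`rhel9cis_rule_3_2_9` and tagged `rule_3.2.x`, while the template change in the same commit moves exactly these controls (source route, ICMP redirects, secure redirects, martians, broadcast/bogus ICMP, rp_filter, SYN cookies, accept_ra) to `rhel9cis_rule_3_3_1`..`rhel9cis_rule_3_3_9` and reuses `rhel9cis_rule_3_2_1`/`rhel9cis_rule_3_2_2` for ip_forward and send_redirects. As written, enabling `rhel9cis_rule_3_2_1` runs a task that claims to disable source-routed packets but renders `net.ipv4.ip_forward = 0`, and no task references the 3.3.x variables at all; rename each task name, `when` variable and tag here to 3.3.x so they agree with the template, e.g. `- name: "3.3.1 | L1 | PATCH | Ensure source routed packets are not accepted"`, `- rhel9cis_rule_3_3_1`, `- rule_3.3.1` (and if a cis_3.2.x.yml elsewhere in the role already carries these same 3.2.x task names, that duplication should be resolved too). Independently, `debug` reports `changed: false`, so the `notify:` lists on these tasks will never trigger `update sysctl` or the route-table flushes and /etc/sysctl.d/99-sysctl.conf is not rewritten by them unless some other task notifies the same handlers; add `changed_when: true` to each debug task to make this notify-via-debug pattern actually fire.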
@@ -12,64 +12,64 @@
 kernel.randomize_va_space = 2
 {% endif %}
 # Network sysctl
-{% if rhel9cis_rule_3_1_1 %}
-# CIS 3.1.1
-net.ipv4.ip_forward = 0
-{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %}
-net.ipv6.conf.all.forwarding = 0
-{% endif %}
-{% endif %}
-{% if rhel9cis_rule_3_1_2 %}
-# CIS 3.1.2
-net.ipv4.conf.all.send_redirects = 0
-net.ipv4.conf.default.send_redirects = 0
-{% endif %}
 {% if rhel9cis_rule_3_2_1 %}
 # CIS 3.2.1
-net.ipv4.conf.all.accept_source_route = 0
-net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.ip_forward = 0
 {% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %}
-net.ipv6.conf.all.accept_source_route = 0
-net.ipv6.conf.default.accept_source_route = 0
+net.ipv6.conf.all.forwarding = 0
 {% endif %}
 {% endif %}
 {% if rhel9cis_rule_3_2_2 %}
 # CIS 3.2.2
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+{% endif %}
+{% if rhel9cis_rule_3_3_1 %}
+# CIS 3.3.1
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+{% if rhel9cis_rule_3_3_1 and rhel9cis_ipv6_required %}
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+{% endif %}
+{% endif %}
+{% if rhel9cis_rule_3_3_2 %}
+# CIS 3.3.2
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
-{% if rhel9cis_rule_3_2_2 and rhel9cis_ipv6_required %}
+{% if rhel9cis_rule_3_3_2 and rhel9cis_ipv6_required %}
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0
 {% endif %}
 {% endif %}
-{% if rhel9cis_rule_3_2_3 %}
-# CIS 3.2.3
+{% if rhel9cis_rule_3_3_3 %}
+# CIS 3.3.3
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
 {% endif %}
-{% if rhel9cis_rule_3_2_4 %}
-# CIS 3.2.4
+{% if rhel9cis_rule_3_3_4 %}
+# CIS 3.3.4
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.default.log_martians = 1
 {% endif %}
-{% if rhel9cis_rule_3_2_5 %}
-# CIS 3.2.5
+{% if rhel9cis_rule_3_3_5 %}
+# CIS 3.3.5
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 {% endif %}
-{% if rhel9cis_rule_3_2_6 %}
-# CIS 3.2.6
+{% if rhel9cis_rule_3_3_6 %}
+# CIS 3.3.6
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 {% endif %}
-{% if rhel9cis_rule_3_2_7 %}
-# CIS 3.2.7
+{% if rhel9cis_rule_3_3_7 %}
+# CIS 3.3.7
 net.ipv4.conf.default.rp_filter = 1
 {% endif %}
-{% if rhel9cis_rule_3_2_8 %}
-# CIS 3.2.8
+{% if rhel9cis_rule_3_3_8 %}
+# CIS 3.3.8
 net.ipv4.tcp_syncookies = 1
 {% endif %}
-{% if rhel9cis_rule_3_2_9 %}
-# CIS 3.2.9
+{% if rhel9cis_rule_3_3_9 %}
+# CIS 3.3.9
 net.ipv6.conf.all.accept_ra = 0
 net.ipv6.conf.default.accept_ra = 0
 {% endif %}
\ No newline at end of file
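Review bot: The CIS 3.3.7 block (`{% if rhel9cis_rule_3_3_7 %}`) still renders only `net.ipv4.conf.default.rp_filter = 1`, but the benchmark's Reverse Path Filtering control sets both the `all` and `default` keys, and `default` only seeds interfaces created after the sysctl is applied — add `net.ipv4.conf.all.rp_filter = 1` beside it (strict mode breaks asymmetric routing, so `2` is the loose-mode alternative where that applies). The renumbering also means `rhel9cis_rule_3_3_1`..`rhel9cis_rule_3_3_9` must now be defined in the role defaults (not in this diff): Ansible templates with strict undefined handling, so a missing one fails the `update sysctl` handler rather than silently skipping, and any inventory that still sets the old `rhel9cis_rule_3_2_3`..`rhel9cis_rule_3_2_9` to opt out no longer affects these lines. Minor style: the inner `{% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %}` and `{% if rhel9cis_rule_3_3_1 and rhel9cis_ipv6_required %}` re-test the variable the enclosing `{% if %}` already established; `{% if rhel9cis_ipv6_required %}` is sufficient. The template still ends without a trailing newline (`\ No newline at end of file`); append one so the rendered sysctl.d file ends cleanly.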