diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 4381911..fb0f119 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -297,14 +297,14 @@ failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ] register: discovered_fs_modules_loaded - - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Output Warning" + - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Output Warning" when: discovered_fs_modules_loaded.stdout | length > 0 ansible.builtin.debug: msg: | "Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task {{ discovered_fs_modules_loaded.stdout_lines}}" - - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning" + - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning" when: discovered_fs_modules_loaded.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index 770753e..d64c3a7 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -86,4 +86,3 @@ group: root mode: '0644' notify: Systemd restart tmp.mount - diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 6fd1303..cf45245 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -12,8 +12,8 @@ - rule_1_1_2.3.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.3.1' - required_mount: '/home' + warn_control_id: '1.1.2.3.1' + required_mount: '/home' block: - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Absent" ansible.builtin.debug: 
@@ -40,7 +40,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.builtin.mount: + ansible.posix.mount: name: /home src: "{{ item.device }}" fstype: "{{ item.fstype }}" diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index 85df1b2..a2b0695 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -25,8 +25,8 @@ # skips if mount is absent - name: | - "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" - "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" + "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition + 1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" when: - item.mount == "/var" - rhel9cis_rule_1_1_2_4_2 or @@ -40,7 +40,7 @@ - rule_1_1_2.4.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.builtin.mount: + ansible.posix.mount: name: /var src: "{{ item.device }}" fstype: "{{ item.fstype }}" diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index dba75f5..6e630e4 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -26,9 +26,9 @@ # skips if mount is absent - name: | - "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" - "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" - "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" + "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition + 1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition + 1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" when: - item.mount == "/var/tmp" - rhel9cis_rule_1_1_2_5_2 or @@ -44,7 +44,7 @@ - rule_1_1_2.5.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.builtin.mount: + ansible.posix.mount: name: /var/tmp src: "{{ item.device }}" fstype: "{{ item.fstype }}" diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index 00e0711..dea5d85 100644 
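Review bot: Switching the /home, /var, /var/tmp tasks here (and /var/log, /var/log/audit in the following hunks) to `ansible.posix.mount` is the right FQCN, since ansible-core ships no `ansible.builtin.mount` and the old module path could not have resolved, but it makes the role depend on the ansible.posix collection. If `ansible.posix` is not already declared in the role's collection requirements, add it there so a clean `ansible-galaxy collection install -r` of the role provides the module; the diff does not show that file, so I cannot confirm it is present. The mount tasks' `when` and `tags` keys start above these hunks.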
--- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -12,8 +12,8 @@ - rule_1_1_2.6.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.6.1' - required_mount: '/var/log' + warn_control_id: '1.1.2.6.1' + required_mount: '/var/log' block: - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" ansible.builtin.debug: @@ -24,9 +24,9 @@ file: warning_facts.yml - name: | - "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" - "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" - "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" + "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition + 1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition + 1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" when: - item.mount == "/var/log" - rhel9cis_rule_1_1_2_6_2 or @@ -42,7 +42,7 @@ - rule_1_1_2.6.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.builtin.mount: + ansible.posix.mount: name: /var/log src: "{{ item.device }}" fstype: "{{ item.fstype }}" diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 8e59fe6..2747e49 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml 
@@ -24,19 +24,9 @@ file: warning_facts.yml - name: | - "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" - "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" - "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" - ansible.builtin.mount: - name: /var/log/audit - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_7_4 %}noexec{% endif %} - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - notify: Change_requires_reboot + "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition + 1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition + 1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" when: - item.mount == "/var/log/audit" - rhel9cis_rule_1_1_2_7_2 or @@ -52,3 +42,13 @@ - rule_1_1_2.7.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 + ansible.posix.mount: + name: /var/log/audit + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_7_4 %}noexec{% endif %} + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" + notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.3.x.yml_AIDE b/tasks/section_1/cis_1.3.x.yml_AIDE deleted file mode 100644 index fa2d6a5..0000000 --- a/tasks/section_1/cis_1.3.x.yml_AIDE +++ /dev/null 
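Review bot: The relocated `opts:` template for /var/log/audit yields a trailing comma whenever rhel9cis_rule_1_1_2_7_4 is false (for example `defaults,nodev,nosuid,`), because every enabled option except noexec appends its own separator. mount(8) appears to tolerate a dangling separator, but the string is written verbatim into fstab and a scanner that compares the options field will see the stray comma; building a list and joining it avoids the problem: `opts: "{{ (['defaults'] + (['nodev'] if rhel9cis_rule_1_1_2_7_2 else []) + (['nosuid'] if rhel9cis_rule_1_1_2_7_3 else []) + (['noexec'] if rhel9cis_rule_1_1_2_7_4 else [])) | join(',') }}"`. The sibling mount tasks in 1.1.2.4–1.1.2.6 likely use the same pattern, though their opts lines fall outside the hunks shown.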
@@ -1,78 +0,0 @@ ---- - -- name: "1.3.1 | PATCH | Ensure AIDE is installed" - block: - - name: "1.3.1 | PATCH | Ensure AIDE is installed | Install AIDE" - ansible.builtin.package: - name: aide - state: present - - - name: "1.3.1 | PATCH | Ensure AIDE is installed | Build AIDE DB" - ansible.builtin.shell: /usr/sbin/aide --init - args: - creates: /var/lib/aide/aide.db.new.gz - when: not ansible_check_mode - - - name: "1.3.1 | PATCH | Ensure AIDE is installed | Wait for file before continuing" - ansible.builtin.wait_for: - path: /var/lib/aide/aide.db.new.gz - - - name: "1.3.1 | PATCH | Ensure AIDE is installed | copy AIDE DB" - ansible.builtin.copy: - src: /var/lib/aide/aide.db.new.gz - dest: /var/lib/aide/aide.db.gz - remote_src: true - when: - - rhel9cis_config_aide - - rhel9cis_rule_1_3_1 - tags: - - level1-server - - level1-workstation - - aide - - patch - - rule_1.3.1 - -- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" - ansible.builtin.cron: - name: Run AIDE integrity check - cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" - user: "{{ rhel9cis_aide_cron['cron_user'] }}" - minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ rhel9cis_aide_cron['aide_job'] }}" - when: - - rhel9cis_rule_1_3_2 - - not system_is_ec2 - tags: - - level1-server - - level1-workstation - - aide - - file_integrity - - patch - - rule_1.3.2 - -- name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" - ansible.builtin.blockinfile: - path: /etc/aide.conf - marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" - block: | - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 - 
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - validate: aide -D --config %s - when: - - rhel9cis_rule_1_3_3 - - not system_is_ec2 - tags: - - level1-server - - level1-workstation - - aide - - file_integrity - - patch - - rule_1.3.3 diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 7c015a2..259e106 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -15,8 +15,8 @@ msg: "Captured in prelim to ensure not LEGACY. Runs handler to update" changed_when: true notify: - - Update Crypto Policy - - Set Crypto Policy + - Update Crypto Policy + - Set Crypto Policy - name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration" when: @@ -36,7 +36,7 @@ state: absent notify: Restart sshd -- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support" +- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | Add submodule exclusion" when: - rhel9cis_rule_1_6_3 - "'NO-SHA1' not in rhel9cis_crypto_policy_module" @@ -49,7 +49,7 @@ - rule_1.6.3 - NIST800-53R5_SC-6 block: - - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | Add submodule exclusion" + - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support" ansible.builtin.template: src: etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod @@ -92,7 +92,6 @@ ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-WEAKMAC' }}" - - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh" when: - rhel9cis_rule_1_6_5 
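Review bot: The two 1.6.3 renames look swapped: the outer block, which only carries `when`, `tags` and `block`, now ends in `| Add submodule exclusion`, while the inner template task that actually writes NO-SHA1.pmod loses that suffix. The other rules in this file (1.6.6 below, for instance) keep the bare rule title on the block and the `| <step>` suffix on the sub-task, and the warning/reporting output keys off these names. Exchange the two `- name:` lines back so the block reads `"1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support"` and the template task `"1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | Add submodule exclusion"`.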
@@ -124,7 +123,7 @@ - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh" when: - rhel9cis_rule_1_6_6 - - "'NO-SSHCHACHA20' not in rhel9cis_crypto_policy_module" + - "'NO-SSHWEAKMAC' not in rhel9cis_crypto_policy_module" tags: - level1-server - level1-workstation @@ -136,8 +135,8 @@ block: - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion" ansible.builtin.template: - src: etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod.j2 - dest: /etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod + src: etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod.j2 + dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod owner: root group: root mode: '0640' @@ -147,7 +146,7 @@ - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules" ansible.builtin.set_fact: - rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHCHACHA20' }}" + rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHWEAKMAC' }}" - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh" when: diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index b29aa15..427eb79 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -51,7 +51,6 @@ mode: '0644' notify: Reload dconf - - name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled" when: - rhel9cis_rule_1_8_3 diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 34e57f2..a3df3eb 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -51,8 +51,8 @@ - not rhel9cis_avahi_mask ansible.builtin.package: name: - - avahi-autoipd - - avahi + - avahi-autoipd + - avahi state: absent - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Mask service" 
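Review bot: Rule 1.6.6 now guards on, templates and appends a submodule called NO-SSHWEAKMAC, while its task names still say it disables chacha20-poly1305 for ssh. chacha20-poly1305 is an AEAD cipher rather than a MAC, so either the new name misdescribes what the template removes, or the template content changed and the task names are now stale and the module overlaps with the NO-WEAKMAC exclusion added just before 1.6.5; the .pmod.j2 template is not in this diff, so I cannot tell which. If the module is still the chacha20 exclusion, keep `NO-SSHCHACHA20` (or name it for the algorithm it removes) and, whichever way it goes, make sure `etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod.j2` exists under templates/, since a missing src fails the template task at runtime.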
@@ -255,8 +255,8 @@ - not rhel9cis_message_mask ansible.builtin.package: name: - - dovecot - - cyrus-imapd + - dovecot + - cyrus-imapd state: absent - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service" @@ -451,32 +451,32 @@ - "'net-snmp' in ansible_facts.packages" - rhel9cis_rule_2_1_14 tags: - - level1-server - - level1-workstation - - automation - - patch - - snmp - - NIST800-53R5_CM-7 - - rule_2.1.14 + - level1-server + - level1-workstation + - automation + - patch + - snmp + - NIST800-53R5_CM-7 + - rule_2.1.14 block: - - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Remove package" - when: - - not rhel9cis_net_snmp_server - - not rhel9cis_net_snmp_mask - ansible.builtin.package: - name: net-snmp - state: absent + - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Remove package" + when: + - not rhel9cis_net_snmp_server + - not rhel9cis_net_snmp_mask + ansible.builtin.package: + name: net-snmp + state: absent - - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Mask service" - when: - - not rhel9cis_net_snmp_server - - rhel9cis_net_snmp_mask - notify: Systemd_daemon_reload - ansible.builtin.systemd: - name: snmpd.service - enabled: false - state: stopped - masked: true + - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Mask service" + when: + - not rhel9cis_net_snmp_server + - rhel9cis_net_snmp_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: snmpd.service + enabled: false + state: stopped + masked: true - name: "2.1.15 | PATCH | Ensure telnet server services are not in use" when: 
@@ -669,20 +669,20 @@ - name: "2.1.20 | PATCH | Ensure X window server services are not in use" when: - - not rhel9cis_xwindow_server - - "'xorg-x11-server-common' in ansible_facts.packages" - - rhel9cis_rule_2_1_20 + - not rhel9cis_xwindow_server + - "'xorg-x11-server-common' in ansible_facts.packages" + - rhel9cis_rule_2_1_20 tags: - - level1-server - - level1-workstation - - automated - - patch - - xwindow - - NIST800-53R5_CM-11 - - rule_2.1.20 + - level1-server + - level1-workstation + - automated + - patch + - xwindow + - NIST800-53R5_CM-11 + - rule_2.1.20 ansible.builtin.package: - name: xorg-x11-server-common - state: absent + name: xorg-x11-server-common + state: absent - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode" when: diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 02ae663..6e373fa 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -2,16 +2,16 @@ - name: "SECTION | 2.1 | Special Purpose Services" ansible.builtin.import_tasks: - file: cis_2.1.x.yml + file: cis_2.1.x.yml - name: "SECTION | 2.2 | Service Clients" ansible.builtin.import_tasks: - file: cis_2.2.x.yml + file: cis_2.2.x.yml - name: "SECTION | 2.3 | Time Synchronization" ansible.builtin.import_tasks: - file: cis_2.3.x.yml + file: cis_2.3.x.yml - name: "SECTION | 2.4 | Job Schedulers" ansible.builtin.import_tasks: - file: cis_2.4.x.yml + file: cis_2.4.x.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 3f93858..5c76ab6 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -3,82 +3,93 @@ # The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Ensure IPv6 status is identified" - block: - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true - rhel9cis_flush_ipv6_route: true - - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" when: - - not rhel9cis_ipv6_required - - rhel9cis_rule_3_1_1 + - not rhel9cis_ipv6_required + - rhel9cis_rule_3_1_1 tags: - - level1-server - - level1-workstation - - manual - - patch - - ipv6 - - networking - - rule_3.1.1 + - level1-server + - level1-workstation + - manual + - patch + - ipv6 + - networking + - rule_3.1.1 + - NIST800-53R5_CM-7 + block: + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" + ansible.builtin.set_fact: + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv6_route: true + + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" + ansible.builtin.debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" - block: - - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available | if wlan exists" - ansible.builtin.shell: rpm -q NetworkManager - changed_when: false - failed_when: false - check_mode: false - register: rhel_09_nmcli_available - - - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" - ansible.builtin.shell: nmcli radio wifi - register: rhel_09_wifi_enabled - changed_when: rhel_09_wifi_enabled.stdout != "disabled" - failed_when: false - when: rhel_09_nmcli_available.rc == 0 - - - name: "3.1.2 | PATCH | Ensure wireless interfaces 
are disabled | Disable wifi if enabled" - ansible.builtin.shell: nmcli radio all off - changed_when: false - failed_when: false - when: rhel_09_wifi_enabled is changed # noqa no-handler when: - - rhel9cis_rule_3_1_2 - - "'wlan' in ansible_facts.interfaces" + - rhel9cis_rule_3_1_2 + - discover_wireless_adapters.rc == 0 tags: - - level1-server - - patch - - wireless - - rule_3.1.2 - -- name: "3.1.3 | PATCH | Ensure TIPC is disabled" + - level1-server + - patch + - rule_3.1.2 + - wireless + - NIST800-53R5_CM-7 + vars: + warn_control_id: '3.1.2' block: - - name: "3.1.3 | PATCH | Ensure TIPC is disabled" - ansible.builtin.template: - src: "etc/modprobe.d/modprobe.conf.j2" - dest: "/etc/modprobe.d/{{ item }}.conf" - mode: '0600' - owner: root - group: root - loop: - - tipc - # note the item used in the template + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" + when: "'network-manager' in ansible_facts.packages" + ansible.builtin.shell: nmcli radio wifi + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_3_1_2_wifi_status - - name: "3.1.3 | PATCH | Ensure TIPC is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist tipc(\\s|$)" - line: "blacklist tipc" - create: true - mode: '0600' + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" + when: + - "'network-manager' in ansible_facts.packages" + - "'enabled' in rhel9cis_3_1_2_wifi_status.stdout" + ansible.builtin.shell: nmcli radio all off + changed_when: rhel9cis_3_1_2_nmcli_radio_off.rc == 0 + register: rhel9cis_3_1_2_nmcli_radio_off + + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" + when: "'network-manager' not in ansible_facts.packages" + ansible.builtin.debug: + msg: "Warning!! 
You need to disable wireless interfaces manually since network-manager is not installed" + + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count" + when: "'network-manager' not in ansible_facts.packages" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use" when: - - rhel9cis_rule_3_1_3 + - rhel9cis_rule_3_1_3 tags: - - level2-server - - level2-workstation - - patch - - tipc - - rule_3.1.3 + - level1-server + - level2-workstation + - patch + - bluetooth + - rule_3.1.3 + - NIST800-53R5_CM-7 + block: + - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | pkg" + when: + - not rhel9cis_bluetooth_service + - not rhel9cis_bluetooth_mask + ansible.builtin.package: + name: bluez + state: absent + + - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | mask" + when: + - not rhel9cis_bluetooth_service + - rhel9cis_bluetooth_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: bluetooth.service + enabled: false + state: stopped + masked: true diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index cc5567f..bc210ae 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml 
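Review bot: The four 3.1.2 sub-tasks key on `'network-manager' in ansible_facts.packages`, but `ansible_facts.packages` is indexed by RPM name and on RHEL 9 that package is `NetworkManager` (the removed code queried it with `rpm -q NetworkManager`), so the nmcli path never runs and the manual warning fires on every host with a wireless adapter. Each occurrence should read `when: "'NetworkManager' in ansible_facts.packages"` (negated in the two warning tasks). The outer `when` also relies on `discover_wireless_adapters.rc`, which nothing in this file registers; presumably prelim sets it, but that is worth confirming so the block does not fail on an undefined variable. Both `nmcli` calls use `ansible.builtin.shell` without any shell feature; `ansible.builtin.command` would avoid the shell and satisfy ansible-lint.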
@@ -1,52 +1,121 @@ --- -- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" - block: - - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true - rhel9cis_flush_ipv4_route: true - - - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - - - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | IPv6" - block: - - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" - ansible.builtin.set_fact: - rhel9cis_flush_ipv6_route: true - - - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - - when: rhel9cis_ipv6_required +- name: "3.2.1 | PATCH | Ensure dccp kernel module is not available" when: - - not rhel9cis_is_router - - rhel9cis_rule_3_2_1 + - rhel9cis_rule_3_2_1 tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.1 - -- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" + - level2-server + - level2-workstation + - patch + - rule_3.2.1 + - dccp + - NIST800-53R5_CM-7 + - NIST800-53R5_SI-4 block: - - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true - rhel9cis_flush_ipv4_route: true - - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/dccp.conf + regexp: '^(#)?install dccp(\\s|$)' + 
line: "{{ item }}" + create: true + loop: + - install dccp /bin/true + - blacklist dccp + + - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist cramfs(\\s|$)" + line: "blacklist cramfs" + create: true + mode: '0600' + +- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" when: - - not rhel9cis_is_router - - rhel9cis_rule_3_2_2 + - rhel9cis_rule_3_2_2 tags: - - level1-server - - level1-workstation - - patch - - sysctl - - rule_3.2.2 + - level2-server + - level2-workstation + - patch + - rule_3.2.2 + - tipc + - NIST800-53R5_CM-7 + - NIST800-53R5_SI-4 + block: + - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/tipc.conf + regexp: '^(#)?install tipc(\\s|$)' + line: "{{ item }}" + create: true + loop: + - install tipc /bin/true + - blacklist tipc + + - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist tipc(\\s|$)" + line: "blacklist tipc" + create: true + mode: '0600' + +- name: "3.2.3 | PATCH | Ensure rds kernel module is not available" + when: + - rhel9cis_rule_3_2_3 + tags: + - level2-server + - level2-workstation + - patch + - rule_3.2.3 + - rds + - NIST800-53R5_CM-7 + - NIST800-53R5_SI-4 + block: + - name: "3.2.3 | PATCH | Ensure rds kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/rds.conf + regexp: '^(#)?install rds(\\s|$)' + line: "{{ item }}" + create: true + loop: + - install rds /bin/true + - blacklist rds + + - name: "3.2.3 | PATCH | Ensure rds kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist rds(\\s|$)" + line: "blacklist rds" + create: true + mode: '0600' + +- name: "3.2.4 | 
PATCH | Ensure sctp kernel module is not available" + when: + - rhel9cis_rule_3_2_4 + tags: + - level2-server + - level2-workstation + - patch + - rule_3.2.4 + - sctp + - NIST800-53R5_CM-7 + - NIST800-53R5_SI-4 + block: + - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/sctp.conf + regexp: '^(#)?install sctp(\\s|$)' + line: "{{ item }}" + create: true + loop: + - install sctp /bin/true + - blacklist sctp + + - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist sctp(\\s|$)" + line: "blacklist sctp" + create: true + mode: '0600' diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index e8f3a5f..2f73979 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml 
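Review bot: In 3.2.1 the blacklist sub-task writes `blacklist cramfs` into /etc/modprobe.d/blacklist.conf, so dccp is never blacklisted there; it should read `regexp: "^(#)?blacklist dccp(\\s|$)"` and `line: "blacklist dccp"`, matching the tipc, rds and sctp tasks below. The modprobe sub-tasks in 3.2.1–3.2.4 also pair one regexp with a two-item loop, and because that regexp is single-quoted the `\\s` reaches the regex engine as a literal backslash, so the pattern only matches `install <module>` at end of line; the task only works because it fails to match `install dccp /bin/true`, and fixing the quoting alone would make the second loop item overwrite the first. Carrying the regexp per loop item, and adding the `mode: '0600'` the blacklist task already sets, gives each line its own anchor; the same change applies to 3.2.2, 3.2.3 and 3.2.4.
```yaml
    - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | modprobe"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/dccp.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        create: true
        mode: '0600'
      loop:
        - { regexp: '^(#)?install dccp(\s|$)', line: 'install dccp /bin/true' }
        - { regexp: '^(#)?blacklist dccp(\s|$)', line: 'blacklist dccp' }
      loop_control:
        label: "{{ item.line }}"
    # … unchanged: blacklist sub-task (with cramfs corrected to dccp) …
```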
@@ -1,194 +1,306 @@ --- -- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" - block: - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true - rhel9cis_flush_ipv4_route: true - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" - block: - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact" - ansible.builtin.set_fact: - rhel9cis_flush_ipv6_route: true - - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - when: rhel9cis_ipv6_required +- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled" when: - - rhel9cis_rule_3_3_1 + - not rhel9cis_is_router + - rhel9cis_rule_3_3_1 tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.3.1 - -- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.3.1 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true - rhel9cis_flush_ipv4_route: true + - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact" + ansible.builtin.set_fact: + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4" - ansible.builtin.debug: - msg: "Control being set via Handler 'update 
sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" + ansible.builtin.debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" - block: - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" - ansible.builtin.set_fact: - rhel9cis_flush_ipv6_route: true - - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - when: rhel9cis_ipv6_required - when: - - rhel9cis_rule_3_3_2 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.3.2 - -- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - block: - - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true - rhel9cis_flush_ipv4_route: true - - - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - when: - - rhel9cis_rule_3_3_3 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.3.3 - -- name: "3.3.4 | PATCH | Ensure suspicious packets are logged" - block: - - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true - rhel9cis_flush_ipv4_route: true - - - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - when: - - rhel9cis_rule_3_3_4 - tags: - - level1-server - - level1-workstation - - sysctl - - 
patch - - rule_3.3.4 - -- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - block: - - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true - rhel9cis_flush_ipv4_route: true - - - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - when: - - rhel9cis_rule_3_3_5 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.3.5 - -- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - block: - - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true - rhel9cis_flush_ipv4_route: true - - - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - when: - - rhel9cis_rule_3_3_6 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.3.6 - -- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - block: - - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true - rhel9cis_flush_ipv4_route: true - - - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - when: - - rhel9cis_rule_3_3_7 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.3.7 - -- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" - block: - - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true - rhel9cis_flush_ipv4_route: true - - - name: "3.3.8 
| PATCH | Ensure TCP SYN Cookies is enabled" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - when: - - rhel9cis_rule_3_3_8 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.3.8 - -- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" - block: - - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact" - ansible.builtin.set_fact: - rhel9cis_sysctl_update: true + - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv6" + when: rhel9cis_ipv6_required + block: + - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" + ansible.builtin.set_fact: rhel9cis_flush_ipv6_route: true - - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6" - ansible.builtin.debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl" + - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" + ansible.builtin.debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + +- name: "3.3.2 | PATCH | Ensure packet redirect sending is disabled" when: - - rhel9cis_ipv6_required - - rhel9cis_rule_3_3_9 + - not rhel9cis_is_router + - rhel9cis_rule_3_3_2 tags: - - level2-server - - level2-workstation - - sysctl - - patch - - rule_3.3.9 + - level1-server + - level1-workstation + - patch + - sysctl + - rule_3.3.2 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "3.3.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact" + ansible.builtin.set_fact: + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true + - name: "3.3.2 | PATCH | Ensure packet redirect sending is disabled" + ansible.builtin.debug: + msg: "Control being set via 
Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+
+- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
+ when:
+ - rhel9cis_rule_3_3_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.3.3
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ block:
+ - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact"
+ ansible.builtin.set_fact:
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
+
+ - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
+ ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+
+- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
+ when:
+ - rhel9cis_rule_3_3_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.3.4
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ block:
+ - name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact"
+ ansible.builtin.set_fact:
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
+
+ - name: 3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
+ ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+
+- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
+ when:
+ - rhel9cis_rule_3_3_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.3.5
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ block:
+ - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | Set Fact"
+ ansible.builtin.set_fact:
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
+
+ - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
+ 
ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+
+ - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
+ when: rhel9cis_ipv6_required
+ block:
+ - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
+ ansible.builtin.set_fact:
+ rhel9cis_flush_ipv6_route: true
+
+ - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
+ ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
+
+- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
+ when:
+ - rhel9cis_rule_3_3_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.3.6
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ block:
+ - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4 | Set Fact"
+ ansible.builtin.set_fact:
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
+
+ - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4"
+ ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+
+ - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
+ when: rhel9cis_ipv6_required
+ block:
+ - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6 | Set Fact"
+ ansible.builtin.set_fact:
+ rhel9cis_flush_ipv6_route: true
+
+ - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
+ ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
+
+- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
+ when:
+ - rhel9cis_rule_3_3_7
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.3.7
+ - 
NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ block:
+ - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact"
+ ansible.builtin.set_fact:
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
+
+ - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
+ ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+
+- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted"
+ when:
+ - rhel9cis_rule_3_3_8
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.3.8
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ block:
+ - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact"
+ ansible.builtin.set_fact:
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
+ - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv4"
+ ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+
+ - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv6"
+ when: rhel9cis_ipv6_required
+ block:
+ - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact"
+ ansible.builtin.set_fact:
+ rhel9cis_flush_ipv6_route: true
+
+ - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv6"
+ ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
+
+- name: "3.3.9 | PATCH | Ensure suspicious packets are logged"
+ when:
+ - rhel9cis_rule_3_3_9
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.3.9
+ - NIST800-53R5_AU-3
+ block:
+ - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
+ 
ansible.builtin.set_fact:
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
+
+ - name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
+ ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+
+- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
+ when:
+ - rhel9cis_rule_3_3_10
+ tags:
+ - level1-server
+ - level1-workstation
+ - sysctl
+ - patch
+ - rule_3.3.10
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ block:
+ - name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact"
+ ansible.builtin.set_fact:
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv4_route: true
+
+ - name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
+ ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+
+- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted"
+ when:
+ - rhel9cis_ipv6_required
+ - rhel9cis_rule_3_3_11
+ tags:
+ - level2-server
+ - level2-workstation
+ - sysctl
+ - patch
+ - rule_3.3.11
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ block:
+ - name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact"
+ ansible.builtin.set_fact:
+ rhel9cis_sysctl_update: true
+ rhel9cis_flush_ipv6_route: true
+
+ - name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6"
+ ansible.builtin.debug:
+ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl"
diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml
deleted file mode 100644
index 8a7e721..0000000
--- a/tasks/section_3/cis_3.4.1.x.yml
+++ /dev/null
@@ -1,59 +0,0 @@
----
-
-- name: "3.4.1.1 | PATCH | Ensure nftables is installed"
- ansible.builtin.package:
- name:
- - nftables
- state: present
- when:
- - rhel9cis_rule_3_4_1_1
- - rhel9cis_firewall == 'nftables'
- tags:
- - level1-server
- - level1-workstation
- - patch
- - nftables
- - rule_3.4.1.1
-
-- name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use"
- block:
- - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | nftables"
- ansible.builtin.systemd:
- name: "{{ item }}"
- masked: true
- loop:
- - firewalld
- when:
- - item in ansible_facts.packages
- - rhel9cis_firewall == 'nftables'
-
- - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | firewalld"
- ansible.builtin.systemd:
- name: "{{ item }}"
- masked: true
- loop:
- - nftables
- when:
- - item in ansible_facts.packages
- - rhel9cis_firewall == 'firewalld'
-
- - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | package installed"
- ansible.builtin.package:
- name: "{{ rhel9cis_firewall }}"
- state: installed
-
- - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled"
- ansible.builtin.systemd:
- name: "{{ rhel9cis_firewall }}"
- enabled: true
- state: started
-
- when:
- - rhel9cis_rule_3_4_1_2
- tags:
- - level1-server
- - level1-workstation
- - patch
- - firewalld
- - nftables
- - rule_3.4.1.2
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml
deleted file mode 100644
index ee57e5b..0000000
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ /dev/null
@@ -1,301 +0,0 @@
----
-
-- name: "3.4.2.1 | PATCH | Ensure firewalld default zone is set"
- block:
- - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set"
- ansible.builtin.shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}"
- changed_when: false
- failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] )
- register: firewalld_zone_set
-
- - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set"
- ansible.builtin.command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
- when: firewalld_zone_set.rc != 0
- when:
- - rhel9cis_firewall == "firewalld"
- - rhel9cis_rule_3_4_2_1
- tags:
- - level1-server
- - level1-workstation
- - patch
- - firewalld
- - rule_3.4.2.1
-
-- name: "3.4.2.2 | AUDIT | Ensure at least one nftables table exists"
- block:
- - name: "3.4.2.2 | AUDIT | Ensure a table exists | Check for tables"
- ansible.builtin.command: nft list tables
- changed_when: false
- failed_when: false
- register: rhel9cis_3_4_2_2_nft_tables
-
- - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Show existing tables"
- ansible.builtin.debug:
- msg:
- - "Below are the current nft tables, please review"
- - "{{ rhel9cis_3_4_2_2_nft_tables.stdout_lines }}"
- when: rhel9cis_3_4_2_2_nft_tables.stdout | length > 0
-
- - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables"
- ansible.builtin.debug:
- msg:
- - "Warning!! You currently have no nft tables, please review your setup"
- - 'Use the command "nft create table inet