updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/section_2/cis_2.1.x.yml

@@ -0,0 +1,43 @@
+---
+
+- name: "2.1.1 | PATCH | Ensure time synchronization is in use"
+  package:
+      name: "{{ rhel8cis_time_synchronization }}"
+      state: present
+  when:
+      - rhel8cis_rule_2_1_1
+      - not rhel8cis_system_is_container
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - rule_2.1.1
+
+- name: "2.1.2 | PATCH | Ensure chrony is configured"
+  block:
+      - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration"
+        template:
+            src: chrony.conf.j2
+            dest: /etc/chrony.conf
+            owner: root
+            group: root
+            mode: 0644
+
+      - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1"
+        lineinfile:
+            dest: /etc/sysconfig/chronyd
+            regexp: "^(#)?OPTIONS"
+            line: "OPTIONS=\"-u chrony\""
+            state: present
+            create: yes
+            mode: 0644
+  when:
+      - rhel8cis_time_synchronization == "chrony"
+      - rhel8cis_rule_2_1_2
+      - not rhel8cis_system_is_container
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_2.1.2

tasks/section_2/cis_2.2.x.yml

@@ -1,288 +1,345 @@
 ---
 
-- name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed"
-  block:
-      - name: "2.2.2 | L1 | AUDIT | Ensure X Window System is not installed | capture xorg-x11 packages"
-        shell: rpm -qa | grep xorg-x11
-        args:
-            warn: false
-        failed_when: xorg_x11_installed.rc >=2
-        check_mode: false
-        changed_when: false
-        register: xorg_x11_installed
-
-      - name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed | remove packages if found"
-        shell: "dnf remove {{ item }}"
-        args:
-            warn: false
-        with_items:
-            - xorg_x11_installed.stdout_lines
-        when: xorg_x11_installed.stdout | length > 0
+- name: "2.2.1 | PATCH | Ensure xinetd is not installed"
+  package:
+      name: xinetd
+      state: absent
   when:
-      - not rhel9cis_xwindows_required
-      - rhel9cis_rule_2_2_2
+      - rhel8cis_rule_2_2_1
+      - not rhel8cis_xinetd_server
+      - "'xinetd' in ansible_facts.packages"
   tags:
       - level1-server
-      - scored
-      - xwindows
+      - level1-workstation
+      - automated
       - patch
+      - rule_2.2.1
+
+- name: "2.2.2 | PATCH | Ensure xorg-x11-server-common is not installed"
+  package:
+      name: xorg-x11-server-common
+      state: absent
+  when:
+      - rhel8cis_rule_2_2_2
+      - "'xorg-x11-server-common' in ansible_facts.packages"
+  tags:
+      - level1-server
+      - automated
+      - patch
+      - x11
       - rule_2.2.2
 
-- name: "2.2.3 | L1 | PATCH | Ensure rsync service is not enabled "
-  service:
-      name: rsyncd
-      state: stopped
-      enabled: false
+- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed"
+  package:
+      name:
+          - avahi-autoipd
+          - avahi
+      state: absent
   when:
-      - not rhel9cis_rsyncd_server
-      - "'rsyncd' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_3
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_2.2.3
-
-- name: "2.2.4 | L1 | PATCH | Ensure Avahi Server is not enabled"
-  service:
-      name: avahi-daemon
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_avahi_server
-      - "'avahi' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_4
-  tags:
-      - level1-server
-      - level1-workstation
-      - scored
-      - avahi
-      - services
-      - patch
-      - rule_2.2.4
-
-- name: "2.2.5 | L1 | PATCH | Ensure SNMP Server is not enabled"
-  service:
-      name: snmpd
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_snmp_server
-      - "'net-snmp' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_5
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_2.2.5
-
-- name: "2.2.6 | L1 | PATCH | Ensure HTTP Proxy Server is not enabled"
-  service:
-      name: squid
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_squid_server
-      - "'squid' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_6
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_2.2.6
-
-- name: "2.2.7 | L1 | PATCH | Ensure Samba is not enabled"
-  service:
-      name: smb
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_smb_server
-      - "'samba' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_7
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_2.2.7
-
-- name: "2.2.8 | L1 | PATCH | Ensure IMAP and POP3 server is not enabled"
-  service:
-      name: dovecot
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_dovecot_server
-      - "'dovecot' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_8
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_2.2.8
-
-- name: "2.2.9 | L1 | PATCH | Ensure HTTP server is not enabled"
-  service:
-      name: httpd
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_httpd_server
-      - "'httpd' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_9
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_2.2.9
-
-- name: "2.2.10 | L1 | PATCH | Ensure FTP Server is not enabled"
-  service:
-      name: vsftpd
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_vsftpd_server
-      - "'vsftpd' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_10
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_2.2.10
-
-- name: "2.2.11 | L1 | PATCH | Ensure DNS Server is not enabled"
-  service:
-      name: named
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_named_server
-      - "'bind' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_11
-  tags:
-      - level1-server
-      - level1-workstation
-      - patch
-      - rule_2.2.11
-
-- name: "2.2.12 | L1 | PATCH | Ensure NFS is not enabled"
-  service:
-      name: nfs-server
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_nfs_rpc_server
-      - "'nfs-utils' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_12
-  tags:
-      - level1-server
-      - level1-workstation
-      - scored
-      - nfs
-      - services
-      - patch
-      - rule_2.2.12
-
-- name: "2.2.13 | L1 | PATCH | Ensure RPC is not enabled"
-  service:
-      name: rpcbind
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_nfs_rpc_server
-      - "'rpcbind' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_13
-  tags:
-      - level1-server
-      - level1-workstation
-      - scored
-      - rpc
-      - services
-      - patch
-      - rule_2.2.7
-
-- name: "2.2.14 | L1 | PATCH | Ensure LDAP server is not enabled"
-  service:
-      name: slapd
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_ldap_server
-      - "'openldap-servers' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_14
-  tags:
-      - level1-server
-      - level1-workstation
-      - scored
-      - ldap
-      - services
-      - patch
-      - rule_2.2.6
-
-- name: "2.2.15 | L1 | PATCH | Ensure DHCP Server is not enabled"
-  service:
-      name: dhcpd
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_dhcp_server
-      - "'dhcp' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_15
-  tags:
-      - level1-server
-      - level1-workstation
-      - scored
-      - dhcp
-      - services
-      - patch
-      - rule_2.2.15
-
-- name: "2.2.16 | L1 | PATCH | Ensure CUPS is not enabled"
-  service:
-      name: cups
-      state: stopped
-      enabled: false
-  when:
-      - not rhel9cis_cups_server
-      - "'cups' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_16
+      - rhel8cis_rule_2_2_3
+      - not rhel8cis_avahi_server
+      - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
   tags:
       - level1-server
       - level2-workstation
-      - scored
-      - cups
-      - services
+      - automated
       - patch
-      - rule_2.2.16
+      - avahi
+      - rule_2.2.3
 
-- name: "2.2.17 | L1 | PATCH | Ensure NIS Server is not enabled"
-  service:
-      name: ypserv
-      state: stopped
-      enabled: false
+- name: "2.2.4 | PATCH | Ensure CUPS is not installed"
+  package:
+      name: cups
+      state: absent
   when:
-      - not rhel9cis_nis_server
-      - "'ypserv' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_17
+      - not rhel8cis_cups_server
+      - "'cups' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_3
+  tags:
+      - level1-server
+      - automated
+      - patch
+      - cups
+      - rule_2.2.3
+
+- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed"
+  package:
+      name: dhcp-server
+      state: absent 
+  when:
+      - not rhel8cis_dhcp_server
+      - "'dhcp-server' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_5
   tags:
       - level1-server
       - level1-workstation
+      - audtomated
       - patch
+      - dhcp
+      - rule_2.2.5
+
+- name: "2.2.6 | PATCH | Ensure DNS Server is not installed"
+  package:
+      name: bind
+      state: absent
+  when:
+      - not rhel8cis_dns_server
+      - "'bind' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_6
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - dns
+      - rule_2.2.6
+
+- name: "2.2.7 | PATCH | Ensure FTP Server is not installed"
+  package:
+      name: ftp
+      state: absent
+  when:
+      - not rhel8cis_ftp_server
+      - "'ftp' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_7
+  tags:
+      - level1-server
+      - level1-workstation
+      - automation
+      - patch
+      - ftp
+      - rule_2.2.7
+
+- name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed"
+  package:
+      name: vsftpd
+      state: absent 
+  when:
+      - not rhel8cis_vsftpd_server
+      - "'vsftpd' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_8
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - vsftpd
+      - rule_2.2.8
+
+- name: "2.2.9 | PACH | Ensure TFTP Server is not installed"
+  package:
+      name: tftp-server
+      state: absent
+  when:
+      - not rhel8cis_tftp_server
+      - "'tftp-server' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_9
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - tftp
+      - rule_2.2.9
+
+- name: "2.2.10 | PATCH | Ensure a web server is not installed"
+  block:
+      - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove httpd server"
+        package:
+            name: httpd
+            state: absent
+        when:
+            - not rhel8cis_httpd_server
+            - "'httpd' in ansible_facts.packages"
+
+      - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server"
+        package:
+            name: nginx
+            state: absent
+        when:
+            - not rhel8cis_nginx_server
+            - "'nginx' in ansible_facts.packages"
+  when:
+      - rhel8cis_rule_2_2_9
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - httpd
+      - nginx
+      - webserver
+      - rule_2.2.9
+
+- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
+  package:
+      name:
+          - dovecot
+          - cyrus-imapd
+      state: absent
+  when:
+      - not rhel8cis_dovecot_cyrus_server
+      - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_11
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - dovecot
+      - imap
+      - pop3
+      - rule_2.2.11
+
+- name: "2.2.12 | PATCH | Ensure Samba is not enabled"
+  package:
+      name: samba
+      state: absent
+  when:
+      - not rhel8cis_samba_server
+      - "'samba' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_12
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - samba
+      - rule_2.2.12
+
+- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed"
+  package:
+      name: squid
+      state: absent 
+  when:
+      - not rhel8cis_squid_server
+      - "'squid' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_6
+  tags:
+      - level1-server
+      - level1-workstation
+      - automation
+      - patch
+      - squid
+      - rule_2.2.13
+
+- name: "2.2.14 | PATCH | Ensure net-snmp is not installed"
+  package:
+      name: net-snmp
+      state: absent
+  when:
+      - not rhel8cis_snmp_server
+      - "'net-snmp' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_14
+  tags:
+      - level1-server
+      - level1-workstation
+      - automation
+      - patch
+      - snmp
+      - rule_2.2.14
+
+- name: "2.2.15 | PATCH | Ensure NIS Server is not installed"
+  package:
+      name: ypserv
+      state: absent
+  when:
+      - not rhel8cis_nis_server
+      - "'ypserv' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_17
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - nis
       - rule_2.2.17
 
-- name: "2.2.18 | L1 | PATCH | Ensure mail transfer agent is configured for local-only mode"
+- name: "2.2.16 | PATCH | Ensure telnet-server is not installed"
+  package:
+      name: telnet-server
+      state: absent
+  when:
+      - not rhel8cis_telnet_server
+      - "'telnet-server' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_16
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - telnet
+      - rule_2.2.16
+
+- name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode"
   lineinfile:
       dest: /etc/postfix/main.cf
       regexp: "^(#)?inet_interfaces"
       line: "inet_interfaces = loopback-only"
   notify: restart postfix
   when:
-      - not rhel9cis_is_mail_server
+      - not rhel8cis_is_mail_server
       - "'postfix' in ansible_facts.packages"
-      - rhel9cis_rule_2_2_18
+      - rhel8cis_rule_2_2_17
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
-      - rule_2.2.1
+      - postfix
+      - rule_2.2.17
+
+# The name title of the service says mask the service, but the fix allows for both options
+# We went with removing to remove the security/update overhead with having the package installed
+- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked"
+  package:
+      name: nfs-utils
+      state: absent
+  when:
+      - not rhel8cis_nfs_server
+      - "'nfs-utils' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_18
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - nfs
+      - services
+      - rule_2.2.18
+
+# The name title of the service says mask the service, but the fix allows for both options
+# We went with removing to remove the security/update overhead with having the package installed
+- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked"
+  package:
+      name: rpcbind
+      state: absent
+  when:
+      - not rhel8cis_rpc_server
+      - "'rpcbind' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_19
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - rpc
+      - rule_2.2.19
+
+# The name title of the service says mask the service, but the fix allows for both options
+# We went with removing to remove the security/update overhead with having the package installed
+- name: "2.2.20 | PATCH | Ensure rsync service is not enabled "
+  package:
+      name: rsync
+      state: absent
+  when:
+      - not rhel8cis_rsync_server
+      - "'rsync' in ansible_facts.packages"
+      - rhel8cis_rule_2_2_20
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - rsync
+      - rule_2.2.20

tasks/section_2/cis_2.3.x.yml

@@ -1,43 +1,97 @@
 ---
 
-- name: "2.3.1 | L1 | PATCH | Ensure NIS Client is not installed"
+- name: "2.3.1 | PATCH | Ensure NIS Client is not installed"
   package:
       name: ypbind
       state: absent
   when:
-      - not rhel9cis_ypbind_required
+      - not rhel8cis_ypbind_required
       - "'ypbind' in ansible_facts.packages"
-      - rhel9cis_rule_2_3_1
+      - rhel8cis_rule_2_3_1
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
+      - nis
       - rule_2.3.1
 
-- name: "2.3.2 | L1 | PATCH | Ensure telnet client is not installed"
+- name: "2.3.2 | PATCH | Ensure rsh client is not installed"
+  package:
+      name: rsh
+      state: absent
+  when:
+      - not rhel8cis_rsh_required
+      - "'rsh' in ansible_facts.packages"
+      - rhel8cis_rule_2_3_2
+  tags:
+      - level1-server
+      - level2-server
+      - automated
+      - patch
+      - rsh
+      - rule_2.3.2
+
+- name:  "2.3.3 | PATCH | Ensure talk client is not installed"
+  package:
+      name: talk
+      state: absent
+  when:
+      - not rhel8cis_talk_required
+      - "'talk' in ansible_facts.packages"
+      - rhel8cis_rule_2_3_3
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - talk
+      - rule_2.3.3
+
+- name: "2.3.4 | PATCH | Ensure telnet client is not installed"
   package:
       name: telnet
       state: absent
   when:
-      - not rhel9cis_telnet_required
+      - not rhel8cis_telnet_required
       - "'telnet' in ansible_facts.packages"
-      - rhel9cis_rule_2_3_2
+      - rhel8cis_rule_2_3_4
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
-      - rule_2.3.2
+      - telnet
+      - rule_2.3.4
 
-- name: "2.3.3 | L1 | PATCH | Ensure LDAP client is not installed"
+- name: "2.3.5 | PATCH | Ensure LDAP client is not installed"
   package:
       name: openldap-clients
       state: absent
   when:
-      - not rhel9cis_openldap_clients_required
+      - not rhel8cis_openldap_clients_required
       - "'openldap-clients' in ansible_facts.packages"
-      - rhel9cis_rule_2_3_3
+      - rhel8cis_rule_2_3_5
   tags:
       - level1-server
       - level1-workstation
+      - automated
       - patch
-      - rule_2.3.3
+      - ldap
+      - rule_2.3.5
+
+- name: "2.3.6 | PATCH | Ensure TFTP client is not installed"
+  package:
+      name: tftp
+      state: absent
+  when:
+      - not rhel8cis_tftp_client
+      - "'tftp' in ansible_facts.packages"
+      - rhel8cis_rule_2_3_6
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
+      - tftp
+      - rule_2.3.6

tasks/section_2/cis_2.4.yml

@@ -0,0 +1,26 @@
+---
+
+- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked"
+  block:
+      - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Get list of services"
+        shell: systemctl list-units --type=service
+        changed_when: false
+        failed_when: false
+        check_mode: no
+        register: rhel8cis_2_4_services
+
+      - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services"
+        debug:
+            msg:
+                - "Alert! Below are the list of services, both active and inactive"
+                - "Please review to make sure all are essential"
+                - "{{ rhel8cis_2_4_services.stdout_lines }}"
+  when:
+      - rhel8cis_rule_2_4
+  tags:
+      - level1-server
+      - level1-workstation
+      - manual
+      - audit
+      - services
+      - rule_2.4

tasks/section_2/main.yml

@@ -1,13 +1,13 @@
 ---
 
-- name: "SECTION | 2.1 | xinetd"
-  import_tasks: cis_2.1.1.yml
-
-- name: "SECTION | 2.2.1 | Time Synchronization"
-  import_tasks: cis_2.2.1.x.yml
+- name: "SECTION | 2.1 | Time Synchronization"
+  import_tasks: cis_2.1.x.yml
 
 - name: "SECTION | 2.2 | Special Purpose Services"
   import_tasks: cis_2.2.x.yml
 
 - name: "SECTION | 2.3 | Service Clients"
   import_tasks: cis_2.3.x.yml
+
+- name: "SECTION | 2.4 | Nonessential services removed"
+  import_tasks: cis_2.4.yml