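---
# CIS RHEL 9 section 2.1 - services.
#
# Rules 2.1.1 - 2.1.19 follow one pattern driven by two per-service toggles:
#   rhel9cis_<svc>_server: true -> the service is required here; neither task runs
#   rhel9cis_<svc>_mask:   true -> keep the package but stop, disable and mask its units
#   (both false)                -> remove the package entirely
# Every "Mask service" task notifies the Systemd daemon reload handler, which is
# defined elsewhere in the role.
#
# Fixes relative to the previous revision:
#   - 2.1.18 masked "ngnix.service" (typo), so nginx was never actually masked.
#   - 2.1.7 / 2.1.14 / 2.1.17 were tagged "automation" instead of "automated",
#     so a run selecting --tags automated silently skipped them.
#   - 2.1.10 carried notify on the block instead of on the mask task, unlike the
#     other rules; it is now on the task that changes unit state.
#   - 2.1.22 now also captures listening sockets (ss -plntu), which is the
#     evidence the control title actually asks for; the unit listing is kept.

- name: "2.1.1 | PATCH | Ensure autofs services are not in use"
  when:
    - rhel9cis_rule_2_1_1
    - "'autofs' in ansible_facts.packages"
  tags:
    - level1-server
    - level2-workstation
    - automated
    - patch
    - NIST800-53R5_SI-3
    - NIST800-53R5_MP-7
    - rule_2.1.1
  block:
    - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Remove Package"
      when:
        - not rhel9cis_autofs_services
        - not rhel9cis_autofs_mask
      ansible.builtin.package:
        name: autofs
        state: absent

    - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Mask service"
      when:
        - not rhel9cis_autofs_services
        - rhel9cis_autofs_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: autofs
        enabled: false
        state: stopped
        masked: true

- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
  when: rhel9cis_rule_2_1_2
  tags:
    - level1-server
    - level2-workstation
    - automated
    - patch
    - avahi
    - NIST800-53R5_SI-4
    - rule_2.1.2
  block:
    - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Remove package"
      when:
        - not rhel9cis_avahi_server
        - not rhel9cis_avahi_mask
      ansible.builtin.package:
        name:
          - avahi-autoipd
          - avahi
        state: absent

    # Both the socket and the service unit are masked; masking only the service
    # would leave socket activation able to start it again.
    - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Mask service"
      when:
        - not rhel9cis_avahi_server
        - rhel9cis_avahi_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: false
        state: stopped
        masked: true
      loop:
        - avahi-daemon.socket
        - avahi-daemon.service

- name: "2.1.3 | PATCH | Ensure dhcp server services are not in use"
  when: rhel9cis_rule_2_1_3
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - dhcp
    - NIST800-53R5_CM-7
    - rule_2.1.3
  block:
    - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Remove package"
      when:
        - not rhel9cis_dhcp_server
        - not rhel9cis_dhcp_mask
      ansible.builtin.package:
        name: dhcp-server
        state: absent

    - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Mask service"
      when:
        - not rhel9cis_dhcp_server
        - rhel9cis_dhcp_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: false
        state: stopped
        masked: true
      loop:
        - dhcpd.service
        - dhcpd6.service

- name: "2.1.4 | PATCH | Ensure dns server services are not in use"
  when: rhel9cis_rule_2_1_4
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - dns
    - NIST800-53R5_CM-7
    - rule_2.1.4
  block:
    - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Remove package"
      when:
        - not rhel9cis_dns_server
        - not rhel9cis_dns_mask
      ansible.builtin.package:
        name: bind
        state: absent

    - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Mask service"
      when:
        - not rhel9cis_dns_server
        - rhel9cis_dns_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: named.service
        enabled: false
        state: stopped
        masked: true

- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
  when: rhel9cis_rule_2_1_5
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - dns
    - NIST800-53R5_CM-7
    - rule_2.1.5
  block:
    - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package"
      when:
        - not rhel9cis_dnsmasq_server
        - not rhel9cis_dnsmasq_mask
      ansible.builtin.package:
        name: dnsmasq
        state: absent

    - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service"
      when:
        - not rhel9cis_dnsmasq_server
        - rhel9cis_dnsmasq_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: dnsmasq.service
        enabled: false
        state: stopped
        masked: true

- name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
  when: rhel9cis_rule_2_1_6
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - samba
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - rule_2.1.6
  block:
    - name: "2.1.6 | PATCH | Ensure samba file server services are not in use | Remove package"
      when:
        - not rhel9cis_samba_server
        - not rhel9cis_samba_mask
      ansible.builtin.package:
        name: samba
        state: absent

    - name: "2.1.6 | PATCH | Ensure samba file server services are not in use | Mask service"
      when:
        - not rhel9cis_samba_server
        - rhel9cis_samba_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: smb.service
        enabled: false
        state: stopped
        masked: true

- name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
  when: rhel9cis_rule_2_1_7
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - ftp
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - rule_2.1.7
  block:
    - name: "2.1.7 | PATCH | Ensure ftp server services are not in use | Remove package"
      when:
        - not rhel9cis_ftp_server
        - not rhel9cis_ftp_mask
      ansible.builtin.package:
        name: vsftpd
        state: absent

    - name: "2.1.7 | PATCH | Ensure ftp server services are not in use | Mask service"
      when:
        - not rhel9cis_ftp_server
        - rhel9cis_ftp_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: vsftpd.service
        enabled: false
        state: stopped
        masked: true

- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
  when: rhel9cis_rule_2_1_8
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - dovecot
    - imap
    - pop3
    - NIST800-53R5_CM-7
    - rule_2.1.8
  block:
    - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Remove package"
      when:
        - not rhel9cis_message_server
        - not rhel9cis_message_mask
      ansible.builtin.package:
        name:
          - dovecot
          - cyrus-imapd
        state: absent

    - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service"
      when:
        - not rhel9cis_message_server
        - rhel9cis_message_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: false
        state: stopped
        masked: true
      loop:
        - dovecot.socket
        - dovecot.service
        - cyrus-imapd.service

- name: "2.1.9 | PATCH | Ensure network file system services are not in use"
  when: rhel9cis_rule_2_1_9
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - nfs
    - services
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - rule_2.1.9
  block:
    - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Remove package"
      when:
        - not rhel9cis_nfs_server
        - not rhel9cis_nfs_mask
      ansible.builtin.package:
        name: nfs-utils
        state: absent

    - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Mask service"
      when:
        - not rhel9cis_nfs_server
        - rhel9cis_nfs_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: nfs-server.service
        enabled: false
        state: stopped
        masked: true

- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
  when: rhel9cis_rule_2_1_10
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - nis
    - NIST800-53R5_CM-7
    - rule_2.1.10
  block:
    - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package"
      when:
        - not rhel9cis_nis_server
        - not rhel9cis_nis_mask
      ansible.builtin.package:
        name: ypserv
        state: absent

    # notify sits on the task that changes unit state, matching every other
    # 2.1.x rule (it was previously attached to the enclosing block).
    - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Mask service"
      when:
        - not rhel9cis_nis_server
        - rhel9cis_nis_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: ypserv.service
        enabled: false
        state: stopped
        masked: true

- name: "2.1.11 | PATCH | Ensure print server services are not in use"
  when: rhel9cis_rule_2_1_11
  tags:
    - level1-server
    - automated
    - patch
    - cups
    - NIST800-53R5_CM-7
    - rule_2.1.11
  block:
    - name: "2.1.11 | PATCH | Ensure print server services are not in use | Remove package"
      when:
        - not rhel9cis_print_server
        - not rhel9cis_print_mask
      ansible.builtin.package:
        name: cups
        state: absent

    - name: "2.1.11 | PATCH | Ensure print server services are not in use | Mask service"
      when:
        - not rhel9cis_print_server
        - rhel9cis_print_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: false
        state: stopped
        masked: true
      loop:
        - cups.socket
        - cups.service

- name: "2.1.12 | PATCH | Ensure rpcbind services are not in use"
  when: rhel9cis_rule_2_1_12
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rpc
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - rule_2.1.12
  block:
    - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Remove package"
      when:
        - not rhel9cis_rpc_server
        - not rhel9cis_rpc_mask
      ansible.builtin.package:
        name: rpcbind
        state: absent

    - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Mask service"
      when:
        - not rhel9cis_rpc_server
        - rhel9cis_rpc_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: false
        state: stopped
        masked: true
      loop:
        - rpcbind.service
        - rpcbind.socket

- name: "2.1.13 | PATCH | Ensure rsync services are not in use"
  when: rhel9cis_rule_2_1_13
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rsync
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - rule_2.1.13
  block:
    - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Remove package"
      when:
        - not rhel9cis_rsync_server
        - not rhel9cis_rsync_mask
      ansible.builtin.package:
        name: rsync-daemon
        state: absent

    - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Mask service"
      when:
        - not rhel9cis_rsync_server
        - rhel9cis_rsync_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: false
        state: stopped
        masked: true
      loop:
        - rsyncd.socket
        - rsyncd.service

- name: "2.1.14 | PATCH | Ensure snmp services are not in use"
  when: rhel9cis_rule_2_1_14
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - snmp
    - NIST800-53R5_CM-7
    - rule_2.1.14
  block:
    - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Remove package"
      when:
        - not rhel9cis_snmp_server
        - not rhel9cis_snmp_mask
      ansible.builtin.package:
        name: net-snmp
        state: absent

    - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Mask service"
      when:
        - not rhel9cis_snmp_server
        - rhel9cis_snmp_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: snmpd.service
        enabled: false
        state: stopped
        masked: true

- name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
  when: rhel9cis_rule_2_1_15
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - telnet
    - NIST800-53R5_CM-7
    - NIST800-53R5_CM-11
    - rule_2.1.15
  block:
    - name: "2.1.15 | PATCH | Ensure telnet server services are not in use | Remove package"
      when:
        - not rhel9cis_telnet_server
        - not rhel9cis_telnet_mask
      ansible.builtin.package:
        name: telnet-server
        state: absent

    # telnet-server is socket-activated; the socket unit is what must be masked.
    - name: "2.1.15 | PATCH | Ensure telnet server services are not in use | Mask service"
      when:
        - not rhel9cis_telnet_server
        - rhel9cis_telnet_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: telnet.socket
        enabled: false
        state: stopped
        masked: true

- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
  when: rhel9cis_rule_2_1_16
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - tftp
    - NIST800-53R5_CM-7
    - rule_2.1.16
  block:
    - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Remove package"
      when:
        - not rhel9cis_tftp_server
        - not rhel9cis_tftp_mask
      ansible.builtin.package:
        name: tftp-server
        state: absent

    - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Mask service"
      when:
        - not rhel9cis_tftp_server
        - rhel9cis_tftp_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: false
        state: stopped
        masked: true
      loop:
        - tftp.socket
        - tftp.service

- name: "2.1.17 | PATCH | Ensure web proxy server services are not in use"
  when: rhel9cis_rule_2_1_17
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - squid
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - rule_2.1.17
  block:
    - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Remove package"
      when:
        - not rhel9cis_squid_server
        - not rhel9cis_squid_mask
      ansible.builtin.package:
        name: squid
        state: absent

    - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Mask service"
      when:
        - not rhel9cis_squid_server
        - rhel9cis_squid_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: squid.service
        enabled: false
        state: stopped
        masked: true

# httpd and nginx are controlled independently (rhel9cis_httpd_* / rhel9cis_nginx_*)
# so a host may legitimately keep one web server while the other is removed.
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
  when: rhel9cis_rule_2_1_18
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - httpd
    - nginx
    - webserver
    - NIST800-53R5_CM-7
    - rule_2.1.18
  block:
    - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove httpd server"
      when:
        - not rhel9cis_httpd_server
        - not rhel9cis_httpd_mask
      ansible.builtin.package:
        name: httpd
        state: absent

    - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove nginx server"
      when:
        - not rhel9cis_nginx_server
        - not rhel9cis_nginx_mask
      ansible.builtin.package:
        name: nginx
        state: absent

    - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask httpd service"
      when:
        - not rhel9cis_httpd_server
        - rhel9cis_httpd_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: httpd.service
        enabled: false
        state: stopped
        masked: true

    # Unit name was previously misspelled "ngnix.service", which left the real
    # nginx unit untouched while the rule reported success.
    - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service"
      when:
        - not rhel9cis_nginx_server
        - rhel9cis_nginx_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: nginx.service
        enabled: false
        state: stopped
        masked: true

- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
  when: rhel9cis_rule_2_1_19
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - xinetd
    - NIST800-53R5_CM-7
    - rule_2.1.19
  block:
    - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Remove package"
      when:
        - not rhel9cis_xinetd_server
        - not rhel9cis_xinetd_mask
      ansible.builtin.package:
        name: xinetd
        state: absent

    - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Mask service"
      when:
        - not rhel9cis_xinetd_server
        - rhel9cis_xinetd_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: xinetd.service
        enabled: false
        state: stopped
        masked: true

# No mask variant here: X is removed outright unless rhel9cis_xwindow_server is set.
- name: "2.1.20 | PATCH | Ensure X window server services are not in use"
  when:
    - not rhel9cis_xwindow_server
    - rhel9cis_rule_2_1_20
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - xwindow
    - NIST800-53R5_CM-11
    - rule_2.1.20
  ansible.builtin.package:
    name: xorg-x11-server-common
    state: absent

# Only runs when postfix is installed; the regexp also matches a commented-out
# "#inet_interfaces" line so the stock main.cf is rewritten rather than appended to.
- name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode"
  when:
    - not rhel9cis_is_mail_server
    - "'postfix' in ansible_facts.packages"
    - rhel9cis_rule_2_1_21
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - postfix
    - NIST800-53R5_CM-7
    - rule_2.1.21
  notify: Restart postfix
  ansible.builtin.lineinfile:
    path: /etc/postfix/main.cf
    regexp: "^(#)?inet_interfaces"
    line: "inet_interfaces = loopback-only"

# Manual control: nothing is changed, the evidence is printed and a warning is
# counted via warning_facts.yml. The control is about what is *listening*, so the
# listening-socket view (ss -plntu) is captured alongside the unit listing.
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface"
  when: rhel9cis_rule_2_1_22
  tags:
    - level1-server
    - level1-workstation
    - manual
    - audit
    - services
    - NIST800-53R5_CM-7
    - rule_2.1.22
  vars:
    warn_control_id: '2.1.22'
  block:
    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services"
      ansible.builtin.command: systemctl list-units --type=service  # noqa command-instead-of-module
      changed_when: false
      failed_when: discovered_running_services.rc not in [ 0, 1 ]
      check_mode: false
      register: discovered_running_services

    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get listening sockets"
      ansible.builtin.command: ss -plntu  # noqa command-instead-of-module
      changed_when: false
      failed_when: discovered_listening_sockets.rc not in [ 0, 1 ]
      check_mode: false
      register: discovered_listening_sockets

    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Display list of services"
      ansible.builtin.debug:
        msg:
          - "Warning!! Below are the list of services, both active and inactive"
          - "Please review to make sure all are essential"
          - "{{ discovered_running_services.stdout_lines }}"
          - "Below are the TCP/UDP sockets currently listening and the process that owns each"
          - "Please review to make sure every listener is approved"
          - "{{ discovered_listening_sockets.stdout_lines }}"

    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml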