--- - name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed" block: - name: "2.2.2 | L1 | AUDIT | Ensure X Window System is not installed | capture xorg-x11 packages" shell: rpm -qa | grep xorg-x11 args: warn: no failed_when: xorg_x11_installed.rc >=2 check_mode: no changed_when: false register: xorg_x11_installed - name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed | remove packages if found" shell: "dnf remove {{ item }}" args: warn: no with_items: - xorg_x11_installed.stdout_lines when: xorg_x11_installed.stdout | length > 0 when: - not rhel9cis_xwindows_required - rhel9cis_rule_2_2_2 tags: - level1-server - scored - xwindows - patch - rule_2.2.2 - name: "2.2.3 | L1 | PATCH | Ensure rsync service is not enabled " service: name: rsyncd state: stopped enabled: no when: - not rhel9cis_rsyncd_server - "'rsyncd' in ansible_facts.packages" - rhel9cis_rule_2_2_3 tags: - level1-server - level1-workstation - patch - rule_2.2.3 - name: "2.2.4 | L1 | PATCH | Ensure Avahi Server is not enabled" service: name: avahi-daemon state: stopped enabled: no when: - not rhel9cis_avahi_server - "'avahi' in ansible_facts.packages" - rhel9cis_rule_2_2_4 tags: - level1-server - level1-workstation - scored - avahi - services - patch - rule_2.2.4 - name: "2.2.5 | L1 | PATCH | Ensure SNMP Server is not enabled" service: name: snmpd state: stopped enabled: no when: - not rhel9cis_snmp_server - "'net-snmp' in ansible_facts.packages" - rhel9cis_rule_2_2_5 tags: - level1-server - level1-workstation - patch - rule_2.2.5 - name: "2.2.6 | L1 | PATCH | Ensure HTTP Proxy Server is not enabled" service: name: squid state: stopped enabled: no when: - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" - rhel9cis_rule_2_2_6 tags: - level1-server - level1-workstation - patch - rule_2.2.6 - name: "2.2.7 | L1 | PATCH | Ensure Samba is not enabled" service: name: smb state: stopped enabled: no when: - not rhel9cis_smb_server - "'samba' in ansible_facts.packages" - rhel9cis_rule_2_2_7 tags: - level1-server - level1-workstation - patch - rule_2.2.7 - name: "2.2.8 | L1 | PATCH | Ensure IMAP and POP3 server is not enabled" service: name: dovecot state: stopped enabled: no when: - not rhel9cis_dovecot_server - "'dovecot' in ansible_facts.packages" - rhel9cis_rule_2_2_8 tags: - level1-server - level1-workstation - patch - rule_2.2.8 - name: "2.2.9 | L1 | PATCH | Ensure HTTP server is not enabled" service: name: httpd state: stopped enabled: no when: - not rhel9cis_httpd_server - "'httpd' in ansible_facts.packages" - rhel9cis_rule_2_2_9 tags: - level1-server - level1-workstation - patch - rule_2.2.9 - name: "2.2.10 | L1 | PATCH | Ensure FTP Server is not enabled" service: name: vsftpd state: stopped enabled: no when: - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" - rhel9cis_rule_2_2_10 tags: - level1-server - level1-workstation - patch - rule_2.2.10 - name: "2.2.11 | L1 | PATCH | Ensure DNS Server is not enabled" service: name: named state: stopped enabled: no when: - not rhel9cis_named_server - "'bind' in ansible_facts.packages" - rhel9cis_rule_2_2_11 tags: - level1-server - level1-workstation - patch - rule_2.2.11 - name: "2.2.12 | L1 | PATCH | Ensure NFS is not enabled" service: name: nfs-server state: stopped enabled: no when: - not rhel9cis_nfs_rpc_server - "'nfs-utils' in ansible_facts.packages" - rhel9cis_rule_2_2_12 tags: - level1-server - level1-workstation - scored - nfs - services - patch - rule_2.2.12 - name: "2.2.13 | L1 | PATCH | Ensure RPC is not enabled" service: name: rpcbind state: stopped enabled: no when: - not rhel9cis_nfs_rpc_server - "'rpcbind' in ansible_facts.packages" - rhel9cis_rule_2_2_13 tags: - level1-server - level1-workstation - scored - rpc - services - patch - rule_2.2.7 - name: "2.2.14 | L1 | PATCH | Ensure LDAP server is not enabled" service: name: slapd state: stopped enabled: no when: - not rhel9cis_ldap_server - "'openldap-servers' in ansible_facts.packages" - rhel9cis_rule_2_2_14 tags: - level1-server - level1-workstation - scored - ldap - services - patch - rule_2.2.6 - name: "2.2.15 | L1 | PATCH | Ensure DHCP Server is not enabled" service: name: dhcpd state: stopped enabled: no when: - not rhel9cis_dhcp_server - "'dhcp' in ansible_facts.packages" - rhel9cis_rule_2_2_15 tags: - level1-server - level1-workstation - scored - dhcp - services - patch - rule_2.2.15 - name: "2.2.16 | L1 | PATCH | Ensure CUPS is not enabled" service: name: cups state: stopped enabled: no when: - not rhel9cis_cups_server - "'cups' in ansible_facts.packages" - rhel9cis_rule_2_2_16 tags: - level1-server - level2-workstation - scored - cups - services - patch - rule_2.2.16 - name: "2.2.17 | L1 | PATCH | Ensure NIS Server is not enabled" service: name: ypserv state: stopped enabled: no when: - not rhel9cis_nis_server - "'ypserv' in ansible_facts.packages" - rhel9cis_rule_2_2_17 tags: - level1-server - level1-workstation - patch - rule_2.2.17 - name: "2.2.18 | L1 | PATCH | Ensure mail transfer agent is configured for local-only mode" lineinfile: dest: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = loopback-only" notify: restart postfix when: - not rhel9cis_is_mail_server - "'postfix' in ansible_facts.packages" - rhel9cis_rule_2_2_18 tags: - level1-server - level1-workstation - patch - rule_2.2.1