mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 14:23:05 +00:00
109 lines
3.5 KiB
YAML
109 lines
3.5 KiB
YAML
---
|
|
|
|
- name: "3.4.2.1 | L1 | PATCH | Ensure firewalld service is enabled and running"
|
|
service:
|
|
name: firewalld
|
|
state: started
|
|
enabled: true
|
|
when:
|
|
- rhel9cis_firewall == "firewalld"
|
|
- rhel9cis_rule_3_4_2_1
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_3_4_2_1
|
|
|
|
- name: "3.4.2.2 | L1 | PATCH | Ensure iptables is not enabled with firewalld"
|
|
systemd:
|
|
name: iptables
|
|
enabled: false
|
|
masked: true
|
|
when:
|
|
- rhel9cis_firewall == "firewalld"
|
|
- "'iptables' in ansible_facts.packages"
|
|
- rhel9cis_rule_3_4_2_2
|
|
tags:
|
|
- skip_ansible_lint
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_3_4_2_2
|
|
|
|
- name: "3.4.2.3 | L1 | PATCH | Ensure nftables is not enabled with firewalld"
|
|
systemd:
|
|
name: nftables
|
|
enabled: false
|
|
masked: true
|
|
when:
|
|
- rhel9cis_firewall == "firewalld"
|
|
- "'nftables' in ansible_facts.packages"
|
|
- rhel9cis_rule_3_4_2_3
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_3_4_2_3
|
|
|
|
- name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set"
|
|
shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
|
|
args:
|
|
warn: false
|
|
when:
|
|
- rhel9cis_firewall == "firewalld"
|
|
- rhel9cis_rule_3_4_2_4
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_3.4.2.4
|
|
|
|
- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone"
|
|
block:
|
|
- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies"
|
|
shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done"
|
|
args:
|
|
warn: false
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: rhel9cis_3_4_2_5_interfacepolicy
|
|
|
|
- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy"
|
|
debug:
|
|
msg:
|
|
- "The items below are the policies tied to the interfaces, please correct as needed"
|
|
- "{{ rhel9cis_3_4_2_5_interfacepolicy.stdout_lines }}"
|
|
when:
|
|
- rhel9cis_firewall == "firewalld"
|
|
- rhel9cis_rule_3_4_2_5
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- audit
|
|
- rule_3.4.2.5
|
|
|
|
- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports"
|
|
block:
|
|
- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports"
|
|
shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done"
|
|
args:
|
|
warn: false
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: rhel9cis_3_4_2_6_servicesport
|
|
|
|
- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
|
|
debug:
|
|
msg:
|
|
- "The items below are the services and ports that are accepted, please correct as needed"
|
|
- "{{ rhel9cis_3_4_2_6_servicesport.stdout_lines }}"
|
|
when:
|
|
- rhel9cis_firewall == "firewalld"
|
|
- rhel9cis_rule_3_4_2_6
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- audit
|
|
- rule_3.4.2.6
|