RHEL9-CIS/tasks/section_4/cis_4.2.x.yml

---

- name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports"
  when: rhel9cis_rule_4_2_1
  tags:
    - level1-server
    - level1-workstation
    - manual
    - audit
    - rule_4.2.1
    - NIST800-55_CA-9
  block:
    - name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports"
      ansible.builtin.shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done"
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_services_and_ports

    - name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
      ansible.builtin.debug:
        msg:
          - "The items below are the services and ports that are accepted, please correct as needed"
          - "{{ discovered_services_and_ports.stdout_lines }}"

- name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld"
  when: rhel9cis_rule_4_2_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - nftables
    - rule_4.2.2
    - NIST800-55_CA-9
  ansible.posix.firewalld:
    rich_rule: "{{ item }}"
    zone: "{{ rhel9cis_default_zone }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - rule family="ipv4" source address="127.0.0.1" destination not address="127.0.0.1" drop
    - rule family="ipv6" source address="::1" destination not address="::1" drop
section4 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 13:57:29 +01:00			`---`

			`- name: "4.2.1 \| AUDIT \| Ensure firewalld drops unnecessary services and ports"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_4_2_1`
section4 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 13:57:29 +01:00			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- manual`
			`- audit`
			`- rule_4.2.1`
			`- NIST800-55_CA-9`
			`block:`
			`- name: "4.2.1 \| AUDIT \| Ensure firewalld drops unnecessary services and ports \| Get list of services and ports"`
			`ansible.builtin.shell: "firewall-cmd --get-active-zones \| awk '!/:/ {print $1}' \| while read ZN; do firewall-cmd --list-all --zone=$ZN; done"`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
renamed variables Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-09-05 17:36:07 +01:00			`register: discovered_services_and_ports`
section4 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 13:57:29 +01:00
			`- name: "4.2.1 \| AUDIT \| Ensure firewalld drops unnecessary services and ports \| Show services and ports"`
			`ansible.builtin.debug:`
			`msg:`
			`- "The items below are the services and ports that are accepted, please correct as needed"`
renamed variables Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-09-05 17:36:07 +01:00			`- "{{ discovered_services_and_ports.stdout_lines }}"`
section4 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 13:57:29 +01:00
			`- name: "4.2.2 \| PATCH \| Ensure firewalld loopback traffic is configured \| firewalld"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_4_2_2`
section4 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 13:57:29 +01:00			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- nftables`
			`- rule_4.2.2`
			`- NIST800-55_CA-9`
			`ansible.posix.firewalld:`
			`rich_rule: "{{ item }}"`
			`zone: "{{ rhel9cis_default_zone }}"`
			`permanent: true`
			`immediate: true`
			`state: enabled`
			`loop:`
			`- rule family="ipv4" source address="127.0.0.1" destination not address="127.0.0.1" drop`
			`- rule family="ipv6" source address="::1" destination not address="::1" drop`