RHEL9-CIS/tasks/section_4/cis_4.1.x.yml

---

- name: "4.1.1 | PATCH | Ensure nftables is installed"
  when:
    - rhel9cis_rule_4_1_1
    - rhel9cis_firewall == 'nftables'
  tags:
    - level1-server
    - level1-workstation
    - patch
    - nftables
    - rule_4.1.1
    - NIST800-53R5_CA-9
  ansible.builtin.package:
    name:
      - nftables
    state: present

- name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use"
  when:
    - rhel9cis_rule_4_1_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - firewalld
    - nftables
    - rule_4.1.2
  block:
    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | nftables"
      when:
        - item in ansible_facts.packages
        - rhel9cis_firewall == 'nftables'
      ansible.builtin.systemd:
        name: "{{ item }}"
        masked: true
      loop:
        - firewalld

    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | firewalld"
      when:
        - item in ansible_facts.packages
        - rhel9cis_firewall == 'firewalld'
      ansible.builtin.systemd:
        name: "{{ item }}"
        masked: true
      loop:
        - nftables

    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | package installed"
      ansible.builtin.package:
        name: "{{ rhel9cis_firewall }}"
        state: installed

    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled"  # noqa name[template]
      ansible.builtin.systemd:
        name: "{{ rhel9cis_firewall }}"
        enabled: true
        state: started
section4 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 13:57:29 +01:00			`---`

			`- name: "4.1.1 \| PATCH \| Ensure nftables is installed"`
			`when:`
			`- rhel9cis_rule_4_1_1`
			`- rhel9cis_firewall == 'nftables'`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- nftables`
			`- rule_4.1.1`
			`- NIST800-53R5_CA-9`
			`ansible.builtin.package:`
			`name:`
			`- nftables`
			`state: present`

			`- name: "4.1.2 \| PATCH \| Ensure a single firewall configuration utility is in use"`
			`when:`
			`- rhel9cis_rule_4_1_2`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- patch`
			`- firewalld`
			`- nftables`
			`- rule_4.1.2`
			`block:`
			`- name: "4.1.2 \| PATCH \| Ensure a single firewall configuration utility is in use \| nftables"`
			`when:`
			`- item in ansible_facts.packages`
			`- rhel9cis_firewall == 'nftables'`
			`ansible.builtin.systemd:`
			`name: "{{ item }}"`
			`masked: true`
			`loop:`
			`- firewalld`

			`- name: "4.1.2 \| PATCH \| Ensure a single firewall configuration utility is in use \| firewalld"`
			`when:`
			`- item in ansible_facts.packages`
			`- rhel9cis_firewall == 'firewalld'`
			`ansible.builtin.systemd:`
			`name: "{{ item }}"`
			`masked: true`
			`loop:`
			`- nftables`

			`- name: "4.1.2 \| PATCH \| Ensure a single firewall configuration utility is in use \| package installed"`
			`ansible.builtin.package:`
			`name: "{{ rhel9cis_firewall }}"`
			`state: installed`

Lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-11 11:49:02 +00:00			`- name: "4.1.2 \| PATCH \| Ensure a single firewall configuration utility is in use \| {{ rhel9cis_firewall }} started and enabled" # noqa name[template]`
section4 v2 initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 13:57:29 +01:00			`ansible.builtin.systemd:`
			`name: "{{ rhel9cis_firewall }}"`
			`enabled: true`
			`state: started`