RHEL9-CIS/tasks/section_3/cis_3.4.3.2.x.yml

---

- name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured"
  block:
      - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT"
        iptables:
            action: append
            chain: INPUT
            in_interface: lo
            jump: ACCEPT

      - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT"
        iptables:
            action: append
            chain: OUTPUT
            out_interface: lo
            jump: ACCEPT

      - name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8"
        iptables:
            action: append
            chain: INPUT
            source: 127.0.0.0/8
            jump: DROP
  when:
      - rhel9cis_rule_3_4_3_2_1
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - iptables
      - rule_3.4.3.2.1

- name: "3.4.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured"
  iptables:
      action: append
      chain: '{{ item.chain }}'
      protocol: '{{ item.protocol }}'
      match: state
      ctstate: '{{ item.ctstate }}'
      jump: ACCEPT
  with_items:
      - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
      - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
      - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
      - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED }
      - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
      - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
  when:
      - rhel9cis_rule_3_4_3_2_2
  tags:
      - level1-server
      - level1-workstation
      - manual
      - patch
      - iptables
      - rule_3.4.3.2.2

- name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports"
  block:
      - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get list of TCP open ports"
        shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
        changed_when: false
        failed_when: false
        register: rhel9cis_3_4_3_2_3_otcp

      - name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get the list of udp open ports"
        shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
        changed_when: false
        failed_when: false
        register: rhel9cis_3_4_3_2_3_oudp

      - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open tcp ports"
        iptables:
            action: append
            chain: INPUT
            protocol: tcp
            destination_port: "{{ item }}"
            match: state
            ctstate: NEW
            jump: ACCEPT
        with_items:
            - "{{ rhel9cis_3_4_3_2_3_otcp.stdout_lines }}"
        when: rhel9cis_3_4_3_2_3_otcp.stdout is defined

      - name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open udp ports"
        iptables:
            action: append
            chain: INPUT
            protocol: udp
            destination_port: "{{ item }}"
            match: state
            ctstate: NEW
            jump: ACCEPT
        with_items:
            - "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}"
        when: rhel9cis_3_4_3_2_3_otcp.stdout is defined
  when:
      - rhel9cis_rule_3_4_3_2_3
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - iptables
      - rule_3.4.3.2.3

- name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy"
  block:
      - name: "3.4.3.2.4 | PATCH |  Ensure iptables default deny firewall policy | Configure ssh to be allowed"
        iptables:
            chain: INPUT
            protocol: tcp
            destination_port: "22"
            jump: ACCEPT

      - name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
        iptables:
            policy: DROP
            chain: "{{ item }}"
        with_items:
            - INPUT
            - FORWARD
            - OUTPUT
  when:
      - rhel9cis_rule_3_4_3_2_4
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - iptables
      - rule_3.4.3.2.4

- name: "3.4.3.2.5 | PATCH | Ensure iptables rules are saved"
  iptables_state:
      state: saved
      path: /etc/sysconfig/iptables
  when:
      - rhel9cis_rule_3_4_3_2_5
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - iptables
      - rule_3.4.3.2.5

- name: "3.4.3.2.6 | PATCH | Ensure iptables service is enabled and active"
  service:
      name: iptables
      enabled: yes
      state: started
  when:
      - rhel9cis_rule_3_4_3_2_6
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - iptables
      - rule_3.4.3.2.6
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`---`

updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "3.4.3.2.1 \| PATCH \| Ensure iptables loopback traffic is configured"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`block:`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "3.4.3.2.1 \| PATCH \| Ensure iptables loopback traffic is configured \| INPUT Loopback ACCEPT"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`iptables:`
			`action: append`
			`chain: INPUT`
			`in_interface: lo`
			`jump: ACCEPT`

updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "3.4.3.2.1 \| PATCH \| Ensure iptables loopback traffic is configured \| OUTPUT Loopback ACCEPT"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`iptables:`
			`action: append`
			`chain: OUTPUT`
			`out_interface: lo`
			`jump: ACCEPT`

updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "3.4.3.2.1 \| PATCH \| Ensure iptables loopback traffic is configured \| INPUT Loopback 127.0.0.0/8"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`iptables:`
			`action: append`
			`chain: INPUT`
			`source: 127.0.0.0/8`
			`jump: DROP`
			`when:`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- rhel9cis_rule_3_4_3_2_1`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`tags:`
			`- level1-server`
			`- level1-workstation`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- automated`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`- patch`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- iptables`
			`- rule_3.4.3.2.1`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "3.4.3.2.2 \| PATCH \| Ensure iptables outbound and established connections are configured"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`iptables:`
			`action: append`
			`chain: '{{ item.chain }}'`
			`protocol: '{{ item.protocol }}'`
			`match: state`
			`ctstate: '{{ item.ctstate }}'`
			`jump: ACCEPT`
			`with_items:`
			`- { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }`
			`- { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }`
			`- { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }`
			`- { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED }`
			`- { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }`
			`- { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }`
			`when:`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- rhel9cis_rule_3_4_3_2_2`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`tags:`
			`- level1-server`
			`- level1-workstation`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- manual`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`- patch`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- iptables`
			`- rule_3.4.3.2.2`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "3.4.3.2.3 \| PATCH \| Ensure iptables rules exist for all open ports"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`block:`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "3.4.3.2.3 \| AUDIT \| Ensure iptables rules exist for all open ports \| Get list of TCP open ports"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`shell: netstat -ant \|grep "tcp.LISTEN" \| awk '{ print $4 }'\| sed 's/.://'`
			`changed_when: false`
			`failed_when: false`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`register: rhel9cis_3_4_3_2_3_otcp`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "3.4.3.2.3 \| AUDIT \| Ensure iptables rules exist for all open ports \| Get the list of udp open ports"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`shell: netstat -ant \|grep "udp.LISTEN" \| awk '{ print $4 }'\| sed 's/.://'`
			`changed_when: false`
			`failed_when: false`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`register: rhel9cis_3_4_3_2_3_oudp`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "3.4.3.2.3 \| PATCH \| Ensure iptables rules exist for all open ports \| Adjust open tcp ports"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`iptables:`
			`action: append`
			`chain: INPUT`
			`protocol: tcp`
			`destination_port: "{{ item }}"`
			`match: state`
			`ctstate: NEW`
			`jump: ACCEPT`
			`with_items:`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- "{{ rhel9cis_3_4_3_2_3_otcp.stdout_lines }}"`
			`when: rhel9cis_3_4_3_2_3_otcp.stdout is defined`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "3.4.3.2.3 \| PATCH \| Ensure iptables rules exist for all open ports \| Adjust open udp ports"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`iptables:`
			`action: append`
			`chain: INPUT`
			`protocol: udp`
			`destination_port: "{{ item }}"`
			`match: state`
			`ctstate: NEW`
			`jump: ACCEPT`
			`with_items:`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}"`
			`when: rhel9cis_3_4_3_2_3_otcp.stdout is defined`
			`when:`
			`- rhel9cis_rule_3_4_3_2_3`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- automated`
			`- patch`
			`- iptables`
			`- rule_3.4.3.2.3`

			`- name: "3.4.3.2.4 \| PATCH \| Ensure iptables default deny firewall policy"`
			`block:`
			`- name: "3.4.3.2.4 \| PATCH \| Ensure iptables default deny firewall policy \| Configure ssh to be allowed"`
			`iptables:`
			`chain: INPUT`
			`protocol: tcp`
			`destination_port: "22"`
			`jump: ACCEPT`

			`- name: "3.4.3.2.4 \| PATCH \| Ensure iptables default deny firewall policy \| Set drop items"`
			`iptables:`
			`policy: DROP`
			`chain: "{{ item }}"`
			`with_items:`
			`- INPUT`
			`- FORWARD`
			`- OUTPUT`
			`when:`
			`- rhel9cis_rule_3_4_3_2_4`
			`tags:`
			`- level1-server`
			`- level1-workstation`
			`- automated`
			`- patch`
			`- iptables`
			`- rule_3.4.3.2.4`

			`- name: "3.4.3.2.5 \| PATCH \| Ensure iptables rules are saved"`
			`iptables_state:`
			`state: saved`
			`path: /etc/sysconfig/iptables`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`when:`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- rhel9cis_rule_3_4_3_2_5`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`tags:`
			`- level1-server`
			`- level1-workstation`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- automated`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`- patch`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- iptables`
			`- rule_3.4.3.2.5`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- name: "3.4.3.2.6 \| PATCH \| Ensure iptables service is enabled and active"`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`service:`
			`name: iptables`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`enabled: yes`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`state: started`
			`when:`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- rhel9cis_rule_3_4_3_2_6`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`tags:`
			`- level1-server`
			`- level1-workstation`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- automated`
Initial Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-01-07 09:06:18 +00:00			`- patch`
updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2022-03-30 16:18:11 +01:00			`- iptables`
			`- rule_3.4.3.2.6`