sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Updated nftables prereqs for table

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-09-09 13:59:31 +01:00
parent e915a7ae5d
commit 22a1955948
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
1 changed files with 10 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

14
tasks/section_4/cis_4.3.x.yml
View file

@ -1,5 +1,15 @@
---
- name: "OPTIONAL | PATCH | Create Table if doesn't exist and required"
when:
- rhel9cis_nft_tables_autonewtable
- rhel9cis_rule_4_3_1
- rhel9cis_rule_4_3_2
- rhel9cis_rule_4_3_3
- rhel9cis_rule_4_3_4
tags: always
ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
- name: "4.3.1 | PATCH | Ensure nftables base chains exist"
when:
- rhel9cis_rule_4_3_1
@ -72,10 +82,6 @@
failed_when: false
register: discovered_nftables_outconnectionrule
- name: "4.3.2| AUDIT | Ensure nftables established connections are configured | Create table is doesn't exist"
when: rhel9cis_nft_tables_autonewtable
ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
- name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy"
when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept