diff --git a/defaults/main.yml b/defaults/main.yml index 9777816..b93995b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -114,8 +114,6 @@ rhel9cis_rule_1_4_3: true rhel9cis_rule_1_5_1: true rhel9cis_rule_1_5_2: true rhel9cis_rule_1_5_3: true -rhel9cis_rule_1_6_1: true -rhel9cis_rule_1_6_2: true rhel9cis_rule_1_6_1_1: true rhel9cis_rule_1_6_1_2: true rhel9cis_rule_1_6_1_3: true @@ -137,7 +135,6 @@ rhel9cis_rule_1_8_4: true rhel9cis_rule_1_8_5: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true -rhel9cis_rule_1_11: true # Section 2 rules rhel9cis_rule_2_1_1: true @@ -469,11 +466,6 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -rhel9cis_int_zone: customzone -rhel9cis_interface: eth0 -rhel9cis_firewall_services: - - ssh - - dhcpv6-client #### nftables rhel9cis_nft_tables_autonewtable: true @@ -541,13 +533,6 @@ rhel9cis_sshd: # allowgroups: systems dba # denyusers: # denygroups: -rhel9cis_pam_faillock: - attempts: 5 - interval: 900 - unlock_time: 900 - fail_for_root: no - remember: 5 - pwhash: sha512 # 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE rhel9cis_ssh_loglevel: INFO @@ -580,11 +565,7 @@ rhel9cis_pass: rhel9cis_syslog: rsyslog rhel9cis_rsyslog_ansiblemanaged: true -rhel9cis_vartmp: - source: /tmp - fstype: none - opts: "defaults,nodev,nosuid,noexec,bind" - enabled: false + ## PAM rhel9cis_pam_password: minlen: "14" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1cb873c..47d1434 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -56,13 +56,11 @@ check_mode: false register: system_wide_crypto_policy when: - - rhel9cis_rule_1_10 or - rhel9cis_rule_1_11 + - rhel9cis_rule_1_10 tags: - level1-server - level1-workstation - - rule_1.10 or - rule_1.11 + - rule_1.10 - crypto - name: "PRELIM | if systemd coredump" 
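Review bot: The removed defaults `rhel9cis_pam_faillock`, `rhel9cis_vartmp`, `rhel9cis_int_zone`, `rhel9cis_interface` and `rhel9cis_firewall_services` get no replacement anywhere in this diff and none of the task files that would consume them are touched, so any surviving reference such as `rhel9cis_pam_faillock.attempts` now aborts the play with an undefined-variable error; the same applies to the dropped rule switches `rhel9cis_rule_1_6_1`, `rhel9cis_rule_1_6_2` and `rhel9cis_rule_1_11` in the hunks at 114 and 137. If the faillock values (attempts, lockout interval and unlock time, password hash) have moved into task code, a documented and overridable hardening default becomes a hard-coded one, so keeping a faillock mapping in defaults, even under new keys, is preferable. A search for each removed name across the role before merging would confirm nothing still reads them. The `+` blank line left where `rhel9cis_vartmp` stood (hunk at 580) can be dropped.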
@@ -70,11 +68,11 @@ path: /etc/systemd/coredump.conf register: systemd_coredump when: - - rhel9cis_rule_1_6_1 + - rhel9cis_rule_1_5_1 tags: - level1-server - level1-workstation - - rule_1.6.1 + - rule_1.5.1 - systemd - name: "PRELIM | Section 1.1 | Create list of mount points" diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 38c9433..f9a759c 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml 
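Review bot: The `systemd_coredump` stat is now registered only when `rhel9cis_rule_1_5_1` is enabled, but `/etc/systemd/coredump.conf` is the file the other core-dump control would act on as well; if a 1.5.2 task also reads `systemd_coredump`, a run with 1.5.1 disabled fails there on an undefined variable, so consider `- rhel9cis_rule_1_5_1 or rhel9cis_rule_1_5_2` (the form the crypto task in the previous hunk used before). The task itself begins before this hunk. Separately, vars/is_container.yml in this same diff still lists `rhel9cis_rule_1_5_1` under a `# grub` heading, which no longer matches its use here for the systemd coredump check; relabelling that heading keeps the two files consistent.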
@@ -1,51 +1,55 @@ --- -- name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" +- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" block: - - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" + sysctl: + name: net.ipv4.ip_forward + value: '0' + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv4 route table - - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" + sysctl: + name: net.ipv6.conf.all.forwarding + value: '0' + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv6 route table when: rhel9cis_ipv6_required when: + - not rhel9cis_is_router - rhel9cis_rule_3_2_1 tags: - level1-server - level1-workstation + - automated - sysctl - patch - rule_3.2.1 -- name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" - block: - - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required +- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" + sysctl: + name: '{{ item.name }}' + value: '{{ 
item.value }}' + sysctl_set: yes + state: present + reload: yes + ignoreerrors: yes + notify: sysctl flush ipv4 route table + with_items: + - { name: net.ipv4.conf.all.send_redirects, value: 0 } + - { name: net.ipv4.conf.default.send_redirects, value: 0 } when: + - not rhel9cis_is_router - rhel9cis_rule_3_2_2 tags: - level1-server - level1-workstation - - sysctl + - automated - patch - - rule_3.2.2 \ No newline at end of file + - sysctl + - rule_3.2.2 diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 5bd6a3c..51fb5b0 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -8,7 +8,6 @@ state: present when: - rhel9cis_rule_3_4_1_1 - - rhel9cis_firewall == "firewalld" tags: - level1-server - level1-workstation @@ -34,7 +33,6 @@ state: absent when: - rhel9cis_rule_3_4_1_2 - - rhel9cis_firewall == "firewalld" tags: - level1-server - level1-workstation @@ -49,7 +47,6 @@ state: stopped masked: yes when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_3 tags: - level1-server @@ -65,7 +62,6 @@ state: started enabled: yes when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_4 tags: - level1-server @@ -78,7 +74,6 @@ - name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set" command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_5 tags: - level1-server @@ -103,7 +98,6 @@ - "The items below are the policies tied to the interfaces, please correct as needed" - "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}" when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_6 tags: - level1-server @@ -127,7 +121,6 @@ - "The items below are the services and ports that are accepted, please correct as needed" - "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}" when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_7 tags: - level1-server 
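Review bot: `rhel9cis_is_router`, which now gates both 3.2.1 and 3.2.2 through `- not rhel9cis_is_router`, is not added to defaults/main.yml anywhere in this diff; unless it is defined elsewhere both tasks fail on an undefined variable, and it deserves a documented default (presumably `false`) next to `rhel9cis_ipv6_required`. The two 3.2.1 forwarding tasks omit `sysctl_set: yes` while 3.2.2 sets it, so when the persisted line already exists but the running kernel value differs, 3.2.1 changes nothing; adding `sysctl_set: yes` under both `sysctl:` stanzas makes them behave like 3.2.2. `ignoreerrors: yes` on all three tasks hides a sysctl failure behind a green run, which is the wrong default for a hardening control; dropping it (the IPv6 task is already skipped via `rhel9cis_ipv6_required`) lets a key that cannot be set surface as a failure. The replaced tasks persisted these keys through the `update sysctl` handler into /etc/sysctl.d/99-sysctl.conf, whereas the sysctl module defaults to /etc/sysctl.conf; if other 3.x controls still use the handler, setting `sysctl_file` explicitly keeps all persisted sysctl settings in one place.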
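Review bot: Dropping `- rhel9cis_firewall == "firewalld"` from every task in this file (hunks at 8 through 127) makes the firewalld section unconditional, including 3.4.1.2 removing iptables-services and 3.4.1.3 stopping and masking nftables, while `rhel9cis_firewall` keeps its `firewalld` default in defaults/main.yml. The same selector is removed from cis_3.4.2.x.yml, cis_3.4.3.1.x.yml, cis_3.4.3.2.x.yml and cis_3.4.3.3.x.yml, so unless the include site now applies `rhel9cis_firewall` (not visible in this diff) all three mutually exclusive firewall sections run in turn, each uninstalling or masking the others' packages, and the host may finish with no active firewall. If the gate has moved to the include, a header comment in each file such as `# Selected by rhel9cis_firewall at the include; tasks here assume firewalld` would make that dependency explicit; otherwise the condition should be restored.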
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index e5b0c9a..23717c2 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -5,7 +5,6 @@ name: nftables state: present when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_1 tags: - level1-server @@ -22,7 +21,6 @@ name: firewalld state: absent when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_2 tags: - level1-server @@ -49,7 +47,6 @@ name: iptables-service state: absent when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_3 tags: - level1-server @@ -107,7 +104,6 @@ failed_when: no when: rhel9cis_nft_tables_autonewtable when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_5 tags: - level1-server @@ -159,7 +155,6 @@ - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } when: rhel9cis_nft_tables_autochaincreate when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_6 tags: - level1-server @@ -201,7 +196,6 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout' when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_7 tags: - level1-server @@ -249,7 +243,6 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_8 tags: - level1-server @@ -301,7 +294,6 @@ command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout' when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_9 tags: - level1-server 
@@ -316,7 +308,6 @@ name: nftables enabled: yes when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_10 tags: - level1-server @@ -333,7 +324,6 @@ insertafter: EOF line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" when: - - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_11 tags: - level1-server diff --git a/tasks/section_3/cis_3.4.3.1.x.yml b/tasks/section_3/cis_3.4.3.1.x.yml index 926c685..5d07856 100644 --- a/tasks/section_3/cis_3.4.3.1.x.yml +++ b/tasks/section_3/cis_3.4.3.1.x.yml @@ -7,7 +7,6 @@ - iptables-services state: present when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_1_1 tags: - level1-server @@ -22,7 +21,6 @@ name: nftables state: absent when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_1_2 tags: - level1-server @@ -39,7 +37,6 @@ name: firewalld state: absent when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_1_3 tags: - level1-server diff --git a/tasks/section_3/cis_3.4.3.2.x.yml b/tasks/section_3/cis_3.4.3.2.x.yml index 3348fb5..e600ae7 100644 --- a/tasks/section_3/cis_3.4.3.2.x.yml +++ b/tasks/section_3/cis_3.4.3.2.x.yml @@ -23,7 +23,6 @@ source: 127.0.0.0/8 jump: DROP when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_1 tags: - level1-server @@ -49,7 +48,6 @@ - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_2 tags: - level1-server @@ -99,7 +97,6 @@ - "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}" when: rhel9cis_3_4_3_2_3_otcp.stdout is defined when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_3 tags: - level1-server @@ -128,7 +125,6 @@ - OUTPUT when: - rhel9cis_rule_3_4_3_2_4 - - rhel9cis_firewall == "iptables" tags: - level1-server - level1-workstation @@ -143,7 +139,6 @@ path: /etc/sysconfig/iptables when: - rhel9cis_rule_3_4_3_2_5 - - rhel9cis_firewall == "iptables" tags: - level1-server - level1-workstation 
@@ -158,7 +153,6 @@ enabled: yes state: started when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_2_6 tags: - level1-server diff --git a/tasks/section_3/cis_3.4.3.3.x.yml b/tasks/section_3/cis_3.4.3.3.x.yml index f3bcfa1..83479db 100644 --- a/tasks/section_3/cis_3.4.3.3.x.yml +++ b/tasks/section_3/cis_3.4.3.3.x.yml @@ -26,9 +26,7 @@ jump: DROP ip_version: ipv6 when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_1 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -54,9 +52,7 @@ - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_2 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -87,9 +83,7 @@ - "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}" when: rhel9cis_3_4_3_3_3_otcp.stdout is defined when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_3 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -118,9 +112,7 @@ - FORWARD - OUTPUT when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_4 - - rhel9cis_ipv6_required tags: - level1-server - level1-workstation @@ -135,8 +127,6 @@ path: /etc/sysconfig/ip6tables ip_version: ipv6 when: - - rhel9cis_firewall == "iptables" - - rhel9cis_ipv6_required - rhel9cis_rule_3_4_3_3_5 tags: - level1-server @@ -152,7 +142,6 @@ enabled: yes state: started when: - - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_3_3_6 tags: - level1-server diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index cc0c7bd..f10c74f 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
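Review bot: Besides the firewall selector, `- rhel9cis_ipv6_required` is removed from 3.4.3.3.1 through 3.4.3.3.5 (hunks at 26, 54, 87, 118 and 135), so the ip6tables rules are now applied even where IPv6 is not required or is disabled, while cis_3.2.x.yml in the same diff still skips its IPv6 forwarding task on that variable. Restoring `- rhel9cis_ipv6_required` in each of those `when:` lists keeps the IPv6 firewall controls consistent with the rest of the role and avoids configuring ip6tables on hosts where it is not applicable. Each task here begins before its hunk.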
@@ -73,11 +73,11 @@ rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} +rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} -rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }} -rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }} + rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }} rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }} rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }} @@ -94,7 +94,7 @@ rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }} rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }} -rhel9cis_rule_1_11: {{ rhel9cis_rule_1_11 }} + # section 2 rules rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} diff --git a/vars/is_container.yml b/vars/is_container.yml index 33a23e8..1a39591 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -41,7 +41,7 @@ rhel9cis_rule_5_1_8: false # crypto rhel9cis_rule_1_10: false -rhel9cis_rule_1_11: false + # grub rhel9cis_rule_1_5_1: false @@ -87,7 +87,7 @@ rhel9cis_rule_4_2_2_2: false rhel9cis_rule_4_2_2_3: false # systemd -rhel9cis_rule_1_6_1: false + # Users/passwords/accounts rhel9cis_rule_5_5_2: false