tidy up vars

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-04-01 17:09:53 +01:00 · 2022-04-01 17:09:53 +01:00 · 2d21f8a98e
commit 2d21f8a98e
parent 2565df6047
10 changed files with 45 additions and 99 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -114,8 +114,6 @@ rhel9cis_rule_1_4_3: true
 rhel9cis_rule_1_5_1: true
 rhel9cis_rule_1_5_2: true
 rhel9cis_rule_1_5_3: true
 rhel9cis_rule_1_6_1: true
 rhel9cis_rule_1_6_2: true
 rhel9cis_rule_1_6_1_1: true
 rhel9cis_rule_1_6_1_2: true
 rhel9cis_rule_1_6_1_3: true
@ -137,7 +135,6 @@ rhel9cis_rule_1_8_4: true
 rhel9cis_rule_1_8_5: true
 rhel9cis_rule_1_9: true
 rhel9cis_rule_1_10: true
 rhel9cis_rule_1_11: true
 # Section 2 rules
 rhel9cis_rule_2_1_1: true
@ -469,11 +466,6 @@ rhel9cis_firewall: firewalld
 ##### firewalld
 rhel9cis_default_zone: public
 rhel9cis_int_zone: customzone
 rhel9cis_interface: eth0
 rhel9cis_firewall_services:
    - ssh
    - dhcpv6-client
 #### nftables
 rhel9cis_nft_tables_autonewtable: true
@ -541,13 +533,6 @@ rhel9cis_sshd:
    # allowgroups: systems dba
    # denyusers:
    # denygroups:
 rhel9cis_pam_faillock:
    attempts: 5
    interval: 900
    unlock_time: 900
    fail_for_root: no
    remember: 5
    pwhash: sha512
 # 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE
 rhel9cis_ssh_loglevel: INFO
@ -580,11 +565,7 @@ rhel9cis_pass:
 rhel9cis_syslog: rsyslog
 rhel9cis_rsyslog_ansiblemanaged: true
-rhel9cis_vartmp:
+
    source: /tmp
    fstype: none
    opts: "defaults,nodev,nosuid,noexec,bind"
    enabled: false
 ## PAM
 rhel9cis_pam_password:
    minlen: "14"
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -56,13 +56,11 @@
        check_mode: false
        register: system_wide_crypto_policy
  when:
-      - rhel9cis_rule_1_10 or
+      - rhel9cis_rule_1_10
        rhel9cis_rule_1_11
  tags:
      - level1-server
      - level1-workstation
-      - rule_1.10 or
+      - rule_1.10
        rule_1.11
      - crypto
 - name: "PRELIM | if systemd coredump"
@ -70,11 +68,11 @@
      path: /etc/systemd/coredump.conf
  register: systemd_coredump
  when:
-      - rhel9cis_rule_1_6_1
+      - rhel9cis_rule_1_5_1
  tags:
      - level1-server
      - level1-workstation
-      - rule_1.6.1
+      - rule_1.5.1
      - systemd
 - name: "PRELIM | Section 1.1 | Create list of mount points"
--- a/tasks/section_3/cis_3.2.x.yml
+++ b/tasks/section_3/cis_3.2.x.yml
@ -1,51 +1,55 @@
 ---
- name: "3.2.1 | PATCH | Ensure source routed packets are not accepted"
+- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled"
  block:
-      - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted"
+      - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
-        debug:
+        sysctl:
-            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+            name: net.ipv4.ip_forward
-        notify: 
+            value: '0'
-            - update sysctl
+            state: present
-            - sysctl flush ipv4 route table
+            reload: yes
            ignoreerrors: yes
        notify: sysctl flush ipv4 route table
-      - name: "3.2.1 | PATCH | Ensure source routed packets are not accepted"
+      - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
-        debug:
+        sysctl:
-            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+            name: net.ipv6.conf.all.forwarding
-        notify:
+            value: '0'
-            - sysctl flush ipv6 route table
+            state: present
-            - update sysctl
+            reload: yes
            ignoreerrors: yes
        notify: sysctl flush ipv6 route table
        when: rhel9cis_ipv6_required
  when:
      - not rhel9cis_is_router
      - rhel9cis_rule_3_2_1
  tags:
      - level1-server
      - level1-workstation
      - automated
      - sysctl
      - patch
      - rule_3.2.1
- name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted"
+- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled"
-  block:
+  sysctl:
-      - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted"
+      name: '{{ item.name }}'
-        debug:
+      value: '{{ item.value }}'
-            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+      sysctl_set: yes
-        notify: 
+      state: present
-            - update sysctl
+      reload: yes
-            - sysctl flush ipv4 route table
+      ignoreerrors: yes
-
+  notify: sysctl flush ipv4 route table
-      - name: "3.2.2 | PATCH | Ensure ICMP redirects are not accepted"
+  with_items:
-        debug:
+      - { name: net.ipv4.conf.all.send_redirects, value: 0 }
-            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+      - { name: net.ipv4.conf.default.send_redirects, value: 0 }
        notify:
            - sysctl flush ipv6 route table
            - update sysctl
        when: rhel9cis_ipv6_required
  when:
      - not rhel9cis_is_router
      - rhel9cis_rule_3_2_2
  tags:
      - level1-server
      - level1-workstation
-      - sysctl
+      - automated
      - patch
-      - rule_3.2.2
+      - sysctl
      - rule_3.2.2
--- a/tasks/section_3/cis_3.4.1.x.yml
+++ b/tasks/section_3/cis_3.4.1.x.yml
@ -8,7 +8,6 @@
      state: present
  when:
      - rhel9cis_rule_3_4_1_1
      - rhel9cis_firewall == "firewalld"
  tags:
      - level1-server
      - level1-workstation
@ -34,7 +33,6 @@
            state: absent
  when:
      - rhel9cis_rule_3_4_1_2
      - rhel9cis_firewall == "firewalld"
  tags:
      - level1-server
      - level1-workstation
@ -49,7 +47,6 @@
      state: stopped
      masked: yes
  when:
      - rhel9cis_firewall == "firewalld"
      - rhel9cis_rule_3_4_1_3
  tags:
      - level1-server
@ -65,7 +62,6 @@
      state: started
      enabled: yes
  when:
      - rhel9cis_firewall == "firewalld"
      - rhel9cis_rule_3_4_1_4
  tags:
      - level1-server
@ -78,7 +74,6 @@
 - name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set"
  command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
  when:
      - rhel9cis_firewall == "firewalld"
      - rhel9cis_rule_3_4_1_5
  tags:
      - level1-server
@ -103,7 +98,6 @@
                - "The items below are the policies tied to the interfaces, please correct as needed"
                - "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}"
  when:
      - rhel9cis_firewall == "firewalld"
      - rhel9cis_rule_3_4_1_6
  tags:
      - level1-server
@ -127,7 +121,6 @@
                - "The items below are the services and ports that are accepted, please correct as needed"
                - "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}"
  when:
      - rhel9cis_firewall == "firewalld"
      - rhel9cis_rule_3_4_1_7
  tags:
      - level1-server
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
@ -5,7 +5,6 @@
      name: nftables
      state: present
  when:
      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_1
  tags:
      - level1-server
@ -22,7 +21,6 @@
      name: firewalld
      state: absent
  when:
      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_2
  tags:
      - level1-server
@ -49,7 +47,6 @@
            name: iptables-service
            state: absent
  when:
      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_3
  tags:
      - level1-server
@ -107,7 +104,6 @@
        failed_when: no
        when: rhel9cis_nft_tables_autonewtable
  when:
      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_5
  tags:
      - level1-server
@ -159,7 +155,6 @@
            - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; }
        when: rhel9cis_nft_tables_autochaincreate
  when:
      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_6
  tags:
      - level1-server
@ -201,7 +196,6 @@
        command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
        when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout'
  when:
      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_7
  tags:
      - level1-server
@ -249,7 +243,6 @@
        command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
        when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout'
  when:
      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_8
  tags:
      - level1-server
@ -301,7 +294,6 @@
        command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
        when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout'
  when:
      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_9
  tags:
      - level1-server
@ -316,7 +308,6 @@
      name: nftables
      enabled: yes
  when:
      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_10
  tags:
      - level1-server
@ -333,7 +324,6 @@
      insertafter: EOF
      line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}"
  when:
      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_11
  tags:
      - level1-server
--- a/tasks/section_3/cis_3.4.3.1.x.yml
+++ b/tasks/section_3/cis_3.4.3.1.x.yml
@ -7,7 +7,6 @@
          - iptables-services
      state: present
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_1_1
  tags:
      - level1-server
@ -22,7 +21,6 @@
      name: nftables
      state: absent
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_1_2
  tags:
      - level1-server
@ -39,7 +37,6 @@
      name: firewalld
      state: absent
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_1_3
  tags:
      - level1-server
--- a/tasks/section_3/cis_3.4.3.2.x.yml
+++ b/tasks/section_3/cis_3.4.3.2.x.yml
@ -23,7 +23,6 @@
            source: 127.0.0.0/8
            jump: DROP
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_2_1
  tags:
      - level1-server
@ -49,7 +48,6 @@
      - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
      - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_2_2
  tags:
      - level1-server
@ -99,7 +97,6 @@
            - "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}"
        when: rhel9cis_3_4_3_2_3_otcp.stdout is defined
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_2_3
  tags:
      - level1-server
@ -128,7 +125,6 @@
            - OUTPUT
  when:
      - rhel9cis_rule_3_4_3_2_4
      - rhel9cis_firewall == "iptables"
  tags:
      - level1-server
      - level1-workstation
@ -143,7 +139,6 @@
      path: /etc/sysconfig/iptables
  when:
      - rhel9cis_rule_3_4_3_2_5
      - rhel9cis_firewall == "iptables"
  tags:
      - level1-server
      - level1-workstation
@ -158,7 +153,6 @@
      enabled: yes
      state: started
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_2_6
  tags:
      - level1-server
--- a/tasks/section_3/cis_3.4.3.3.x.yml
+++ b/tasks/section_3/cis_3.4.3.3.x.yml
@ -26,9 +26,7 @@
            jump: DROP
            ip_version: ipv6
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_3_1
      - rhel9cis_ipv6_required
  tags:
      - level1-server
      - level1-workstation
@ -54,9 +52,7 @@
      - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
      - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_3_2
      - rhel9cis_ipv6_required
  tags:
      - level1-server
      - level1-workstation
@ -87,9 +83,7 @@
            - "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}"
        when: rhel9cis_3_4_3_3_3_otcp.stdout is defined
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_3_3
      - rhel9cis_ipv6_required
  tags:
      - level1-server
      - level1-workstation
@ -118,9 +112,7 @@
            - FORWARD
            - OUTPUT
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_3_4
      - rhel9cis_ipv6_required
  tags:
      - level1-server
      - level1-workstation
@ -135,8 +127,6 @@
      path: /etc/sysconfig/ip6tables
      ip_version: ipv6
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_ipv6_required
      - rhel9cis_rule_3_4_3_3_5
  tags:
      - level1-server
@ -152,7 +142,6 @@
      enabled: yes
      state: started
  when:
      - rhel9cis_firewall == "iptables"
      - rhel9cis_rule_3_4_3_3_6
  tags:
      - level1-server
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@ -73,11 +73,11 @@ rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }}
 rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }}
 rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }}
 rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }}
 rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }}
 rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }}
 rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }}
 rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }}
-rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }}
+
 rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }}
 rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }}
 rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }}
 rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }}
@ -94,7 +94,7 @@ rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }}
 rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }}
 rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }}
 rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }}
-rhel9cis_rule_1_11: {{ rhel9cis_rule_1_11 }}
+
 # section 2 rules
 rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }}
--- a/vars/is_container.yml
+++ b/vars/is_container.yml
@ -41,7 +41,7 @@ rhel9cis_rule_5_1_8: false
 # crypto
 rhel9cis_rule_1_10: false
-rhel9cis_rule_1_11: false
+
 # grub
 rhel9cis_rule_1_5_1: false
@ -87,7 +87,7 @@ rhel9cis_rule_4_2_2_2: false
 rhel9cis_rule_4_2_2_3: false
 # systemd
-rhel9cis_rule_1_6_1: false
+
 # Users/passwords/accounts
 rhel9cis_rule_5_5_2: false