From 4dfacd9e3bfb3d1964f16c710efaaa85c66cce09 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 4 Apr 2022 12:50:41 +0100
Subject: [PATCH] updated server/service vars
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 18 +++++--
 tasks/section_2/cis_2.2.x.yml | 99 ++++++++++++++++++++++++++---------
 2 files changed, 89 insertions(+), 28 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 68ea1dd..cbac9b4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -444,16 +444,26 @@ rhel9cis_vsftpd_server: false
 rhel9cis_tftp_server: false
 rhel9cis_httpd_server: false
 rhel9cis_nginx_server: false
-rhel9cis_dovecot_cyrus_server: false
+rhel9cis_dovecot_server: false
+rhel9cis_imap_server: false
 rhel9cis_samba_server: false
 rhel9cis_squid_server: false
 rhel9cis_snmp_server: false
 rhel9cis_nis_server: false
 rhel9cis_telnet_server: false
 rhel9cis_is_mail_server: false
-rhel9cis_nfs_server: false
-rhel9cis_rpc_server: false
-rhel9cis_rsync_server: false
+# Note the options
+# Packages are used for client services and Server- only remove if you dont use the client service
+#
+rhel9cis_use_nfs:
+ - service: false
+ - server: false
+rhel9_use_rpc:
+ - service: false
+ - server: false
+rhel9cis_use_rsync:
+ - service: false
+ - server: false
 
 #### 2.3 Service clients
 rhel9cis_ypbind_required: false
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
index bd93fbd..9c0dc86 100644
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@@ -73,7 +73,7 @@
 tags:
 - level1-server
 - level1-workstation
- - audtomated
+ - automated
 - patch
 - dhcp
 - rule_2.2.5
@@ -160,7 +160,7 @@
 - not rhel9cis_nginx_server
 - "'nginx' in ansible_facts.packages"
 when:
- - rhel9cis_rule_2_2_9
+ - rhel9cis_rule_2_2_10
 tags:
 - level1-server
 - level1-workstation
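Review bot: The three new variables are declared as lists of one-key mappings (`- service: false`, `- server: false`), but the 2.2.18–2.2.20 tasks read them as `rhel9cis_use_nfs.server` / `.service`, which a list does not provide, so every task that evaluates them will fail on an undefined attribute instead of removing or masking anything; drop the leading `-` so each becomes a plain mapping. The rpc variable is also spelled `rhel9_use_rpc` here while the 2.2.19 tasks reference `rhel9cis_use_rpc`, so the two names must be brought into agreement. The explanatory comment above them would read more clearly as `# service: the client side is in use (keep the package, mask only the server unit); server: the server side is in use (leave untouched)` — that matches the 2.2.18 logic, which is presumably the intended meaning.
```yaml
# … unchanged: rhel9cis_*_server flags above …
rhel9cis_use_nfs:
  service: false
  server: false
rhel9cis_use_rpc:
  service: false
  server: false
rhel9cis_use_rsync:
  service: false
  server: false
```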
@@ -172,14 +172,26 @@
 - rule_2.2.9
 
 - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
- package:
- name:
- - dovecot
- - cyrus-imapd
- state: absent
+ block:
+ - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
+ package:
+ name:
+ - dovecot
+ state: absent
+ when:
+ - not rhel9cis_dovecot_server
+ - "'dovecot' in ansible_facts.packages"
+
+ - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
+ package:
+ name:
+ - cyrus-imapd
+ state: absent
+ when:
+ - not rhel9cis_imap_server
+ - "'cyrus-imapd' in ansible_facts.packages"
+
 when:
- - not rhel9cis_dovecot_cyrus_server
- - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages"
 - rhel9cis_rule_2_2_11
 tags:
 - level1-server
@@ -290,13 +302,26 @@
 - rule_2.2.17
 
 # The name title of the service says mask the service, but the fix allows for both options
-# We went with removing to remove the security/update overhead with having the package installed
+# Options available in default/main if to remove the package default is false just mask the server service
 - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked"
- package:
- name: nfs-utils
- state: absent
+ block:
+ - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package"
+ package:
+ name: nfs-utils
+ state: absent
+ when:
+ - not rhel9cis_use_nfs.server
+ - not rhel9cis_use_nfs.service
+
+ - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service"
+ systemd:
+ name: nfs-server
+ masked: true
+ enabled: false
+ when:
+ - not rhel9cis_use_nfs.server
+ - rhel9cis_use_nfs.service
 when:
- - not rhel9cis_nfs_server
 - "'nfs-utils' in ansible_facts.packages"
 - rhel9cis_rule_2_2_18
 tags:
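Review bot: Both inner tasks carry the identical name `2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed`, so the play output cannot show which of the two removals ran or was skipped; suffix them the way 2.2.18–2.2.20 do, e.g. `... not installed | dovecot` and `... not installed | cyrus-imapd`. The `- rule_2.2.9` tag that opens this hunk sits directly after the task whose rule variable the previous hunk renamed to `rhel9cis_rule_2_2_10`; if it belongs to that nginx task it should presumably read `- rule_2.2.10` as well, but the start of that task is outside the hunk. Since each inner task now carries its own package check, the outer `when` holding only the rule switch is correct.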
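Review bot: The `mask service` task sets `masked: true` and `enabled: false` but never stops a currently running `nfs-server`, and masking a unit does not stop it, so on a host where the server is already active it keeps serving until the next reboot; add `state: stopped` to the systemd call. The same omission applies to the `rpcbind.socket` and `rsyncd` tasks in 2.2.19 and 2.2.20. The rewritten comment above the task would also read better as `# Options in defaults/main.yml: remove the package only when neither the client service nor the server is used, otherwise just mask the server unit`.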
@@ -309,13 +334,26 @@
 - rule_2.2.18
 
 # The name title of the service says mask the service, but the fix allows for both options
-# We went with removing to remove the security/update overhead with having the package installed
+# Options available in default/main if to remove the package default is false just mask the server service
 - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked"
- package:
- name: rpcbind
- state: absent
+ block:
+ - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package"
+ package:
+ name: rpcbind
+ state: absent
+ when:
+ - not rhel9cis_use_rpc.server
+ - not rhel9cis_use_rpc.service
+
+ - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service"
+ systemd:
+ name: rpcbind.socket
+ masked: true
+ enabled: false
+ when:
+ - rhel9cis_use_rpc.server
+ - not rhel9cis_use_rpc.service
 when:
- - not rhel9cis_rpc_server
 - "'rpcbind' in ansible_facts.packages"
 - rhel9cis_rule_2_2_19
 tags:
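Review bot: The `mask service` condition here is the inverse of the one in 2.2.18: this task masks `rpcbind.socket` when `rhel9cis_use_rpc.server` is true and `.service` is false, whereas the nfs task masks when `.server` is false and `.service` is true, which is also what the defaults comment describes (keep the package for the client, mask the server). As written, an operator who declares the rpc server in use gets it masked, and one who declares only the client in use gets nothing masked; swap the two lines to `- not rhel9cis_use_rpc.server` and `- rhel9cis_use_rpc.service`. 2.2.20 has the same inversion for rsync. Separately, the task title speaks of the rpcbind services in the plural but only the socket unit is masked, which leaves `rpcbind.service` startable on its own; consider masking both `rpcbind.socket` and `rpcbind.service` via a `loop`.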
@@ -327,13 +365,26 @@
 - rule_2.2.19
 
 # The name title of the service says mask the service, but the fix allows for both options
-# We went with removing to remove the security/update overhead with having the package installed
+# Options available in default/main if to remove the package default is false just mask the server service
 - name: "2.2.20 | PATCH | Ensure rsync service is not enabled "
- package:
- name: rsync
- state: absent
+ block:
+ - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | remove package"
+ package:
+ name: rsync
+ state: absent
+ when:
+ - not rhel9cis_use_rsync.server
+ - not rhel9cis_use_rsync.service
+
+ - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | mask service"
+ systemd:
+ name: rsyncd
+ masked: true
+ enabled: false
+ when:
+ - rhel9cis_use_rsync.server
+ - not rhel9cis_use_rsync.service
 when:
- - not rhel9cis_rsync_server
 - "'rsync' in ansible_facts.packages"
 - rhel9cis_rule_2_2_20
 tags: