forked from ansible-lockdown/RHEL9-CIS
v1.0.0 updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
2634fabd41
commit
50e24dfac1
4 changed files with 147 additions and 219 deletions
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "2.1.1 | PATCH | Ensure time synchronization is in use"
|
- name: "2.1.1 | PATCH | Ensure time synchronization is in use"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: chrony
|
name: chrony
|
||||||
state: present
|
state: present
|
||||||
when:
|
when:
|
||||||
|
|
@ -10,14 +10,13 @@
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- rule_2.1.1
|
- rule_2.1.1
|
||||||
|
|
||||||
- name: "2.1.2 | PATCH | Ensure chrony is configured"
|
- name: "2.1.2 | PATCH | Ensure chrony is configured"
|
||||||
block:
|
block:
|
||||||
- name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration"
|
- name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration"
|
||||||
template:
|
ansible.builtin.template:
|
||||||
src: etc/chrony.conf.j2
|
src: etc/chrony.conf.j2
|
||||||
dest: /etc/chrony.conf
|
dest: /etc/chrony.conf
|
||||||
owner: root
|
owner: root
|
||||||
|
|
@ -25,7 +24,7 @@
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1"
|
- name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1"
|
||||||
lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/sysconfig/chronyd
|
path: /etc/sysconfig/chronyd
|
||||||
regexp: "^(#)?OPTIONS"
|
regexp: "^(#)?OPTIONS"
|
||||||
line: "OPTIONS=\"-u chrony\""
|
line: "OPTIONS=\"-u chrony\""
|
||||||
|
|
|
||||||
|
|
@ -1,54 +1,38 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "2.2.1 | PATCH | Ensure xinetd is not installed"
|
|
||||||
package:
|
|
||||||
name: xinetd
|
|
||||||
state: absent
|
|
||||||
when:
|
|
||||||
- rhel9cis_rule_2_2_1
|
|
||||||
- not rhel9cis_xinetd_server
|
|
||||||
- "'xinetd' in ansible_facts.packages"
|
|
||||||
tags:
|
|
||||||
- level1-server
|
|
||||||
- level1-workstation
|
|
||||||
- automated
|
|
||||||
- patch
|
|
||||||
- rule_2.2.1
|
|
||||||
|
|
||||||
- name: "2.2.2 | PATCH | Ensure xorg-x11-server-common is not installed"
|
- name: "2.2.1 | PATCH | Ensure xorg-x11-server-common is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: xorg-x11-server-common
|
name: xorg-x11-server-common
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_2_2_2
|
- rhel9cis_rule_2_2_1
|
||||||
- "'xorg-x11-server-common' in ansible_facts.packages"
|
- "'xorg-x11-server-common' in ansible_facts.packages"
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- x11
|
- x11
|
||||||
- rule_2.2.2
|
- rule_2.2.1
|
||||||
|
|
||||||
- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed"
|
- name: "2.2.2 | PATCH | Ensure Avahi Server is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name:
|
name:
|
||||||
- avahi-autoipd
|
- avahi-autoipd
|
||||||
- avahi
|
- avahi
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_2_2_3
|
- rhel9cis_rule_2_2_2
|
||||||
- not rhel9cis_avahi_server
|
- not rhel9cis_avahi_server
|
||||||
- "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
|
- "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level2-workstation
|
- level2-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- avahi
|
- avahi
|
||||||
- rule_2.2.3
|
- rule_2.2.2
|
||||||
|
|
||||||
- name: "2.2.4 | PATCH | Ensure CUPS is not installed"
|
- name: "2.2.3 | PATCH | Ensure CUPS is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: cups
|
name: cups
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
|
|
@ -57,124 +41,102 @@
|
||||||
- rhel9cis_rule_2_2_3
|
- rhel9cis_rule_2_2_3
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- cups
|
- cups
|
||||||
- rule_2.2.3
|
- rule_2.2.3
|
||||||
|
|
||||||
- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed"
|
- name: "2.2.4 | PATCH | Ensure DHCP Server is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: dhcp-server
|
name: dhcp-server
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_dhcp_server
|
- not rhel9cis_dhcp_server
|
||||||
- "'dhcp-server' in ansible_facts.packages"
|
- "'dhcp-server' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_5
|
- rhel9cis_rule_2_2_4
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- dhcp
|
- dhcp
|
||||||
- rule_2.2.5
|
- rule_2.2.4
|
||||||
|
|
||||||
- name: "2.2.6 | PATCH | Ensure DNS Server is not installed"
|
- name: "2.2.5 | PATCH | Ensure DNS Server is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: bind
|
name: bind
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_dns_server
|
- not rhel9cis_dns_server
|
||||||
- "'bind' in ansible_facts.packages"
|
- "'bind' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_6
|
- rhel9cis_rule_2_2_5
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- dns
|
- dns
|
||||||
- rule_2.2.6
|
- rule_2.2.5
|
||||||
|
|
||||||
- name: "2.2.7 | PATCH | Ensure FTP Server is not installed"
|
- name: "2.2.6 | PATCH | Ensure VSFTP Server is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: ftp
|
|
||||||
state: absent
|
|
||||||
when:
|
|
||||||
- not rhel9cis_ftp_server
|
|
||||||
- "'ftp' in ansible_facts.packages"
|
|
||||||
- rhel9cis_rule_2_2_7
|
|
||||||
tags:
|
|
||||||
- level1-server
|
|
||||||
- level1-workstation
|
|
||||||
- automated
|
|
||||||
- patch
|
|
||||||
- ftp
|
|
||||||
- rule_2.2.7
|
|
||||||
|
|
||||||
- name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed"
|
|
||||||
package:
|
|
||||||
name: vsftpd
|
name: vsftpd
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_vsftpd_server
|
- not rhel9cis_vsftpd_server
|
||||||
- "'vsftpd' in ansible_facts.packages"
|
- "'vsftpd' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_8
|
- rhel9cis_rule_2_2_6
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- vsftpd
|
- vsftpd
|
||||||
- rule_2.2.8
|
- rule_2.2.6
|
||||||
|
|
||||||
- name: "2.2.9 | PACH | Ensure TFTP Server is not installed"
|
- name: "2.2.7 | PACH | Ensure TFTP Server is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: tftp-server
|
name: tftp-server
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_tftp_server
|
- not rhel9cis_tftp_server
|
||||||
- "'tftp-server' in ansible_facts.packages"
|
- "'tftp-server' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_9
|
- rhel9cis_rule_2_2_7
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- tftp
|
- tftp
|
||||||
- rule_2.2.9
|
- rule_2.2.7
|
||||||
|
|
||||||
- name: "2.2.10 | PATCH | Ensure a web server is not installed"
|
- name: "2.2.8 | PATCH | Ensure a web server is not installed"
|
||||||
block:
|
block:
|
||||||
- name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove httpd server"
|
- name: "2.2.8 | PATCH | Ensure a web server is not installed | Remove httpd server"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: httpd
|
name: httpd
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_httpd_server
|
- not rhel9cis_httpd_server
|
||||||
- "'httpd' in ansible_facts.packages"
|
- "'httpd' in ansible_facts.packages"
|
||||||
|
|
||||||
- name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server"
|
- name: "2.2.8 | PATCH | Ensure a web server is not installed | Remove nginx server"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_nginx_server
|
- not rhel9cis_nginx_server
|
||||||
- "'nginx' in ansible_facts.packages"
|
- "'nginx' in ansible_facts.packages"
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_2_2_10
|
- rhel9cis_rule_2_2_8
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- httpd
|
- httpd
|
||||||
- nginx
|
- nginx
|
||||||
- webserver
|
- webserver
|
||||||
- rule_2.2.9
|
- rule_2.2.8
|
||||||
|
|
||||||
- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
|
- name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed"
|
||||||
block:
|
block:
|
||||||
- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
|
- name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name:
|
name:
|
||||||
- dovecot
|
- dovecot
|
||||||
state: absent
|
state: absent
|
||||||
|
|
@ -182,8 +144,8 @@
|
||||||
- not rhel9cis_dovecot_server
|
- not rhel9cis_dovecot_server
|
||||||
- "'dovecot' in ansible_facts.packages"
|
- "'dovecot' in ansible_facts.packages"
|
||||||
|
|
||||||
- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed"
|
- name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name:
|
name:
|
||||||
- cyrus-imapd
|
- cyrus-imapd
|
||||||
state: absent
|
state: absent
|
||||||
|
|
@ -192,99 +154,94 @@
|
||||||
- "'cyrus-imapd' in ansible_facts.packages"
|
- "'cyrus-imapd' in ansible_facts.packages"
|
||||||
|
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_2_2_11
|
- rhel9cis_rule_2_2_9
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- dovecot
|
- dovecot
|
||||||
- imap
|
- imap
|
||||||
- pop3
|
- pop3
|
||||||
- rule_2.2.11
|
- rule_2.2.9
|
||||||
|
|
||||||
- name: "2.2.12 | PATCH | Ensure Samba is not enabled"
|
- name: "2.2.10 | PATCH | Ensure Samba is not enabled"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: samba
|
name: samba
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_samba_server
|
- not rhel9cis_samba_server
|
||||||
- "'samba' in ansible_facts.packages"
|
- "'samba' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_12
|
- rhel9cis_rule_2_2_10
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- samba
|
- samba
|
||||||
- rule_2.2.12
|
- rule_2.2.10
|
||||||
|
|
||||||
- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed"
|
- name: "2.2.11 | PATCH | Ensure HTTP Proxy Server is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: squid
|
name: squid
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_squid_server
|
- not rhel9cis_squid_server
|
||||||
- "'squid' in ansible_facts.packages"
|
- "'squid' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_6
|
- rhel9cis_rule_2_2_11
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- squid
|
- squid
|
||||||
- rule_2.2.13
|
- rule_2.2.11
|
||||||
|
|
||||||
- name: "2.2.14 | PATCH | Ensure net-snmp is not installed"
|
- name: "2.2.12 | PATCH | Ensure net-snmp is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: net-snmp
|
name: net-snmp
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_snmp_server
|
- not rhel9cis_snmp_server
|
||||||
- "'net-snmp' in ansible_facts.packages"
|
- "'net-snmp' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_14
|
- rhel9cis_rule_2_2_12
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- snmp
|
- snmp
|
||||||
- rule_2.2.14
|
- rule_2.2.12
|
||||||
|
|
||||||
- name: "2.2.15 | PATCH | Ensure NIS Server is not installed"
|
- name: "2.2.13 | PATCH | Ensure telnet-server is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: ypserv
|
|
||||||
state: absent
|
|
||||||
when:
|
|
||||||
- not rhel9cis_nis_server
|
|
||||||
- "'ypserv' in ansible_facts.packages"
|
|
||||||
- rhel9cis_rule_2_2_17
|
|
||||||
tags:
|
|
||||||
- level1-server
|
|
||||||
- level1-workstation
|
|
||||||
- automated
|
|
||||||
- patch
|
|
||||||
- nis
|
|
||||||
- rule_2.2.17
|
|
||||||
|
|
||||||
- name: "2.2.16 | PATCH | Ensure telnet-server is not installed"
|
|
||||||
package:
|
|
||||||
name: telnet-server
|
name: telnet-server
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_telnet_server
|
- not rhel9cis_telnet_server
|
||||||
- "'telnet-server' in ansible_facts.packages"
|
- "'telnet-server' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_16
|
- rhel9cis_rule_2_2_13
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- telnet
|
- telnet
|
||||||
- rule_2.2.16
|
- rule_2.2.13
|
||||||
|
|
||||||
- name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode"
|
- name: "2.2.14 | PATCH | Ensure dnsmasq is not installed"
|
||||||
lineinfile:
|
ansible.builtin.package:
|
||||||
|
name: dnsmasq
|
||||||
|
state: absent
|
||||||
|
notify: restart postfix
|
||||||
|
when:
|
||||||
|
- not rhel9cis_is_mail_server
|
||||||
|
- "'dnsmasq' in ansible_facts.packages"
|
||||||
|
- rhel9cis_rule_2_2_14
|
||||||
|
tags:
|
||||||
|
- level1-server
|
||||||
|
- level1-workstation
|
||||||
|
- patch
|
||||||
|
- dnsmasq
|
||||||
|
- rule_2.2.14
|
||||||
|
|
||||||
|
- name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode"
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/postfix/main.cf
|
path: /etc/postfix/main.cf
|
||||||
regexp: "^(#)?inet_interfaces"
|
regexp: "^(#)?inet_interfaces"
|
||||||
line: "inet_interfaces = loopback-only"
|
line: "inet_interfaces = loopback-only"
|
||||||
|
|
@ -292,29 +249,28 @@
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_is_mail_server
|
- not rhel9cis_is_mail_server
|
||||||
- "'postfix' in ansible_facts.packages"
|
- "'postfix' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_17
|
- rhel9cis_rule_2_2_15
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- postfix
|
- postfix
|
||||||
- rule_2.2.17
|
- rule_2.2.15
|
||||||
|
|
||||||
# The name title of the service says mask the service, but the fix allows for both options
|
# The name title of the service says mask the service, but the fix allows for both options
|
||||||
# Options available in default/main if to remove the package default is false just mask the server service
|
# Options available in default/main if to remove the package default is false just mask the server service
|
||||||
- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked"
|
- name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked"
|
||||||
block:
|
block:
|
||||||
- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package"
|
- name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: nfs-utils
|
name: nfs-utils
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_use_nfs_server
|
- not rhel9cis_use_nfs_server
|
||||||
- not rhel9cis_use_nfs_service
|
- not rhel9cis_use_nfs_service
|
||||||
|
|
||||||
- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service"
|
- name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service"
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: nfs-server
|
name: nfs-server
|
||||||
masked: true
|
masked: true
|
||||||
state: stopped
|
state: stopped
|
||||||
|
|
@ -323,30 +279,29 @@
|
||||||
- rhel9cis_use_nfs_service
|
- rhel9cis_use_nfs_service
|
||||||
when:
|
when:
|
||||||
- "'nfs-utils' in ansible_facts.packages"
|
- "'nfs-utils' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_18
|
- rhel9cis_rule_2_2_16
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- nfs
|
- nfs
|
||||||
- services
|
- services
|
||||||
- rule_2.2.18
|
- rule_2.2.16
|
||||||
|
|
||||||
# The name title of the service says mask the service, but the fix allows for both options
|
# The name title of the service says mask the service, but the fix allows for both options
|
||||||
# Options available in default/main if to remove the package default is false just mask the server service
|
# Options available in default/main if to remove the package default is false just mask the server service
|
||||||
- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked"
|
- name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked"
|
||||||
block:
|
block:
|
||||||
- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package"
|
- name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: rpcbind
|
name: rpcbind
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_use_rpc_server
|
- not rhel9cis_use_rpc_server
|
||||||
- not rhel9cis_use_rpc_service
|
- not rhel9cis_use_rpc_service
|
||||||
|
|
||||||
- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service"
|
- name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service"
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: rpcbind.socket
|
name: rpcbind.socket
|
||||||
masked: true
|
masked: true
|
||||||
state: stopped
|
state: stopped
|
||||||
|
|
@ -355,29 +310,28 @@
|
||||||
- not rhel9cis_use_rpc_service
|
- not rhel9cis_use_rpc_service
|
||||||
when:
|
when:
|
||||||
- "'rpcbind' in ansible_facts.packages"
|
- "'rpcbind' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_19
|
- rhel9cis_rule_2_2_17
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- rpc
|
- rpc
|
||||||
- rule_2.2.19
|
- rule_2.2.17
|
||||||
|
|
||||||
# The name title of the service says mask the service, but the fix allows for both options
|
# The name title of the service says mask the service, but the fix allows for both options
|
||||||
# Options available in default/main if to remove the package default is false just mask the server service
|
# Options available in default/main if to remove the package default is false just mask the server service
|
||||||
- name: "2.2.20 | PATCH | Ensure rsync service is not enabled "
|
- name: "2.2.18 | PATCH | Ensure rsync service is not enabled "
|
||||||
block:
|
block:
|
||||||
- name: "2.2.20 | PATCH | Ensure rsync service is not enabled | remove package"
|
- name: "2.2.18 | PATCH | Ensure rsync-daemon is not installed or the rsync service is masked | remove package"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: rsync
|
name: rsync-daemon
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_use_rsync_server
|
- not rhel9cis_use_rsync_server
|
||||||
- not rhel9cis_use_rsync_service
|
- not rhel9cis_use_rsync_service
|
||||||
|
|
||||||
- name: "2.2.20 | PATCH | Ensure rsync service is not enabled | mask service"
|
- name: "2.2.18 | PATCH | Ensure rsync service is not enabled | mask service"
|
||||||
systemd:
|
ansible.builtin.systemd:
|
||||||
name: rsyncd
|
name: rsyncd
|
||||||
masked: true
|
masked: true
|
||||||
state: stopped
|
state: stopped
|
||||||
|
|
@ -386,11 +340,10 @@
|
||||||
- not rhel9cis_use_rsync_service
|
- not rhel9cis_use_rsync_service
|
||||||
when:
|
when:
|
||||||
- "'rsync' in ansible_facts.packages"
|
- "'rsync' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_2_20
|
- rhel9cis_rule_2_2_18
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
|
||||||
- patch
|
- patch
|
||||||
- rsync
|
- rsync
|
||||||
- rule_2.2.20
|
- rule_2.2.18
|
||||||
|
|
|
||||||
|
|
@ -1,97 +1,65 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "2.3.1 | PATCH | Ensure NIS Client is not installed"
|
- name: "2.3.1 | PATCH | Ensure telnet client is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: ypbind
|
name: telnet
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_ypbind_required
|
- not rhel9cis_telnet_required
|
||||||
- "'ypbind' in ansible_facts.packages"
|
- "'telnet' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_3_1
|
- rhel9cis_rule_2_3_1
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
- automated
|
||||||
- patch
|
- patch
|
||||||
- nis
|
- telnet
|
||||||
- rule_2.3.1
|
- rule_2.3.1
|
||||||
|
|
||||||
- name: "2.3.2 | PATCH | Ensure rsh client is not installed"
|
- name: "2.3.2 | PATCH | Ensure LDAP client is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: rsh
|
|
||||||
state: absent
|
|
||||||
when:
|
|
||||||
- not rhel9cis_rsh_required
|
|
||||||
- "'rsh' in ansible_facts.packages"
|
|
||||||
- rhel9cis_rule_2_3_2
|
|
||||||
tags:
|
|
||||||
- level1-server
|
|
||||||
- level2-server
|
|
||||||
- automated
|
|
||||||
- patch
|
|
||||||
- rsh
|
|
||||||
- rule_2.3.2
|
|
||||||
|
|
||||||
- name: "2.3.3 | PATCH | Ensure talk client is not installed"
|
|
||||||
package:
|
|
||||||
name: talk
|
|
||||||
state: absent
|
|
||||||
when:
|
|
||||||
- not rhel9cis_talk_required
|
|
||||||
- "'talk' in ansible_facts.packages"
|
|
||||||
- rhel9cis_rule_2_3_3
|
|
||||||
tags:
|
|
||||||
- level1-server
|
|
||||||
- level1-workstation
|
|
||||||
- automated
|
|
||||||
- patch
|
|
||||||
- talk
|
|
||||||
- rule_2.3.3
|
|
||||||
|
|
||||||
- name: "2.3.4 | PATCH | Ensure telnet client is not installed"
|
|
||||||
package:
|
|
||||||
name: telnet
|
|
||||||
state: absent
|
|
||||||
when:
|
|
||||||
- not rhel9cis_telnet_required
|
|
||||||
- "'telnet' in ansible_facts.packages"
|
|
||||||
- rhel9cis_rule_2_3_4
|
|
||||||
tags:
|
|
||||||
- level1-server
|
|
||||||
- level1-workstation
|
|
||||||
- automated
|
|
||||||
- patch
|
|
||||||
- telnet
|
|
||||||
- rule_2.3.4
|
|
||||||
|
|
||||||
- name: "2.3.5 | PATCH | Ensure LDAP client is not installed"
|
|
||||||
package:
|
|
||||||
name: openldap-clients
|
name: openldap-clients
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_openldap_clients_required
|
- not rhel9cis_openldap_clients_required
|
||||||
- "'openldap-clients' in ansible_facts.packages"
|
- "'openldap-clients' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_3_5
|
- rhel9cis_rule_2_3_2
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
- automated
|
||||||
- patch
|
- patch
|
||||||
- ldap
|
- ldap
|
||||||
- rule_2.3.5
|
- rule_2.3.2
|
||||||
|
|
||||||
- name: "2.3.6 | PATCH | Ensure TFTP client is not installed"
|
- name: "2.3.3 | PATCH | Ensure TFTP client is not installed"
|
||||||
package:
|
ansible.builtin.package:
|
||||||
name: tftp
|
name: tftp
|
||||||
state: absent
|
state: absent
|
||||||
when:
|
when:
|
||||||
- not rhel9cis_tftp_client
|
- not rhel9cis_tftp_client
|
||||||
- "'tftp' in ansible_facts.packages"
|
- "'tftp' in ansible_facts.packages"
|
||||||
- rhel9cis_rule_2_3_6
|
- rhel9cis_rule_2_3_3
|
||||||
tags:
|
tags:
|
||||||
- level1-server
|
- level1-server
|
||||||
- level1-workstation
|
- level1-workstation
|
||||||
- automated
|
- automated
|
||||||
- patch
|
- patch
|
||||||
- tftp
|
- tftp
|
||||||
- rule_2.3.6
|
- rule_2.3.3
|
||||||
|
|
||||||
|
- name: "2.3.4 | PATCH | Ensure FTP client is not installed"
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: ftp
|
||||||
|
state: absent
|
||||||
|
when:
|
||||||
|
- not rhel9cis_tftp_client
|
||||||
|
- "'ftp' in ansible_facts.packages"
|
||||||
|
- rhel9cis_rule_2_3_4
|
||||||
|
tags:
|
||||||
|
- level1-server
|
||||||
|
- level1-workstation
|
||||||
|
- automated
|
||||||
|
- patch
|
||||||
|
- ftp
|
||||||
|
- rule_2.3.4
|
||||||
|
|
|
||||||
|
|
@ -1,23 +1,31 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked"
|
- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked"
|
||||||
block:
|
block:
|
||||||
- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Get list of services"
|
- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of services"
|
||||||
shell: systemctl list-units --type=service
|
ansible.builtin.shell: systemctl list-units --type=service
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
check_mode: false
|
check_mode: false
|
||||||
register: rhel9cis_2_4_services
|
register: rhel9cis_2_4_services
|
||||||
|
|
||||||
- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services"
|
- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of sockets"
|
||||||
debug:
|
ansible.builtin.shell: systemctl list-units --type=sockets
|
||||||
|
changed_when: false
|
||||||
|
failed_when: false
|
||||||
|
check_mode: false
|
||||||
|
register: rhel9cis_2_4_sockets
|
||||||
|
|
||||||
|
- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Display list of services"
|
||||||
|
ansible.builtin.debug:
|
||||||
msg:
|
msg:
|
||||||
- "Warning!! Below are the list of services, both active and inactive"
|
- "Warning!! Below are the list of services and sockets, both active and inactive"
|
||||||
- "Please review to make sure all are essential"
|
- "Please review to make sure all are essential"
|
||||||
- "{{ rhel9cis_2_4_services.stdout_lines }}"
|
- "{{ rhel9cis_2_4_services.stdout_lines }}"
|
||||||
|
- "{{ rhel9cis_2_4_sockets.stdout_lines }}"
|
||||||
|
|
||||||
- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count"
|
- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count"
|
||||||
set_fact:
|
ansible.builtin.set_fact:
|
||||||
control_number: "{{ control_number }} + ['rule_2.4']"
|
control_number: "{{ control_number }} + ['rule_2.4']"
|
||||||
warn_count: "{{ warn_count | int + 1 }}"
|
warn_count: "{{ warn_count | int + 1 }}"
|
||||||
when:
|
when:
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue