
boolean variable true/false

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-01-13 16:51:17 +00:00
parent 727095ca35
commit 54f4e0b4b8
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
26 changed files with 92 additions and 90 deletions


@ -5,7 +5,7 @@
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install dccp(\\s|$)"
line: "install dccp /bin/true"
create: yes
create: true
mode: 0600
when:
- rhel9cis_rule_3_3_1
@ -20,7 +20,7 @@
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install sctp(\\s|$)"
line: "install sctp /bin/true"
create: yes
create: true
mode: 0600
when:
- rhel9cis_rule_3_3_2
@ -35,7 +35,7 @@
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install rds(\\s|$)"
line: "install rds /bin/true"
create: yes
create: true
mode: 0600
when:
- rhel9cis_rule_3_3_3
@ -50,7 +50,7 @@
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install tipc(\\s|$)"
line: "install tipc /bin/true"
create: yes
create: true
mode: 0600
when:
- rhel9cis_rule_3_3_4
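Review bot: `mode: 0600` is left as a bare octal-looking scalar in every hunk of this file (L24, L33, L42, L51) while the booleans right above it are being normalised; YAML 1.1 reads `0600` as the integer 384 and Ansible happens to interpret that correctly, but ansible-lint flags it (`risky-octal`) and a value like `644` without the leading zero would silently become a different mode. For the same reason this commit changes `yes` to `true`, these should become `mode: "0600"`. The task header (`name:` and, presumably, the `lineinfile:` module line) sits above each hunk, so I cannot see whether `owner`/`group` are set alongside the mode.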


@ -4,7 +4,7 @@
service:
name: firewalld
state: started
enabled: yes
enabled: true
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_2_1
@ -19,9 +19,9 @@
name: iptables
enabled: false
masked: true
ignore_errors: true
when:
- rhel9cis_firewall == "firewalld"
- "'iptables' in ansible_facts.packages"
- rhel9cis_rule_3_4_2_2
tags:
- skip_ansible_lint
@ -37,6 +37,7 @@
masked: true
when:
- rhel9cis_firewall == "firewalld"
- "'nftables' in ansible_facts.packages"
- rhel9cis_rule_3_4_2_3
tags:
- level1-server
@ -65,7 +66,7 @@
warn: false
changed_when: false
failed_when: false
check_mode: no
check_mode: false
register: rhel9cis_3_4_2_5_interfacepolicy
- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy"
@ -90,7 +91,7 @@
warn: false
changed_when: false
failed_when: false
check_mode: no
check_mode: false
register: rhel9cis_3_4_2_6_servicesport
- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
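Review bot: `ignore_errors: true` on the iptables masking task (L70 in the second hunk) lets the play carry on when iptables cannot be disabled or masked, which on a firewalld host means the benchmark's "only one firewall active" intent can fail silently. The rendered page drops the +/- markers, so I cannot tell whether this line survives the commit; if it does, now that the task is gated on `"'iptables' in ansible_facts.packages"` the remaining failures are genuine ones and should stop the play — drop `ignore_errors: true`, or replace it with a narrow `failed_when` that names the one acceptable error. The task's `name:`/module lines are above the hunk.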


@ -44,7 +44,7 @@
shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}"
args:
warn: false
failed_when: no
failed_when: false
when: rhel9cis_nft_tables_autonewtable
when:
- rhel9cis_firewall == "nftables"
@ -96,7 +96,7 @@
shell: "{{ item }}"
args:
warn: false
failed_when: no
failed_when: false
with_items:
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; }
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; }
@ -294,7 +294,7 @@
- name: "3.4.3.7 | L1 | PATCH | Ensure nftables service is enabled | Check if nftables is enabled"
service:
name: nftables
enabled: yes
enabled: true
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_3_7
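Review bot: The first hunk shows two `when:` keys back to back on the "create table" task (L110 `when: rhel9cis_nft_tables_autonewtable` and L111 `when:` followed by a list); the page strips indentation, but if they are siblings at task level this is a duplicate mapping key and Ansible's YAML loader keeps only the last one, so the `rhel9cis_nft_tables_autonewtable` guard is silently dropped and the table is created whenever the firewall is nftables. Fold the flag into the list instead: `when:` / `- rhel9cis_nft_tables_autonewtable` / `- rhel9cis_firewall == "nftables"`. With `failed_when: false` on the same shell task, an `nft` failure (binary missing, bad table name) is also swallowed, so the later chain-creation tasks run against a table that may not exist. The task's `name:` line is above the hunk.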


@ -136,7 +136,7 @@
- name: "3.4.4.1.5 | L1 | PATCH | Ensure iptables service is enabled and active | Check if iptables is enabled"
service:
name: iptables
enabled: yes
enabled: true
state: started
when:
- rhel9cis_firewall == "iptables"


@ -124,7 +124,7 @@
- name: "3.4.4.2.5 | L1 | PATCH | Ensure ip6tables service is enabled and active | Check if ip6tables is enabled"
service:
name: ip6tables
enabled: yes
enabled: true
state: started
when:
- rhel9cis_firewall == "iptables"


@ -5,7 +5,7 @@
dest: /etc/default/grub
regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?<!ipv6.disable=1)(?:")'
replace: '\1"\2 ipv6.disable=1"'
follow: yes
follow: true
notify: grub2cfg
when:
- not rhel9cis_ipv6_required
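Review bot: The regexp on L160 is not idempotent: the negative lookbehind `(?<!ipv6.disable=1)` only stops a re-append when the token is the very last thing inside the quotes, so a line such as `GRUB_CMDLINE_LINUX="ipv6.disable=1 quiet"` gets another `ipv6.disable=1` added on every run (and the `.` in `ipv6.disable` is unescaped). Using a tempered pattern that refuses to match when the token appears anywhere fixes both: `regexp: '^(GRUB_CMDLINE_LINUX\s*=\s*")((?:(?!ipv6\.disable=1).)*)"'` with `replace: '\1\2 ipv6.disable=1"'`; this also handles an empty `GRUB_CMDLINE_LINUX=""`, which the current `(.+)` silently skips. Note that either form still does nothing if the value is unquoted or single-quoted, so the control is silently unapplied on such hosts rather than failing. The task's `name:`/module line is above the hunk.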