added warning count

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-07-20 17:13:33 +01:00 · 2022-07-20 17:13:33 +01:00 · 6b6a4a32c8
commit 6b6a4a32c8
parent c494559882
17 changed files with 219 additions and 71 deletions
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
@ -5,6 +5,7 @@
      name: nftables
      state: present
  when:
+      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_1
  tags:
      - level1-server
@ -17,22 +18,11 @@
 # The control allows the service it be masked or not installed
 # We have chosen not installed
 - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables"
-  block:
-      - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | mask service"
-        systemd:
-            name: firewalld
-            masked: true
-            state: stopped
-        when:
-            - rhel9cis_nftables_firewalld_state == "masked"
-
-      - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | pkg removed"
-        package:
-            name: firewalld
-            state: absent
-        when:
-            - rhel9cis_nftables_firewalld_state == "absent"
+  package:
+      name: firewalld
+      state: absent
  when:
+      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_2
  tags:
      - level1-server
@ -59,6 +49,7 @@
            name: iptables-service
            state: absent
  when:
+      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_3
  tags:
      - level1-server
@ -105,17 +96,26 @@
      - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables"
        debug:
            msg:
-                - "Warning! You currently have no nft tables, please review your setup"
+                - "Warning!! You currently have no nft tables, please review your setup"
                - 'Use the command "nft create table inet <table name>" to create a new table'
        when:
            - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0
            - not rhel9cis_nft_tables_autonewtable

+      - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count"
+        set_fact:
+            control_number: "{{ control_number }} + [ 'rule_3.4.2.5' ]"
+            warn_count: "{{ warn_count|int + 1 }}"
+        when:
+            - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0
+            - not rhel9cis_nft_tables_autonewtable
+
      - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed"
        command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}"
        failed_when: no
        when: rhel9cis_nft_tables_autonewtable
  when:
+      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_5
  tags:
      - level1-server
@ -167,11 +167,12 @@
            - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; }
        when: rhel9cis_nft_tables_autochaincreate
  when:
+      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_6
  tags:
      - level1-server
      - level1-workstation
-      - automated
+      - automate
      - patch
      - nftables
      - rule_3.4.2.6
@ -208,6 +209,7 @@
        command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
        when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout'
  when:
+      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_7
  tags:
      - level1-server
@ -255,6 +257,7 @@
        command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
        when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout'
  when:
+      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_8
  tags:
      - level1-server
@ -306,6 +309,7 @@
        command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
        when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout'
  when:
+      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_9
  tags:
      - level1-server
@ -320,6 +324,7 @@
      name: nftables
      enabled: yes
  when:
+      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_10
  tags:
      - level1-server
@ -332,9 +337,11 @@
 - name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent"
  lineinfile:
      path: /etc/sysconfig/nftables.conf
+      state: present
      insertafter: EOF
      line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}"
  when:
+      - rhel9cis_firewall == "nftables"
      - rhel9cis_rule_3_4_2_11
  tags:
      - level1-server