sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge branch 'lint_dec24' into alignment

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-12-11 13:36:08 +00:00
commit 82f7b53a67
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
49 changed files with 375 additions and 606 deletions
Download patch file Download diff file Expand all files Collapse all files

79
tasks/section_2/cis_2.1.x.yml
View file

@ -33,9 +33,7 @@
masked: true
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
when:
- rhel9cis_rule_2_1_2
- "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
when: rhel9cis_rule_2_1_2
tags:
- level1-server
- level2-workstation
@ -70,9 +68,7 @@
- avahi-daemon.service
- name: "2.1.3 | PATCH | Ensure dhcp server services are not in use"
when:
- "'dhcp-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_3
when: rhel9cis_rule_2_1_3
tags:
- level1-server
- level1-workstation
@ -105,9 +101,7 @@
- dhcpd6.service
- name: "2.1.4 | PATCH | Ensure dns server services are not in use"
when:
- "'bind' in ansible_facts.packages"
- rhel9cis_rule_2_1_4
when: rhel9cis_rule_2_1_4
tags:
- level1-server
- level1-workstation
@ -137,9 +131,7 @@
masked: true
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
when:
- "'dnsmasq' in ansible_facts.packages"
- rhel9cis_rule_2_1_5
when: rhel9cis_rule_2_1_5
tags:
- level1-server
- level1-workstation
@ -169,9 +161,7 @@
masked: true
- name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
when:
- "'samba' in ansible_facts.packages"
- rhel9cis_rule_2_1_6
when: rhel9cis_rule_2_1_6
tags:
- level1-server
- level1-workstation
@ -202,9 +192,7 @@
masked: true
- name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
when:
- "'ftp' in ansible_facts.packages"
- rhel9cis_rule_2_1_7
when: rhel9cis_rule_2_1_7
tags:
- level1-server
- level1-workstation
@ -235,9 +223,7 @@
masked: true
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
when:
- "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages"
- rhel9cis_rule_2_1_8
when: rhel9cis_rule_2_1_8
tags:
- level1-server
- level1-workstation
@ -275,9 +261,7 @@
- "cyrus-imapd.service"
- name: "2.1.9 | PATCH | Ensure network file system services are not in use"
when:
- "'nfs-utils' in ansible_facts.packages"
- rhel9cis_rule_2_1_9
when: rhel9cis_rule_2_1_9
tags:
- level1-server
- level1-workstation
@ -309,9 +293,7 @@
masked: true
- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
when:
- "'ypserv' in ansible_facts.packages"
- rhel9cis_rule_2_1_10
when: rhel9cis_rule_2_1_10
tags:
- level1-server
- level1-workstation
@ -341,9 +323,7 @@
masked: true
- name: "2.1.11 | PATCH | Ensure print server services are not in use"
when:
- "'cups' in ansible_facts.packages"
- rhel9cis_rule_2_1_11
when: rhel9cis_rule_2_1_11
tags:
- level1-server
- automated
@ -375,9 +355,7 @@
- "cups.service"
- name: "2.1.12 | PATCH | Ensure rpcbind services are not in use"
when:
- "'rpcbind' in ansible_facts.packages"
- rhel9cis_rule_2_1_12
when: rhel9cis_rule_2_1_12
tags:
- level1-server
- level1-workstation
@ -411,9 +389,7 @@
- rpcbind.socket
- name: "2.1.13 | PATCH | Ensure rsync services are not in use"
when:
- "'rsync-daemon' in ansible_facts.packages"
- rhel9cis_rule_2_1_13
when: rhel9cis_rule_2_1_13
tags:
- level1-server
- level1-workstation
@ -447,9 +423,7 @@
- 'rsyncd.service'
- name: "2.1.14 | PATCH | Ensure snmp services are not in use"
when:
- "'net-snmp' in ansible_facts.packages"
- rhel9cis_rule_2_1_14
when: rhel9cis_rule_2_1_14
tags:
- level1-server
- level1-workstation
@ -479,9 +453,7 @@
masked: true
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
when:
- "'telnet-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_15
when: rhel9cis_rule_2_1_15
tags:
- level1-server
- level1-workstation
@ -512,9 +484,7 @@
masked: true
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
when:
- "'tftp-server' in ansible_facts.packages"
- rhel9cis_rule_2_1_16
when: rhel9cis_rule_2_1_16
tags:
- level1-server
- level1-workstation
@ -547,9 +517,7 @@
- 'tftp.service'
- name: "2.1.17 | PATCH | Ensure web proxy server services are not in use"
when:
- "'squid' in ansible_facts.packages"
- rhel9cis_rule_2_117
when: rhel9cis_rule_2_1_17
tags:
- level1-server
- level1-workstation
@ -580,8 +548,7 @@
masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
when:
- rhel9cis_rule_2_1_18
when: rhel9cis_rule_2_1_18
tags:
- level1-server
- level1-workstation
@ -597,7 +564,6 @@
when:
- not rhel9cis_httpd_server
- not rhel9cis_httpd_mask
- "'httpd' in ansible_facts.packages"
ansible.builtin.package:
name: httpd
state: absent
@ -606,7 +572,6 @@
when:
- not rhel9cis_nginx_server
- not rhel9cis_nginx_mask
- "'nginx' in ansible_facts.packages"
ansible.builtin.package:
name: nginx
state: absent
@ -615,7 +580,6 @@
when:
- not rhel9cis_httpd_server
- rhel9cis_httpd_mask
- "'httpd' in ansible_facts.packages"
notify: Systemd_daemon_reload
ansible.builtin.systemd:
name: httpd.service
@ -627,7 +591,6 @@
when:
- not rhel9cis_nginx_server
- rhel9cis_nginx_mask
- "'nginx' in ansible_facts.packages"
notify: Systemd_daemon_reload
ansible.builtin.systemd:
name: ngnix.service
@ -636,9 +599,7 @@
masked: true
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
when:
- "'xinetd' in ansible_facts.packages"
- rhel9cis_rule_2_1_19
when: rhel9cis_rule_2_1_19
tags:
- level1-server
- level1-workstation
@ -670,7 +631,6 @@
- name: "2.1.20 | PATCH | Ensure X window server services are not in use"
when:
- not rhel9cis_xwindow_server
- "'xorg-x11-server-common' in ansible_facts.packages"
- rhel9cis_rule_2_1_20
tags:
- level1-server
@ -704,8 +664,7 @@
line: "inet_interfaces = loopback-only"
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface"
when:
- rhel9cis_rule_2_1_22
when: rhel9cis_rule_2_1_22
tags:
- level1-server
- level1-workstation