
Updated 4.3.2

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-09-09 12:10:38 +01:00
parent 7c4c3f9e4d
commit ab3c9cc8aa
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9


@ -66,15 +66,19 @@
failed_when: false
register: discovered_nftables_inconnectionrule
- name: "4.3.2| AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules"
- name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules"
ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false
failed_when: false
register: discovered_nftables_outconnectionrule
- name: "4.3.2| AUDIT | Ensure nftables established connections are configured | Create table is doesn't exist"
when: rhel9cis_nft_tables_autonewtable
ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
- name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy"
when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy"
when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'