forked from ansible-lockdown/RHEL9-CIS
removed iptables - not valid in rh9
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell
parent
82d1d18504
commit
b8bb7912a1
6 changed files with 2 additions and 426 deletions
|
|
@ -205,21 +205,7 @@ rhel9cis_rule_3_4_2_8: true
|
|||
rhel9cis_rule_3_4_2_9: true
|
||||
rhel9cis_rule_3_4_2_10: true
|
||||
rhel9cis_rule_3_4_2_11: true
|
||||
rhel9cis_rule_3_4_3_1_1: true
|
||||
rhel9cis_rule_3_4_3_1_2: true
|
||||
rhel9cis_rule_3_4_3_1_3: true
|
||||
rhel9cis_rule_3_4_3_2_1: true
|
||||
rhel9cis_rule_3_4_3_2_2: true
|
||||
rhel9cis_rule_3_4_3_2_3: true
|
||||
rhel9cis_rule_3_4_3_2_4: true
|
||||
rhel9cis_rule_3_4_3_2_5: true
|
||||
rhel9cis_rule_3_4_3_2_6: true
|
||||
rhel9cis_rule_3_4_3_3_1: true
|
||||
rhel9cis_rule_3_4_3_3_2: true
|
||||
rhel9cis_rule_3_4_3_3_3: true
|
||||
rhel9cis_rule_3_4_3_3_4: true
|
||||
rhel9cis_rule_3_4_3_3_5: true
|
||||
rhel9cis_rule_3_4_3_3_6: true
|
||||
|
||||
|
||||
# Section 4 rules
|
||||
rhel9cis_rule_4_1_1_1: true
|
||||
|
|
@ -490,8 +476,6 @@ rhel9cis_nft_tables_autonewtable: true
|
|||
rhel9cis_nft_tables_tablename: filter
|
||||
rhel9cis_nft_tables_autochaincreate: true
|
||||
|
||||
#### iptables
|
||||
rhel9cis_iptables_firewalld_state: masked
|
||||
|
||||
# Warning Banner Content (issue, issue.net, motd)
|
||||
rhel9cis_warning_banner: |
|
||||
|
|
|
|||
|
|
@ -1,59 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "3.4.3.1.1 | PATCH | Ensure iptables packages are installed"
|
||||
package:
|
||||
name:
|
||||
- iptables
|
||||
- iptables-services
|
||||
state: present
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_1_1
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- iptables
|
||||
- rule_3.4.3.1.1
|
||||
|
||||
- name: "3.4.3.1.2 | PATCH | Ensure nftables is not installed with iptables"
|
||||
package:
|
||||
name: nftables
|
||||
state: absent
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_1_2
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- iptables
|
||||
- rule_3.4.3.1.2
|
||||
|
||||
# The control allows the service it be masked or not installed
|
||||
# We have chosen not installed
|
||||
- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables"
|
||||
block:
|
||||
- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service"
|
||||
systemd:
|
||||
name: firewalld
|
||||
masked: true
|
||||
state: stopped
|
||||
when:
|
||||
- rhel9cis_iptables_firewalld_state == "masked"
|
||||
|
||||
- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service"
|
||||
package:
|
||||
name: firewalld
|
||||
state: absent
|
||||
when:
|
||||
- rhel9cis_iptables_firewalld_state == "absent"
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_1_3
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- iptables
|
||||
- rule_3.4.3.1.3
|
||||
|
|
@ -1,163 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured"
|
||||
block:
|
||||
- name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT"
|
||||
iptables:
|
||||
action: append
|
||||
chain: INPUT
|
||||
in_interface: lo
|
||||
jump: ACCEPT
|
||||
|
||||
- name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT"
|
||||
iptables:
|
||||
action: append
|
||||
chain: OUTPUT
|
||||
out_interface: lo
|
||||
jump: ACCEPT
|
||||
|
||||
- name: "3.4.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8"
|
||||
iptables:
|
||||
action: append
|
||||
chain: INPUT
|
||||
source: 127.0.0.0/8
|
||||
jump: DROP
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_2_1
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- iptables
|
||||
- rule_3.4.3.2.1
|
||||
|
||||
- name: "3.4.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured"
|
||||
iptables:
|
||||
action: append
|
||||
chain: '{{ item.chain }}'
|
||||
protocol: '{{ item.protocol }}'
|
||||
match: state
|
||||
ctstate: '{{ item.ctstate }}'
|
||||
jump: ACCEPT
|
||||
with_items:
|
||||
- { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
|
||||
- { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
|
||||
- { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
|
||||
- { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED }
|
||||
- { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
|
||||
- { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_2_2
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- manual
|
||||
- patch
|
||||
- iptables
|
||||
- rule_3.4.3.2.2
|
||||
|
||||
- name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports"
|
||||
block:
|
||||
- name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get list of TCP open ports"
|
||||
shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
register: rhel9cis_3_4_3_2_3_otcp
|
||||
|
||||
- name: "3.4.3.2.3 | AUDIT | Ensure iptables rules exist for all open ports | Get the list of udp open ports"
|
||||
shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
register: rhel9cis_3_4_3_2_3_oudp
|
||||
|
||||
- name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open tcp ports"
|
||||
iptables:
|
||||
action: append
|
||||
chain: INPUT
|
||||
protocol: tcp
|
||||
destination_port: "{{ item }}"
|
||||
match: state
|
||||
ctstate: NEW
|
||||
jump: ACCEPT
|
||||
with_items:
|
||||
- "{{ rhel9cis_3_4_3_2_3_otcp.stdout_lines }}"
|
||||
when: rhel9cis_3_4_3_2_3_otcp.stdout is defined
|
||||
|
||||
- name: "3.4.3.2.3 | PATCH | Ensure iptables rules exist for all open ports | Adjust open udp ports"
|
||||
iptables:
|
||||
action: append
|
||||
chain: INPUT
|
||||
protocol: udp
|
||||
destination_port: "{{ item }}"
|
||||
match: state
|
||||
ctstate: NEW
|
||||
jump: ACCEPT
|
||||
with_items:
|
||||
- "{{ rhel9cis_3_4_3_2_3_oudp.stdout_lines }}"
|
||||
when: rhel9cis_3_4_3_2_3_otcp.stdout is defined
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_2_3
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- iptables
|
||||
- rule_3.4.3.2.3
|
||||
|
||||
- name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy"
|
||||
block:
|
||||
- name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure ssh to be allowed"
|
||||
iptables:
|
||||
chain: INPUT
|
||||
protocol: tcp
|
||||
destination_port: "22"
|
||||
jump: ACCEPT
|
||||
|
||||
- name: "3.4.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
|
||||
iptables:
|
||||
policy: DROP
|
||||
chain: "{{ item }}"
|
||||
with_items:
|
||||
- INPUT
|
||||
- FORWARD
|
||||
- OUTPUT
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_2_4
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- iptables
|
||||
- rule_3.4.3.2.4
|
||||
|
||||
- name: "3.4.3.2.5 | PATCH | Ensure iptables rules are saved"
|
||||
iptables_state:
|
||||
state: saved
|
||||
path: /etc/sysconfig/iptables
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_2_5
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- iptables
|
||||
- rule_3.4.3.2.5
|
||||
|
||||
- name: "3.4.3.2.6 | PATCH | Ensure iptables service is enabled and active"
|
||||
service:
|
||||
name: iptables
|
||||
enabled: yes
|
||||
state: started
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_2_6
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- iptables
|
||||
- rule_3.4.3.2.6
|
||||
|
|
@ -1,152 +0,0 @@
|
|||
---
|
||||
|
||||
- name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured"
|
||||
block:
|
||||
- name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT"
|
||||
iptables:
|
||||
action: append
|
||||
chain: INPUT
|
||||
in_interface: lo
|
||||
jump: ACCEPT
|
||||
ip_version: ipv6
|
||||
|
||||
- name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT"
|
||||
iptables:
|
||||
action: append
|
||||
chain: OUTPUT
|
||||
out_interface: lo
|
||||
jump: ACCEPT
|
||||
ip_version: ipv6
|
||||
|
||||
- name: "3.4.3.3.1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8"
|
||||
iptables:
|
||||
action: append
|
||||
chain: INPUT
|
||||
source: ::1
|
||||
jump: DROP
|
||||
ip_version: ipv6
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_3_1
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- ip6tables
|
||||
- rule_3.4.3.3.1
|
||||
|
||||
- name: "3.4.3.3.2 | PATCH | Ensure ip6tables outbound and established connections are configured"
|
||||
iptables:
|
||||
action: append
|
||||
chain: '{{ item.chain }}'
|
||||
protocol: '{{ item.protocol }}'
|
||||
match: state
|
||||
ctstate: '{{ item.ctstate }}'
|
||||
jump: ACCEPT
|
||||
ip_version: ipv6
|
||||
with_items:
|
||||
- { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
|
||||
- { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
|
||||
- { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
|
||||
- { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED }
|
||||
- { chain: INPUT, protocol: udp, ctstate: ESTABLISHED }
|
||||
- { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED }
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_3_2
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- manual
|
||||
- patch
|
||||
- ip6tables
|
||||
- rule_3.4.3.3.2
|
||||
|
||||
- name: "3.4.3.3.3 | PATCH | Ensure ip6tables firewall rules exist for all open ports"
|
||||
block:
|
||||
- name: "3.4.3.3.3 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports"
|
||||
shell: netstat -ant |grep "tcp6.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
register: rhel9cis_3_4_3_3_3_otcp
|
||||
|
||||
- name: "3.4.3.3.3 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports"
|
||||
iptables:
|
||||
action: append
|
||||
chain: INPUT
|
||||
protocol: tcp
|
||||
destination_port: "{{ item }}"
|
||||
match: state
|
||||
ctstate: NEW
|
||||
jump: ACCEPT
|
||||
ip_version: ipv6
|
||||
with_items:
|
||||
- "{{ rhel9cis_3_4_3_3_3_otcp.stdout_lines }}"
|
||||
when: rhel9cis_3_4_3_3_3_otcp.stdout is defined
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_3_3
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- ip6tables
|
||||
- rule_3.4.3.3.3
|
||||
|
||||
- name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy"
|
||||
block:
|
||||
- name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed"
|
||||
iptables:
|
||||
chain: INPUT
|
||||
protocol: tcp
|
||||
destination_port: "22"
|
||||
jump: ACCEPT
|
||||
ip_version: ipv6
|
||||
|
||||
- name: "3.4.3.3.4 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items"
|
||||
iptables:
|
||||
policy: DROP
|
||||
chain: "{{ item }}"
|
||||
ip_version: ipv6
|
||||
with_items:
|
||||
- INPUT
|
||||
- FORWARD
|
||||
- OUTPUT
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_3_4
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- ip6tables
|
||||
- rule_3.4.3.3.4
|
||||
|
||||
- name: "3.4.3.3.5 | PATCH | Ensure ip6tables rules are saved"
|
||||
iptables_state:
|
||||
state: saved
|
||||
path: /etc/sysconfig/ip6tables
|
||||
ip_version: ipv6
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_3_5
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- ip6tables
|
||||
- rule_3.4.3.3.5
|
||||
|
||||
- name: "3.4.3.3.6 | PATCH | Ensure ip6tables service is enabled and active"
|
||||
service:
|
||||
name: ip6tables
|
||||
enabled: yes
|
||||
state: started
|
||||
when:
|
||||
- rhel9cis_rule_3_4_3_3_6
|
||||
tags:
|
||||
- level1-server
|
||||
- level1-workstation
|
||||
- automated
|
||||
- patch
|
||||
- ip6tables
|
||||
- rule_3.4.3.3.6
|
||||
|
|
@ -19,17 +19,3 @@
|
|||
when:
|
||||
- rhel9cis_firewall == "nftables"
|
||||
|
||||
- name: "SECTION | 3.4.3.1.x | Configure iptables"
|
||||
include_tasks: cis_3.4.3.1.x.yml
|
||||
when:
|
||||
- rhel9cis_firewall == "iptables"
|
||||
|
||||
- name: "SECTION | 3.4.3.2.x | Configure iptables IPv4"
|
||||
include_tasks: cis_3.4.3.2.x.yml
|
||||
when:
|
||||
- rhel9cis_firewall == "iptables"
|
||||
|
||||
- name: "SECTION | 3.4.3.3.x | Configure iptables IPv6"
|
||||
include_tasks: cis_3.4.3.3.x.yml
|
||||
when:
|
||||
- ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required )
|
||||
|
|
|
|||
|
|
@ -200,25 +200,6 @@ rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }}
|
|||
rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }}
|
||||
rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }}
|
||||
rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }}
|
||||
# 3.4.3.1 Configure iptables
|
||||
rhel9cis_rule_3_4_3_1_1: {{ rhel9cis_rule_3_4_3_1_1 }}
|
||||
rhel9cis_rule_3_4_3_1_2: {{ rhel9cis_rule_3_4_3_1_2 }}
|
||||
rhel9cis_rule_3_4_3_1_3: {{ rhel9cis_rule_3_4_3_1_3 }}
|
||||
# 3.4.3.2 iptables ipv4
|
||||
rhel9cis_rule_3_4_3_2_1: {{ rhel9cis_rule_3_4_3_2_1 }}
|
||||
rhel9cis_rule_3_4_3_2_2: {{ rhel9cis_rule_3_4_3_2_2 }}
|
||||
rhel9cis_rule_3_4_3_2_3: {{ rhel9cis_rule_3_4_3_2_3 }}
|
||||
rhel9cis_rule_3_4_3_2_4: {{ rhel9cis_rule_3_4_3_2_4 }}
|
||||
rhel9cis_rule_3_4_3_2_5: {{ rhel9cis_rule_3_4_3_2_5 }}
|
||||
rhel9cis_rule_3_4_3_2_6: {{ rhel9cis_rule_3_4_3_2_6 }}
|
||||
# 3.4.3.2 iptables ipv6
|
||||
rhel9cis_rule_3_4_3_3_1: {{ rhel9cis_rule_3_4_3_3_1 }}
|
||||
rhel9cis_rule_3_4_3_3_2: {{ rhel9cis_rule_3_4_3_3_2 }}
|
||||
rhel9cis_rule_3_4_3_3_3: {{ rhel9cis_rule_3_4_3_3_3 }}
|
||||
rhel9cis_rule_3_4_3_3_4: {{ rhel9cis_rule_3_4_3_3_4 }}
|
||||
rhel9cis_rule_3_4_3_3_5: {{ rhel9cis_rule_3_4_3_3_5 }}
|
||||
rhel9cis_rule_3_4_3_3_6: {{ rhel9cis_rule_3_4_3_3_6 }}
|
||||
|
||||
|
||||
# Section 4 rules
|
||||
# 4.1 Configure System Accounting
|
||||
|
|
@ -459,8 +440,7 @@ rhel9cis_nftables_firewalld_state: {{ rhel9cis_nftables_firewalld_state }}
|
|||
rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }}
|
||||
rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }}
|
||||
rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }}
|
||||
#### iptables
|
||||
rhel9cis_iptables_firewalld_state: {{ rhel9cis_iptables_firewalld_state }}
|
||||
|
||||
|
||||
# Section 4
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue