updated netwokr sysctl rules

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/section_3/cis_3.3.x.yml

@@ -0,0 +1,155 @@
+---
+
+- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted"
+  block:
+      - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted"
+        debug:
+            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        notify: 
+            - update sysctl
+            - sysctl flush ipv4 route table
+
+      - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted"
+        debug:
+            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        notify:
+            - sysctl flush ipv6 route table
+            - update sysctl
+        when: rhel9cis_ipv6_required
+  when:
+      - rhel9cis_rule_3_2_1
+  tags:
+      - level1-server
+      - level1-workstation
+      - sysctl
+      - patch
+      - rule_3.2.1
+
+- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted"
+  block:
+      - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted"
+        debug:
+            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        notify: 
+            - update sysctl
+            - sysctl flush ipv4 route table
+
+      - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted"
+        debug:
+            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        notify:
+            - sysctl flush ipv6 route table
+            - update sysctl
+        when: rhel9cis_ipv6_required
+  when:
+      - rhel9cis_rule_3_2_2
+  tags:
+      - level1-server
+      - level1-workstation
+      - sysctl
+      - patch
+      - rule_3.2.2
+
+- name: "3.2.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted"
+  debug:
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+  notify: update sysctl
+  when:
+      - rhel9cis_rule_3_2_3
+  tags:
+      - level1-server
+      - level1-workstation
+      - sysctl
+      - patch
+      - rule_3.2.3
+
+- name: "3.2.4 | L1 | PATCH | Ensure suspicious packets are logged"
+  debug:
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+  notify: update sysctl
+  when:
+      - rhel9cis_rule_3_2_4
+  tags:
+      - level1-server
+      - level1-workstation
+      - sysctl
+      - patch
+      - rule_3.2.4
+
+- name: "3.2.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored"
+  debug:
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+  notify: update sysctl
+  when:
+      - rhel9cis_rule_3_2_5
+  tags:
+      - level1-server
+      - level1-workstation
+      - sysctl
+      - patch
+      - rule_3.2.5
+
+- name: "3.2.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored"
+  debug:
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+  notify: update sysctl
+  when:
+      - rhel9cis_rule_3_2_6
+  tags:
+      - level1-server
+      - level1-workstation
+      - sysctl
+      - patch
+      - rule_3.2.6
+
+- name: "3.2.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled"
+  debug:
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+  notify: update sysctl
+  when:
+      - rhel9cis_rule_3_2_7
+  tags:
+      - level1-server
+      - level1-workstation
+      - sysctl
+      - patch
+      - rule_3.2.7
+
+- name: "3.2.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled"
+  debug:
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+  notify: update sysctl
+  when:
+      - rhel9cis_rule_3_2_8
+  tags:
+      - level1-server
+      - level1-workstation
+      - sysctl
+      - patch
+      - rule_3.2.8
+
+- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted"
+  block:
+      - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted"
+        debug:
+            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        notify: 
+            - update sysctl
+            - sysctl flush ipv4 route table
+
+      - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted"
+        debug:
+            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        notify:
+            - sysctl flush ipv6 route table
+            - update sysctl
+        when: rhel9cis_ipv6_required
+  when:
+      - rhel9cis_ipv6_required
+      - rhel9cis_rule_3_2_9
+  tags:
+      - level2-server
+      - level2-workstation
+      - sysctl
+      - patch
+      - rule_3.2.9

templates/etc/99-sysctl.conf.j2

@@ -12,64 +12,64 @@ kernel.randomize_va_space = 2
 {% endif %}
 
 # Network sysctl
-{% if rhel9cis_rule_3_1_1 %}
-# CIS 3.1.1
-net.ipv4.ip_forward = 0
-{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %}
-net.ipv6.conf.all.forwarding = 0
-{% endif %}
-{% endif %}
-{% if rhel9cis_rule_3_1_2 %}
-# CIS 3.1.2
-net.ipv4.conf.all.send_redirects = 0
-net.ipv4.conf.default.send_redirects = 0
-{% endif %}
 {% if rhel9cis_rule_3_2_1 %}
 # CIS 3.2.1
-net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.ip_forward = 0
-net.ipv4.conf.default.accept_source_route = 0
 {% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %}
-net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.all.forwarding = 0
-net.ipv6.conf.default.accept_source_route = 0
 {% endif %}
 {% endif %}
 {% if rhel9cis_rule_3_2_2 %}
 # CIS 3.2.2
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+{% endif %}
+{% if rhel9cis_rule_3_3_1 %}
+# CIS 3.3.1
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+{% if rhel9cis_rule_3_3_1 and rhel9cis_ipv6_required %}
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+{% endif %}
+{% endif %}
+{% if rhel9cis_rule_3_3_2 %}
+# CIS 3.3.2
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
-{% if rhel9cis_rule_3_2_2 and rhel9cis_ipv6_required %}
+{% if rhel9cis_rule_3_3_2 and rhel9cis_ipv6_required %}
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0
 {% endif %}
 {% endif %}
-{% if rhel9cis_rule_3_2_3 %}
+{% if rhel9cis_rule_3_3_3 %}
-# CIS 3.2.3
+# CIS 3.3.3
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
 {% endif %}
-{% if rhel9cis_rule_3_2_4 %}
+{% if rhel9cis_rule_3_3_4 %}
-# CIS 3.2.4
+# CIS 3.3.4
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.default.log_martians = 1
 {% endif %}
-{% if rhel9cis_rule_3_2_5 %}
+{% if rhel9cis_rule_3_3_5 %}
-# CIS 3.2.5
+# CIS 3.3.5
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 {% endif %}
-{% if rhel9cis_rule_3_2_6 %}
+{% if rhel9cis_rule_3_3_6 %}
-# CIS 3.2.6
+# CIS 3.3.6
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 {% endif %}
-{% if rhel9cis_rule_3_2_7 %}
+{% if rhel9cis_rule_3_3_7 %}
-# CIS 3.2.7
+# CIS 3.3.7
 net.ipv4.conf.default.rp_filter = 1
 {% endif %}
-{% if rhel9cis_rule_3_2_8 %}
+{% if rhel9cis_rule_3_3_8 %}
-# CIS 3.2.8
+# CIS 3.3.8
 net.ipv4.tcp_syncookies = 1
 {% endif %}
-{% if rhel9cis_rule_3_2_9 %}
+{% if rhel9cis_rule_3_3_9 %}
-# CIS 3.2.9
+# CIS 3.3.9
 net.ipv6.conf.all.accept_ra = 0
 net.ipv6.conf.default.accept_ra = 0
 {% endif %}