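---
# CIS RHEL 9 section 3.4.1 — firewalld.
#
# Every rule is gated on its own rhel9cis_rule_3_4_1_x switch. Rules 3.4.1.2
# and 3.4.1.3 read ansible_facts.packages, so a package_facts task must have
# run earlier in the play (not visible in this file — confirm in the caller).
#
# Tags use the dotted form rule_3.4.1.x throughout; the older underscore
# spellings are kept as extra tags where they previously existed so that
# `--tags rule_3_4_1_3` style invocations keep working.

- name: "3.4.1.1 | PATCH | Ensure firewalld is installed"
  package:
    name:
      - firewalld
      - iptables
    state: present
  when:
    - rhel9cis_rule_3_4_1_1
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - firewalld
    - rule_3.4.1.1

- name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld"
  block:
    # The units below ship with iptables-services, which the block-level
    # condition already requires to be installed, so no per-item check is
    # needed. Stop before masking: masking alone leaves a running unit up.
    - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services"
      systemd:
        name: "{{ item }}"
        state: stopped
        masked: true
      loop:
        - iptables
        - ip6tables

    - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg"
      package:
        name: iptables-services
        state: absent
  when:
    - rhel9cis_rule_3_4_1_2
    - "'iptables-services' in ansible_facts.packages"
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - firewalld
    - rule_3.4.1.2

- name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld"
  block:
    # rhel9cis_firewalld_nftables_state selects exactly one of the two
    # remediations; any other value leaves nftables untouched.
    - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | mask service"
      systemd:
        name: nftables
        state: stopped
        masked: true
      when:
        - rhel9cis_firewalld_nftables_state == "masked"

    - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | pkg removed"
      package:
        name: nftables
        state: absent
      when:
        - rhel9cis_firewalld_nftables_state == "absent"
  when:
    - rhel9cis_rule_3_4_1_3
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - firewalld
    - rule_3.4.1.3
    - rule_3_4_1_3  # legacy spelling, kept for existing --tags callers

- name: "3.4.1.4 | PATCH | Ensure firewalld service is enabled and running"
  systemd:
    name: firewalld
    state: started
    enabled: true
  when:
    - rhel9cis_rule_3_4_1_4
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - firewalld
    - rule_3.4.1.4
    - rule_3_4_1_4  # legacy spelling, kept for existing --tags callers

- name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set"
  block:
    # Read the current default zone first so the set step only runs (and only
    # reports "changed") when the zone actually differs from the desired one.
    # firewall-cmd needs the daemon running, which 3.4.1.4 ensures.
    - name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set | Get current default zone"
      command: firewall-cmd --get-default-zone
      changed_when: false
      check_mode: false
      register: rhel9cis_3_4_1_5_current_zone

    - name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set | Set default zone"
      command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
      when:
        - rhel9cis_3_4_1_5_current_zone.stdout | trim != rhel9cis_default_zone
  when:
    - rhel9cis_rule_3_4_1_5
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - firewalld
    - rule_3.4.1.5

- name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone"
  block:
    # Audit only: lists each NetworkManager-managed device (4th field of the
    # terse nmcli output) together with the active zone it is bound to.
    # Failures (e.g. nmcli missing) are tolerated so the report still runs.
    - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and policies"
      shell: >-
        nmcli -t connection show | awk -F: '{ if($4){print $4} }'
        | while read INT; do firewall-cmd --get-active-zones | grep -B1 "$INT"; done
      changed_when: false
      failed_when: false
      check_mode: false
      register: rhel9cis_3_4_1_6_interfacepolicy

    - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and policies | Show the interface to policy"
      debug:
        msg:
          - "The items below are the policies tied to the interfaces, please correct as needed"
          - "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}"
  when:
    - rhel9cis_rule_3_4_1_6
  tags:
    - level1-server
    - level1-workstation
    - manual
    - audit
    - rule_3.4.1.6

- name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports"
  block:
    # Audit only: dumps the full ruleset of every active zone (zone names are
    # the lines without a colon in --get-active-zones output) for review.
    - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports"
      shell: >-
        firewall-cmd --get-active-zones | awk '!/:/ {print $1}'
        | while read ZN; do firewall-cmd --list-all --zone="$ZN"; done
      changed_when: false
      failed_when: false
      check_mode: false
      register: rhel9cis_3_4_1_7_servicesport

    - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
      debug:
        msg:
          - "The items below are the services and ports that are accepted, please correct as needed"
          - "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}"
  when:
    - rhel9cis_rule_3_4_1_7
  tags:
    - level1-server
    - level1-workstation
    - manual
    - audit
    - rule_3.4.1.7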