--- - name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy" block: - name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy | Configure ssh to be allowed" iptables: chain: INPUT protocol: tcp destination_port: "22" jump: ACCEPT - name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" iptables: policy: DROP chain: "{{ item }}" with_items: - INPUT - FORWARD - OUTPUT when: - rhel9cis_rule_3_4_4_1_1 - rhel9cis_firewall == "iptables" tags: - level1-server - level1-workstation - patch - rule_3.4.4.1.1 - name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured" block: - name: "3.4.4.1.2 | L1 | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT" iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT - name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT" iptables: action: append chain: OUTPUT out_interface: lo jump: ACCEPT - name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" iptables: action: append chain: INPUT source: 127.0.0.0/8 jump: DROP when: - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_4_1_2 tags: - level1-server - level1-workstation - patch - rule_3.4.4.1.2 - name: "3.4.4.1.3 | L1 | PATCH | Ensure iptables outbound and established connections are configured" iptables: action: append chain: '{{ item.chain }}' protocol: '{{ item.protocol }}' match: state ctstate: '{{ item.ctstate }}' jump: ACCEPT with_items: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED } - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } when: - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_4_1_3 tags: - level1-server - level1-workstation - patch - rule_3.4.4.1.3 - name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports" block: - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of TCP open ports" shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' changed_when: false failed_when: false register: rhel9cis_3_4_4_1_4_otcp - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get the list of udp open ports" shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' changed_when: false failed_when: false register: rhel9cis_3_4_4_1_4_oudp - name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports | Adjust open tcp ports" iptables: action: append chain: INPUT protocol: tcp destination_port: "{{ item }}" match: state ctstate: NEW jump: ACCEPT with_items: - "{{ rhel9cis_3_4_4_1_4_otcp.stdout_lines }}" when: rhel9cis_3_4_4_1_4_otcp.stdout is defined - name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports | Adjust open udp ports" iptables: action: append chain: INPUT protocol: udp destination_port: "{{ item }}" match: state ctstate: NEW jump: ACCEPT with_items: - "{{ rhel9cis_3_4_4_1_4_oudp.stdout_lines }}" when: rhel9cis_3_4_4_1_4_otcp.stdout is defined when: - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_4_1_4 tags: - level1-server - level1-workstation - patch - rule_3.4.4.1.4 - name: "3.4.4.1.5 | L1 | PATCH | Ensure iptables service is enabled and active | Check if iptables is enabled" service: name: iptables enabled: yes state: started when: - rhel9cis_firewall == "iptables" - rhel9cis_rule_3_4_4_1_5 tags: - level1-server - level1-workstation - patch - rule_3.4.4.1.5