--- - name: "2.2.1 | PATCH | Ensure xorg-x11-server-common is not installed" ansible.builtin.package: name: xorg-x11-server-common state: absent when: - rhel9cis_rule_2_2_1 - "'xorg-x11-server-common' in ansible_facts.packages" - not rhel9cis_gui tags: - level1-server - patch - x11 - rule_2.2.1 - name: "2.2.2 | PATCH | Ensure Avahi Server is not installed" ansible.builtin.package: name: - avahi-autoipd - avahi state: absent when: - rhel9cis_rule_2_2_2 - not rhel9cis_avahi_server - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" tags: - level1-server - level2-workstation - patch - avahi - rule_2.2.2 - name: "2.2.3 | PATCH | Ensure CUPS is not installed" ansible.builtin.package: name: cups state: absent when: - not rhel9cis_cups_server - "'cups' in ansible_facts.packages" - rhel9cis_rule_2_2_3 tags: - level1-server - patch - cups - rule_2.2.3 - name: "2.2.4 | PATCH | Ensure DHCP Server is not installed" ansible.builtin.package: name: dhcp-server state: absent when: - not rhel9cis_dhcp_server - "'dhcp-server' in ansible_facts.packages" - rhel9cis_rule_2_2_4 tags: - level1-server - level1-workstation - patch - dhcp - rule_2.2.4 - name: "2.2.5 | PATCH | Ensure DNS Server is not installed" ansible.builtin.package: name: bind state: absent when: - not rhel9cis_dns_server - "'bind' in ansible_facts.packages" - rhel9cis_rule_2_2_5 tags: - level1-server - level1-workstation - patch - dns - rule_2.2.5 - name: "2.2.6 | PATCH | Ensure VSFTP Server is not installed" ansible.builtin.package: name: vsftpd state: absent when: - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" - rhel9cis_rule_2_2_6 tags: - level1-server - level1-workstation - patch - vsftpd - rule_2.2.6 - name: "2.2.7 | PACH | Ensure TFTP Server is not installed" ansible.builtin.package: name: tftp-server state: absent when: - not rhel9cis_tftp_server - "'tftp-server' in ansible_facts.packages" - rhel9cis_rule_2_2_7 tags: - level1-server - level1-workstation - patch - tftp - rule_2.2.7 - name: "2.2.8 | PATCH | Ensure a web server is not installed" block: - name: "2.2.8 | PATCH | Ensure a web server is not installed | Remove httpd server" ansible.builtin.package: name: httpd state: absent when: - not rhel9cis_httpd_server - "'httpd' in ansible_facts.packages" - name: "2.2.8 | PATCH | Ensure a web server is not installed | Remove nginx server" ansible.builtin.package: name: nginx state: absent when: - not rhel9cis_nginx_server - "'nginx' in ansible_facts.packages" when: - rhel9cis_rule_2_2_8 tags: - level1-server - level1-workstation - patch - httpd - nginx - webserver - rule_2.2.8 - name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" block: - name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" ansible.builtin.package: name: - dovecot state: absent when: - not rhel9cis_dovecot_server - "'dovecot' in ansible_facts.packages" - name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" ansible.builtin.package: name: - cyrus-imapd state: absent when: - not rhel9cis_imap_server - "'cyrus-imapd' in ansible_facts.packages" when: - rhel9cis_rule_2_2_9 tags: - level1-server - level1-workstation - patch - dovecot - imap - pop3 - rule_2.2.9 - name: "2.2.10 | PATCH | Ensure Samba is not enabled" ansible.builtin.package: name: samba state: absent when: - not rhel9cis_samba_server - "'samba' in ansible_facts.packages" - rhel9cis_rule_2_2_10 tags: - level1-server - level1-workstation - patch - samba - rule_2.2.10 - name: "2.2.11 | PATCH | Ensure HTTP Proxy Server is not installed" ansible.builtin.package: name: squid state: absent when: - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" - rhel9cis_rule_2_2_11 tags: - level1-server - level1-workstation - patch - squid - rule_2.2.11 - name: "2.2.12 | PATCH | Ensure net-snmp is not installed" ansible.builtin.package: name: net-snmp state: absent when: - not rhel9cis_snmp_server - "'net-snmp' in ansible_facts.packages" - rhel9cis_rule_2_2_12 tags: - level1-server - level1-workstation - patch - snmp - rule_2.2.12 - name: "2.2.13 | PATCH | Ensure telnet-server is not installed" ansible.builtin.package: name: telnet-server state: absent when: - not rhel9cis_telnet_server - "'telnet-server' in ansible_facts.packages" - rhel9cis_rule_2_2_13 tags: - level1-server - level1-workstation - patch - telnet - rule_2.2.13 - name: "2.2.14 | PATCH | Ensure dnsmasq is not installed" ansible.builtin.package: name: dnsmasq state: absent when: - not rhel9cis_dnsmasq_server - "'dnsmasq' in ansible_facts.packages" - rhel9cis_rule_2_2_14 tags: - level1-server - level1-workstation - patch - dnsmasq - rule_2.2.14 - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" ansible.builtin.lineinfile: path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = loopback-only" notify: Restart postfix when: - not rhel9cis_is_mail_server - "'postfix' in ansible_facts.packages" - rhel9cis_rule_2_2_15 tags: - level1-server - level1-workstation - patch - postfix - rule_2.2.15 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service - name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" block: - name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package" ansible.builtin.package: name: nfs-utils state: absent when: - not rhel9cis_use_nfs_server - not rhel9cis_use_nfs_service - name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" ansible.builtin.systemd: name: nfs-server masked: true state: stopped when: - not rhel9cis_use_nfs_server - rhel9cis_use_nfs_service when: - "'nfs-utils' in ansible_facts.packages" - rhel9cis_rule_2_2_16 tags: - level1-server - level1-workstation - patch - nfs - services - rule_2.2.16 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" block: - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package" ansible.builtin.package: name: rpcbind state: absent when: - not rhel9cis_use_rpc_server - not rhel9cis_use_rpc_service - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" ansible.builtin.systemd: name: rpcbind.socket masked: true state: stopped when: - rhel9cis_use_rpc_server - not rhel9cis_use_rpc_service when: - "'rpcbind' in ansible_facts.packages" - rhel9cis_rule_2_2_17 tags: - level1-server - level1-workstation - patch - rpc - rule_2.2.17 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service - name: "2.2.18 | PATCH | Ensure rsync service is not enabled " block: - name: "2.2.18 | PATCH | Ensure rsync-daemon is not installed or the rsync service is masked | remove package" ansible.builtin.package: name: rsync-daemon state: absent when: - not rhel9cis_use_rsync_server - not rhel9cis_use_rsync_service - name: "2.2.18 | PATCH | Ensure rsync service is not enabled | mask service" ansible.builtin.systemd: name: rsyncd masked: true state: stopped when: - rhel9cis_use_rsync_server - not rhel9cis_use_rsync_service when: - "'rsync' in ansible_facts.packages" - rhel9cis_rule_2_2_18 tags: - level1-server - level1-workstation - patch - rsync - rule_2.2.18