forked from ansible-lockdown/RHEL9-CIS
43 lines
1.5 KiB
YAML
43 lines
1.5 KiB
YAML
---
|
|
|
|
- name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports"
|
|
when: rhel9cis_rule_4_2_1
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- manual
|
|
- audit
|
|
- rule_4.2.1
|
|
- NIST800-55_CA-9
|
|
block:
|
|
- name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports"
|
|
ansible.builtin.shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done"
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: discovered_services_and_ports
|
|
|
|
- name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
|
|
ansible.builtin.debug:
|
|
msg:
|
|
- "The items below are the services and ports that are accepted, please correct as needed"
|
|
- "{{ discovered_services_and_ports.stdout_lines }}"
|
|
|
|
- name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld"
|
|
when: rhel9cis_rule_4_2_2
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- nftables
|
|
- rule_4.2.2
|
|
- NIST800-55_CA-9
|
|
ansible.posix.firewalld:
|
|
rich_rule: "{{ item }}"
|
|
zone: "{{ rhel9cis_default_zone }}"
|
|
permanent: true
|
|
immediate: true
|
|
state: enabled
|
|
loop:
|
|
- rule family="ipv4" source address="127.0.0.1" destination not address="127.0.0.1" drop
|
|
- rule family="ipv6" source address="::1" destination not address="::1" drop
|