--- - name: "4.4.1.1 | PATCH | Ensure iptables packages are installed" when: - ubtu24cis_rule_4_4_1_1 - ubtu24cis_firewall_package == "iptables" tags: - level1-server - level1-workstation - patch - rule_4.4.1.1 - NIST800-53R5_CA-9 - NIST800-53R5_SC-7 - iptables ansible.builtin.package: name: ['iptables', 'iptables-persistent'] state: present - name: "4.4.1.2 | PATCH | Ensure nftables is not installed with iptables" when: - ubtu24cis_rule_4_4_1_2 - ubtu24cis_firewall_package == "iptables" tags: - level1-server - level1-workstation - patch - rule_4.4.1.2 - NIST800-53R5_CA-9 - NIST800-53R5_SC-7 - iptables ansible.builtin.package: name: nftables state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "4.4.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables" when: - ubtu24cis_rule_4_4_1_3 - ubtu24cis_firewall_package == "iptables" tags: - level1-server - level1-workstation - patch - rule_4.4.1.3 - NIST800-53R5_CA-9 - NIST800-53R5_SC-7 - iptables ansible.builtin.package: name: ufw state: absent - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy" when: - ubtu24cis_rule_4_4_1_1 - ubtu24cis_ipv4_required - not system_is_ec2 tags: - level1-server - level1-workstation - patch - rule_4.4.1.1 - iptables block: - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" ansible.builtin.iptables: chain: INPUT protocol: tcp destination_port: 22 jump: ACCEPT ctstate: 'NEW,ESTABLISHED' notify: Iptables persistent - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" ansible.builtin.iptables: chain: OUTPUT protocol: tcp source_port: 22 jump: ACCEPT ctstate: 'NEW,ESTABLISHED' notify: Iptables persistent - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" ansible.builtin.iptables: chain: INPUT ctstate: 'ESTABLISHED' jump: ACCEPT notify: Iptables persistent - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" ansible.builtin.iptables: policy: DROP chain: "{{ item }}" notify: Iptables persistent with_items: - INPUT - FORWARD - OUTPUT - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured" when: - ubtu24cis_rule_4_4_1_2 - ubtu24cis_firewall_package == "iptables" - ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - patch - rule_4.4.1.2 - iptables block: - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT notify: Iptables persistent - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: OUTPUT out_interface: lo jump: ACCEPT notify: Iptables persistent - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: INPUT source: 127.0.0.0/8 jump: DROP notify: Iptables persistent - name: "4.4.1.3 | PATCH | Ensure iptables outbound and established connections are configured" when: - ubtu24cis_rule_4_4_1_3 - ubtu24cis_firewall_package == "iptables" - ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - patch - rule_4.4.1.3 - iptables ansible.builtin.iptables: action: append chain: '{{ item.chain }}' protocol: '{{ item.protocol }}' match: state ctstate: '{{ item.ctstate }}' jump: ACCEPT notify: Iptables persistent with_items: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" when: - ubtu24cis_rule_4_4_1_4 - ubtu24cis_firewall_package == "iptables" - ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - audit - rule_4.4.1.4 - iptables vars: warn_control_id: '4.4.1.4' block: - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" ansible.builtin.command: ss -4tuln changed_when: false failed_when: false check_mode: false register: discovered_open_ports - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" ansible.builtin.command: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false register: discovered_current_rules - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: msg: - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - "{{ discovered_open_ports.stdout_lines }}" - "Current Rules:" - "{{ discovered_current_rules.stdout_lines }}" - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml # --------------- # --------------- # This is not a control however using the iptables module only writes to memery # if a reboot occurs that means changes can revert. This task will make the # above iptables settings permanent # --------------- # --------------- # - name: "Make IPTables persistent | Not a control" # block: # - name: "Make IPTables persistent | Install iptables-persistent" # ansible.builtin.package: # name: iptables-persistent # state: present # - name: "Make IPTables persistent | Save to persistent files" # ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" # changed_when: discovered_iptables_save.rc == 0 # failed_when: discovered_iptables_save.rc > 0 # register: discovered_iptables_save # when: # - ubtu24cis_firewall_package == "iptables" # - ubtu24cis_save_iptables_cis_rules # - ubtu24cis_rule_4_4_1_1 or # ubtu24cis_rule_4_4_1_2 or # ubtu24cis_rule_4_4_1_3 or # ubtu24cis_rule_4_4_1_4 - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy" when: - ubtu24cis_rule_4_4_1_1 - ubtu24cis_ipv6_required tags: - level1-server - level1-workstation - patch - rule_4.4.1.1 - ip6tables block: - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" ansible.builtin.iptables: chain: OUTPUT protocol: tcp source_port: 22 jump: ACCEPT ctstate: 'NEW,ESTABLISHED' ip_version: ipv6 notify: Ip6tables persistent - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" ansible.builtin.iptables: chain: INPUT ctstate: 'ESTABLISHED' jump: ACCEPT ip_version: ipv6 notify: Ip6tables persistent - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" ansible.builtin.iptables: policy: DROP chain: "{{ item }}" ip_version: ipv6 notify: Ip6tables persistent loop: - INPUT - FORWARD - OUTPUT - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured" when: - ubtu24cis_rule_4_4_1_2 - ubtu24cis_firewall_package == "iptables" - ubtu24cis_ipv6_required - not ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - patch - rule_4.4.1.2 - ip6tables block: - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT ip_version: ipv6 notify: Ip6tables persistent - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: OUTPUT out_interface: lo jump: ACCEPT ip_version: ipv6 notify: Ip6tables persistent - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" ansible.builtin.iptables: action: append chain: INPUT source: ::1 jump: DROP ip_version: ipv6 notify: Ip6tables persistent - name: "4.4.1.3 | PATCH | Ensure ip6tables outbound and established connections are configured" when: - ubtu24cis_rule_4_4_1_3 - ubtu24cis_firewall_package == "iptables" - ubtu24cis_ipv6_required - not ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - patch - rule_4.4.1.3 - ip6tables ansible.builtin.iptables: action: append chain: '{{ item.chain }}' protocol: '{{ item.protocol }}' match: state ctstate: '{{ item.ctstate }}' jump: ACCEPT ip_version: ipv6 notify: Ip6tables persistent loop: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" when: - ubtu24cis_rule_4_4_1_4 - ubtu24cis_firewall_package == "iptables" - ubtu24cis_ipv6_required - not ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - audit - rule_4.4.1.4 - ip6tables vars: warn_control_id: '4.4.1.4' block: - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" ansible.builtin.command: ss -6tuln changed_when: false failed_when: false check_mode: false register: discovered_open_ports - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" ansible.builtin.command: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false register: discovered_current_rules - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: msg: - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - "{{ discovered_open_ports.stdout_lines }}" - "Current Rules:" - "{{ discovered_current_rules.stdout_lines }}" - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml # --------------- # --------------- # This is not a control however using the ip6tables module only writes to memery # if a reboot occurs that means changes can revert. This task will make the # above ip6tables settings permanent # --------------- # --------------- # via handler # - name: "Make IP6Tables persistent | Not a control" # block: # - name: "Make IP6Tables persistent | Install iptables-persistent" # ansible.builtin.package: # name: iptables-persistent # state: present # when: "'iptables-persistent' not in ansible_facts.packages" # - name: "Make IP6Tables persistent | Save to persistent files" # ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" # changed_when: discovered_ip6tables_save.rc == 0 # failed_when: discovered_ip6tables_save.rc > 0 # register: discovered_ip6tables_save # when: # - ubtu24cis_firewall_package == "iptables" # - ubtu24cis_ipv6_required # - not ubtu24cis_ipv4_required # - ubtu24cis_save_iptables_cis_rules # - ubtu24cis_rule_4_4_1_1 or # ubtu24cis_rule_4_4_1_2 or # ubtu24cis_rule_4_4_1_3 or # ubtu24cis_rule_4_4_1_4