--- - name: "4.4.3.1 | PATCH | Ensure ip6tables default deny firewall policy" when: ubtu24cis_rule_4_4_3_1 tags: - level1-server - level1-workstationå - patch - rule_4.4.3.1 - NIST800-53R5_CA-9 - NIST800-53R5_SC-7 - ip6tables block: - name: "4.4.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" ansible.builtin.iptables: chain: OUTPUT protocol: tcp source_port: 22 jump: ACCEPT ctstate: 'NEW,ESTABLISHED' ip_version: ipv6 notify: Ip6tables persistent - name: "4.4.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" ansible.builtin.iptables: chain: INPUT ctstate: 'ESTABLISHED' jump: ACCEPT ip_version: ipv6 notify: Ip6tables persistent - name: "4.4.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" ansible.builtin.iptables: policy: DROP chain: "{{ item }}" ip_version: ipv6 notify: Ip6tables persistent loop: - INPUT - FORWARD - OUTPUT - name: "4.4.3.2 | PATCH | Ensure ip6tables loopback traffic is configured" when: - ubtu24cis_rule_4_4_3_2 - not ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - patch - rule_4.4.3.2 - NIST800-53R5_CA-9 - NIST800-53R5_SC-7 - ip6tables block: - name: "4.4.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: INPUT in_interface: lo jump: ACCEPT ip_version: ipv6 notify: Ip6tables persistent - name: "4.4.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" ansible.builtin.iptables: action: append chain: OUTPUT out_interface: lo jump: ACCEPT ip_version: ipv6 notify: Ip6tables persistent - name: "4.4.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" ansible.builtin.iptables: action: append chain: INPUT source: ::1 jump: DROP ip_version: ipv6 notify: Ip6tables persistent - name: "4.4.3.3 | PATCH | Ensure ip6tables outbound and established connections are configured" when: - ubtu24cis_rule_4_4_3_3 - not ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - patch - rule_4.4.3.3 - NIST800-53R5_CA-9 - NIST800-53R5_SC-7 - ip6tables ansible.builtin.iptables: action: append chain: '{{ item.chain }}' protocol: '{{ item.protocol }}' match: state ctstate: '{{ item.ctstate }}' jump: ACCEPT ip_version: ipv6 notify: Ip6tables persistent loop: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" when: - ubtu24cis_rule_4_4_3_4 - not ubtu24cis_ipv4_required tags: - level1-server - level1-workstation - audit - rule_4.4.3.4 - NIST800-53R5_CA-9 - NIST800-53R5_SC-7 - ip6tables vars: warn_control_id: '4.4.3.4' block: - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" ansible.builtin.command: ss -6tuln changed_when: false failed_when: false check_mode: false register: discovered_open_ports - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" ansible.builtin.command: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false register: discovered_current_rules - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: msg: - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - "{{ discovered_open_ports.stdout_lines }}" - "Current Rules:" - "{{ discovered_current_rules.stdout_lines }}" - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml # --------------- # --------------- # This is not a control however using the ip6tables module only writes to memory # if a reboot occurs that means changes can revert. This task will make the # above ip6tables settings permanent # --------------- # --------------- # via handler # - name: "Make IP6Tables persistent | Not a control" # block: # - name: "Make IP6Tables persistent | Install iptables-persistent" # ansible.builtin.package: # name: iptables-persistent # state: present # when: "'iptables-persistent' not in ansible_facts.packages" # - name: "Make IP6Tables persistent | Save to persistent files" # ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" # changed_when: discovered_ip6tables_save.rc == 0 # failed_when: discovered_ip6tables_save.rc > 0 # register: discovered_ip6tables_save # when: # - ubtu24cis_firewall_package == "iptables" # - ubtu24cis_ipv6_required # - not ubtu24cis_ipv4_required # - ubtu24cis_save_iptables_cis_rules # - ubtu24cis_rule_4_4_1_1 or # ubtu24cis_rule_4_4_1_2 or # ubtu24cis_rule_4_4_1_3 or # ubtu24cis_rule_4_4_1_4