--- - name: "2.1.1 | PATCH | Ensure autofs services are not in use" when: - ubtu24cis_rule_2_1_1 - "'autofs' in ansible_facts.packages" tags: - level1-server - level2-workstation - patch - rule_2.1.1 - NIST800-53R5_SI-3 - NIST800-53R5_MP-7 block: - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Remove Package" when: - not ubtu24cis_autofs_services - not ubtu24cis_autofs_mask ansible.builtin.package: name: autofs state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Mask service" when: - not ubtu24cis_autofs_services - ubtu24cis_autofs_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: autofs enabled: false state: stopped masked: true - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" when: ubtu24cis_rule_2_1_2 tags: - level1-server - level2-workstation - patch - avahi - rule_2.1.2 - NIST800-53R5_SI-4 block: - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Remove package" when: - not ubtu24cis_avahi_server - not ubtu24cis_avahi_mask - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" ansible.builtin.package: name: - avahi-autoipd - avahi state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Mask service" when: - not ubtu24cis_avahi_server - ubtu24cis_avahi_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false state: stopped masked: true loop: - avahi-daemon.socket - avahi-daemon.service - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use" when: ubtu24cis_rule_2_1_3 tags: - level1-server - level1-workstation - patch - dhcp - rule_2.1.3 - NIST800-53R5_CM-7 block: - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Remove package" when: - not ubtu24cis_dhcp_server - not ubtu24cis_dhcp_mask - "'isc-dhcp-server' in ansible_facts.packages" ansible.builtin.package: name: isc-dhcp-server state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Mask service" when: - not ubtu24cis_dhcp_server - ubtu24cis_dhcp_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false state: stopped masked: true loop: - isc-dhcp-server.service - isc-dhcp-server6.service - name: "2.1.4 | PATCH | Ensure dns server services are not in use" when: ubtu24cis_rule_2_1_4 tags: - level1-server - level1-workstation - patch - dns - rule_2.1.4 - NIST800-53R5_CM-7 block: - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Remove package" when: - "'bind9' in ansible_facts.packages" - not ubtu24cis_dns_server - not ubtu24cis_dns_mask ansible.builtin.package: name: bind9 state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Mask service" when: - not ubtu24cis_dns_server - ubtu24cis_dns_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: named.service enabled: false state: stopped masked: true - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use" when: ubtu24cis_rule_2_1_5 tags: - level1-server - level1-workstation - patch - dns - rule_2.1.5 - NIST800-53R5_CM-7 block: - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package" when: - "'dnsmasq' in ansible_facts.packages" - not ubtu24cis_dnsmasq_server - not ubtu24cis_dnsmasq_mask ansible.builtin.package: name: dnsmasq state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service" when: - not ubtu24cis_dnsmasq_server - ubtu24cis_dnsmasq_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: dnsmasq.service enabled: false state: stopped masked: true - name: "2.1.6 | PATCH | Ensure ftp server services are not in use" when: ubtu24cis_rule_2_1_6 tags: - level1-server - level1-workstation - automation - patch - ftp - rule_2.1.6 - NIST800-53R5_CM-7 block: - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Remove package" when: - "'vsftp' in ansible_facts.packages" - not ubtu24cis_ftp_server - not ubtu24cis_ftp_mask ansible.builtin.package: name: vsftpd state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Mask service" when: - not ubtu24cis_ftp_server - ubtu24cis_ftp_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: vsftpd.service enabled: false state: stopped masked: true - name: "2.1.7 | PATCH | Ensure ldap server services are not in use" when: ubtu24cis_rule_2_1_7 tags: - level1-server - level1-workstation - patch - ldap - rule_2.1.7 - NIST800-53R5_CM-7 block: - name: "2.1.7 | PATCH | Ensure ldap server services are not in use | Remove package" when: - "'slapd' in ansible_facts.packages" - not ubtu24cis_ldap_server - not ubtu24cis_ldap_mask ansible.builtin.package: name: slapd state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.7 | PATCH | Ensure ldap server services are not in use | Mask service" when: - not ubtu24cis_ldap_server - ubtu24cis_ldap_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: slapd.service enabled: false state: stopped masked: true - name: "2.1.8 | PATCH | Ensure message access server services are not in use" when: ubtu24cis_rule_2_1_8 tags: - level1-server - level1-workstation - patch - dovecot - imap - pop3 - rule_2.1.8 - NIST800-53R5_CM-7 block: - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Remove package" when: - "'dovecot-pop3d' in ansible_facts.packages or 'dovecot-imapd' in ansible_facts.packages" - not ubtu24cis_message_server - not ubtu24cis_message_mask ansible.builtin.package: name: - dovecot-pop3d - dovecot-imapd state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service" when: - not ubtu24cis_message_server - ubtu24cis_message_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false state: stopped masked: true loop: - "dovecot.socket" - "dovecot.service" - name: "2.1.9 | PATCH | Ensure network file system services are not in use" when: ubtu24cis_rule_2_1_9 tags: - level1-server - level1-workstation - patch - nfs - services - rule_2.1.9 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 block: - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Remove package" when: - "'nfs-kernel-server' in ansible_facts.packages" - not ubtu24cis_nfs_server - not ubtu24cis_nfs_mask ansible.builtin.package: name: nfs-kernel-server state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Mask service" when: - not ubtu24cis_nfs_server - ubtu24cis_nfs_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: nfs-server.service enabled: false state: stopped masked: true - name: "2.1.10 | PATCH | Ensure nis server services are not in use" when: ubtu24cis_rule_2_1_10 tags: - level1-server - level1-workstation - patch - nis - rule_2.1.10 - NIST800-53R5_CM-7 notify: Systemd_daemon_reload block: - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package" when: - "'ypserv' in ansible_facts.packages" - not ubtu24cis_nis_server - not ubtu24cis_nis_mask ansible.builtin.package: name: ypserv state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Mask service" when: - not ubtu24cis_nis_server - ubtu24cis_nis_mask ansible.builtin.systemd: name: ypserv.service enabled: false state: stopped masked: true - name: "2.1.11 | PATCH | Ensure print server services are not in use" when: ubtu24cis_rule_2_1_11 tags: - level1-server - patch - cups - rule_2.1.11 - NIST800-53R5_CM-7 block: - name: "2.1.11 | PATCH | Ensure print server services are not in use | Remove package" when: - "'cups' in ansible_facts.packages" - not ubtu24cis_print_server - not ubtu24cis_print_mask ansible.builtin.package: name: cups state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.11 | PATCH | Ensure print server services are not in use | Mask service" when: - not ubtu24cis_print_server - ubtu24cis_print_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false state: stopped masked: true loop: - "cups.socket" - "cups.service" - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use" when: ubtu24cis_rule_2_1_12 tags: - level1-server - level1-workstation - patch - rpc - rule_2.1.12 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 block: - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Remove package" when: - "'rpcbind' in ansible_facts.packages" - not ubtu24cis_rpc_server - not ubtu24cis_rpc_mask ansible.builtin.package: name: rpcbind state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Mask service" when: - not ubtu24cis_rpc_server - ubtu24cis_rpc_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false state: stopped masked: true loop: - rpcbind.service - rpcbind.socket - name: "2.1.13 | PATCH | Ensure rsync services are not in use" when: ubtu24cis_rule_2_1_13 tags: - level1-server - level1-workstation - patch - rsync - rule_2.1.13 - NIST800-53R5_CM-7 block: - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Remove package" when: - "'rsync' in ansible_facts.packages" - not ubtu24cis_rsync_server - not ubtu24cis_rsync_mask ansible.builtin.package: name: rsync state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Mask service" when: - not ubtu24cis_rsync_server - ubtu24cis_rsync_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: rsyncd.service enabled: false state: stopped masked: true - name: "2.1.14 | PATCH | Ensure samba file server services are not in use" when: ubtu24cis_rule_2_1_14 tags: - level1-server - level1-workstation - patch - samba - rule_2.1.14 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 block: - name: "2.1.14 | PATCH | Ensure samba file server services are not in use | Remove package" when: - "'samba' in ansible_facts.packages" - not ubtu24cis_samba_server - not ubtu24cis_samba_mask ansible.builtin.package: name: samba state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.14 | PATCH | Ensure samba file server services are not in use | Mask service" when: - not ubtu24cis_samba_server - ubtu24cis_samba_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: smbd.service enabled: false state: stopped masked: true - name: "2.1.15 | PATCH | Ensure snmp services are not in use" when: ubtu24cis_rule_2_1_15 tags: - level1-server - level1-workstation - automation - patch - samba - rule_2.1.15 - NIST800-53R5_CM-7 block: - name: "2.1.15 | PATCH | Ensure snmp services are not in use | Remove package" when: - "'snmpd' in ansible_facts.packages" - not ubtu24cis_snmp_server - not ubtu24cis_snmp_mask ansible.builtin.package: name: snmpd state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.15 | PATCH | Ensure snmp services are not in use | Mask service" when: - not ubtu24cis_snmp_server - ubtu24cis_snmp_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: snmpd.service enabled: false state: stopped masked: true - name: "2.1.16 | PATCH | Ensure tftp server services are not in use" when: ubtu24cis_rule_2_1_16 tags: - level1-server - level1-workstation - patch - tftp - rule_2.1.16 - NIST800-53R5_CM-7 block: - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Remove package" when: - "'tftpd-hpa' in ansible_facts.packages" - not ubtu24cis_tftp_server - not ubtu24cis_tftp_mask ansible.builtin.package: name: tftpd-hpa state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Mask service" when: - not ubtu24cis_tftp_server - ubtu24cis_tftp_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: tftpd-hpa.service enabled: false state: stopped masked: true - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use" when: ubtu24cis_rule_2_1_17 tags: - level1-server - level1-workstation - patch - squid - rule_2.1.17 - NIST800-53R5_CM-7 block: - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Remove package" when: - "'squid' in ansible_facts.packages" - not ubtu24cis_squid_server - not ubtu24cis_squid_mask ansible.builtin.package: name: squid state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Mask service" when: - not ubtu24cis_squid_server - ubtu24cis_squid_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: squid.service enabled: false state: stopped masked: true - name: "2.1.18 | PATCH | Ensure web server services are not in use" when: ubtu24cis_rule_2_1_18 tags: - level1-server - level1-workstation - patch - httpd - nginx - webserver - rule_2.1.18 - NIST800-53R5_CM-7 block: - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove httpd server" when: - not ubtu24cis_apache2_server - not ubtu24cis_apache2_mask - "'apache2' in ansible_facts.packages" ansible.builtin.package: name: apache2 state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove nginx server" when: - not ubtu24cis_nginx_server - not ubtu24cis_nginx_mask - "'nginx' in ansible_facts.packages" ansible.builtin.package: name: nginx state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask httpd service" when: - not ubtu24cis_apache2_server - ubtu24cis_apache2_mask - "'apache2' in ansible_facts.packages" notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false state: stopped masked: true loop: - apache2.service - apache2.socket - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service" when: - not ubtu24cis_nginx_server - ubtu24cis_nginx_mask - "'nginx' in ansible_facts.packages" notify: Systemd_daemon_reload ansible.builtin.systemd: name: ngnix.service enabled: false state: stopped masked: true - name: "2.1.19 | PATCH | Ensure xinetd services are not in use" when: ubtu24cis_rule_2_1_19 tags: - level1-server - level1-workstation - patch - xinetd - rule_2.1.19 - NIST800-53R5_CM-7 block: - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Remove package" when: - "'xinetd' in ansible_facts.packages" - not ubtu24cis_xinetd_server - not ubtu24cis_xinetd_mask ansible.builtin.package: name: xinetd state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Mask service" when: - not ubtu24cis_xinetd_server - ubtu24cis_xinetd_mask notify: Systemd_daemon_reload ansible.builtin.systemd: name: xinetd.service enabled: false state: stopped masked: true - name: "2.1.20 | PATCH | Ensure X window server services are not in use" when: - not ubtu24cis_xwindow_server - "'xorg-x11-server-common' in ansible_facts.packages" - ubtu24cis_rule_2_1_20 tags: - level2-server - patch - xwindow - rule_2.1.20 - NIST800-53R5_CM-11 ansible.builtin.package: name: xorg-x11-server-common state: absent purge: "{{ ubtu24cis_purge_apt }}" - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode" when: - not ubtu24cis_is_mail_server - ubtu24cis_rule_2_1_21 tags: - level1-server - level1-workstation - patch - postfix - rule_2.1.21 - NIST800-53R5_CM-7 vars: warn_control_id: '2.2.21' block: - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed" when: "'exim4' in ansible_facts.packages" ansible.builtin.lineinfile: path: /etc/exim4/update-exim4.conf.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" loop: - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" } - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" } - { regexp: '^dc_readhost', line: "dc_readhost=''" } - { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" } - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" } - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" } - { regexp: '^dc_smarthost', line: "dc_smarthost=''" } - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" } - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" } - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" } - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" } notify: Restart exim4 - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if postfix is installed" when: "'postfix' in ansible_facts.packages" notify: Restart postfix ansible.builtin.lineinfile: path: /etc/postfix/main.cf regexp: '^(#)?inet_interfaces\s*=(?!\s*loopback-only\s*).*' line: 'inet_interfaces = loopback-only' - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents" when: - "'exim4' not in ansible_facts.packages" - "'postfix' not in ansible_facts.packages" ansible.builtin.debug: msg: - "Warning!! You are not using either exim4 or postfix, please ensure mail services set for local only mode" - "Please review your vendors documentation to configure local-only mode" - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | warn_count" when: - "'exim4' not in ansible_facts.packages" - "'postfix' not in ansible_facts.packages" ansible.builtin.import_tasks: file: warning_facts.yml - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface" when: ubtu24cis_rule_2_1_22 tags: - level1-server - level1-workstation - audit - services - rule_2.1.22 - NIST800-53R5_CM-7 vars: warn_control_id: '2.1.22' block: - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" ansible.builtin.command: systemctl list-units --type=service # noqa command-instead-of-module changed_when: false failed_when: discovered_listening_services.rc not in [ 0, 1 ] check_mode: false register: discovered_listening_services - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Display list of services" ansible.builtin.debug: msg: - "Warning!! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - "{{ discovered_listening_services.stdout_lines }}" - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count" ansible.builtin.import_tasks: file: warning_facts.yml