colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
UBUNTU24-CIS/tasks/section_4/cis_4.4.1.x.yml

413 lines
13 KiB
YAML
Raw Permalink Blame History

---
- name: "4.4.1.1 | PATCH | Ensure iptables packages are installed"
when:
- ubtu24cis_rule_4_4_1_1
- ubtu24cis_firewall_package == "iptables"
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.1
- NIST800-53R5_CA-9
- NIST800-53R5_SC-7
- iptables
ansible.builtin.package:
name: ['iptables', 'iptables-persistent']
state: present
- name: "4.4.1.2 | PATCH | Ensure nftables is not installed with iptables"
when:
- ubtu24cis_rule_4_4_1_2
- ubtu24cis_firewall_package == "iptables"
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.2
- NIST800-53R5_CA-9
- NIST800-53R5_SC-7
- iptables
ansible.builtin.package:
name: nftables
state: absent
purge: "{{ ubtu24cis_purge_apt }}"
- name: "4.4.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables"
when:
- ubtu24cis_rule_4_4_1_3
- ubtu24cis_firewall_package == "iptables"
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.3
- NIST800-53R5_CA-9
- NIST800-53R5_SC-7
- iptables
ansible.builtin.package:
name: ufw
state: absent
- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy"
when:
- ubtu24cis_rule_4_4_1_1
- ubtu24cis_ipv4_required
- not system_is_ec2
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.1
- iptables
block:
- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in"
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: 22
jump: ACCEPT
ctstate: 'NEW,ESTABLISHED'
notify: Iptables persistent
- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out"
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
source_port: 22
jump: ACCEPT
ctstate: 'NEW,ESTABLISHED'
notify: Iptables persistent
- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic"
ansible.builtin.iptables:
chain: INPUT
ctstate: 'ESTABLISHED'
jump: ACCEPT
notify: Iptables persistent
- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
ansible.builtin.iptables:
policy: DROP
chain: "{{ item }}"
notify: Iptables persistent
with_items:
- INPUT
- FORWARD
- OUTPUT
- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured"
when:
- ubtu24cis_rule_4_4_1_2
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.2
- iptables
block:
- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT"
ansible.builtin.iptables:
action: append
chain: INPUT
in_interface: lo
jump: ACCEPT
notify: Iptables persistent
- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
ansible.builtin.iptables:
action: append
chain: OUTPUT
out_interface: lo
jump: ACCEPT
notify: Iptables persistent
- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
ansible.builtin.iptables:
action: append
chain: INPUT
source: 127.0.0.0/8
jump: DROP
notify: Iptables persistent
- name: "4.4.1.3 | PATCH | Ensure iptables outbound and established connections are configured"
when:
- ubtu24cis_rule_4_4_1_3
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.3
- iptables
ansible.builtin.iptables:
action: append
chain: '{{ item.chain }}'
protocol: '{{ item.protocol }}'
match: state
ctstate: '{{ item.ctstate }}'
jump: ACCEPT
notify: Iptables persistent
with_items:
- { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
- { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
- { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
- { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports"
when:
- ubtu24cis_rule_4_4_1_4
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- audit
- rule_4.4.1.4
- iptables
vars:
warn_control_id: '4.4.1.4'
block:
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
ansible.builtin.command: ss -4tuln
changed_when: false
failed_when: false
check_mode: false
register: discovered_open_ports
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
ansible.builtin.command: iptables -L INPUT -v -n
changed_when: false
failed_when: false
check_mode: false
register: discovered_current_rules
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings"
ansible.builtin.debug:
msg:
- "Warning!! Below is the list the open ports and current rules"
- "Please create a rule for any open port that does not have a current rule"
- "Open Ports:"
- "{{ discovered_open_ports.stdout_lines }}"
- "Current Rules:"
- "{{ discovered_current_rules.stdout_lines }}"
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
# ---------------
# ---------------
# This is not a control however using the iptables module only writes to memery
# if a reboot occurs that means changes can revert. This task will make the
# above iptables settings permanent
# ---------------
# ---------------
# - name: "Make IPTables persistent | Not a control"
# block:
# - name: "Make IPTables persistent | Install iptables-persistent"
# ansible.builtin.package:
# name: iptables-persistent
# state: present
# - name: "Make IPTables persistent | Save to persistent files"
# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
# changed_when: discovered_iptables_save.rc == 0
# failed_when: discovered_iptables_save.rc > 0
# register: discovered_iptables_save
# when:
# - ubtu24cis_firewall_package == "iptables"
# - ubtu24cis_save_iptables_cis_rules
# - ubtu24cis_rule_4_4_1_1 or
# ubtu24cis_rule_4_4_1_2 or
# ubtu24cis_rule_4_4_1_3 or
# ubtu24cis_rule_4_4_1_4
- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy"
when:
- ubtu24cis_rule_4_4_1_1
- ubtu24cis_ipv6_required
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.1
- ip6tables
block:
- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out"
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
source_port: 22
jump: ACCEPT
ctstate: 'NEW,ESTABLISHED'
ip_version: ipv6
notify: Ip6tables persistent
- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic"
ansible.builtin.iptables:
chain: INPUT
ctstate: 'ESTABLISHED'
jump: ACCEPT
ip_version: ipv6
notify: Ip6tables persistent
- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items"
ansible.builtin.iptables:
policy: DROP
chain: "{{ item }}"
ip_version: ipv6
notify: Ip6tables persistent
loop:
- INPUT
- FORWARD
- OUTPUT
- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured"
when:
- ubtu24cis_rule_4_4_1_2
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv6_required
- not ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.2
- ip6tables
block:
- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT"
ansible.builtin.iptables:
action: append
chain: INPUT
in_interface: lo
jump: ACCEPT
ip_version: ipv6
notify: Ip6tables persistent
- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT"
ansible.builtin.iptables:
action: append
chain: OUTPUT
out_interface: lo
jump: ACCEPT
ip_version: ipv6
notify: Ip6tables persistent
- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop"
ansible.builtin.iptables:
action: append
chain: INPUT
source: ::1
jump: DROP
ip_version: ipv6
notify: Ip6tables persistent
- name: "4.4.1.3 | PATCH | Ensure ip6tables outbound and established connections are configured"
when:
- ubtu24cis_rule_4_4_1_3
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv6_required
- not ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- patch
- rule_4.4.1.3
- ip6tables
ansible.builtin.iptables:
action: append
chain: '{{ item.chain }}'
protocol: '{{ item.protocol }}'
match: state
ctstate: '{{ item.ctstate }}'
jump: ACCEPT
ip_version: ipv6
notify: Ip6tables persistent
loop:
- { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
- { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
- { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
- { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
- { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports"
when:
- ubtu24cis_rule_4_4_1_4
- ubtu24cis_firewall_package == "iptables"
- ubtu24cis_ipv6_required
- not ubtu24cis_ipv4_required
tags:
- level1-server
- level1-workstation
- audit
- rule_4.4.1.4
- ip6tables
vars:
warn_control_id: '4.4.1.4'
block:
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports"
ansible.builtin.command: ss -6tuln
changed_when: false
failed_when: false
check_mode: false
register: discovered_open_ports
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules"
ansible.builtin.command: ip6tables -L INPUT -v -n
changed_when: false
failed_when: false
check_mode: false
register: discovered_current_rules
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings"
ansible.builtin.debug:
msg:
- "Warning!! Below is the list the open ports and current rules"
- "Please create a rule for any open port that does not have a current rule"
- "Open Ports:"
- "{{ discovered_open_ports.stdout_lines }}"
- "Current Rules:"
- "{{ discovered_current_rules.stdout_lines }}"
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
# ---------------
# ---------------
# This is not a control however using the ip6tables module only writes to memery
# if a reboot occurs that means changes can revert. This task will make the
# above ip6tables settings permanent
# ---------------
# ---------------
# via handler
# - name: "Make IP6Tables persistent | Not a control"
# block:
# - name: "Make IP6Tables persistent | Install iptables-persistent"
# ansible.builtin.package:
# name: iptables-persistent
# state: present
# when: "'iptables-persistent' not in ansible_facts.packages"
# - name: "Make IP6Tables persistent | Save to persistent files"
# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
# changed_when: discovered_ip6tables_save.rc == 0
# failed_when: discovered_ip6tables_save.rc > 0
# register: discovered_ip6tables_save
# when:
# - ubtu24cis_firewall_package == "iptables"
# - ubtu24cis_ipv6_required
# - not ubtu24cis_ipv4_required
# - ubtu24cis_save_iptables_cis_rules
# - ubtu24cis_rule_4_4_1_1 or
# ubtu24cis_rule_4_4_1_2 or
# ubtu24cis_rule_4_4_1_3 or
# ubtu24cis_rule_4_4_1_4
Reference in New Issue View Git Blame Copy Permalink