
---
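- name: "4.4.2.1 | PATCH | Ensure iptables default deny firewall policy"
  # Guarded on the selected firewall backend like the other 4.4.2.x tasks in
  # this file; without that guard the DROP policies below would be applied on a
  # host whose firewall is managed by a different package.
  when:
    - ubtu24cis_rule_4_4_2_1
    - ubtu24cis_firewall_package == "iptables"
    - ubtu24cis_ipv4_required
    - not system_is_ec2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_4.4.2.1
    - NIST800-53R5_CA-9
    - NIST800-53R5_SC-7
    - iptables
  block:
    # The ACCEPT rules are added before the chain policies are switched to
    # DROP so the SSH session driving this play is not cut off mid-run.
    - name: "4.4.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in"
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: 22
        jump: ACCEPT
        ctstate: 'NEW,ESTABLISHED'
      notify: Iptables persistent

    - name: "4.4.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out"
      ansible.builtin.iptables:
        chain: OUTPUT
        protocol: tcp
        source_port: 22
        jump: ACCEPT
        ctstate: 'NEW,ESTABLISHED'
      notify: Iptables persistent

    # Reply traffic for connections the host opened (package downloads etc.);
    # only ESTABLISHED is accepted, so this does not admit new inbound flows.
    - name: "4.4.2.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic"
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: 'ESTABLISHED'
        jump: ACCEPT
      notify: Iptables persistent

    # Default deny on all three filter chains, applied last.
    - name: "4.4.2.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
      ansible.builtin.iptables:
        policy: DROP
        chain: "{{ item }}"
      notify: Iptables persistent
      loop:
        - INPUT
        - FORWARD
        - OUTPUT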
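- name: "4.4.2.2 | PATCH | Ensure iptables loopback traffic is configured"
  when:
    - ubtu24cis_rule_4_4_2_2
    - ubtu24cis_firewall_package == "iptables"
    - ubtu24cis_ipv4_required
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_4.4.2.2
    - NIST800-53R5_CA-9
    - NIST800-53R5_SC-7
    - iptables
  block:
    - name: "4.4.2.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT"
      ansible.builtin.iptables:
        action: append
        chain: INPUT
        in_interface: lo
        jump: ACCEPT
      notify: Iptables persistent

    - name: "4.4.2.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
      ansible.builtin.iptables:
        action: append
        chain: OUTPUT
        out_interface: lo
        jump: ACCEPT
      notify: Iptables persistent

    # Task name corrected: this rule drops inbound packets that claim a loopback
    # source address but did not arrive on lo. It is appended after the
    # "-i lo ACCEPT" rule above, so genuine loopback traffic is matched first.
    - name: "4.4.2.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT 127.0.0.0/8 DROP"
      ansible.builtin.iptables:
        action: append
        chain: INPUT
        source: 127.0.0.0/8
        jump: DROP
      notify: Iptables persistent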
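- name: "4.4.2.3 | PATCH | Ensure iptables outbound and established connections are configured"
  when:
    - ubtu24cis_rule_4_4_2_3
    - ubtu24cis_firewall_package == "iptables"
    - ubtu24cis_ipv4_required
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_4.4.2.3
    - NIST800-53R5_CA-9
    - NIST800-53R5_SC-7
    - iptables
  # One ACCEPT rule per chain/protocol pair. OUTPUT admits NEW and ESTABLISHED
  # so the host may initiate connections; INPUT admits ESTABLISHED only, so
  # inbound traffic is accepted here solely as part of an existing connection.
  ansible.builtin.iptables:
    action: append
    chain: '{{ item.chain }}'
    protocol: '{{ item.protocol }}'
    match: state
    ctstate: '{{ item.ctstate }}'
    jump: ACCEPT
  notify: Iptables persistent
  # `loop` with block-style items replaces `with_items`, matching the loop form
  # used by 4.4.2.1; the items are mappings, so the iteration is unchanged.
  loop:
    - chain: OUTPUT
      protocol: tcp
      ctstate: 'NEW,ESTABLISHED'
    - chain: OUTPUT
      protocol: udp
      ctstate: 'NEW,ESTABLISHED'
    - chain: OUTPUT
      protocol: icmp
      ctstate: 'NEW,ESTABLISHED'
    - chain: INPUT
      protocol: tcp
      ctstate: 'ESTABLISHED'
    - chain: INPUT
      protocol: udp
      ctstate: 'ESTABLISHED'
    - chain: INPUT
      protocol: icmp
      ctstate: 'ESTABLISHED'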
- name: '4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports'
  vars:
    warn_control_id: '4.4.2.4'
  # Audit only: collects the IPv4 listening sockets and the INPUT chain, prints
  # both for the operator to compare, then records the warning. Nothing on the
  # host is modified by this task.
  block:
    - name: '4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports'
      ansible.builtin.command: ss -4tuln
      register: discovered_open_ports
      # Informational command: never reports a change and never fails the play,
      # and it runs in check mode too so the audit output is still produced.
      changed_when: false
      failed_when: false
      check_mode: false

    - name: '4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules'
      ansible.builtin.command: iptables -L INPUT -v -n
      register: discovered_current_rules
      changed_when: false
      failed_when: false
      check_mode: false

    - name: '4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings'
      ansible.builtin.debug:
        msg:
          - 'Warning!! Below is the list the open ports and current rules'
          - 'Please create a rule for any open port that does not have a current rule'
          - 'Open Ports:'
          - '{{ discovered_open_ports.stdout_lines }}'
          - 'Current Rules:'
          - '{{ discovered_current_rules.stdout_lines }}'

    # warning_facts.yml is shared by the audit tasks; it reads warn_control_id
    # set in vars above.
    - name: '4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count'
      ansible.builtin.import_tasks:
        file: warning_facts.yml
  when:
    - ubtu24cis_rule_4_4_2_4
    - ubtu24cis_firewall_package == "iptables"
    - ubtu24cis_ipv4_required
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_4.4.2.4
    - NIST800-53R5_CA-9
    - NIST800-53R5_SC-7
    - iptables
# ---------------
# ---------------
# This is not a control; however, the iptables module only writes rules to the
# running kernel, so a reboot can revert them. This task would make the above
# iptables settings permanent.
# ---------------
# ---------------
# - name: "Make IPTables persistent | Not a control"
# block:
# - name: "Make IPTables persistent | Install iptables-persistent"
# ansible.builtin.package:
# name: iptables-persistent
# state: present
# - name: "Make IPTables persistent | Save to persistent files"
# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
# changed_when: discovered_iptables_save.rc == 0
# failed_when: discovered_iptables_save.rc > 0
# register: discovered_iptables_save
# when:
# - ubtu24cis_firewall_package == "iptables"
# - ubtu24cis_save_iptables_cis_rules
# - ubtu24cis_rule_4_4_2_1 or
# ubtu24cis_rule_4_4_2_2 or
# ubtu24cis_rule_4_4_2_3 or
# ubtu24cis_rule_4_4_2_4