UBUNTU24-CIS/tasks/section_3/cis_3.3.x.yml


---
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled"
when:
- ubtu24cis_rule_3_3_1
- not ubtu24cis_is_router
tags:
- level1-server
- level1-workstation
- patch
- rule_3.3.1
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- ip_forwarding
- sysctl
block:
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv4 settings"
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '0'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
notify:
- Flush ipv4 route table
- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv6 settings"
when: ubtu24cis_ipv6_disable == 'sysctl'
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: '0'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
notify:
- Flush ipv6 route table
- name: "3.3.2 | PATCH | Ensure packet redirect sending is disabled"
when:
- ubtu24cis_rule_3_3_2
- not ubtu24cis_is_router
tags:
- level1-server
- level1-workstation
- patch
- rule_3.3.2
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- packet_redirect
- sysctl
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
loop:
- net.ipv4.conf.all.send_redirects
- net.ipv4.conf.default.send_redirects
notify: Flush ipv4 route table
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
when: ubtu24cis_rule_3_3_3
tags:
- level1-server
- level1-workstation
- patch
- rule_3.3.3
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- icmp
- sysctl
ansible.posix.sysctl:
name: net.ipv4.icmp_ignore_bogus_error_responses
value: '1'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
notify: Flush ipv4 route table
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
when: ubtu24cis_rule_3_3_4
tags:
- level1-server
- level1-workstation
- patch
- rule_3.3.4
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- icmp
- sysctl
ansible.posix.sysctl:
name: net.ipv4.icmp_echo_ignore_broadcasts
value: '1'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
notify: Flush ipv4 route table
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
when: ubtu24cis_rule_3_3_5
tags:
- level1-server
- level1-workstation
- patch
- rule_3.3.5
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- icmp
- sysctl
block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings"
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
loop:
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
notify: Flush ipv4 route table
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings"
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
when: ubtu24cis_ipv6_disable == 'sysctl'
loop:
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
notify: Flush ipv6 route table
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
when: ubtu24cis_rule_3_3_6
tags:
- level1-server
- level1-workstation
- patch
- rule_3.3.6
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- icmp
- sysctl
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
loop:
- net.ipv4.conf.all.secure_redirects
- net.ipv4.conf.default.secure_redirects
notify: Flush ipv4 route table
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
when: ubtu24cis_rule_3_3_7
tags:
- level1-server
- level1-workstation
- patch
- rule_3.3.7
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- reverse_path_filtering
- sysctl
ansible.posix.sysctl:
name: "{{ item }}"
value: '1'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
loop:
- net.ipv4.conf.all.rp_filter
- net.ipv4.conf.default.rp_filter
notify: Flush ipv4 route table
- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted"
when:
- ubtu24cis_rule_3_3_8
- not ubtu24cis_is_router
tags:
- level1-server
- level1-workstation
- patch
- rule_3.3.8
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- routed_packets
- sysctl
block:
- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv4 settings"
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
loop:
- net.ipv4.conf.all.accept_source_route
- net.ipv4.conf.default.accept_source_route
notify: Flush ipv4 route table
- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv6 settings"
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
when: ubtu24cis_ipv6_disable == 'sysctl'
loop:
- net.ipv6.conf.all.accept_source_route
- net.ipv6.conf.default.accept_source_route
notify: Flush ipv6 route table
- name: "3.3.9 | PATCH | Ensure suspicious packets are logged"
when:
- ubtu24cis_rule_3_3_9
tags:
- level1-server
- level1-workstation
- patch
- rule_3.3.9
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- suspicious_packets
- sysctl
ansible.posix.sysctl:
name: "{{ item }}"
value: '1'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
loop:
- net.ipv4.conf.all.log_martians
- net.ipv4.conf.default.log_martians
notify: Flush ipv4 route table
- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled"
when:
- ubtu24cis_rule_3_3_10
tags:
- level1-server
- level1-workstation
- patch
- rule_3.3.10
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- tcp_syn_cookies
- sysctl
ansible.posix.sysctl:
name: net.ipv4.tcp_syncookies
value: '1'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
notify: Flush ipv4 route table
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted"
when:
- ubtu24cis_rule_3_3_11
- ubtu24cis_ipv6_required
tags:
- level1-server
- level1-workstation
- patch
- rule_3.3.11
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- ipv6
- router_advertisements
- sysctl
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
sysctl_file: "{{ ubtu24cis_sysctl_network_conf }}"
state: present
reload: true
ignoreerrors: true
loop:
- net.ipv6.conf.all.accept_ra
- net.ipv6.conf.default.accept_ra
notify: Flush ipv6 route table