
---
# Section 4.2.x: host firewall via ufw.
# The package checks below read ansible_facts.packages, so package_facts must
# already have been gathered before this task file is included (done elsewhere
# in the role; not visible here).
- name: '4.2.1 | PATCH | Ensure ufw is installed'
  when:
    - ubtu24cis_rule_4_2_1
    - '"ufw" not in ansible_facts.packages'
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_4.2.1
    - NIST800-53R5_SC-7
    - apt
    - ufw
  ansible.builtin.package:
    state: present
    name: ufw
- name: '4.2.2 | PATCH | Ensure iptables-persistent is not installed with ufw'
  # Gated only on iptables-persistent being present: the task does not
  # re-check that ufw itself is installed (4.2.1 takes care of that, but a run
  # with rule 4.2.1 disabled would still remove the package).
  when:
    - ubtu24cis_rule_4_2_2
    - '"iptables-persistent" in ansible_facts.packages'
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_4.2.2
    - NIST800-53R5_SC-7
    - ufw
  ansible.builtin.package:
    state: absent
    name: iptables-persistent
# The OpenSSH allow rule is added in the same task that turns ufw on: once the
# firewall is enabled, the Ansible SSH session itself has to be permitted or
# the play loses the host. The rule has no from_ip, so SSH is allowed from any
# source; narrow it afterwards if the deployment requires.
- name: "4.2.3 | PATCH | Ensure ufw service is enabled"
  when: ubtu24cis_rule_4_2_3
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_4.2.3
    - NIST800-53R5_SC-7
    - ufw
  block:
    # Order matters: the SSH allow rule (which also sets state: enabled) must
    # run before the systemd unit is enabled and started.
    - name: "4.2.3 | PATCH | Ensure ufw service is enabled | ssh port enabled"
      community.general.ufw:
        state: enabled
        rule: allow
        name: OpenSSH  # ufw application profile
      notify: Reload ufw  # handler defined elsewhere in the role
    - name: "4.2.3 | PATCH | Ensure ufw service is enabled | service"
      ansible.builtin.systemd:
        name: ufw
        state: started
        enabled: true
        force: true  # override existing unit symlinks
- name: "4.2.4 | PATCH | Ensure ufw loopback traffic is configured"
  when: ubtu24cis_rule_4_2_4
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_4.2.4
    - NIST800-53R5_SC-7
    - ufw
  # Loopback is allowed in both directions on the lo interface; anything
  # claiming a loopback source address on any other interface is denied
  # (address spoofing protection). Each rule change notifies the reload
  # handler, which is defined elsewhere in the role.
  block:
    - name: "4.2.4 | PATCH | Ensure ufw loopback traffic is configured | Set allow in ufw rules"
      community.general.ufw:
        interface: lo
        direction: in
        rule: allow
      notify: Reload ufw
    - name: "4.2.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules"
      community.general.ufw:
        interface: lo
        direction: out
        rule: allow
      notify: Reload ufw
    - name: "4.2.4 | PATCH | Ensure ufw loopback traffic is configured | Set deny ufw rules IPv4"
      community.general.ufw:
        from_ip: '127.0.0.0/8'
        direction: in
        rule: deny
      notify: Reload ufw
    # The IPv6 deny is skipped when IPv6 is not required, since ufw rejects
    # IPv6 rules while its IPv6 support is turned off.
    - name: "4.2.4 | PATCH | Ensure ufw loopback traffic is configured | Set deny ufw rules IPv6"
      when: ubtu24cis_ipv6_required
      community.general.ufw:
        from_ip: '::1'  # quoted: a leading ':' is a YAML indicator
        direction: in
        rule: deny
      notify: Reload ufw
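- name: "4.2.5 | PATCH | Ensure ufw outbound connections are configured"
  when: ubtu24cis_rule_4_2_5
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_4.2.5
    - NIST800-53R5_SC-7
    - ufw
  # ubtu24cis_ufw_allow_out_ports appears to be either the literal 'all' or a
  # list of ports (confirm against the role defaults). The two tasks below are
  # mutually exclusive: the port-list task runs only when 'all' is absent, the
  # allow-all task only when it is present. The earlier `!= "all"` test let a
  # list value such as ['all'] trigger both tasks, passing 'all' as a port.
  # These allow-out rules must be in place before 4.2.7 switches the outgoing
  # default policy to deny.
  block:
    - name: "4.2.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports"
      when: "'all' not in ubtu24cis_ufw_allow_out_ports"
      community.general.ufw:
        rule: allow
        direction: out
        to_port: '{{ item }}'
      # with_items flattens one level, so a list variable yields one rule per port
      with_items:
        - "{{ ubtu24cis_ufw_allow_out_ports }}"
      notify: Reload ufw
    - name: "4.2.5 | PATCH | Ensure ufw outbound connections are configured | Allow all"
      when: "'all' in ubtu24cis_ufw_allow_out_ports"
      community.general.ufw:
        rule: allow
        direction: out
      notify: Reload ufw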
- name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports"
  when: ubtu24cis_rule_4_2_6
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_4.2.6
    - NIST800-53R5_SC-7
    - ufw
  vars:
    warn_control_id: '4.2.6'  # presumably consumed by warning_facts.yml; verify there
  # Audit only: listening sockets and the current ufw rule set are collected
  # and printed side by side for a human to compare; nothing is changed.
  block:
    # NOTE(review): `ss -4tuln` lists IPv4 listeners only. IPv6 and dual-stack
    # sockets bound to :: are not shown, so hosts with ubtu24cis_ipv6_required
    # may need a separate check — confirm.
    # failed_when: false means a failing command (for example, ufw absent or
    # inactive) is not an error; the report then shows empty output rather
    # than failing the play.
    - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports"
      ansible.builtin.command:
        cmd: ss -4tuln
      register: discovered_ufw_open_listen_ports
      check_mode: false
      changed_when: false
      failed_when: false
    - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules"
      ansible.builtin.command:
        cmd: ufw status
      register: discovered_ufw_firewall_rules
      check_mode: false
      changed_when: false
      failed_when: false
    - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings"
      ansible.builtin.debug:
        msg:
          - "Warning!! Below are the listening ports and firewall rules"
          - "Please create firewall rule for any open ports if not already done"
          - "*****---Open Listen Ports---*****"
          - "{{ discovered_ufw_open_listen_ports.stdout_lines }}"
          - "*****---Firewall Rules---*****"
          - "{{ discovered_ufw_firewall_rules.stdout_lines }}"
    - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml
# Default-deny on every policy direction. This runs last in the file on
# purpose: the SSH (4.2.3), loopback (4.2.4) and outbound (4.2.5) allow rules
# already exist by the time outgoing traffic is denied by default.
- name: '4.2.7 | PATCH | Ensure ufw default deny firewall policy'
  when: ubtu24cis_rule_4_2_7
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_4.2.7
    - NIST800-53R5_SC-7
    - ufw
  loop:
    - incoming
    - outgoing
    - routed
  community.general.ufw:
    direction: '{{ item }}'
    default: deny
  notify: Reload ufw  # handler defined elsewhere in the role