colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
UBUNTU24-CIS/tasks/section_4/cis_4.3.x.yml

248 lines
7.8 KiB
YAML
Raw Permalink Blame History

---
# ---------------
# ---------------
# NFTables is unsupported with this role. However I have the actions commented out as a guide
# ---------------
# ---------------
- name: "4.3.1 | AUDIT | Ensure nftables is installed"
when:
- ubtu24cis_rule_4_3_1
- ubtu24cis_firewall_package == "nftables"
tags:
- level1-server
- level1-workstation
- audit
- rule_4.3.1
- NIST800-53R5_CA-9
- nftables
vars:
warn_control_id: '4.3.1'
block:
- name: "4.3.1 | AUDIT | Ensure nftables is installed | Message out warning"
ansible.builtin.debug:
msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
- name: "4.3.1 | AUDIT | Ensure nftables is installed | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "4.3.2 | AUDIT | Ensure ufw is not in use with nftables"
when:
- ubtu24cis_rule_4_3_2
- ubtu24cis_firewall_package == "nftables"
tags:
- level1-server
- level1-workstation
- audit
- rule_4.3.2
- NIST800-53R5_SC-7
- nftables
vars:
warn_control_id: '4.3.2'
block:
- name: "4.3.2 | AUDIT | Ensure ufw is not in use with nftables | Message out warning"
ansible.builtin.debug:
msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
# ansible.builtin.package:
# name: ufw
# state: absent
- name: "4.3.2 | AUDIT | Ensure ufw is not in use with nftables | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "4.3.3 | AUDIT | Ensure iptables are flushed with nftables"
when:
- ubtu24cis_rule_4_3_3
- ubtu24cis_firewall_package == "nftables"
tags:
- level1-server
- level1-workstation
- audit
- rule_4.3.3
- NIST800-53R5_CA-9
- NIST800-53R5_SC-7
- nftables
vars:
warn_control_id: '4.3.3'
block:
- name: "4.3.3 | AUDIT | Ensure iptables are flushed with nftables | Message out warning"
ansible.builtin.debug:
msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
# ansible.builtin.iptables:
# flush: yes
- name: "4.3.3 | AUDIT | Ensure iptables are flushed with nftables | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "4.3.4 | AUDIT | Ensure a nftables table exists"
when:
- ubtu24cis_rule_4_3_4
- ubtu24cis_firewall_package == "nftables"
tags:
- level1-server
- level1-workstation
- patch
- rule_4.3.4
- NIST800-53R5_CA-9
- NIST800-53R5_SC-7
- nftables
vars:
warn_control_id: '4.3.4'
block:
- name: "4.3.4 | AUDIT | Ensure a nftables table exists"
ansible.builtin.debug:
msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning"
# ansible.builtin.shell: "nft create table {{ ubtu24cis_nftables_table_name }}"
# changed_when: discovered_new_nftable.rc == 0
# failed_when: false
# check_mode: false
# register: discovered_new_nftable
- name: "4.3.4 | AUDIT | Ensure a nftables table exists | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "4.3.5 | AUDIT | Ensure nftables base chains exist"
when:
- ubtu24cis_rule_4_3_5
- ubtu24cis_firewall_package == "nftables"
tags:
- level1-server
- level1-workstation
- audit
- rule_4.3.5
- NIST800-53R5_NA
- nftables
vars:
warn_control_id: '4.3.5'
block:
- name: "4.3.5 | AUDIT | Ensure nftables base chains exist"
ansible.builtin.debug:
msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning"
- name: "4.3.5 | AUDIT | Ensure nftables base chains exist | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "4.3.6 | AUDIT | Ensure nftables loopback traffic is configured"
when:
- ubtu24cis_rule_4_3_6
- ubtu24cis_firewall_package == "nftables"
tags:
- level1-server
- level1-workstation
- audit
- rule_4.3.6
- NIST800-53R5_CA-9
- NIST800-53R5_SC-7
- nftables
vars:
warn_control_id: '4.3.6'
block:
- name: "4.3.6 | AUDIT | Ensure nftables loopback traffic is configured | Message out warning"
ansible.builtin.debug:
msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
- name: "4.3.6 | AUDIT | Ensure nftables loopback traffic is configured | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "4.3.7 | AUDIT | Ensure nftables outbound and established connections are configured"
when:
- ubtu24cis_rule_4_3_7
- ubtu24cis_firewall_package == "nftables"
tags:
- level1-server
- level1-workstation
- audit
- rule_4.3.7
- NIST800-53R5_CA-9
- NIST800-53R5_SC-7
- nftables
vars:
warn_control_id: '4.3.7'
block:
- name: "4.3.7 | AUDIT | Ensure nftables outbound and established connections are configured | Message out warning"
ansible.builtin.debug:
msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
- name: "4.3.7 | AUDIT | Ensure nftables outbound and established connections are configured | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "4.3.8 | AUDIT | Ensure nftables default deny firewall policy"
when:
- ubtu24cis_rule_4_3_8
- ubtu24cis_firewall_package == "nftables"
tags:
- level1-server
- level1-workstation
- audit
- rule_4.3.8
- NIST800-53R5_CA-9
- NIST800-53R5_SC-7
- nftables
vars:
warn_control_id: '4.3.8'
block:
- name: "4.3.8 | AUDIT | Ensure nftables default deny firewall policy | Message out warning"
ansible.builtin.debug:
msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
- name: "4.3.8 | AUDIT | Ensure nftables default deny firewall policy | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "4.3.9 | AUDIT | Ensure nftables service is enabled"
when:
- ubtu24cis_rule_4_3_9
- ubtu24cis_firewall_package == "nftables"
tags:
- level1-server
- level1-workstation
- audit
- rule_4.3.9
- NIST800-53R5_CA-9
- NIST800-53R5_SC-7
- nftables
vars:
warn_control_id: '4.3.9'
block:
- name: "4.3.9 | AUDIT | Ensure nftables service is enabled | Message out warning"
ansible.builtin.debug:
msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
# ansible.builtin.service:
# name: nftables
# state: started
# enabled: yes
- name: "4.3.9 | AUDIT | Ensure nftables service is enabled | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "4.3.10 | AUDIT | Ensure nftables rules are permanent"
when:
- ubtu24cis_rule_4_3_10
- ubtu24cis_firewall_package == "nftables"
tags:
- level1-server
- level1-workstation
- audit
- rule_4.3.10
- NIST800-53R5_CA-9
- NIST800-53R5_SC-7
- nftables
vars:
warn_control_id: '4.3.10'
block:
- name: "4.3.10 | AUDIT | Ensure nftables rules are permanent | Message out warning"
ansible.builtin.debug:
msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
- name: "4.3.10 | AUDIT | Ensure nftables rules are permanent | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
Reference in New Issue View Git Blame Copy Permalink