
---
# 2.1.1 - autofs. Either purge the package or mask the unit, selected by
# ubtu24cis_autofs_mask. Both paths are skipped when the host is declared an
# autofs consumer (ubtu24cis_autofs_services) or autofs is not installed.
- name: "2.1.1 | PATCH | Ensure autofs services are not in use"
  tags:
    - level1-server
    - level2-workstation
    - patch
    - rule_2.1.1
    - NIST800-53R5_SI-3
    - NIST800-53R5_MP-7
  when:
    - ubtu24cis_rule_2_1_1
    - "'autofs' in ansible_facts.packages"
  block:
    - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Remove Package"
      ansible.builtin.package:
        name: autofs
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_autofs_services
        - not ubtu24cis_autofs_mask

    - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Mask service"
      ansible.builtin.systemd:
        name: autofs
        masked: true
        state: stopped
        enabled: false
      # masking drops a unit override; the handler reloads systemd afterwards
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_autofs_services
        - ubtu24cis_autofs_mask
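# 2.1.2 - avahi. Purge the packages or mask the socket and service, selected
# by ubtu24cis_avahi_mask; skipped entirely when the host is an avahi server.
# Fix: the Ubuntu binary package is avahi-daemon, not "avahi", so the
# presence check and the removal list now name the package that actually
# ships avahi-daemon.service (the unit masked below).
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
  when: ubtu24cis_rule_2_1_2
  tags:
    - level1-server
    - level2-workstation
    - patch
    - avahi
    - rule_2.1.2
    - NIST800-53R5_SI-4
  block:
    - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Remove package"
      when:
        - not ubtu24cis_avahi_server
        - not ubtu24cis_avahi_mask
        - "'avahi-daemon' in ansible_facts.packages or 'avahi-autoipd' in ansible_facts.packages"
      ansible.builtin.package:
        name:
          - avahi-autoipd
          - avahi-daemon
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"

    - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Mask service"
      when:
        - not ubtu24cis_avahi_server
        - ubtu24cis_avahi_mask
      notify: Systemd_daemon_reload
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: false
        state: stopped
        masked: true
      # the socket must be masked too, otherwise socket activation restarts the daemon
      loop:
        - avahi-daemon.socket
        - avahi-daemon.service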
# 2.1.3 - ISC DHCP server. Purge isc-dhcp-server, or mask both the IPv4 and
# IPv6 units when ubtu24cis_dhcp_mask is set. Skipped on declared DHCP servers.
- name: "2.1.3 | PATCH | Ensure dhcp server services are not in use"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - dhcp
    - rule_2.1.3
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_3
  block:
    - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Remove package"
      ansible.builtin.package:
        name: isc-dhcp-server
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - "'isc-dhcp-server' in ansible_facts.packages"
        - not ubtu24cis_dhcp_server
        - not ubtu24cis_dhcp_mask

    - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Mask service"
      ansible.builtin.systemd:
        name: "{{ item }}"
        masked: true
        state: stopped
        enabled: false
      loop:
        - isc-dhcp-server.service
        - isc-dhcp-server6.service
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_dhcp_server
        - ubtu24cis_dhcp_mask
# 2.1.4 - BIND. Purge bind9, or mask named.service when ubtu24cis_dns_mask is
# set. Skipped on hosts declared as DNS servers.
- name: "2.1.4 | PATCH | Ensure dns server services are not in use"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - dns
    - rule_2.1.4
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_4
  block:
    - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Remove package"
      ansible.builtin.package:
        name: bind9
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_dns_server
        - not ubtu24cis_dns_mask
        - "'bind9' in ansible_facts.packages"

    - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Mask service"
      ansible.builtin.systemd:
        name: named.service
        masked: true
        state: stopped
        enabled: false
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_dns_server
        - ubtu24cis_dns_mask
# 2.1.5 - dnsmasq. Purge the package, or mask dnsmasq.service when
# ubtu24cis_dnsmasq_mask is set. Skipped on declared dnsmasq servers.
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - dns
    - rule_2.1.5
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_5
  block:
    - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package"
      ansible.builtin.package:
        name: dnsmasq
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_dnsmasq_server
        - not ubtu24cis_dnsmasq_mask
        - "'dnsmasq' in ansible_facts.packages"

    - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service"
      ansible.builtin.systemd:
        name: dnsmasq.service
        masked: true
        state: stopped
        enabled: false
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_dnsmasq_server
        - ubtu24cis_dnsmasq_mask
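# 2.1.6 - FTP. Purge vsftpd, or mask vsftpd.service when ubtu24cis_ftp_mask
# is set. Skipped on declared FTP servers.
# Fix: the presence check looked for 'vsftp', which never matches the
# installed package name 'vsftpd' (the name the removal task uses), so the
# purge path could never run.
- name: "2.1.6 | PATCH | Ensure ftp server services are not in use"
  when: ubtu24cis_rule_2_1_6
  tags:
    - level1-server
    - level1-workstation
    - automation
    - patch
    - ftp
    - rule_2.1.6
    - NIST800-53R5_CM-7
  block:
    - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Remove package"
      when:
        - "'vsftpd' in ansible_facts.packages"
        - not ubtu24cis_ftp_server
        - not ubtu24cis_ftp_mask
      ansible.builtin.package:
        name: vsftpd
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"

    - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Mask service"
      when:
        - not ubtu24cis_ftp_server
        - ubtu24cis_ftp_mask
      notify: Systemd_daemon_reload
      ansible.builtin.systemd:
        name: vsftpd.service
        enabled: false
        state: stopped
        masked: true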
# 2.1.7 - OpenLDAP. Purge slapd, or mask slapd.service when
# ubtu24cis_ldap_mask is set. Skipped on declared LDAP servers.
- name: "2.1.7 | PATCH | Ensure ldap server services are not in use"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - ldap
    - rule_2.1.7
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_7
  block:
    - name: "2.1.7 | PATCH | Ensure ldap server services are not in use | Remove package"
      ansible.builtin.package:
        name: slapd
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_ldap_server
        - not ubtu24cis_ldap_mask
        - "'slapd' in ansible_facts.packages"

    - name: "2.1.7 | PATCH | Ensure ldap server services are not in use | Mask service"
      ansible.builtin.systemd:
        name: slapd.service
        masked: true
        state: stopped
        enabled: false
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_ldap_server
        - ubtu24cis_ldap_mask
# 2.1.8 - Dovecot (IMAP/POP3). Purge both protocol packages, or mask the
# dovecot socket and service when ubtu24cis_message_mask is set. Skipped on
# declared message-access servers.
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - dovecot
    - imap
    - pop3
    - rule_2.1.8
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_8
  block:
    - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Remove package"
      ansible.builtin.package:
        name:
          - dovecot-pop3d
          - dovecot-imapd
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_message_server
        - not ubtu24cis_message_mask
        - "'dovecot-pop3d' in ansible_facts.packages or 'dovecot-imapd' in ansible_facts.packages"

    - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service"
      ansible.builtin.systemd:
        name: "{{ item }}"
        masked: true
        state: stopped
        enabled: false
      # the socket is masked as well so socket activation cannot revive the service
      loop:
        - dovecot.socket
        - dovecot.service
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_message_server
        - ubtu24cis_message_mask
# 2.1.9 - NFS. Purge nfs-kernel-server, or mask nfs-server.service when
# ubtu24cis_nfs_mask is set. Skipped on declared NFS servers.
- name: "2.1.9 | PATCH | Ensure network file system services are not in use"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - nfs
    - services
    - rule_2.1.9
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_9
  block:
    - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Remove package"
      ansible.builtin.package:
        name: nfs-kernel-server
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_nfs_server
        - not ubtu24cis_nfs_mask
        - "'nfs-kernel-server' in ansible_facts.packages"

    - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Mask service"
      ansible.builtin.systemd:
        name: nfs-server.service
        masked: true
        state: stopped
        enabled: false
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_nfs_server
        - ubtu24cis_nfs_mask
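# 2.1.10 - NIS. Purge ypserv, or mask ypserv.service when ubtu24cis_nis_mask
# is set. Skipped on declared NIS servers.
# Fix: `notify: Systemd_daemon_reload` was attached to the block, which would
# also fire the handler from the package-removal task; it now sits on the
# mask task only, matching every other rule in this file.
- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
  when: ubtu24cis_rule_2_1_10
  tags:
    - level1-server
    - level1-workstation
    - patch
    - nis
    - rule_2.1.10
    - NIST800-53R5_CM-7
  block:
    - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package"
      when:
        - "'ypserv' in ansible_facts.packages"
        - not ubtu24cis_nis_server
        - not ubtu24cis_nis_mask
      ansible.builtin.package:
        name: ypserv
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"

    - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Mask service"
      when:
        - not ubtu24cis_nis_server
        - ubtu24cis_nis_mask
      notify: Systemd_daemon_reload
      ansible.builtin.systemd:
        name: ypserv.service
        enabled: false
        state: stopped
        masked: true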
# 2.1.11 - CUPS. Purge cups, or mask its socket and service when
# ubtu24cis_print_mask is set. Level 1 server only; skipped on declared
# print servers.
- name: "2.1.11 | PATCH | Ensure print server services are not in use"
  tags:
    - level1-server
    - patch
    - cups
    - rule_2.1.11
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_11
  block:
    - name: "2.1.11 | PATCH | Ensure print server services are not in use | Remove package"
      ansible.builtin.package:
        name: cups
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_print_server
        - not ubtu24cis_print_mask
        - "'cups' in ansible_facts.packages"

    - name: "2.1.11 | PATCH | Ensure print server services are not in use | Mask service"
      ansible.builtin.systemd:
        name: "{{ item }}"
        masked: true
        state: stopped
        enabled: false
      loop:
        - cups.socket
        - cups.service
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_print_server
        - ubtu24cis_print_mask
# 2.1.12 - rpcbind. Purge the package, or mask rpcbind.service and
# rpcbind.socket when ubtu24cis_rpc_mask is set. Skipped on declared RPC servers.
- name: "2.1.12 | PATCH | Ensure rpcbind services are not in use"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rpc
    - rule_2.1.12
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_12
  block:
    - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Remove package"
      ansible.builtin.package:
        name: rpcbind
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_rpc_server
        - not ubtu24cis_rpc_mask
        - "'rpcbind' in ansible_facts.packages"

    - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Mask service"
      ansible.builtin.systemd:
        name: "{{ item }}"
        masked: true
        state: stopped
        enabled: false
      loop:
        - rpcbind.service
        - rpcbind.socket
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_rpc_server
        - ubtu24cis_rpc_mask
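# 2.1.13 - rsync daemon. Purge rsync, or mask the daemon unit when
# ubtu24cis_rsync_mask is set. Skipped on declared rsync servers.
# Fix: on Debian/Ubuntu the rsync package ships rsync.service (rsyncd.service
# is the RHEL-family unit name); masking the wrong name created an override
# for a unit that does not exist and left the real daemon unmasked.
- name: "2.1.13 | PATCH | Ensure rsync services are not in use"
  when: ubtu24cis_rule_2_1_13
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rsync
    - rule_2.1.13
    - NIST800-53R5_CM-7
  block:
    - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Remove package"
      when:
        - "'rsync' in ansible_facts.packages"
        - not ubtu24cis_rsync_server
        - not ubtu24cis_rsync_mask
      ansible.builtin.package:
        name: rsync
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"

    - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Mask service"
      when:
        - not ubtu24cis_rsync_server
        - ubtu24cis_rsync_mask
      notify: Systemd_daemon_reload
      ansible.builtin.systemd:
        name: rsync.service
        enabled: false
        state: stopped
        masked: true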
# 2.1.14 - Samba. Purge samba, or mask smbd.service when
# ubtu24cis_samba_mask is set. Skipped on declared Samba file servers.
- name: "2.1.14 | PATCH | Ensure samba file server services are not in use"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - samba
    - rule_2.1.14
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_14
  block:
    - name: "2.1.14 | PATCH | Ensure samba file server services are not in use | Remove package"
      ansible.builtin.package:
        name: samba
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_samba_server
        - not ubtu24cis_samba_mask
        - "'samba' in ansible_facts.packages"

    - name: "2.1.14 | PATCH | Ensure samba file server services are not in use | Mask service"
      ansible.builtin.systemd:
        name: smbd.service
        masked: true
        state: stopped
        enabled: false
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_samba_server
        - ubtu24cis_samba_mask
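# 2.1.15 - SNMP. Purge snmpd, or mask snmpd.service when ubtu24cis_snmp_mask
# is set. Skipped on declared SNMP servers.
# Fix: the rule was tagged `samba` (copy-paste from 2.1.14), so `--tags snmp`
# skipped it and `--tags samba` ran it; the tag is now `snmp`.
- name: "2.1.15 | PATCH | Ensure snmp services are not in use"
  when: ubtu24cis_rule_2_1_15
  tags:
    - level1-server
    - level1-workstation
    - automation
    - patch
    - snmp
    - rule_2.1.15
    - NIST800-53R5_CM-7
  block:
    - name: "2.1.15 | PATCH | Ensure snmp services are not in use | Remove package"
      when:
        - "'snmpd' in ansible_facts.packages"
        - not ubtu24cis_snmp_server
        - not ubtu24cis_snmp_mask
      ansible.builtin.package:
        name: snmpd
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"

    - name: "2.1.15 | PATCH | Ensure snmp services are not in use | Mask service"
      when:
        - not ubtu24cis_snmp_server
        - ubtu24cis_snmp_mask
      notify: Systemd_daemon_reload
      ansible.builtin.systemd:
        name: snmpd.service
        enabled: false
        state: stopped
        masked: true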
# 2.1.16 - TFTP. Purge tftpd-hpa, or mask tftpd-hpa.service when
# ubtu24cis_tftp_mask is set. Skipped on declared TFTP servers.
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - tftp
    - rule_2.1.16
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_16
  block:
    - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Remove package"
      ansible.builtin.package:
        name: tftpd-hpa
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_tftp_server
        - not ubtu24cis_tftp_mask
        - "'tftpd-hpa' in ansible_facts.packages"

    - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Mask service"
      ansible.builtin.systemd:
        name: tftpd-hpa.service
        masked: true
        state: stopped
        enabled: false
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_tftp_server
        - ubtu24cis_tftp_mask
# 2.1.17 - Squid. Purge squid, or mask squid.service when
# ubtu24cis_squid_mask is set. Skipped on declared web-proxy servers.
- name: "2.1.17 | PATCH | Ensure web proxy server services are not in use"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - squid
    - rule_2.1.17
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_17
  block:
    - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Remove package"
      ansible.builtin.package:
        name: squid
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_squid_server
        - not ubtu24cis_squid_mask
        - "'squid' in ansible_facts.packages"

    - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Mask service"
      ansible.builtin.systemd:
        name: squid.service
        masked: true
        state: stopped
        enabled: false
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_squid_server
        - ubtu24cis_squid_mask
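# 2.1.18 - web servers. apache2 and nginx are handled independently: each is
# purged, or masked when its *_mask flag is set, and skipped when the host is
# declared a server for it. The mask tasks additionally require the package
# to be installed.
# Fix: the nginx mask task named the unit `ngnix.service` (typo), so it
# masked a non-existent unit and left nginx.service running.
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
  when: ubtu24cis_rule_2_1_18
  tags:
    - level1-server
    - level1-workstation
    - patch
    - httpd
    - nginx
    - webserver
    - rule_2.1.18
    - NIST800-53R5_CM-7
  block:
    - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove httpd server"
      when:
        - not ubtu24cis_apache2_server
        - not ubtu24cis_apache2_mask
        - "'apache2' in ansible_facts.packages"
      ansible.builtin.package:
        name: apache2
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"

    - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove nginx server"
      when:
        - not ubtu24cis_nginx_server
        - not ubtu24cis_nginx_mask
        - "'nginx' in ansible_facts.packages"
      ansible.builtin.package:
        name: nginx
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"

    - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask httpd service"
      when:
        - not ubtu24cis_apache2_server
        - ubtu24cis_apache2_mask
        - "'apache2' in ansible_facts.packages"
      notify: Systemd_daemon_reload
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: false
        state: stopped
        masked: true
      loop:
        - apache2.service
        - apache2.socket

    - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service"
      when:
        - not ubtu24cis_nginx_server
        - ubtu24cis_nginx_mask
        - "'nginx' in ansible_facts.packages"
      notify: Systemd_daemon_reload
      ansible.builtin.systemd:
        name: nginx.service
        enabled: false
        state: stopped
        masked: true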
# 2.1.19 - xinetd. Purge the package, or mask xinetd.service when
# ubtu24cis_xinetd_mask is set. Skipped on hosts declared to need xinetd.
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - xinetd
    - rule_2.1.19
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_19
  block:
    - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Remove package"
      ansible.builtin.package:
        name: xinetd
        state: absent
        purge: "{{ ubtu24cis_purge_apt }}"
      when:
        - not ubtu24cis_xinetd_server
        - not ubtu24cis_xinetd_mask
        - "'xinetd' in ansible_facts.packages"

    - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Mask service"
      ansible.builtin.systemd:
        name: xinetd.service
        masked: true
        state: stopped
        enabled: false
      notify: Systemd_daemon_reload
      when:
        - not ubtu24cis_xinetd_server
        - ubtu24cis_xinetd_mask
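# 2.1.20 - X Window server (Level 2, server profile only). Purge the X server
# common files unless the host is declared an X server.
# Fix: `xorg-x11-server-common` is the Fedora/RHEL package name and never
# appears in ansible_facts.packages on Ubuntu, so the rule was a silent
# no-op; the Ubuntu package is `xserver-common`.
- name: "2.1.20 | PATCH | Ensure X window server services are not in use"
  when:
    - not ubtu24cis_xwindow_server
    - "'xserver-common' in ansible_facts.packages"
    - ubtu24cis_rule_2_1_20
  tags:
    - level2-server
    - patch
    - xwindow
    - rule_2.1.20
    - NIST800-53R5_CM-11
  ansible.builtin.package:
    name: xserver-common
    state: absent
    purge: "{{ ubtu24cis_purge_apt }}"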
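# 2.1.21 - MTA local-only mode. exim4 is reconfigured through
# update-exim4.conf.conf, postfix through inet_interfaces in main.cf; when
# neither is installed the rule warns and bumps the warning counter instead.
# Skipped entirely on hosts declared as mail servers.
# Fix: warn_control_id was '2.2.21' (wrong section), so the warning was
# attributed to a control this rule does not implement; it is now '2.1.21'.
- name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode"
  when:
    - not ubtu24cis_is_mail_server
    - ubtu24cis_rule_2_1_21
  tags:
    - level1-server
    - level1-workstation
    - patch
    - postfix
    - rule_2.1.21
    - NIST800-53R5_CM-7
  vars:
    warn_control_id: '2.1.21'
  block:
    - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed"
      when: "'exim4' in ansible_facts.packages"
      ansible.builtin.lineinfile:
        path: /etc/exim4/update-exim4.conf.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      # each entry replaces the matching dc_* setting or appends it when absent;
      # interfaces are pinned to loopback and every relay/smarthost value is emptied
      loop:
        - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" }
        - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" }
        - { regexp: '^dc_readhost', line: "dc_readhost=''" }
        - { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" }
        - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" }
        - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" }
        - { regexp: '^dc_smarthost', line: "dc_smarthost=''" }
        - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" }
        - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" }
        - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" }
        - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" }
      notify: Restart exim4

    - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if postfix is installed"
      when: "'postfix' in ansible_facts.packages"
      notify: Restart postfix
      # the negative lookahead leaves an already-correct line untouched (idempotent)
      ansible.builtin.lineinfile:
        path: /etc/postfix/main.cf
        regexp: '^(#)?inet_interfaces\s*=(?!\s*loopback-only\s*).*'
        line: 'inet_interfaces = loopback-only'

    - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents"
      when:
        - "'exim4' not in ansible_facts.packages"
        - "'postfix' not in ansible_facts.packages"
      ansible.builtin.debug:
        msg:
          - "Warning!! You are not using either exim4 or postfix, please ensure mail services set for local only mode"
          - "Please review your vendors documentation to configure local-only mode"

    - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | warn_count"
      when:
        - "'exim4' not in ansible_facts.packages"
        - "'postfix' not in ansible_facts.packages"
      ansible.builtin.import_tasks:
        file: warning_facts.yml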
# 2.1.22 - audit only. Enumerates systemd service units (active and inactive)
# and prints them for manual review, then bumps the warning counter via
# warning_facts.yml. Note that the command lists service units rather than
# listening sockets; it is a review aid, not a port inventory.
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface"
  tags:
    - level1-server
    - level1-workstation
    - audit
    - services
    - rule_2.1.22
    - NIST800-53R5_CM-7
  when:
    - ubtu24cis_rule_2_1_22
  vars:
    warn_control_id: '2.1.22'
  block:
    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services"
      ansible.builtin.command: systemctl list-units --type=service # noqa command-instead-of-module
      register: discovered_listening_services
      # read-only query: never reports changed, runs in check mode, and
      # tolerates rc 1 alongside rc 0
      changed_when: false
      check_mode: false
      failed_when: discovered_listening_services.rc not in [ 0, 1 ]

    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Display list of services"
      ansible.builtin.debug:
        msg:
          - "Warning!! Below are the list of services, both active and inactive"
          - "Please review to make sure all are essential"
          - "{{ discovered_listening_services.stdout_lines }}"

    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml