- name: "SCORED | 3.1.1 | PATCH | Ensure IP forwarding is disabled" sysctl: name: net.ipv4.ip_forward value: '0' state: present reload: yes ignoreerrors: yes notify: - sysctl flush ipv4 route table when: - not rhel7cis_is_router - rhel7cis_rule_3_1_1|bool tags: - level1 - sysctl - patch - rule_3.1.1 - name: "SCORED | 3.1.2 | PATCH | Ensure packet redirect sending is disabled" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: yes state: present reload: yes ignoreerrors: yes with_items: - { name: net.ipv4.conf.all.send_redirects, value: 0 } - { name: net.ipv4.conf.default.send_redirects, value: 0 } notify: - sysctl flush ipv4 route table when: - not rhel7cis_is_router - rhel7cis_rule_3_1_2|bool tags: - level1 - sysctl - patch - rule_3.1.2 - name: "SCORED | 3.2.1 | PATCH | Ensure source routed packets are not accepted" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: yes state: present reload: yes ignoreerrors: yes with_items: - { name: net.ipv4.conf.all.accept_source_route, value: 0 } - { name: net.ipv4.conf.default.accept_source_route, value: 0 } notify: - sysctl flush ipv4 route table when: - rhel7cis_rule_3_2_1|bool tags: - level1 - sysctl - patch - rule_3.2.1 - name: "SCORED | 3.2.2 | PATCH | Ensure ICMP redirects are not accepted" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: yes state: present reload: yes ignoreerrors: yes with_items: - { name: net.ipv4.conf.all.accept_redirects, value: 0 } - { name: net.ipv4.conf.default.accept_redirects, value: 0 } notify: - sysctl flush ipv4 route table when: - rhel7cis_rule_3_2_2|bool tags: - level1 - sysctl - patch - rule_3.2.2 - name: "SCORED | 3.2.3 | PATCH | Ensure secure ICMP redirects are not accepted" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: yes state: present reload: yes ignoreerrors: yes with_items: - { name: net.ipv4.conf.all.secure_redirects, value: 0 } - { name: net.ipv4.conf.default.secure_redirects, value: 0 } notify: - sysctl flush ipv4 route table when: - rhel7cis_rule_3_2_3|bool tags: - level1 - sysctl - patch - rule_3.2.3 - name: "SCORED | 3.2.4 | PATCH | Ensure suspicious packets are logged" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: yes state: present reload: yes ignoreerrors: yes with_items: - { name: net.ipv4.conf.all.log_martians, value: 1 } - { name: net.ipv4.conf.default.log_martians, value: 1 } notify: - sysctl flush ipv4 route table when: - rhel7cis_rule_3_2_4|bool tags: - level1 - sysctl - patch - rule_3.2.4 - name: "SCORED | 3.2.5 | PATCH | Ensure broadcast ICMP requests are ignored" sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts value: '1' state: present reload: yes ignoreerrors: yes notify: - sysctl flush ipv4 route table when: - rhel7cis_rule_3_2_5|bool tags: - level1 - sysctl - patch - rule_3.2.5 - name: "SCORED | 3.2.6 | PATCH | Ensure bogus ICMP responses are ignored" sysctl: name: net.ipv4.icmp_ignore_bogus_error_responses value: '1' state: present reload: yes ignoreerrors: yes notify: - sysctl flush ipv4 route table when: - rhel7cis_rule_3_2_6|bool tags: - level1 - sysctl - patch - rule_3.2.6 - name: "SCORED | 3.2.7 | PATCH | Ensure Reverse Path Filtering is enabled" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: yes state: present reload: yes ignoreerrors: yes with_items: - { name: net.ipv4.conf.all.rp_filter, value: 1 } - { name: net.ipv4.conf.default.rp_filter, value: 1 } notify: - sysctl flush ipv4 route table when: - rhel7cis_rule_3_2_7|bool tags: - level1 - sysctl - patch - rule_3.2.7 - name: "SCORED | 3.2.8 | PATCH | Ensure TCP SYN Cookies is enabled" sysctl: name: net.ipv4.tcp_syncookies value: 1 state: present reload: yes ignoreerrors: yes notify: - sysctl flush ipv4 route table when: - rhel7cis_rule_3_2_8|bool tags: - level1 - sysctl - patch - rule_3.2.8 - name: "SCORED | 3.3.1 | PATCH | Ensure IPv6 router advertisements are not accepted" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: yes state: present reload: yes ignoreerrors: yes with_items: - { name: net.ipv6.conf.all.accept_ra, value: 0 } - { name: net.ipv6.conf.default.accept_ra, value: 0 } notify: - sysctl flush ipv6 route table when: - rhel7cis_ipv6_required | bool - rhel7cis_rule_3_3_1|bool tags: - level1 - sysctl - patch - rule_3.3.1 - name: "SCORED | 3.3.2 | PATCH | Ensure IPv6 redirects are not accepted" sysctl: name: '{{ item.name }}' value: '{{ item.value }}' sysctl_set: yes state: present reload: yes ignoreerrors: yes with_items: - { name: net.ipv6.conf.all.accept_redirects, value: 0 } - { name: net.ipv6.conf.default.accept_redirects, value: 0 } notify: - sysctl flush ipv6 route table when: - rhel7cis_ipv6_required | bool - rhel7cis_rule_3_3_2|bool tags: - level1 - sysctl - patch - rule_3.3.2 - name: "NOTSCORED | 3.3.3 | PATCH | Ensure IPv6 is disabled" lineinfile: dest: /etc/default/grub regexp: '^(GRUB_CMDLINE_LINUX=.*(?!.*ipv6\.disable=1)\"[^\"]+)(\".*)' line: '\1 ipv6.disable=1\2' backrefs: yes notify: - grub2cfg when: - not rhel7cis_ipv6_required - rhel7cis_rule_3_3_3|bool tags: - level1 - patch - rule_3.3.3 - name: "SCORED | 3.4.1 | PATCH | Ensure TCP Wrappers is installed" yum: name: tcp_wrappers state: present when: - rhel7cis_rule_3_4_1|bool tags: - level1 - patch - rule_3.4.1 - name: "SCORED | 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured" template: src: hosts.allow.j2 dest: /etc/hosts.allow owner: root group: root mode: 0644 when: - rhel7cis_rule_3_4_2|bool tags: - level1 - patch - rule_3.4.2 - name: "SCORED | 3.4.3 | PATCH | Ensure /etc/hosts.deny is configured" lineinfile: dest: /etc/hosts.deny regexp: "^(#)?ALL" line: "ALL: ALL" when: - rhel7cis_rule_3_4_3|bool tags: - level1 - patch - rule_3.4.3 - name: "SCORED | 3.4.4 | PATCH | Ensure permissions on /etc/hosts.allow are configured" file: dest: /etc/hosts.allow owner: root group: root mode: 0644 when: - rhel7cis_rule_3_4_4|bool tags: - level1 - patch - rule_3.4.4 - name: "SCORED | 3.4.5 | PATCH | Ensure permissions on /etc/hosts.deny are 644" file: dest: /etc/hosts.deny owner: root group: root mode: 0644 when: - rhel7cis_rule_3_4_5|bool tags: - level1 - patch - rule_3.4.5 - name: "NOTSCORED | 3.5.1 | PATCH | Ensure DCCP is disabled" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install dccp(\\s|$)" line: "install dccp /bin/true" create: yes when: - rhel7cis_rule_3_5_1|bool tags: - level1 - patch - rule_3.5.1 - name: "NOTSCORED | 3.5.2 | PATCH | Ensure SCTP is disabled" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install sctp(\\s|$)" line: "install sctp /bin/true" create: yes when: - rhel7cis_rule_3_5_2|bool tags: - level1 - patch - rule_3.5.2 - name: "NOTSCORED | 3.5.3 | PATCH | Ensure RDS is disabled" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install rds(\\s|$)" line: "install rds /bin/true" create: yes when: - rhel7cis_rule_3_5_3|bool tags: - level1 - patch - rule_3.5.3 - name: "NOTSCORED | 3.5.4 | PATCH | Ensure TIPC is disabled" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install tipc(\\s|$)" line: "install tipc /bin/true" create: yes when: - rhel7cis_rule_3_5_4|bool tags: - level1 - patch - rule_3.5.4 # - name: "SCORED | 3.6 | PATCH | Ensure firewalld is installed and started | CUSTOM" # yum: # name: firewalld # state: present # when: rhel7cis_firewall == "firewalld" # notify: restart firewalld # tags: # - level1 # - patch # - rule_3.6 # - name: "SCORED | 3.6 | PATCH | Ensure firewalld is installed and started | CUSTOM" # service: # name: firewalld # state: started # enabled: yes # when: rhel7cis_firewall == "firewalld" # tags: # - level1 # - patch # - rule_3.6 # - name: "SCORED | 3.6.1 | PATCH | Ensure iptables is installed" # yum: # name: iptables # state: present # when: # - rhel7cis_firewall == "iptables" # - rhel7cis_rule_3_6_1|bool # tags: # - level1 # - patch # - rule_3.6.1 # # - name: "SCORED | 3.6.1 | PATCH | Ensure iptables is installed and started" # service: # name: iptables # state: started # enabled: yes # when: # - rhel7cis_firewall == "iptables" # - rhel7cis_rule_3_6_1|bool # tags: # - level1 # - patch # - rule_3.6.1 # - name: "SCORED | 3.6.2 | PATCH | Ensure default deny firewall policy" # lineinfile: # dest: /etc/firewalld/firewalld.conf # regexp: "^DefaultZone" # line: "DefaultZone=drop" # when: # - rhel7cis_firewall == "firewalld" # - rhel7cis_rule_3_6_2|bool # tags: # - level1 # - patch # - rule_3.6.2 # - name: "SCORED | 3.6.2 | PATCH | Ensure default deny firewall policy" # firewalld: # state: enabled # zone: drop # permanent: true # when: # - rhel7cis_firewall == "firewalld" # - rhel7cis_rule_3_6_2|bool # - ansible_connection != 'docker' # tags: # - level1 # - patch # - rule_3.6.2 # - name: "SCORED | 3.6.2 | PATCH | Ensure default deny firewall policy" # command: /bin/true # changed_when: no # when: # - rhel7cis_firewall == "iptables" # - rhel7cis_rule_3_6_2|bool # tags: # - level1 # - patch # - rule_3.6.2 # - notimplemented # # - name: "SCORED | 3.6.3 | PATCH | Ensure loopback traffic is configured" # command: /bin/true # changed_when: no # when: # - rhel7cis_firewall == "iptables" # - rhel7cis_rule_3_6_3|bool # tags: # - level1 # - patch # - rule_3.6.3 # - notimplemented # - name: "NOTSCORED | 3.6.4 | PATCH | Ensure outbound and established connections are configured" # command: /bin/true # changed_when: no # when: # - rhel7cis_firewall == "iptables" # - rhel7cis_rule_3_6_4|bool # tags: # - level1 # - patch # - rule_3.6.4 # - notimplemented # - name: "SCORED | 3.6.5 | PATCH | Ensure firewall rules exist for all open ports" # firewalld: # service: "{{ item }}" # state: enabled # zone: drop # permanent: true # immediate: true # notify: restart firewalld # with_items: "{{ rhel7cis_firewall_services }}" # when: # - rhel7cis_firewall == "firewalld" # - rhel7cis_rule_3_6_5|bool # - ansible_connection != 'docker' # tags: # - level1 # - patch # - rule_3.6.5 # - name: "SCORED | 3.6.5 | PATCH | Ensure firewall rules exist for all open ports" # command: /bin/true # changed_when: no # when: # - rhel7cis_firewall == "iptables" # - rhel7cis_rule_3_6_5|bool # tags: # - level1 # - patch # - rule_3.6.5 # - notimplemented # # - name: "NOTSCORED | 3.7 | PATCH | Ensure wireless interfaces are disabled" # command: /bin/true # changed_when: no # tags: # - level1 # - level2 # - patch # - rule_3.7