Merge pull request #288 from ansible-lockdown/outstanding
Outstanding issues and improvements
uk-bolly authored Feb 14, 2022
2 parents 75c60b2 + 08bbe75 commit 9ac5790
Showing 12 changed files with 430 additions and 16 deletions.
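--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -0,0 +1,6 @@
+---
+
+collections:
+- name: community.general
+- community.crypto
+- ansible.posix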
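Review bot: The three entries under `collections:` mix two forms — `- name: community.general` against the bare `- community.crypto` and `- ansible.posix` — so the first item reads as a different kind of entry from the other two; use one form throughout, e.g. `- name: community.crypto` and `- name: ansible.posix`. The same three collections are listed again in meta/main.yml in this commit, so the two lists can drift apart; a one-line comment in each file pointing at the other (`# keep in sync with meta/main.yml`) would help the next maintainer.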
6 changes: 6 additions & 0 deletions defaults/main.yml
Expand Up @@ -448,6 +448,12 @@ rhel7cis_nft_tables_autoChainCreate: false
# create a table called
rhel7cis_nft_tables_tableName: filter

# 3.5.3.x.x iptables
rhel7cis_save_iptables_cis_rules: true
rhel7cis_save_ip6tables_cis_rules: true
# rhel7cis_firewall: iptables
rhel7cis_iptables_boot_config: /etc/sysconfig/iptables
rhel7cis_ip6tables_boot_config: /etc/sysconfig/ip6tables

# Warning Banner Content (issue, issue.net, motd)
rhel7cis_warning_banner: |
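Review bot: The new iptables defaults carry no explanation of when they apply, unlike the `# create a table called` comment on the nftables variable just above them; `rhel7cis_save_iptables_cis_rules`, `rhel7cis_save_ip6tables_cis_rules` and the two `*_boot_config` paths would each benefit from a short comment stating what consumes them. Of the file sections visible on this page, only `rhel7cis_save_iptables_cis_rules` is read (in tasks/section_3/cis_3.5.3.2.x.yml); the ip6tables flag and the `/etc/sysconfig/iptables` / `/etc/sysconfig/ip6tables` paths are not referenced in any shown hunk, so they may be consumed in files not displayed here — worth confirming rather than shipping defaults nothing reads. The commented-out `# rhel7cis_firewall: iptables` line is easy to mistake for the live setting; a comment such as `# rhel7cis_firewall is set elsewhere; these apply only when it is iptables` (with the real location filled in) would avoid that.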
4 changes: 4 additions & 0 deletions meta/main.yml
Expand Up @@ -16,4 +16,8 @@ galaxy_info:
- security
- cis
- hardening
collections:
- community.general
- community.crypto
- ansible.posix
dependencies: []
2 changes: 2 additions & 0 deletions tasks/main.yml
Expand Up @@ -127,3 +127,5 @@
msg: "{{ audit_results.split('\n') }}"
when:
- run_audit
tags:
- run_audit
4 changes: 2 additions & 2 deletions tasks/section_2/cis_2.3.x.yml
Expand Up @@ -70,13 +70,13 @@

- name: "2.3.5 | L1 | PATCH | Ensure LDAP client is not installed"
package:
name: openldap-client
name: openldap-clients
state: absent
vars:
ansible_python_interpreter: /bin/python
when:
- not rhel7cis_openldap_clients_required
- "'openldap-client' in ansible_facts.packages"
- "'openldap-clients' in ansible_facts.packages"
- rhel7cis_rule_2_3_5
tags:
- level1
9 changes: 5 additions & 4 deletions tasks/section_3/cis_3.5.3.1.x.yml
Expand Up @@ -10,12 +10,13 @@
vars:
ansible_python_interpreter: /bin/python
when:
- "'iptables' not in ansible_facts.packages"
- "'iptables' not in ansible_facts.packages or
'iptables-services' not in ansible_facts.packages"
- rhel7cis_rule_3_5_3_1_1
tags:
- level1
- patch
- rule_3.5.3.1
- rule_3.5.3.1.1

- name: "3.5.3.1.2 | L1 | PATCH | Ensure nftables is not installed with iptables"
package:
Expand All @@ -29,7 +30,7 @@
tags:
- level1
- patch
- rule_3.5.3.2
- rule_3.5.3.1.2

- name: "3.5.3.1.3 | L1 | PATCH | Ensure firewalld is either not installed or masked with iptables"
package:
Expand All @@ -43,4 +44,4 @@
tags:
- level1
- patch
- rule_3.5.3.3
- rule_3.5.3.1.3
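Review bot: The widened `when` in the first hunk (`'iptables' not in ansible_facts.packages or 'iptables-services' not in ansible_facts.packages`) makes the task run when either package is missing, but whether the task then installs both cannot be seen here — its `name:`/`package:` lines start above the hunk. If the package list names only `iptables`, the task would run on every play where `iptables-services` is absent without ever installing it, and the condition would never become false. Worth confirming the list covers both, and documenting why the second package matters with a comment on the condition such as `# iptables-services is required for the iptables service enabled in 3.5.3.2.6`.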
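--- a/tasks/section_3/cis_3.5.3.2.x.yml
+++ b/tasks/section_3/cis_3.5.3.2.x.yml
@@ -0,0 +1,173 @@
+---
+
+- name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured"
+block:
+- name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT"
+iptables:
+action: append
+chain: INPUT
+in_interface: lo
+jump: ACCEPT
+
+- name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
+iptables:
+action: append
+chain: OUTPUT
+out_interface: lo
+jump: ACCEPT
+
+- name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
+iptables:
+action: append
+chain: INPUT
+source: 127.0.0.0/8
+jump: DROP
+when:
+- rhel7cis_rule_3_5_3_2_1
+tags:
+- level1-server
+- level1-workstation
+- automated
+- patch
+- rule_3.5.3.2.1
+- iptables
+
+- name: "MANUAL | 3.5.3.2.2 | PATCH | Ensure iptables outbound and established connections are configured"
+iptables:
+action: append
+chain: '{{ item.chain }}'
+protocol: '{{ item.protocol }}'
+match: state
+ctstate: '{{ item.ctstate }}'
+jump: ACCEPT
+with_items:
+- { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
+- { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
+- { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
+- { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
+- { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
+- { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
+when:
+- rhel7cis_rule_3_5_3_2_2
+tags:
+- level1-server
+- level1-workstation
+- manual
+- patch
+- rule_3.5.3.2.2
+- iptables
+
+- name: "3.5.3.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports"
+block:
+- name: "3.5.3.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
+command: ss -4tuln
+changed_when: false
+failed_when: false
+check_mode: false
+register: rhel7cis_3_5_3_2_3_open_ports
+
+- name: "3.5.3.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
+command: iptables -L INPUT -v -n
+changed_when: false
+failed_when: false
+check_mode: false
+register: rhel7cis_3_5_3_2_3_current_rules
+
+- name: "3.5.3.2.3 | AUDIT | Ensure iptables firewall rules exist for all open ports | Alert about settings"
+debug:
+msg:
+- "ALERT!!!!Below is the list the open ports and current rules"
+- "Please create a rule for any open port that does not have a current rule"
+- "Open Ports:"
+- "{{ rhel7cis_3_5_3_2_3_open_ports.stdout_lines }}"
+- "Current Rules:"
+- "{{ rhel7cis_3_5_3_2_3_current_rules.stdout_lines }}"
+when:
+- rhel7cis_rule_3_5_3_2_3
+tags:
+- level1-server
+- level1-workstation
+- automated
+- audit
+- rule_3.5.3.2.3
+- iptables
+
+- name: "3.5.3.2.4 | PATCH | Ensure iptables default deny firewall policy"
+block:
+- name: "3.5.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in"
+iptables:
+chain: INPUT
+protocol: tcp
+destination_port: 22
+jump: ACCEPT
+ctstate: 'NEW,ESTABLISHED'
+
+- name: "3.5.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out"
+iptables:
+chain: OUTPUT
+protocol: tcp
+source_port: 22
+jump: ACCEPT
+ctstate: 'NEW,ESTABLISHED'
+
+- name: "3.5.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic"
+iptables:
+chain: INPUT
+ctstate: 'ESTABLISHED'
+jump: ACCEPT
+
+- name: "3.5.3.2.4 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
+iptables:
+policy: DROP
+chain: "{{ item }}"
+with_items:
+- INPUT
+- FORWARD
+- OUTPUT
+when:
+- rhel7cis_rule_3_5_3_2_4
+- not system_is_ec2
+tags:
+- level1-server
+- level1-workstation
+- automated
+- patch
+- rule_3.5.3.2.4
+- iptables
+
+- name: "3.5.3.2.5 | Ensure iptables rules are saved "
+block:
+- name: "3.5.3.2.5 | Ensure iptables rules are saved "
+shell: service iptables save
+changed_when: rhel7cis_iptables_save.rc == 0
+failed_when: rhel7cis_iptables_save.rc != 0
+register: rhel7cis_iptables_save
+when:
+- rhel7cis_save_iptables_cis_rules
+- rhel7cis_rule_3_5_3_2_1 or
+rhel7cis_rule_3_5_3_2_2 or
+rhel7cis_rule_3_5_3_2_3 or
+rhel7cis_rule_3_5_3_2_4 or
+rhel7cis_rule_3_5_3_2_5
+tags:
+- level1-server
+- level1-workstation
+- automated
+- patch
+- rule_3.5.3.2.5
+- iptables
+
+- name: "3.5.3.2.6 | Ensure iptables is enabled and running"
+service:
+name: iptables
+state: started
+enabled: true
+when:
+- rhel7cis_rule_3_5_3_2_6
+tags:
+- level1-server
+- level1-workstation
+- automated
+- patch
+- rule_3.5.3.2.6
+- iptables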
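Review bot: The third task in 3.5.3.2.1 (the `source: 127.0.0.0/8` / `jump: DROP` rule) is named `OUTPUT loopback ACCEPT`, a copy of the task above it, and should read `- name: "3.5.3.2.1 | PATCH | Ensure iptables loopback traffic is configured | INPUT 127.0.0.0/8 DROP"`; likewise the `Enable apt traffic` name in 3.5.3.2.4 describes a Debian-family role rather than the rule it carries (accept ESTABLISHED on INPUT). In 3.5.3.2.4 the `destination_port: 22` and `source_port: 22` accepts are hard-coded, so applying the INPUT `policy: DROP` on a host whose sshd listens on another port would cut off the very session running the play; a role variable for the port (a new name, to be chosen to match the role's `rhel7cis_` prefix) plus a comment on the block would make this safe to customize. `shell: service iptables save` uses no shell features and can be `command:`, and its `failed_when: rhel7cis_iptables_save.rc != 0` only restates the default failure rule. The tags in this file (`level1-server`, `level1-workstation`, `automated`) differ from the `level1`/`patch` scheme used by tasks/section_3/cis_3.5.3.1.x.yml in this same commit, so a run limited with `--tags level1` would not select any task here.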

