/baseline/roles/suse/15/tasks/section_03.yml
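---
# CIS SUSE 15 baseline, section 3 (network configuration).
- name: 3.1.1 Ensure IPv6 is disabled (Not Scored)
  # Append ipv6.disable=1 to the kernel command line in /etc/default/grub.
  # The negative lookahead keeps the task idempotent: once the parameter is
  # already present the regexp no longer matches and, because backrefs is
  # set, lineinfile then changes nothing instead of appending it again.
  lineinfile:
    path: /etc/default/grub
    regexp: '^GRUB_CMDLINE_LINUX="((?!.*ipv6\.disable=1).*)"'
    line: 'GRUB_CMDLINE_LINUX="\1 ipv6.disable=1"'
    backup: true
    backrefs: true
  when:
    - use_ipv6 == "no"
    - ansible_virtualization_type != "docker"
    - ansible_virtualization_type != "kvm"
  # Editing the file alone does nothing; the handler regenerates the grub
  # configuration and the setting takes effect on the next boot.
  notify: update grub
  tags:
    - section03-1
    - section03
    - level1
    - section3.1.1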
- name: 3.1.2 Ensure wireless interfaces are disabled (Not Scored)
  # Advisory item: the message is only shown to the operator, the host is
  # not modified.
  tags:
    - section03-1
    - section03-2
    - section03
    - level1
    - level2
    - section3.1.2
  debug:
    msg: "Ensure wireless interfaces are disabled if not needed."
- name: |
    3.2.1 Ensure IP forwarding is disabled (Scored)
    3.2.2 Ensure packet redirect sending is disabled (Scored)
    3.3.1 Ensure source routed packets are not accepted (Scored)
    3.3.2 Ensure ICMP redirects are not accepted (Scored)
    3.3.3 Ensure secure ICMP redirects are not accepted (Scored)
    3.3.4 Ensure suspicious packets are logged (Scored)
    3.3.5 Ensure broadcast ICMP requests are ignored (Scored)
    3.3.6 Ensure bogus ICMP responses are ignored (Scored)
    3.3.7 Ensure Reverse Path Filtering is enabled (Scored)
    3.3.8 Ensure TCP SYN Cookies is enabled (Scored)
  when:
    - ansible_virtualization_type != "docker"
    - ansible_virtualization_type != "kvm"
  # All IPv4 kernel parameters for 3.2.x/3.3.x are shipped as one sysctl
  # drop-in owned by root and readable by everyone.
  # NOTE(review): placing the file in /etc/sysctl.d does not load the values
  # into the running kernel by itself — confirm a sysctl reload (or reboot)
  # happens elsewhere in the role.
  copy:
    src: files/etc/sysctl.d/60-cis_sysctl_ipv4.conf
    dest: /etc/sysctl.d/60-cis_sysctl_ipv4.conf
    owner: root
    group: root
    mode: "0644"
  tags:
    - section03-1
    - section03
    - level1
    - section3.2.1
    - section3.2.2
    - section3.3.1
    - section3.3.2
    - section3.3.3
    - section3.3.4
    - section3.3.5
    - section3.3.6
    - section3.3.7
    - section3.3.8
- name: 3.3.9 Ensure IPv6 router advertisements are not accepted (Not Scored)
  when:
    - use_ipv6 == "yes"
    - ansible_virtualization_type != "docker"
    - ansible_virtualization_type != "kvm"
  # Only relevant when IPv6 stays enabled (see the use_ipv6 condition above);
  # the IPv6 parameters live in their own sysctl drop-in.
  # NOTE(review): as with the IPv4 drop-in, the values are not applied to the
  # running kernel by this task alone — confirm a reload follows.
  copy:
    src: files/etc/sysctl.d/60-cis_sysctl_ipv6.conf
    dest: /etc/sysctl.d/60-cis_sysctl_ipv6.conf
    owner: root
    group: root
    mode: "0644"
  tags:
    - section03-1
    - section03
    - level1
    - section3.3.9
- name: |
    3.4.1 Ensure DCCP is disabled (Not Scored)
    3.4.2 Ensure SCTP is disabled (Not Scored)
  when:
    - ansible_virtualization_type != "docker"
    - ansible_virtualization_type != "kvm"
  # Ships the modprobe drop-in that keeps the uncommon network protocols
  # from being loaded.
  # NOTE(review): a modprobe.d entry only affects future module loads; a
  # module that is already loaded stays resident until unloaded or reboot.
  copy:
    src: files/etc/modprobe.d/nasa_cis_np.conf
    dest: /etc/modprobe.d/nasa_cis_np.conf
    owner: root
    group: root
    mode: "0644"
  tags:
    - section03-1
    - section03
    - level1
    - section3.4.1
    - section3.4.2
- name: 3.5.1.1 Ensure firewalld is installed (Scored)
  when:
    - ansible_virtualization_type != "docker"
    - ansible_virtualization_type != "kvm"
  # firewalld is the host firewall used by the rest of section 3.5; the
  # package must be present before the service and zone tasks run.
  zypper:
    name: firewalld
    state: present
  tags:
    - section03-1
    - section03
    - level1
    - section3.5.1.1
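- name: |
    3.5.1.2 Ensure iptables-services package is not installed (Scored)
    3.5.1.3 Ensure nftables is not installed or stopped and masked (Scored)
  # Both conflicting firewall packages are removed in one transaction. The
  # package names are given as an explicit YAML list so that the second name
  # cannot be folded into the first as one multi-line plain scalar, which
  # zypper would then treat as a single (non-existent) package name.
  zypper:
    name:
      - iptables-services
      - nftables
    state: absent
  # Tagged with both CIS items the task implements, matching the other
  # multi-item tasks in this file.
  tags:
    - section03-1
    - section03
    - level1
    - section3.5.1.2
    - section3.5.1.3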
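- name: 3.5.1.4 Ensure firewalld service is enabled and running (Scored)
  # The CIS item requires the service to be both enabled at boot and running
  # now; `state: started` is needed because `enabled` alone leaves the
  # firewall stopped until the next reboot, and the following firewall-cmd
  # task needs a running daemon to talk to.
  systemd:
    name: firewalld
    enabled: true
    state: started
  when:
    - ansible_virtualization_type != "docker"
    - ansible_virtualization_type != "kvm"
  tags:
    - section03-1
    - section03
    - level1
    - section3.5.1.4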
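- name: 3.5.1.5 Ensure default deny firewall policy (Scored)
  # Makes the "drop" zone the default so that traffic on interfaces without
  # an explicit zone is silently discarded. The full option name
  # --set-default-zone is used rather than an abbreviated form so the task
  # does not depend on the CLI accepting option prefixes.
  command: firewall-cmd --set-default-zone=drop
  args:
    # NOTE(review): `warn` was removed from the command module in
    # ansible-core 2.14; drop this argument when the role moves to that release.
    warn: false
  register: firewalld_default_zone
  # firewall-cmd exits 0 and reports ZONE_ALREADY_SET on stderr when the
  # default zone is already "drop"; treat that case as unchanged so the task
  # is idempotent in reports.
  changed_when: "'ZONE_ALREADY_SET' not in firewalld_default_zone.stderr"
  when:
    - ansible_virtualization_type != "docker"
    - ansible_virtualization_type != "kvm"
  tags:
    - section03-1
    - section03
    - level1
    - section3.5.1.5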
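- name: 3.5.1.6 Ensure firewall rules exist for all open ports (Scored)
  # Permits SSH in the "drop" zone that the previous task made the default.
  # `permanent` only writes the persistent configuration; `immediate` also
  # applies the rule to the running firewall, so new SSH sessions are not
  # dropped between this play and the next firewalld reload.
  # NOTE(review): the default zone is switched to "drop" before this rule
  # exists; consider ordering this task ahead of 3.5.1.5 to avoid a window
  # in which new SSH connections are refused.
  firewalld:
    zone: drop
    service: ssh
    permanent: true
    immediate: true
    state: enabled
  when:
    - ansible_virtualization_type != "docker"
    - ansible_virtualization_type != "kvm"
  tags:
    - section03-1
    - section03
    - level1
    - section3.5.1.6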