Logic updates to 2.1.x

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell
2026-04-08 12:50:09 +01:00
parent 188040f1e3
commit 2d4abf7d72
2 changed files with 39 additions and 36 deletions
+1
@@ -13,6 +13,7 @@
- #79 root password check
- bootloader update rule 1.4.1 thanks to @skullbringer in the discord community
- 7.1.12 and 7.1.13 - fixed logic and ordering
- 2.1.x improved logic for stopped/disable/masked
# 1.0.1 - March 26 updates
- Common file updates
+38 -36
@@ -26,6 +26,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: autofs.service
enabled: "{{ ('autofs' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('autofs' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
@@ -56,8 +58,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ ('avahi-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('avahi-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- avahi-daemon.socket
@@ -89,8 +91,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- cockpit.service
@@ -122,8 +124,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- kea-dhcp-ddns.service
@@ -156,8 +158,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: named.service
enabled: false
state: stopped
enabled: "{{ ('bind' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('bind' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.6 | PATCH | Ensure dnsmasq services are not in use"
@@ -186,8 +188,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: dnsmasq.service
enabled: false
state: stopped
enabled: "{{ ('dnsmasq' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('dnsmasq' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
@@ -217,8 +219,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: vsftpd.service
enabled: false
state: stopped
enabled: "{{ ('vsftpd' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('vsftpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
@@ -251,8 +253,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- "dovecot.socket"
@@ -287,8 +289,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: nfs-server.service
enabled: false
state: stopped
enabled: "{{ ('nfs-utils' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('nfs-utils' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.10 | PATCH | Ensure print server services are not in use"
@@ -316,8 +318,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- "cups.socket"
@@ -348,8 +350,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- "rpcbind.socket"
@@ -382,8 +384,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- "rsyncd.socket"
@@ -416,8 +418,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: smb.service
enabled: false
state: stopped
enabled: "{{ ('samba' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('samba' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.14 | PATCH | Ensure snmp services are not in use"
@@ -448,8 +450,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: snmpd.service
enabled: false
state: stopped
enabled: "{{ ('net-snmp' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('net-snmp' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
@@ -481,8 +483,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: telnet.socket
enabled: false
state: stopped
enabled: "{{ ('telnet-server' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('telnet-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
@@ -513,8 +515,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: "{{ item }}"
enabled: false
state: stopped
enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
loop:
- "tftp.socket"
@@ -547,8 +549,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: squid.service
enabled: false
state: stopped
enabled: "{{ ('squid' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('squid' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
@@ -587,8 +589,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: httpd.service
enabled: false
state: stopped
enabled: "{{ ('httpd' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('httpd' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service"
@@ -599,8 +601,8 @@
notify: Systemd daemon reload
ansible.builtin.systemd:
name: nginx.service
enabled: false
state: stopped
enabled: "{{ ('nginx' in ansible_facts.packages) | ternary(false, omit) }}"
state: "{{ ('nginx' in ansible_facts.packages) | ternary('stopped', omit) }}"
masked: true
- name: "2.1.19 | PATCH | Ensure GNOME Display Manager is removed"
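Review bot: In the looped tasks (the hunks whose loops start with cockpit.service, kea-dhcp-ddns.service, dovecot.socket, cups.socket, rpcbind.socket, rsyncd.socket and tftp.socket), `item in ansible_facts.packages` tests a systemd unit name against a dict keyed by package name. A name ending in `.service` or `.socket` will not match, so `enabled` and `state` are always omitted and only `masked: true` is applied. Masking alone does not stop a unit that is already running, so a listening service would stay up until the next reboot, where the old `state: stopped` stopped it at once. Use the literal package name as the avahi hunk does, for example `enabled: "{{ ('cockpit' in ansible_facts.packages) | ternary(false, omit) }}"` with the matching `state` line. Each task begins outside its hunk, so confirm that its `when` condition and the package_facts gathering agree with the package name chosen.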