RHEL9-CIS/tasks/section_3/cis_3.1.x.yml

---

# The CIS Control wants IPv6 disabled if not in use.
# We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified"
  when:
    - not rhel9cis_ipv6_required
    - rhel9cis_rule_3_1_1
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - ipv6
    - networking
    - rule_3.1.1
    - NIST800-53R5_CM-7
  block:
    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template"
      when: "'sysctl' in rhel9cis_ipv6_disable_method"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv6_route: true

    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info"
      when: "'sysctl' in rhel9cis_ipv6_disable_method"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"

    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status"
      when: "'kernel' in rhel9cis_ipv6_disable_method"
      ansible.builtin.command: grubby --info=ALL
      changed_when: false
      failed_when: false
      register: discovered_rhel9cis_3_1_1_ipv6_status

    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
      when:
        - "'kernel' in rhel9cis_ipv6_disable_method"
        - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
      ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"

- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
  when:
    - rhel9cis_rule_3_1_2
    - discover_wireless_adapters.rc == 0
  tags:
    - level1-server
    - patch
    - rule_3.1.2
    - wireless
    - NIST800-53R5_CM-7
  vars:
    warn_control_id: '3.1.2'
  block:
    - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool"
      when: "rhel9cis_network_manager_package_name in ansible_facts.packages"
      ansible.builtin.command: nmcli radio wifi
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_wifi_status

    - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed"
      when:
        - "rhel9cis_network_manager_package_name in ansible_facts.packages"
        - "'enabled' in discovered_wifi_status.stdout"
      ansible.builtin.command: nmcli radio all off
      changed_when: discovered_nmcli_radio_off.rc == 0
      register: discovered_nmcli_radio_off

    - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed"
      when: "rhel9cis_network_manager_package_name not in ansible_facts.packages"
      ansible.builtin.debug:
        msg: "Warning!! You need to disable wireless interfaces manually since network-manager is not installed"

    - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count"
      when: "rhel9cis_network_manager_package_name not in ansible_facts.packages"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use"
  when: rhel9cis_rule_3_1_3
  tags:
    - level1-server
    - level2-workstation
    - patch
    - bluetooth
    - rule_3.1.3
    - NIST800-53R5_CM-7
  block:
    - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | pkg"
      when:
        - not rhel9cis_bluetooth_service
        - not rhel9cis_bluetooth_mask
      ansible.builtin.package:
        name: bluez
        state: absent

    - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | mask"
      when:
        - not rhel9cis_bluetooth_service
        - rhel9cis_bluetooth_mask
      notify: Systemd daemon reload
      ansible.builtin.systemd:
        name: bluetooth.service
        enabled: false
        state: stopped
        masked: true