From 02c843f11067e516476bbab77c40eddeedfc3385 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 20 Jun 2022 17:05:59 +0100
Subject: [PATCH] sysctl improvements, become usage
Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 56 +++++++++++++++--------------------------------
 1 file changed, 18 insertions(+), 38 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index 08c8026..7ff5ea2 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,6 +1,11 @@
 ---
 # handlers file for RHEL9-CIS
+- name: reload sysctl
+  shell: sysctl --system
+  args:
+    warn: false
+
 - name: sysctl flush ipv4 route table
   become: true
   sysctl:
@@ -8,7 +13,9 @@
     value: '1'
     sysctl_set: true
   ignore_errors: true
-  when: ansible_virtualization_type != "docker"
+  when:
+    - flush_ipv4_route
+    - not system_is_container
   tags:
     - skip_ansible_lint
@@ -18,35 +25,9 @@
     name: net.ipv6.route.flush
     value: '1'
     sysctl_set: true
-  when: ansible_virtualization_type != "docker"
-
-- name: update sysctl
-  template:
-    src: "etc/sysctl.d/{{ item }}.j2"
-    dest: "/etc/sysctl.d/{{ item }}"
-    owner: root
-    group: root
-    mode: 0600
-  notify: reload sysctl
-  with_items:
-    - 60-kernel_sysctl.conf
-    - 60-disable_ipv6.conf
-    - 60-netipv4_sysctl.conf
-    - 60-netipv6_sysctl.conf
-  when:
-    - ansible_virtualization_type != "docker"
-    - "'procps-ng' in ansible_facts.packages"
-
-- name: reload sysctl
-  sysctl:
-    name: net.ipv4.route.flush
-    value: '1'
-    state: present
-    reload: true
-    ignoreerrors: true
-  when:
-    - ansible_virtualization_type != "docker"
-    - "'systemd' in ansible_facts.packages"
+  when:
+    - flush_ipv6_route
+    - not system_is_container
 - name: systemd restart tmp.mount
   become: true
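Review bot: The new `reload sysctl` handler runs `sysctl --system` without `become: true`, while the `sysctl flush ipv4 route table` handler two lines below it in the same hunk keeps `become: true`; applying kernel parameters needs root, so this handler will fail on any run where privilege escalation is not already set at play or role level (the commit title hints at that move, but nothing in this hunk shows it). The command uses no shell features, so `command: sysctl --system` would do the same job without the `warn: false` workaround, an argument that is deprecated and no longer accepted by recent ansible-core releases. Note also that the old `reload sysctl` handler removed in the third hunk was guarded against containers and carried `ignoreerrors`; the replacement has no `when`, so it will also run inside containers where sysctl writes are refused.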
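Review bot: The new `when` list on `sysctl flush ipv4 route table` evaluates `flush_ipv4_route` and `system_is_container` directly, so if either variable is not defined (for example when the handlers file is consumed without the role's defaults, or when the container fact is only set by a task that was skipped) the handler errors with an undefined variable instead of being skipped as the old `ansible_virtualization_type` test would have been. The same applies to `flush_ipv6_route` in the third hunk. If an unset toggle is meant to mean "skip", `- flush_ipv4_route | default(false)` and `- not (system_is_container | default(false))` make that explicit and keep the handler from failing the play.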
@@ -72,25 +53,21 @@
     warn: false
 - name: restart firewalld
-  become: true
   service:
     name: firewalld
     state: restarted
 - name: restart sshd
-  become: true
   service:
     name: sshd
     state: restarted
 - name: restart postfix
-  become: true
   service:
     name: postfix
     state: restarted
 - name: reload dconf
-  become: true
   shell: dconf update
   args:
     warn: false
@@ -102,15 +79,18 @@
     owner: root
     group: root
     mode: 0600
+  register: auditd_template_update
   notify: restart auditd
 - name: restart auditd
-  shell: /sbin/service auditd restart
-  changed_when: false
-  check_mode: false
-  failed_when: false
+  shell: service auditd restart
   args:
     warn: false
+  when:
+    - audit_rules_updated.changed or
+      rule_4_1_2_1.changed or
+      rule_4_1_2_2.changed or
+      rule_4_1_2_3.changed
   tags:
     - skip_ansible_lint
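Review bot: Removing `become: true` from the firewalld, sshd, postfix and dconf handlers leaves privilege escalation inconsistent within this file, because the `sysctl flush` handlers in the earlier hunks still carry `become: true` and the `restart auditd` handler in the next hunk has none either; restarting these services needs root just as much as writing sysctl values does. If the intent is that the caller supplies become at play or role level, the remaining per-handler `become: true` lines should be dropped in the same commit and the role's documented requirements should say so; otherwise these four lines should stay. As written, a play invoked without `become` will now have some handlers succeed and others fail on the first service restart.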
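Review bot: `register: auditd_template_update` is added to the template task but the new `when` on `restart auditd` never references it, so a changed auditd template notifies the handler and is then skipped unless one of `audit_rules_updated` or `rule_4_1_2_1..3` also changed; either the register is dead or the condition is missing `auditd_template_update.changed or`. Each bare `.changed` access also raises an undefined-variable error whenever the corresponding task was skipped or excluded by tags, so guarding them, e.g. `- (audit_rules_updated.changed | default(false)) or`, keeps a tag-limited run from failing inside a handler. Dropping `failed_when: false` means a failed `service auditd restart` now aborts the play, which may well be intended for a hardening role, but it should be a deliberate choice given the handler's `skip_ansible_lint` tag and shell invocation.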