From 53561fbf0805b7dcee8e6389a8c3573c8849db08 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 8 Apr 2026 13:51:01 +0100
Subject: [PATCH] Improved mask logic and package names

Signed-off-by: Mark Bolwell
---
 tasks/section_2/cis_2.1.x.yml | 24 ++++++++++++------------
 tasks/section_3/cis_3.1.x.yml | 4 ++--
 tasks/section_6/cis_6.2.2.1.x.yml | 4 ++--
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
index 3db8f6d..548ec2b 100644
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@@ -93,8 +93,8 @@
 notify: Systemd daemon reload
 ansible.builtin.systemd:
 name: "{{ item }}"
- enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
- state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
+ enabled: "{{ ('dhcp-server' in ansible_facts.packages) | ternary(false, omit) }}"
+ state: "{{ ('dhcp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
 masked: true
 loop:
 - dhcpd.service
@@ -252,8 +252,8 @@
 notify: Systemd daemon reload
 ansible.builtin.systemd:
 name: "{{ item }}"
- enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
- state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
+ enabled: "{{ ('dovecot' in ansible_facts.packages) | ternary(false, omit) }}"
+ state: "{{ ('dovecot' in ansible_facts.packages) | ternary('stopped', omit) }}"
 masked: true
 loop:
 - "dovecot.socket"
@@ -347,8 +347,8 @@
 notify: Systemd daemon reload
 ansible.builtin.systemd:
 name: "{{ item }}"
- enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
- state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
+ enabled: "{{ ('cups' in ansible_facts.packages) | ternary(false, omit) }}"
+ state: "{{ ('cups' in ansible_facts.packages) | ternary('stopped', omit) }}"
 masked: true
 loop:
 - "cups.socket"
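Review bot: In the first hunk (`@@ -93,8 +93,8 @@`, dhcpd), when `dhcp-server` is not in `ansible_facts.packages` both `enabled` and `state` are omitted and only `masked: true` is applied, and masking a unit does not stop an instance that is already running. A unit that ships under a different package name, or was installed outside the package manager, would therefore keep running until the next reboot even though the task completes without error. The same pattern is in the dovecot, cups, rpcbind, rsync-daemon and tftp-server hunks, and in the bluetooth and systemd-journal-remote hunks, where the stop and disable were unconditional before this commit. I would record the assumption above the module call, for example `# state/enabled are skipped when the package is absent; mask alone does not stop a running unit`, or key the decision on whether the unit is loaded rather than on the package name. The tasks begin and the loops continue outside the hunks.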
@@ -381,8 +381,8 @@
 notify: Systemd daemon reload
 ansible.builtin.systemd:
 name: "{{ item }}"
- enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
- state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
+ enabled: "{{ ('rpcbind' in ansible_facts.packages) | ternary(false, omit) }}"
+ state: "{{ ('rpcbind' in ansible_facts.packages) | ternary('stopped', omit) }}"
 masked: true
 loop:
 - rpcbind.service
@@ -415,8 +415,8 @@
 notify: Systemd daemon reload
 ansible.builtin.systemd:
 name: "{{ item }}"
- enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
- state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
+ enabled: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary(false, omit) }}"
+ state: "{{ ('rsync-daemon' in ansible_facts.packages) | ternary('stopped', omit) }}"
 masked: true
 loop:
 - 'rsyncd.socket'
@@ -509,8 +509,8 @@
 notify: Systemd daemon reload
 ansible.builtin.systemd:
 name: "{{ item }}"
- enabled: "{{ (item in ansible_facts.packages) | ternary(false, omit) }}"
- state: "{{ (item in ansible_facts.packages) | ternary('stopped', omit) }}"
+ enabled: "{{ ('tftp-server' in ansible_facts.packages) | ternary(false, omit) }}"
+ state: "{{ ('tftp-server' in ansible_facts.packages) | ternary('stopped', omit) }}"
 masked: true
 loop:
 - 'tftp.socket'
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index b6bff9d..3f4b2df 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@@ -105,6 +105,6 @@
 notify: Systemd daemon reload
 ansible.builtin.systemd:
 name: bluetooth.service
- enabled: false
- state: stopped
+ enabled: "{{ ('bluez' in ansible_facts.packages) | ternary(false, omit) }}"
+ state: "{{ ('bluez' in ansible_facts.packages) | ternary('stopped', omit) }}"
 masked: true
diff --git a/tasks/section_6/cis_6.2.2.1.x.yml b/tasks/section_6/cis_6.2.2.1.x.yml
index aa2415d..dfb8350 100644
--- a/tasks/section_6/cis_6.2.2.1.x.yml
+++ b/tasks/section_6/cis_6.2.2.1.x.yml
@@ -72,8 +72,8 @@
 - NIST800-53R5_AU-12
 ansible.builtin.systemd:
 name: "{{ item }}"
- state: stopped
- enabled: false
+ state: "{{ ('systemd-journal-remote' in ansible_facts.packages) | ternary('stopped', omit) }}"
+ enabled: "{{ ('systemd-journal-remote' in ansible_facts.packages) | ternary(false, omit) }}"
 masked: true
 loop:
 - systemd-journal-remote.socket
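Review bot: The new `state` and `enabled` expressions in this hunk depend on `ansible_facts.packages`, which reflects only the most recent `package_facts` run, and nothing visible here shows when that runs relative to this task. If an earlier task in the same play installs or removes `systemd-journal-remote`, the stale fact selects the wrong branch: either the stop and disable are skipped, or the module is asked to stop a unit that may no longer exist. A comment on the task such as `# relies on package_facts gathered after any package changes in this play` would document the ordering requirement; the other hunks in this commit use the same expression. The task's name and conditions, and the rest of the loop, are outside the hunk.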