ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 14:27:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #54 from ansible-lockdown/benchmark_v2.0.0

Browse source 
Benchmark v2.0.0 Sync
This commit is contained in:
Frederick Witty 2025-12-24 10:11:45 -05:00 committed by GitHub
commit 67b411400e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 27 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Changelog.md
View file

@ -1,5 +1,8 @@
# Changes to rhel9CIS # Changes to rhel9CIS
# Based on CIS v2.0.0
Added better sysctl logic to disable IPv6
Added option to disable IPv6 via sysctl (original method) or via the kernel
# Based on CIS v2.0.0 # Based on CIS v2.0.0
pre-commit udpates pre-commit udpates

4
defaults/main.yml
View file

@ -731,6 +731,10 @@ rhel9cis_bluetooth_mask: false
# This variable governs whether ipv6 is enabled or disabled. # This variable governs whether ipv6 is enabled or disabled.
rhel9cis_ipv6_required: true rhel9cis_ipv6_required: true
# 3.1.1 Disable IPv6
# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
rhel9cis_ipv6_disable_method: "sysctl"
## 3.1.2 wireless network requirements ## 3.1.2 wireless network requirements
# if wireless adapter found allow network manager to be installed # if wireless adapter found allow network manager to be installed
rhel9cis_install_network_manager: false rhel9cis_install_network_manager: false

19
tasks/section_3/cis_3.1.x.yml
View file

@ -16,15 +16,30 @@
- rule_3.1.1 - rule_3.1.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
block: block:
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template"
when: "'sysctl' in rhel9cis_ipv6_disable_method"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true rhel9cis_flush_ipv6_route: true
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info"
when: "'sysctl' in rhel9cis_ipv6_disable_method"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
- name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status"
when: "'kernel' in rhel9cis_ipv6_disable_method"
ansible.builtin.command: grubby --info=ALL
changed_when: false
failed_when: false
register: discovered_rhel9cis_3_1_1_ipv6_status
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
when:
- "'kernel' in rhel9cis_ipv6_disable_method"
- "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
when: when:
- rhel9cis_rule_3_1_2 - rhel9cis_rule_3_1_2

3
templates/etc/sysctl.d/60-disable_ipv6.conf.j2
View file

@ -4,4 +4,7 @@
{% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %} {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}
net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1
{% for interface in ansible_interfaces %}
net.ipv6.conf.{{ interface }}.disable_ipv6 = 1
{% endfor %}
{% endif %} {% endif %}