From 62989d258b5af00fd190299d002b95635e9b8284 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 19 Dec 2025 16:31:37 -0500 Subject: [PATCH 1/5] added fix to issue #416 Signed-off-by: George Nalen --- templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index bdded40..b4b5318 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -4,4 +4,7 @@ {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %} net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 +{% for interface in ansible_interfaces %} +net.ipv6.conf.{{ interface }}.disable_ipv6 = 1 +{% endfor %} {% endif %} From beb3bfdc94ea94903bb82a3cba0d89d84c7ce60f Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 22 Dec 2025 16:35:08 -0500 Subject: [PATCH 2/5] added option for sysctl or kernel for disabling IPv6 Signed-off-by: George Nalen --- defaults/main.yml | 2 ++ tasks/section_3/cis_3.1.x.yml | 19 +++++++++++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fbe81eb..2ad3eb2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -802,6 +802,8 @@ rhel9cis_tftp_client: false ## Control 3.1.1 - Ensure IPv6 status is identified # This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: true +# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel +rhel9cis_ipv6_disable: "sysctl" ## Control 3.1.2 - Ensure wireless interfaces are disabled # if wireless adapter found allow network manager to be installed diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index a20c0e9..6cd73f3 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
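Review bot: The new loop writes `net.ipv6.conf.{{ interface }}.disable_ipv6 = 1` with the interface name verbatim, so any interface whose name contains a dot (VLAN sub-interfaces, e.g. a constructed `eth0.100`) produces a key that sysctl cannot resolve, because `.` is the key separator; procps sysctl accepts `/` inside a component, so `net.ipv6.conf.{{ interface | replace('.', '/') }}.disable_ipv6 = 1` avoids an apply-time error for that entry. `ansible_interfaces` is undefined when network facts are not gathered, which would abort rendering of the whole template instead of falling back to the `all`/`default` lines that precede the loop; `{% for interface in ansible_interfaces | default([]) %}` keeps those two lines as the baseline. Interfaces created after the file is rendered (bridges, container veths) are not listed, so the `all`/`default` entries remain the only coverage for them — worth a one-line comment in the template so the loop is not mistaken for complete coverage.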
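Review bot: The comment above the new `rhel9cis_ipv6_disable` default says only "sysctl vs kernel" without stating the accepted strings or what each one changes on the host, and because it embeds the variable name it goes stale when the variable is renamed later in this series (patch 4 changes the value line and leaves this comment untouched). Suggest `# Method used to disable IPv6 when IPv6 is not required: "sysctl" (writes /etc/sysctl.d/60-disable_ipv6.conf via the sysctl handler) or "kernel" (adds ipv6.disable=1 to the kernel command line with grubby; takes effect on next boot)`. Since a value matching neither string is matched by no task in tasks/section_3/cis_3.1.x.yml, the comment should also say that any other value leaves IPv6 enabled.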
@@ -16,14 +16,29 @@ - rule_3.1.1 - NIST800-53R5_CM-7 block: - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" + - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Set vars for sysctl template" + when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.set_fact: rhel9cis_sysctl_update: true rhel9cis_flush_ipv6_route: true - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable via sysctl template" + when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" + + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Find IPv6 status" + when: "'kernel' in rhel9cis_ipv6_disable_method" + ansible.builtin.command: grubby --info=ALL + changed_when: false + failed_when: false + register: discovered_rhel9cis_3_1_1_ipv6_status + + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel" + when: + - "'kernel' in rhel9cis_ipv6_disable_method" + - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout" + ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" when: From 2b7c8293b83667c853b44df0bd2bf38217695401 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 22 Dec 2025 16:56:24 -0500 Subject: [PATCH 3/5] fixed linting issue Signed-off-by: George Nalen --- tasks/section_3/cis_3.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 6cd73f3..0c9c374 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
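Review bot: A value of `rhel9cis_ipv6_disable_method` that is neither `sysctl` nor `kernel` satisfies no `when` in the new tasks, so the control silently does nothing and the run still reports success; an `ansible.builtin.assert` on the allowed values at the top of the block makes a misconfiguration fail loudly instead. The block's `name`/`when` start above the hunk, so I cannot see whether it already gates on `not rhel9cis_ipv6_required` as the sysctl template does; if it does not, the grubby step would disable IPv6 on hosts that declared it required. The substring tests (`'kernel' in rhel9cis_ipv6_disable_method`) also accept a value such as `sysctl,kernel` and run both paths, which may or may not be intended — `==` is clearer if a single choice is meant. The `Disable IPV6 via Kernel` task uses `ansible.builtin.shell` for a command that needs no shell features; `ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1"` avoids the shell and satisfies ansible-lint. Unlike the sysctl path, the kernel argument only takes effect at the next boot and the task records nothing about that — if the role tracks a reboot-required fact, set it here (`PLACEHOLDER_REBOOT_FACT`, confirm the role's actual variable name).
```yaml
  block:
    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Validate disable method"
      ansible.builtin.assert:
        that: rhel9cis_ipv6_disable_method in ['sysctl', 'kernel']
        fail_msg: "rhel9cis_ipv6_disable_method must be 'sysctl' or 'kernel', got '{{ rhel9cis_ipv6_disable_method }}'"

    # … unchanged: sysctl set_fact/debug tasks and the grubby --info=ALL lookup …

    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
      # … unchanged: when conditions …
      ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1"
```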
@@ -26,7 +26,7 @@ when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" - + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Find IPv6 status" when: "'kernel' in rhel9cis_ipv6_disable_method" ansible.builtin.command: grubby --info=ALL From d9927f005bc09bd172c94d51096cfe2a68e386af Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 23 Dec 2025 08:42:28 -0500 Subject: [PATCH 4/5] fixed typo in disable method var Signed-off-by: George Nalen --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2ad3eb2..f620a72 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -803,7 +803,7 @@ rhel9cis_tftp_client: false # This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: true # rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel -rhel9cis_ipv6_disable: "sysctl" +rhel9cis_ipv6_disable_method: "sysctl" ## Control 3.1.2 - Ensure wireless interfaces are disabled # if wireless adapter found allow network manager to be installed From 29a48f7f4cc0c794760a0f1b4a8da2c92ac7d35d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 23 Dec 2025 09:04:42 -0500 Subject: [PATCH 5/5] updated name info for tasks related to 3.1.1 Signed-off-by: George Nalen --- tasks/section_3/cis_3.1.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 0c9c374..ff9ec46 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -16,18 +16,18 @@ - rule_3.1.1 - NIST800-53R5_CM-7 block: - - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Set vars for sysctl template" + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template" when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.set_fact: rhel9cis_sysctl_update: true rhel9cis_flush_ipv6_route: true - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable via sysctl template" + - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info" when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Find IPv6 status" + - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status" when: "'kernel' in rhel9cis_ipv6_disable_method" ansible.builtin.command: grubby --info=ALL changed_when: false