Merge pull request #422 from ansible-lockdown/issue_416_fix

Issue 416 fix
This commit is contained in:
George Nalen 2025-12-23 11:10:13 -05:00 committed by GitHub
commit 8c2597e61b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 22 additions and 2 deletions


@ -802,6 +802,8 @@ rhel9cis_tftp_client: false
## Control 3.1.1 - Ensure IPv6 status is identified ## Control 3.1.1 - Ensure IPv6 status is identified
# This variable governs whether ipv6 is enabled or disabled. # This variable governs whether ipv6 is enabled or disabled.
rhel9cis_ipv6_required: true rhel9cis_ipv6_required: true
# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
rhel9cis_ipv6_disable_method: "sysctl"
## Control 3.1.2 - Ensure wireless interfaces are disabled ## Control 3.1.2 - Ensure wireless interfaces are disabled
# if wireless adapter found allow network manager to be installed # if wireless adapter found allow network manager to be installed
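Review bot: The comment added above the new variable names it `rhel9cis_ipv6_disable` while the key it describes is `rhel9cis_ipv6_disable_method`, and it does not say which values are accepted or that the kernel method is not effective until reboot. Suggested replacement: `# rhel9cis_ipv6_disable_method: how IPv6 is disabled when rhel9cis_ipv6_required is false. "sysctl" writes /etc/sysctl.d/60-disable_ipv6.conf; "kernel" adds ipv6.disable=1 to the kernel command line via grubby and only takes effect after a reboot.` Because the tasks pick the implementation with a substring test (`'sysctl' in ...` / `'kernel' in ...`), any other value silently applies neither method, so spelling the two allowed values out here is the only place a user is told what the variable takes.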


@ -16,15 +16,30 @@
- rule_3.1.1 - rule_3.1.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
block: block:
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template"
when: "'sysctl' in rhel9cis_ipv6_disable_method"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true rhel9cis_flush_ipv6_route: true
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info"
when: "'sysctl' in rhel9cis_ipv6_disable_method"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
- name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status"
when: "'kernel' in rhel9cis_ipv6_disable_method"
ansible.builtin.command: grubby --info=ALL
changed_when: false
failed_when: false
register: discovered_rhel9cis_3_1_1_ipv6_status
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
when:
- "'kernel' in rhel9cis_ipv6_disable_method"
- "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
when: when:
- rhel9cis_rule_3_1_2 - rhel9cis_rule_3_1_2
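Review bot: The guard on the `Disable IPV6 via Kernel` task tests `grubby --info=ALL` output as a single string, so if any installed kernel entry already carries `ipv6.disable=1` the task is skipped and every other entry, including a possibly different default kernel, is left without it; test per entry instead, e.g. `discovered_rhel9cis_3_1_1_ipv6_status.stdout_lines | select('match', '^args=') | reject('search', 'ipv6.disable=1') | list | length > 0`. That task also runs `grubby --update-kernel=ALL --args="ipv6.disable=1"` through `ansible.builtin.shell` although it uses no shell features, so `ansible.builtin.command` is the right module and keeps the arguments away from a shell parser. The method selection on `'sysctl' in rhel9cis_ipv6_disable_method` is a substring match, so a value such as `sysctls` or `none` applies neither branch without any error; an `ansible.builtin.assert` that the value is `sysctl` or `kernel` at the top of the block would fail loudly instead. The kernel argument only takes effect after a reboot and nothing in the new tasks records that, so on the kernel path IPv6 stays enabled until the host is rebooted; the enclosing block's `when` begins before this hunk, so I cannot confirm it also checks `rhel9cis_ipv6_required` for the new tasks.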


@ -4,4 +4,7 @@
{% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %} {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}
net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1
{% for interface in ansible_interfaces %}
net.ipv6.conf.{{ interface }}.disable_ipv6 = 1
{% endfor %}
{% endif %} {% endif %}
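Review bot: The per-interface loop added at `net.ipv6.conf.{{ interface }}.disable_ipv6 = 1` produces an unusable key for interface names that contain a dot (VLAN sub-interfaces such as `eth0.100`), because sysctl treats the dot as a key separator and cannot resolve the key; write the name with the dot replaced by a slash, `net.ipv6.conf.{{ interface | replace('.', '/') }}.disable_ipv6 = 1`, which is the form sysctl accepts for such names. The loop also depends on `ansible_interfaces`, which only exists when facts have been gathered, so the template fails to render when the role runs with fact gathering disabled; a short comment above the loop, `{# per-interface entries; requires gathered facts (ansible_interfaces) #}`, would make that dependency visible. The `{% if %}` wrapping this hunk starts inside it, so the gating on `rhel9cis_ipv6_required` is visible, but the rest of the template is not.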