ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

added option for sysctl or kernel for disabling IPv6

Browse source 
Signed-off-by: George Nalen <georgen@mindpointgroup.com>
This commit is contained in:
George Nalen 2025-12-22 16:35:08 -05:00
parent 62989d258b
commit beb3bfdc94
No known key found for this signature in database
GPG key ID: CA43827BF7C4DEBA
2 changed files with 19 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

19
tasks/section_3/cis_3.1.x.yml
View file

@ -16,14 +16,29 @@
- rule_3.1.1
- NIST800-53R5_CM-7
block:
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
- name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Set vars for sysctl template"
when: "'sysctl' in rhel9cis_ipv6_disable_method"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable via sysctl template"
when: "'sysctl' in rhel9cis_ipv6_disable_method"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Find IPv6 status"
when: "'kernel' in rhel9cis_ipv6_disable_method"
ansible.builtin.command: grubby --info=ALL
changed_when: false
failed_when: false
register: discovered_rhel9cis_3_1_1_ipv6_status
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
when:
- "'kernel' in rhel9cis_ipv6_disable_method"
- "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
when: