lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2024-07-24 14:00:00 +01:00
parent aa0f4d0f6d
commit f1c4d96412
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
18 changed files with 578 additions and 835 deletions


@ -297,14 +297,14 @@
failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ] failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ]
register: discovered_fs_modules_loaded register: discovered_fs_modules_loaded
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Output Warning" - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Output Warning"
when: discovered_fs_modules_loaded.stdout | length > 0 when: discovered_fs_modules_loaded.stdout | length > 0
ansible.builtin.debug: ansible.builtin.debug:
msg: | msg: |
"Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task "Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task
{{ discovered_fs_modules_loaded.stdout_lines}}" {{ discovered_fs_modules_loaded.stdout_lines}}"
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning" - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning"
when: discovered_fs_modules_loaded.stdout | length > 0 when: discovered_fs_modules_loaded.stdout | length > 0
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml


@ -86,4 +86,3 @@
group: root group: root
mode: '0644' mode: '0644'
notify: Systemd restart tmp.mount notify: Systemd restart tmp.mount


@ -12,8 +12,8 @@
- rule_1_1_2.3.1 - rule_1_1_2.3.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
vars: vars:
warn_control_id: '1.1.2.3.1' warn_control_id: '1.1.2.3.1'
required_mount: '/home' required_mount: '/home'
block: block:
- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Absent" - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Absent"
ansible.builtin.debug: ansible.builtin.debug:
@ -40,7 +40,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
ansible.builtin.mount: ansible.posix.mount:
name: /home name: /home
src: "{{ item.device }}" src: "{{ item.device }}"
fstype: "{{ item.fstype }}" fstype: "{{ item.fstype }}"
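Review bot: `ansible.posix.mount` resolves only when the `ansible.posix` collection is installed, so the role's collection requirements (meta dependencies or the requirements file) must list it, otherwise every mount task now fails with an unresolved module instead of the previous `ansible.builtin.mount` error. The same one-line module change is made in the /var, /var/tmp, /var/log and /var/log/audit sections below; this note covers all of them. Whether the commit's other files already declare the collection cannot be seen from these hunks.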


@ -25,8 +25,8 @@
# skips if mount is absent # skips if mount is absent
- name: | - name: |
"1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition
"1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" 1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition"
when: when:
- item.mount == "/var" - item.mount == "/var"
- rhel9cis_rule_1_1_2_4_2 or - rhel9cis_rule_1_1_2_4_2 or
@ -40,7 +40,7 @@
- rule_1_1_2.4.3 - rule_1_1_2.4.3
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
ansible.builtin.mount: ansible.posix.mount:
name: /var name: /var
src: "{{ item.device }}" src: "{{ item.device }}"
fstype: "{{ item.fstype }}" fstype: "{{ item.fstype }}"


@ -26,9 +26,9 @@
# skips if mount is absent # skips if mount is absent
- name: | - name: |
"1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition
"1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" 1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition
"1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" 1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition"
when: when:
- item.mount == "/var/tmp" - item.mount == "/var/tmp"
- rhel9cis_rule_1_1_2_5_2 or - rhel9cis_rule_1_1_2_5_2 or
@ -44,7 +44,7 @@
- rule_1_1_2.5.4 - rule_1_1_2.5.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
ansible.builtin.mount: ansible.posix.mount:
name: /var/tmp name: /var/tmp
src: "{{ item.device }}" src: "{{ item.device }}"
fstype: "{{ item.fstype }}" fstype: "{{ item.fstype }}"


@ -12,8 +12,8 @@
- rule_1_1_2.6.1 - rule_1_1_2.6.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
vars: vars:
warn_control_id: '1.1.2.6.1' warn_control_id: '1.1.2.6.1'
required_mount: '/var/log' required_mount: '/var/log'
block: block:
- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
ansible.builtin.debug: ansible.builtin.debug:
@ -24,9 +24,9 @@
file: warning_facts.yml file: warning_facts.yml
- name: | - name: |
"1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition
"1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" 1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition
"1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" 1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition"
when: when:
- item.mount == "/var/log" - item.mount == "/var/log"
- rhel9cis_rule_1_1_2_6_2 or - rhel9cis_rule_1_1_2_6_2 or
@ -42,7 +42,7 @@
- rule_1_1_2.6.4 - rule_1_1_2.6.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
ansible.builtin.mount: ansible.posix.mount:
name: /var/log name: /var/log
src: "{{ item.device }}" src: "{{ item.device }}"
fstype: "{{ item.fstype }}" fstype: "{{ item.fstype }}"


@ -24,19 +24,9 @@
file: warning_facts.yml file: warning_facts.yml
- name: | - name: |
"1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition
"1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" 1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition
"1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" 1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition"
ansible.builtin.mount:
name: /var/log/audit
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_7_4 %}noexec{% endif %}
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
notify: Change_requires_reboot
when: when:
- item.mount == "/var/log/audit" - item.mount == "/var/log/audit"
- rhel9cis_rule_1_1_2_7_2 or - rhel9cis_rule_1_1_2_7_2 or
@ -52,3 +42,13 @@
- rule_1_1_2.7.4 - rule_1_1_2.7.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
ansible.posix.mount:
name: /var/log/audit
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_7_4 %}noexec{% endif %}
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
notify: Change_requires_reboot


@ -1,78 +0,0 @@
---
- name: "1.3.1 | PATCH | Ensure AIDE is installed"
block:
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Install AIDE"
ansible.builtin.package:
name: aide
state: present
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Build AIDE DB"
ansible.builtin.shell: /usr/sbin/aide --init
args:
creates: /var/lib/aide/aide.db.new.gz
when: not ansible_check_mode
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Wait for file before continuing"
ansible.builtin.wait_for:
path: /var/lib/aide/aide.db.new.gz
- name: "1.3.1 | PATCH | Ensure AIDE is installed | copy AIDE DB"
ansible.builtin.copy:
src: /var/lib/aide/aide.db.new.gz
dest: /var/lib/aide/aide.db.gz
remote_src: true
when:
- rhel9cis_config_aide
- rhel9cis_rule_1_3_1
tags:
- level1-server
- level1-workstation
- aide
- patch
- rule_1.3.1
- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
ansible.builtin.cron:
name: Run AIDE integrity check
cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}"
user: "{{ rhel9cis_aide_cron['cron_user'] }}"
minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}"
hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}"
day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}"
month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}"
weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}"
job: "{{ rhel9cis_aide_cron['aide_job'] }}"
when:
- rhel9cis_rule_1_3_2
- not system_is_ec2
tags:
- level1-server
- level1-workstation
- aide
- file_integrity
- patch
- rule_1.3.2
- name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
ansible.builtin.blockinfile:
path: /etc/aide.conf
marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown"
block: |
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
validate: aide -D --config %s
when:
- rhel9cis_rule_1_3_3
- not system_is_ec2
tags:
- level1-server
- level1-workstation
- aide
- file_integrity
- patch
- rule_1.3.3


@ -15,8 +15,8 @@
msg: "Captured in prelim to ensure not LEGACY. Runs handler to update" msg: "Captured in prelim to ensure not LEGACY. Runs handler to update"
changed_when: true changed_when: true
notify: notify:
- Update Crypto Policy - Update Crypto Policy
- Set Crypto Policy - Set Crypto Policy
- name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration" - name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration"
when: when:
@ -36,7 +36,7 @@
state: absent state: absent
notify: Restart sshd notify: Restart sshd
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support" - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | Add submodule exclusion"
when: when:
- rhel9cis_rule_1_6_3 - rhel9cis_rule_1_6_3
- "'NO-SHA1' not in rhel9cis_crypto_policy_module" - "'NO-SHA1' not in rhel9cis_crypto_policy_module"
@ -49,7 +49,7 @@
- rule_1.6.3 - rule_1.6.3
- NIST800-53R5_SC-6 - NIST800-53R5_SC-6
block: block:
- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | Add submodule exclusion" - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support"
ansible.builtin.template: ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 src: etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
@ -92,7 +92,6 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-WEAKMAC' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-WEAKMAC' }}"
- name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh" - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh"
when: when:
- rhel9cis_rule_1_6_5 - rhel9cis_rule_1_6_5
@ -124,7 +123,7 @@
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh" - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh"
when: when:
- rhel9cis_rule_1_6_6 - rhel9cis_rule_1_6_6
- "'NO-SSHCHACHA20' not in rhel9cis_crypto_policy_module" - "'NO-SSHWEAKMAC' not in rhel9cis_crypto_policy_module"
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -136,8 +135,8 @@
block: block:
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion" - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
ansible.builtin.template: ansible.builtin.template:
src: etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod.j2 src: etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod.j2
dest: /etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod
owner: root owner: root
group: root group: root
mode: '0640' mode: '0640'
@ -147,7 +146,7 @@
- name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules" - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHCHACHA20' }}" rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHWEAKMAC' }}"
- name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh" - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh"
when: when:
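Review bot: The two task names for 1.6.3 end up inverted relative to the sibling controls: the outer block's name now carries the `| Add submodule exclusion` suffix while the inner `ansible.builtin.template` task has the bare control name, whereas 1.6.6 keeps the bare name on the block and the suffix on the template task. Swap the two strings back, `- name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support"` on the block and the suffixed form on the template task, so play output stays consistent across 1.6.3–1.6.7. Separately, 1.6.6 now templates and appends `NO-SSHWEAKMAC` while its name still says it disables chacha20-poly1305; if one module is intended to cover both, a one-line comment above the task saying so would save the next reader a search, and the renamed `NO-SSHWEAKMAC.pmod.j2` template must exist among the commit's other files, which cannot be verified from this section.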


@ -51,7 +51,6 @@
mode: '0644' mode: '0644'
notify: Reload dconf notify: Reload dconf
- name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled" - name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled"
when: when:
- rhel9cis_rule_1_8_3 - rhel9cis_rule_1_8_3


@ -51,8 +51,8 @@
- not rhel9cis_avahi_mask - not rhel9cis_avahi_mask
ansible.builtin.package: ansible.builtin.package:
name: name:
- avahi-autoipd - avahi-autoipd
- avahi - avahi
state: absent state: absent
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Mask service" - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Mask service"
@ -255,8 +255,8 @@
- not rhel9cis_message_mask - not rhel9cis_message_mask
ansible.builtin.package: ansible.builtin.package:
name: name:
- dovecot - dovecot
- cyrus-imapd - cyrus-imapd
state: absent state: absent
- name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service" - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service"
@ -451,32 +451,32 @@
- "'net-snmp' in ansible_facts.packages" - "'net-snmp' in ansible_facts.packages"
- rhel9cis_rule_2_1_14 - rhel9cis_rule_2_1_14
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- automation - automation
- patch - patch
- snmp - snmp
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- rule_2.1.14 - rule_2.1.14
block: block:
- name: "2.1.14 | PATCH | Ensure snmp services are not in use | Remove package" - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Remove package"
when: when:
- not rhel9cis_net_snmp_server - not rhel9cis_net_snmp_server
- not rhel9cis_net_snmp_mask - not rhel9cis_net_snmp_mask
ansible.builtin.package: ansible.builtin.package:
name: net-snmp name: net-snmp
state: absent state: absent
- name: "2.1.14 | PATCH | Ensure snmp services are not in use | Mask service" - name: "2.1.14 | PATCH | Ensure snmp services are not in use | Mask service"
when: when:
- not rhel9cis_net_snmp_server - not rhel9cis_net_snmp_server
- rhel9cis_net_snmp_mask - rhel9cis_net_snmp_mask
notify: Systemd_daemon_reload notify: Systemd_daemon_reload
ansible.builtin.systemd: ansible.builtin.systemd:
name: snmpd.service name: snmpd.service
enabled: false enabled: false
state: stopped state: stopped
masked: true masked: true
- name: "2.1.15 | PATCH | Ensure telnet server services are not in use" - name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
when: when:
@ -669,20 +669,20 @@
- name: "2.1.20 | PATCH | Ensure X window server services are not in use" - name: "2.1.20 | PATCH | Ensure X window server services are not in use"
when: when:
- not rhel9cis_xwindow_server - not rhel9cis_xwindow_server
- "'xorg-x11-server-common' in ansible_facts.packages" - "'xorg-x11-server-common' in ansible_facts.packages"
- rhel9cis_rule_2_1_20 - rhel9cis_rule_2_1_20
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- automated - automated
- patch - patch
- xwindow - xwindow
- NIST800-53R5_CM-11 - NIST800-53R5_CM-11
- rule_2.1.20 - rule_2.1.20
ansible.builtin.package: ansible.builtin.package:
name: xorg-x11-server-common name: xorg-x11-server-common
state: absent state: absent
- name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode" - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode"
when: when:


@ -2,16 +2,16 @@
- name: "SECTION | 2.1 | Special Purpose Services" - name: "SECTION | 2.1 | Special Purpose Services"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: cis_2.1.x.yml file: cis_2.1.x.yml
- name: "SECTION | 2.2 | Service Clients" - name: "SECTION | 2.2 | Service Clients"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: cis_2.2.x.yml file: cis_2.2.x.yml
- name: "SECTION | 2.3 | Time Synchronization" - name: "SECTION | 2.3 | Time Synchronization"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: cis_2.3.x.yml file: cis_2.3.x.yml
- name: "SECTION | 2.4 | Job Schedulers" - name: "SECTION | 2.4 | Job Schedulers"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: cis_2.4.x.yml file: cis_2.4.x.yml


@ -3,82 +3,93 @@
# The CIS Control wants IPv6 disabled if not in use. # The CIS Control wants IPv6 disabled if not in use.
# We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified" - name: "3.1.1 | PATCH | Ensure IPv6 status is identified"
block:
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
when: when:
- not rhel9cis_ipv6_required - not rhel9cis_ipv6_required
- rhel9cis_rule_3_1_1 - rhel9cis_rule_3_1_1
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- manual - manual
- patch - patch
- ipv6 - ipv6
- networking - networking
- rule_3.1.1 - rule_3.1.1
- NIST800-53R5_CM-7
block:
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
block:
- name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available | if wlan exists"
ansible.builtin.shell: rpm -q NetworkManager
changed_when: false
failed_when: false
check_mode: false
register: rhel_09_nmcli_available
- name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
ansible.builtin.shell: nmcli radio wifi
register: rhel_09_wifi_enabled
changed_when: rhel_09_wifi_enabled.stdout != "disabled"
failed_when: false
when: rhel_09_nmcli_available.rc == 0
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
ansible.builtin.shell: nmcli radio all off
changed_when: false
failed_when: false
when: rhel_09_wifi_enabled is changed # noqa no-handler
when: when:
- rhel9cis_rule_3_1_2 - rhel9cis_rule_3_1_2
- "'wlan' in ansible_facts.interfaces" - discover_wireless_adapters.rc == 0
tags: tags:
- level1-server - level1-server
- patch - patch
- wireless - rule_3.1.2
- rule_3.1.2 - wireless
- NIST800-53R5_CM-7
- name: "3.1.3 | PATCH | Ensure TIPC is disabled" vars:
warn_control_id: '3.1.2'
block: block:
- name: "3.1.3 | PATCH | Ensure TIPC is disabled" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool"
ansible.builtin.template: when: "'network-manager' in ansible_facts.packages"
src: "etc/modprobe.d/modprobe.conf.j2" ansible.builtin.shell: nmcli radio wifi
dest: "/etc/modprobe.d/{{ item }}.conf" changed_when: false
mode: '0600' failed_when: false
owner: root check_mode: false
group: root register: rhel9cis_3_1_2_wifi_status
loop:
- tipc
# note the item used in the template
- name: "3.1.3 | PATCH | Ensure TIPC is disabled | blacklist" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed"
ansible.builtin.lineinfile: when:
path: /etc/modprobe.d/blacklist.conf - "'network-manager' in ansible_facts.packages"
regexp: "^(#)?blacklist tipc(\\s|$)" - "'enabled' in rhel9cis_3_1_2_wifi_status.stdout"
line: "blacklist tipc" ansible.builtin.shell: nmcli radio all off
create: true changed_when: rhel9cis_3_1_2_nmcli_radio_off.rc == 0
mode: '0600' register: rhel9cis_3_1_2_nmcli_radio_off
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed"
when: "'network-manager' not in ansible_facts.packages"
ansible.builtin.debug:
msg: "Warning!! You need to disable wireless interfaces manually since network-manager is not installed"
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count"
when: "'network-manager' not in ansible_facts.packages"
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use"
when: when:
- rhel9cis_rule_3_1_3 - rhel9cis_rule_3_1_3
tags: tags:
- level2-server - level1-server
- level2-workstation - level2-workstation
- patch - patch
- tipc - bluetooth
- rule_3.1.3 - rule_3.1.3
- NIST800-53R5_CM-7
block:
- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | pkg"
when:
- not rhel9cis_bluetooth_service
- not rhel9cis_bluetooth_mask
ansible.builtin.package:
name: bluez
state: absent
- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | mask"
when:
- not rhel9cis_bluetooth_service
- rhel9cis_bluetooth_mask
notify: Systemd_daemon_reload
ansible.builtin.systemd:
name: bluetooth.service
enabled: false
state: stopped
masked: true
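Review bot: The new 3.1.2 tasks test `'network-manager' in ansible_facts.packages`, but on RHEL 9 the package is `NetworkManager` (the removed code queried `rpm -q NetworkManager`), so the package-facts key never matches, both nmcli tasks are skipped and every host falls through to the manual-warning path without the radio ever being turned off. Change the four conditions to `"'NetworkManager' in ansible_facts.packages"` / `"'NetworkManager' not in ansible_facts.packages"`. Since this is a lint commit, `nmcli radio wifi` and `nmcli radio all off` need no shell features and would satisfy ansible-lint's command-instead-of-shell rule as `ansible.builtin.command`. The outer `when: discover_wireless_adapters.rc == 0` relies on a registered variable set outside this file, presumably in prelim; it is worth confirming that task is never skipped, otherwise the conditional errors on hosts with no wireless adapter.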


@ -1,52 +1,121 @@
--- ---
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available"
block:
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | IPv6"
block:
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
when: rhel9cis_ipv6_required
when: when:
- not rhel9cis_is_router - rhel9cis_rule_3_2_1
- rhel9cis_rule_3_2_1
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- sysctl - patch
- patch - rule_3.2.1
- rule_3.2.1 - dccp
- NIST800-53R5_CM-7
- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" - NIST800-53R5_SI-4
block: block:
- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact" - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | modprobe"
ansible.builtin.set_fact: ansible.builtin.lineinfile:
rhel9cis_sysctl_update: true path: /etc/modprobe.d/dccp.conf
rhel9cis_flush_ipv4_route: true regexp: '^(#)?install dccp(\\s|$)'
- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" line: "{{ item }}"
ansible.builtin.debug: create: true
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" loop:
- install dccp /bin/true
- blacklist dccp
- name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
mode: '0600'
- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available"
when: when:
- not rhel9cis_is_router - rhel9cis_rule_3_2_2
- rhel9cis_rule_3_2_2
tags: tags:
- level1-server - level2-server
- level1-workstation - level2-workstation
- patch - patch
- sysctl - rule_3.2.2
- rule_3.2.2 - tipc
- NIST800-53R5_CM-7
- NIST800-53R5_SI-4
block:
- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available | modprobe"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/tipc.conf
regexp: '^(#)?install tipc(\\s|$)'
line: "{{ item }}"
create: true
loop:
- install tipc /bin/true
- blacklist tipc
- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist tipc(\\s|$)"
line: "blacklist tipc"
create: true
mode: '0600'
- name: "3.2.3 | PATCH | Ensure rds kernel module is not available"
when:
- rhel9cis_rule_3_2_3
tags:
- level2-server
- level2-workstation
- patch
- rule_3.2.3
- rds
- NIST800-53R5_CM-7
- NIST800-53R5_SI-4
block:
- name: "3.2.3 | PATCH | Ensure rds kernel module is not available | modprobe"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/rds.conf
regexp: '^(#)?install rds(\\s|$)'
line: "{{ item }}"
create: true
loop:
- install rds /bin/true
- blacklist rds
- name: "3.2.3 | PATCH | Ensure rds kernel module is not available | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist rds(\\s|$)"
line: "blacklist rds"
create: true
mode: '0600'
- name: "3.2.4 | PATCH | Ensure sctp kernel module is not available"
when:
- rhel9cis_rule_3_2_4
tags:
- level2-server
- level2-workstation
- patch
- rule_3.2.4
- sctp
- NIST800-53R5_CM-7
- NIST800-53R5_SI-4
block:
- name: "3.2.4 | PATCH | Ensure sctp kernel module is not available | modprobe"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/sctp.conf
regexp: '^(#)?install sctp(\\s|$)'
line: "{{ item }}"
create: true
loop:
- install sctp /bin/true
- blacklist sctp
- name: "3.2.4 | PATCH | Ensure sctp kernel module is not available | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist sctp(\\s|$)"
line: "blacklist sctp"
create: true
mode: '0600'
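Review bot: The 3.2.1 blacklist task writes `blacklist cramfs` into /etc/modprobe.d/blacklist.conf for the dccp control; the regexp and line were carried over from the cramfs task and should read `regexp: "^(#)?blacklist dccp(\\s|$)"` and `line: "blacklist dccp"`, otherwise dccp is never blacklisted there. Separately, the four modprobe tasks (dccp, tipc, rds, sctp) loop two different lines through one `install <module>` regexp written in single quotes, where `\\s` reaches the regex as a literal backslash, so the pattern never matches and the second iteration appends instead of replacing; if that quoting is ever corrected, the `blacklist <module>` iteration would then overwrite the `install <module> /bin/true` line. A per-item regexp fixes both, and brings `mode` in line with the blacklist task; the dccp task is shown below and the same shape applies to the tipc, rds and sctp tasks.
```yaml
- name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | modprobe"
  ansible.builtin.lineinfile:
    path: /etc/modprobe.d/dccp.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    create: true
    mode: '0600'
  loop:
    - regexp: '^(#)?install dccp(\s|$)'
      line: 'install dccp /bin/true'
    - regexp: '^(#)?blacklist dccp(\s|$)'
      line: 'blacklist dccp'
# … unchanged: 3.2.1 blacklist task (with dccp in place of cramfs), 3.2.2–3.2.4 …
```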


@ -1,194 +1,306 @@
--- ---
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled"
block:
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6"
block:
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
when: rhel9cis_ipv6_required
when: when:
- rhel9cis_rule_3_3_1 - not rhel9cis_is_router
- rhel9cis_rule_3_3_1
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- sysctl - sysctl
- patch - patch
- rule_3.3.1 - rule_3.3.1
- NIST800-53R5_CM-1
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" - NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block: block:
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact" - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_sysctl_update: true rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true rhel9cis_flush_ipv4_route: true
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4" - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv6"
block: when: rhel9cis_ipv6_required
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" block:
ansible.builtin.set_fact: - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
rhel9cis_flush_ipv6_route: true ansible.builtin.set_fact:
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
when: rhel9cis_ipv6_required
when:
- rhel9cis_rule_3_3_2
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.2
- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
block:
- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
when:
- rhel9cis_rule_3_3_3
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.3
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
block:
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
when:
- rhel9cis_rule_3_3_4
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.4
- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
block:
- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
when:
- rhel9cis_rule_3_3_5
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.5
- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
block:
- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
when:
- rhel9cis_rule_3_3_6
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.6
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
block:
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
when:
- rhel9cis_rule_3_3_7
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.7
- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
block:
- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
when:
- rhel9cis_rule_3_3_8
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.8
- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
block:
- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true rhel9cis_flush_ipv6_route: true
- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6" - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl" msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.2 | PATCH | Ensure packet redirect sending is disabled"
when: when:
- rhel9cis_ipv6_required - not rhel9cis_is_router
- rhel9cis_rule_3_3_9 - rhel9cis_rule_3_3_2
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- sysctl - patch
- patch - sysctl
- rule_3.3.9 - rule_3.3.2
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.2 | PATCH | Ensure packet redirect sending is disabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
when:
- rhel9cis_rule_3_3_3
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.3
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
when:
- rhel9cis_rule_3_3_4
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.4
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: 3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
when:
- rhel9cis_rule_3_3_5
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.5
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
when:
- rhel9cis_rule_3_3_6
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.6
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv4"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
when:
- rhel9cis_rule_3_3_7
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.7
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted"
when:
- rhel9cis_rule_3_3_8
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.8
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv4"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv6"
when: rhel9cis_ipv6_required
block:
- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_flush_ipv6_route: true
- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
- name: "3.3.9 | PATCH | Ensure suspicious packets are logged"
when:
- rhel9cis_rule_3_3_9
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.9
- NIST800-53R5_AU-3
block:
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
when:
- rhel9cis_rule_3_3_10
tags:
- level1-server
- level1-workstation
- sysctl
- patch
- rule_3.3.10
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted"
when:
- rhel9cis_ipv6_required
- rhel9cis_rule_3_3_11
tags:
- level2-server
- level2-workstation
- sysctl
- patch
- rule_3.3.11
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv6_route: true
- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl"
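Review bot: The two tasks inside the 3.3.9 block still carry the pre-renumbering control id, `- name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"` and `- name: "3.3.4 | PATCH | Ensure suspicious packets are logged"`, so run output and `--list-tasks` will report them under the wrong control; both should read `3.3.9 | PATCH | Ensure suspicious packets are logged …`. In the 3.3.4 block the debug task's name lost its opening quote, `- name: 3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"` parses as a plain scalar with a stray trailing `"`, and should be `- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"`. The closing 3.3.11 message names `/etc/sysctl.d/60-netipv6_sysctl` while every other IPv6 message in this file (3.3.1, 3.3.5, 3.3.6, 3.3.8) names `60-netipv6_sysctl.conf`; assuming the handler writes a single file, this path should gain the `.conf` suffix as the 3.3.1 message already did in this commit.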


@ -1,59 +0,0 @@
---
- name: "3.4.1.1 | PATCH | Ensure nftables is installed"
ansible.builtin.package:
name:
- nftables
state: present
when:
- rhel9cis_rule_3_4_1_1
- rhel9cis_firewall == 'nftables'
tags:
- level1-server
- level1-workstation
- patch
- nftables
- rule_3.4.1.1
- name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use"
block:
- name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | nftables"
ansible.builtin.systemd:
name: "{{ item }}"
masked: true
loop:
- firewalld
when:
- item in ansible_facts.packages
- rhel9cis_firewall == 'nftables'
- name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | firewalld"
ansible.builtin.systemd:
name: "{{ item }}"
masked: true
loop:
- nftables
when:
- item in ansible_facts.packages
- rhel9cis_firewall == 'firewalld'
- name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | package installed"
ansible.builtin.package:
name: "{{ rhel9cis_firewall }}"
state: installed
- name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled"
ansible.builtin.systemd:
name: "{{ rhel9cis_firewall }}"
enabled: true
state: started
when:
- rhel9cis_rule_3_4_1_2
tags:
- level1-server
- level1-workstation
- patch
- firewalld
- nftables
- rule_3.4.1.2


@ -1,301 +0,0 @@
---
- name: "3.4.2.1 | PATCH | Ensure firewalld default zone is set"
block:
- name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set"
ansible.builtin.shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}"
changed_when: false
failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] )
register: firewalld_zone_set
- name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set"
ansible.builtin.command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
when: firewalld_zone_set.rc != 0
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_2_1
tags:
- level1-server
- level1-workstation
- patch
- firewalld
- rule_3.4.2.1
- name: "3.4.2.2 | AUDIT | Ensure at least one nftables table exists"
block:
- name: "3.4.2.2 | AUDIT | Ensure a table exists | Check for tables"
ansible.builtin.command: nft list tables
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_2_nft_tables
- name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Show existing tables"
ansible.builtin.debug:
msg:
- "Below are the current nft tables, please review"
- "{{ rhel9cis_3_4_2_2_nft_tables.stdout_lines }}"
when: rhel9cis_3_4_2_2_nft_tables.stdout | length > 0
- name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables"
ansible.builtin.debug:
msg:
- "Warning!! You currently have no nft tables, please review your setup"
- 'Use the command "nft create table inet <table name>" to create a new table'
when:
- rhel9cis_3_4_2_2_nft_tables.stdout | length == 0
- not rhel9cis_nft_tables_autonewtable
- name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- rhel9cis_3_4_2_2_nft_tables.stdout | length == 0
- not rhel9cis_nft_tables_autonewtable
- name: "3.4.2.2 | PATCH | Ensure a table exists | Create table if needed"
ansible.builtin.command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}"
failed_when: false
when: rhel9cis_nft_tables_autonewtable
vars:
warn_control_id: '3.4.2.2'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_2
tags:
- level1-server
- level1-workstation
- patch
- nftables
- rule_3.4.2.2
- name: "3.4.2.3 | PATCH | Ensure nftables base chains exist"
block:
- name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT"
ansible.builtin.shell: nft list ruleset | grep 'hook input'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_3_input_chains
- name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD"
ansible.builtin.shell: nft list ruleset | grep 'hook forward'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_3_forward_chains
- name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT"
ansible.builtin.shell: nft list ruleset | grep 'hook output'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_3_output_chains
- name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Display chains for review"
ansible.builtin.debug:
msg:
- "Below are the current INPUT chains"
- "{{ rhel9cis_3_4_2_3_input_chains.stdout_lines }}"
- "Below are the current FORWARD chains"
- "{{ rhel9cis_3_4_2_3_forward_chains.stdout_lines }}"
- "Below are teh current OUTPUT chains"
- "{{ rhel9cis_3_4_2_3_output_chains.stdout_lines }}"
when: not rhel9cis_nft_tables_autochaincreate
- name: "3.4.2.3 | PATCH | Ensure nftables base chains exist | Create chains if needed"
ansible.builtin.shell: "{{ item }}"
failed_when: false
loop:
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; }
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; }
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; }
when: rhel9cis_nft_tables_autochaincreate
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_3
tags:
- level1-server
- level1-workstation
- patch
- nftables
- rule_3.4.2.3
- name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured"
block:
- name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather iif lo accept existence | nftables"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_4_iiflo
- name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather ip saddr existence | nftables"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_4_ipsaddr
- name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather ip6 saddr existence | nftables"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_4_ip6saddr
- name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set iif lo accept rule | nftables"
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
when: '"iif \"lo\" accept" not in rhel9cis_3_4_2_4_iiflo.stdout'
- name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set ip sddr rule | nftables"
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_4_ipsaddr.stdout'
- name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set ip6 saddr rule | nftables"
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_4_ip6saddr.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_4
tags:
- level1-server
- level1-workstation
- patch
- nftables
- rule_3.4.2.4
- name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | firewalld"
ansible.posix.firewalld:
rich_rule: "{{ item }}"
zone: "{{ rhel9cis_default_zone }}"
permanent: true
immediate: true
state: enabled
loop:
- rule family="ipv4" source address="127.0.0.1" destination not address="127.0.0.1" drop
- rule family="ipv6" source address="::1" destination not address="::1" drop
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_2_4
tags:
- level1-server
- level1-workstation
- patch
- nftables
- rule_3.4.2.4
- name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports"
block:
- name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports"
ansible.builtin.shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done"
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_3_4_2_5_servicesport
- name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
ansible.builtin.debug:
msg:
- "The items below are the services and ports that are accepted, please correct as needed"
- "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines }}"
when:
- rhel9cis_rule_3_4_2_5
- rhel9cis_firewall == "firewalld"
tags:
- level1-server
- level1-workstation
- manual
- audit
- rule_3.4.2.5
- name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured"
block:
- name: "3.4.2.6 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_6_inconnectionrule
- name: "3.4.2.6| AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules"
ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false
failed_when: false
register: rhel9cis_3_4_2_6_outconnectionrule
- name: "3.4.2.6| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy"
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout'
- name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy"
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout'
- name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy"
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout'
- name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy"
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout'
- name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy"
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout'
- name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy"
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_6
tags:
- level1-server
- level1-workstation
- patch
- nftables
- rule_3.4.2.6
- name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy"
block:
- name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input'
failed_when: false
changed_when: false
register: rhel9cis_3_4_2_7_inputpolicy
- name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward'
failed_when: false
changed_when: false
register: rhel9cis_3_4_2_7_forwardpolicy
- name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output'
failed_when: false
changed_when: false
register: rhel9cis_3_4_2_7_outputpolicy
- name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh'
failed_when: false
changed_when: false
register: rhel9cis_3_4_2_7_sshallowcheck
- name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
when: '"tcp dport ssh accept" not in rhel9cis_3_4_2_7_sshallowcheck.stdout'
- name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_2_7_inputpolicy.stdout'
- name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_2_7_forwardpolicy.stdout'
- name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_7_outputpolicy.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_7
tags:
- level1-server
- level1-workstation
- patch
- nftables
- rule_3.4.2.7


@ -1,21 +1,13 @@
--- ---
- name: "SECTION | 3.1.x | Disable unused network protocols and devices" - name: "SECTION | 3.1.x | Configure Network Devices"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: cis_3.1.x.yml file: cis_3.1.x.yml
- name: "SECTION | 3.2.x | Network Parameters (Host Only)" - name: "SECTION | 3.2.x | Configure Network Kernel Modules"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: cis_3.2.x.yml file: cis_3.2.x.yml
- name: "SECTION | 3.3.x | Network Parameters (host and Router)" - name: "SECTION | 3.3.x | Configure Network Kernel Parameters"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: cis_3.3.x.yml file: cis_3.3.x.yml
- name: "SECTION | 3.4.1.x | Firewall configuration"
ansible.builtin.import_tasks:
file: cis_3.4.1.x.yml
- name: "SECTION | 3.4.2.x | Configure firewall"
ansible.builtin.import_tasks:
file: cis_3.4.2.x.yml
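Review bot: Dropping the `SECTION | 3.4.1.x` and `SECTION | 3.4.2.x` imports removes the firewall controls (nftables/firewalld selection, default zone, base chains, loopback handling, default-deny policy) from this section list along with the deleted task files, and nothing in this section shows where they now run. If those controls were relocated in one of the other changed files, this list should import the new file so the 3.4.x coverage is not silently lost; if the removal is intentional, a one-line comment above the 3.3.x entry such as `# 3.4.x firewall controls: see <relocated task file>` would save the next reader from the same question.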