From fef891dc1bd8949270d53c1c7c88f63855e13b1a Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 4 Apr 2022 15:14:13 +0100
Subject: [PATCH] tidy up sysctl templates

Signed-off-by: Mark Bolwell
---
 tasks/section_3/cis_3.1.x.yml                 | 30 ++++++++------
 tasks/section_3/cis_3.2.x.yml                 | 40 +++++++------------
 tasks/section_3/cis_3.3.x.yml                 | 24 +++++------
 ...sctl.conf.j2 => 60-netipv4_sysctl.conf.j2} | 18 +--------
 .../etc/sysctl.d/60-netipv6_sysctl.conf.j2    | 21 ++++++++++
 5 files changed, 66 insertions(+), 67 deletions(-)
 rename templates/etc/sysctl.d/{99-sysctl.conf.j2 => 60-netipv4_sysctl.conf.j2} (68%)
 create mode 100644 templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2

diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index 241ec20..327ec96 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@@ -4,7 +4,7 @@
 # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use
 - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system"
   debug:
-    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
   notify:
     - update sysctl
     - sysctl flush ipv6 route table
@@ -21,12 +21,14 @@
     - rule_3.1.1
 
 - name: "3.1.2 | PATCH | Ensure SCTP is disabled"
-  lineinfile:
-    dest: /etc/modprobe.d/CIS.conf
-    regexp: "^(#)?install sctp(\\s|$)"
-    line: "install sctp /bin/true"
-    create: yes
-    mode: 0600
+  template:
+    src: "/etc/modprobe.d/modprobe.conf.j2"
+    dest: "/etc/modprobe.d/{{ item }}.conf"
+    mode: "0600"
+    owner: root
+    group: root
+  with_items:
+    - sctp
   when:
     - rhel9cis_rule_3_1_2
   tags:
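Review bot: The new message in the 3.1.1 hunk names `/etc/sysctl.d/60-disable_ipv6.conf`, but no template of that name is renamed or added by this patch (only `60-netipv4_sysctl.conf.j2` and `60-netipv6_sysctl.conf.j2` are), and the `update sysctl` handler that is supposed to write it is not in the diff. Confirm that the handler really renders that file; if it does not, the message points operators at a path that never exists on the host and the control is silently a no-op. A short comment above the task, such as `# rendered by the 'update sysctl' handler from the matching template under templates/etc/sysctl.d/`, would make the indirection checkable.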
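Review bot: `src: "/etc/modprobe.d/modprobe.conf.j2"` in the 3.1.2 hunk is an absolute path; as far as I know Ansible's template lookup treats a source starting with `/` as a controller-side absolute path and does not search the role's `templates/` directory for it, so unless that file is deliberately shipped at the controller root this task fails with a file-not-found, and the 3.1.3 hunk in this file has the same form. The sysctl templates in this same patch live under `templates/etc/sysctl.d/`, so the role layout suggests the relative form `src: etc/modprobe.d/modprobe.conf.j2`. The `modprobe.conf.j2` template itself is not in the diff, so what it writes for `{{ item }}` cannot be checked here; note also that the `install sctp`/`install dccp` lines previously written to `/etc/modprobe.d/CIS.conf` are not removed, so already-remediated hosts keep both files.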
@@ -38,12 +40,14 @@
     - rule_3.1.2
 
 - name: "3.1.3 | PATCH | Ensure DCCP is disabled"
-  lineinfile:
-    dest: /etc/modprobe.d/CIS.conf
-    regexp: "^(#)?install dccp(\\s|$)"
-    line: "install dccp /bin/true"
-    create: yes
-    mode: 0600
+  template:
+    src: "/etc/modprobe.d/modprobe.conf.j2"
+    dest: "/etc/modprobe.d/{{ item }}.conf"
+    mode: "0600"
+    owner: root
+    group: root
+  with_items:
+    - dccp
   when:
     - rhel9cis_rule_3_1_3
   tags:
diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml
index f9a759c..b7f0f6b 100644
--- a/tasks/section_3/cis_3.2.x.yml
+++ b/tasks/section_3/cis_3.2.x.yml
@@ -3,22 +3,18 @@
 - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled"
   block:
     - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
-      sysctl:
-        name: net.ipv4.ip_forward
-        value: '0'
-        state: present
-        reload: yes
-        ignoreerrors: yes
-      notify: sysctl flush ipv4 route table
+      debug:
+        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+      notify:
+        - update sysctl
+        - sysctl flush ipv4 route table
 
     - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
-      sysctl:
-        name: net.ipv6.conf.all.forwarding
-        value: '0'
-        state: present
-        reload: yes
-        ignoreerrors: yes
-      notify: sysctl flush ipv6 route table
+      debug:
+        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
+      notify:
+        - update sysctl
+        - sysctl flush ipv6 route table
       when: rhel9cis_ipv6_required
   when:
     - not rhel9cis_is_router
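Review bot: The two new `debug` tasks in the 3.2.1 hunk carry `notify` but no `changed_when: true`; `debug` always reports `ok`, and handlers only run for tasks that report `changed`, so unless `changed_when: true` is set on the enclosing `block` outside the hunk, `update sysctl` and the route-flush handlers are never triggered by this rule and IP forwarding is left as found. The 3.2.2 hunk in this file has the same shape; adding `changed_when: true` beside each `debug:` closes it. Separately, both tasks are skipped when `rhel9cis_is_router`, but the template conditions in `60-netipv4_sysctl.conf.j2` (`{% if rhel9cis_rule_3_2_1 %}`) and `60-netipv6_sysctl.conf.j2` do not check that variable, so a handler fired by any 3.3.x rule will still write `net.ipv4.ip_forward = 0` / `net.ipv6.conf.all.forwarding = 0` on a host declared as a router. Changing those guards to `{% if rhel9cis_rule_3_2_1 and not rhel9cis_is_router %}` keeps the rendered file in step with the task's `when`.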
@@ -32,17 +28,11 @@
     - rule_3.2.1
 
 - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled"
-  sysctl:
-    name: '{{ item.name }}'
-    value: '{{ item.value }}'
-    sysctl_set: yes
-    state: present
-    reload: yes
-    ignoreerrors: yes
-  notify: sysctl flush ipv4 route table
-  with_items:
-    - { name: net.ipv4.conf.all.send_redirects, value: 0 }
-    - { name: net.ipv4.conf.default.send_redirects, value: 0 }
+  debug:
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+  notify:
+    - update sysctl
+    - sysctl flush ipv4 route table
   when:
     - not rhel9cis_is_router
     - rhel9cis_rule_3_2_2
diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml
index 8c15cde..e6d4952 100644
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@@ -4,14 +4,14 @@
   block:
     - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted"
       debug:
-        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
       notify:
         - update sysctl
         - sysctl flush ipv4 route table
 
     - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted"
       debug:
-        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
       notify:
         - sysctl flush ipv6 route table
         - update sysctl
@@ -29,14 +29,14 @@
   block:
     - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted"
       debug:
-        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
       notify:
         - update sysctl
         - sysctl flush ipv4 route table
 
     - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted"
       debug:
-        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
       notify:
         - sysctl flush ipv6 route table
         - update sysctl
@@ -52,7 +52,7 @@
 
 - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
   debug:
-    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
   notify: update sysctl
   when:
     - rhel9cis_rule_3_3_3
@@ -65,7 +65,7 @@
 
 - name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
   debug:
-    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
   notify: update sysctl
   when:
     - rhel9cis_rule_3_3_4
@@ -78,7 +78,7 @@
 
 - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
   debug:
-    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
   notify: update sysctl
   when:
     - rhel9cis_rule_3_3_5
@@ -91,7 +91,7 @@
 
 - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
   debug:
-    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
   notify: update sysctl
   when:
     - rhel9cis_rule_3_3_6
@@ -104,7 +104,7 @@
 
 - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
   debug:
-    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
   notify: update sysctl
   when:
     - rhel9cis_rule_3_3_7
@@ -117,7 +117,7 @@
 
 - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
   debug:
-    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+    msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
   notify: update sysctl
   when:
     - rhel9cis_rule_3_3_8
@@ -132,14 +132,14 @@
   block:
     - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
       debug:
-        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
       notify:
         - update sysctl
         - sysctl flush ipv4 route table
 
     - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
       debug:
-        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf"
+        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl"
       notify:
         - sysctl flush ipv6 route table
         - update sysctl
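Review bot: The second new message in the 3.3.9 hunk reads `/etc/sysctl.d/60-netipv6_sysctl` with the `.conf` suffix missing, unlike every other message in this file; it should be `msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"`. The first task of the same block still says the control is written to `60-netipv4_sysctl.conf` and flushes the IPv4 route table, but this patch removes the 3.3.9 stanza from the IPv4 template and it now exists only in the IPv6 template, so that message describes a write that no longer happens and the task should be reworded or dropped. The block's `when` and `tags` fall outside the hunk.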
diff --git a/templates/etc/sysctl.d/99-sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2
similarity index 68%
rename from templates/etc/sysctl.d/99-sysctl.conf.j2
rename to templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2
index 177db21..19a9fd3 100644
--- a/templates/etc/sysctl.d/99-sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2
@@ -1,12 +1,9 @@
 # Setting added via ansible CIS remediation playbook
 
-# Network sysctl
+# IPv4 Network sysctl
 {% if rhel9cis_rule_3_2_1 %}
 # CIS 3.2.1
 net.ipv4.ip_forward = 0
-{% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %}
-net.ipv6.conf.all.forwarding = 0
-{% endif %}
 {% endif %}
 {% if rhel9cis_rule_3_2_2 %}
 # CIS 3.2.2
@@ -17,19 +14,11 @@ net.ipv4.conf.default.send_redirects = 0
 # CIS 3.3.1
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.default.accept_source_route = 0
-{% if rhel9cis_rule_3_3_1 and rhel9cis_ipv6_required %}
-net.ipv6.conf.all.accept_source_route = 0
-net.ipv6.conf.default.accept_source_route = 0
-{% endif %}
 {% endif %}
 {% if rhel9cis_rule_3_3_2 %}
 # CIS 3.3.2
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
-{% if rhel9cis_rule_3_3_2 and rhel9cis_ipv6_required %}
-net.ipv6.conf.all.accept_redirects = 0
-net.ipv6.conf.default.accept_redirects = 0
-{% endif %}
 {% endif %}
 {% if rhel9cis_rule_3_3_3 %}
 # CIS 3.3.3
@@ -57,8 +46,3 @@ net.ipv4.conf.default.rp_filter = 1
 # CIS 3.3.8
 net.ipv4.tcp_syncookies = 1
 {% endif %}
-{% if rhel9cis_rule_3_3_9 %}
-# CIS 3.3.9
-net.ipv6.conf.all.accept_ra = 0
-net.ipv6.conf.default.accept_ra = 0
-{% endif %}
\ No newline at end of file
diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
new file mode 100644
index 0000000..0b23c55
--- /dev/null
+++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
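Review bot: Renaming the template leaves `/etc/sysctl.d/99-sysctl.conf` in place on hosts that were remediated with the old role, and nothing in this patch removes it. `sysctl --system` applies `/etc/sysctl.d/*.conf` in lexical order with later files winning, so any key that remains in the stale `99-` file overrides the `60-` files whenever the two diverge; the values match today, but the next change to either template would be silently masked on those hosts. A task run before the handler, along the lines of `file:` with `path: /etc/sysctl.d/99-sysctl.conf` and `state: absent`, or at least a migration note in the changelog, closes that gap.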
@@ -0,0 +1,21 @@
+# Setting added via ansible CIS remediation playbook
+
+# IPv6 Network sysctl
+{% if rhel9cis_ipv6_required %}
+{% if rhel9cis_rule_3_2_1 %}
+net.ipv6.conf.all.forwarding = 0
+{% endif %}
+{% if rhel9cis_rule_3_3_1 %}
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+{% endif %}
+{% if rhel9cis_rule_3_3_2 %}
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+{% endif %}
+{% if rhel9cis_rule_3_3_9 %}
+# CIS 3.3.9
+net.ipv6.conf.all.accept_ra = 0
+net.ipv6.conf.default.accept_ra = 0
+{% endif %}
+{% endif %}
\ No newline at end of file
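Review bot: The 3.2.1, 3.3.1 and 3.3.2 stanzas in the new template carry no `# CIS x.y.z` comment, while the 3.3.9 stanza here and every stanza in the IPv4 template do; adding `# CIS 3.2.1`, `# CIS 3.3.1` and `# CIS 3.3.2` above the respective keys keeps the rendered file auditable against the benchmark in the same way. The file also ends without a trailing newline (`\ No newline at end of file`), as does the IPv4 template; sysctl tolerates it, but it will produce a noisy diff on the next edit. Whether a host with `rhel9cis_ipv6_required` false should still receive an otherwise-empty file, or the handler should skip deploying it, depends on the `update sysctl` handler, which is not in the diff.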