RHEL9-CIS/tasks/section_3/cis_3.1.x.yml

---

# The CIS Control wants IPv6 disabled if not in use.
# We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified"
  block:
      - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
        ansible.builtin.set_fact:
            sysctl_update: true
            flush_ipv6_route: true

      - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
        ansible.builtin.debug:
            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
  when:
      - not rhel9cis_ipv6_required
      - rhel9cis_rule_3_1_1
  tags:
      - level1-server
      - level1-workstation
      - manual
      - patch
      - ipv6
      - networking
      - rule_3.1.1

- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
  block:
      - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
        ansible.builtin.shell: rpm -q NetworkManager
        changed_when: false
        failed_when: false
        check_mode: false
        register: rhel_09_nmcli_available

      - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
        ansible.builtin.shell: nmcli radio wifi
        register: rhel_09_wifi_enabled
        changed_when: rhel_09_wifi_enabled.stdout != "disabled"
        failed_when: false
        when: rhel_09_nmcli_available.rc == 0

      - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
        ansible.builtin.shell: nmcli radio all off
        changed_when: false
        failed_when: false
        when: rhel_09_wifi_enabled is changed
  when:
      - rhel9cis_rule_3_1_2
  tags:
      - level1-server
      - patch
      - wireless
      - rule_3.1.2

- name: "3.1.3 | PATCH | Ensure TIPC is disabled"
  block:
      - name: "3.1.3 | PATCH | Ensure TIPC is disabled"
        ansible.builtin.template:
            src: "etc/modprobe.d/modprobe.conf.j2"
            dest: "/etc/modprobe.d/{{ item }}.conf"
            mode: "0600"
            owner: root
            group: root
        loop:
        - tipc
        # note the item used in the template

      - name: "3.1.3 | PATCH | Ensure TIPC is disabled | blacklist"
        ansible.builtin.lineinfile:
            path: /etc/modprobe.d/blacklist.conf
            regexp: "^(#)?blacklist tipc(\\s|$)"
            line: "blacklist tipc"
            create: true
            mode: 0600
  when:
      - rhel9cis_rule_3_1_3
  tags:
      - level2-server
      - level2-workstation
      - patch
      - tipc
      - rule_3.1.3