RHEL9-CIS/tasks/section_3/cis_3.1.x.yml

---

# The CIS Control wants IPv6 disabled if not in use. 
# We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use
- name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system"
  debug:
      msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
      notify: 
          - update sysctl
          - sysctl flush ipv6 route table
  when:
      - not rhel9cis_ipv6_required
      - rhel9cis_rule_3_1_1
  tags:
      - level1-server
      - level1-workstation
      - manual
      - patch
      - ipv6
      - networking
      - rule_3.1.1

- name: "3.1.2 | PATCH | Ensure SCTP is disabled"
  template:
      src: "etc/modprobe.d/modprobe.conf.j2"
      dest: "/etc/modprobe.d/{{ item }}.conf"
      mode: "0600"
      owner: root
      group: root
  with_items:
      - sctp
  when:
      - rhel9cis_rule_3_1_2
  tags:
      - level2-server
      - level2-workstation
      - automated
      - patch
      - sctp
      - rule_3.1.2

- name: "3.1.3 | PATCH | Ensure DCCP is disabled"
  template:
      src: "etc/modprobe.d/modprobe.conf.j2"
      dest: "/etc/modprobe.d/{{ item }}.conf"
      mode: "0600"
      owner: root
      group: root
  with_items:
      - dccp
  when:
      - rhel9cis_rule_3_1_3
  tags:
      - level2-server
      - level2-workstation
      - automated
      - dccp
      - patch
      - rule_3.1.3

- name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled"
  block:
      - name: "3.1.4 | AUDIT |  Ensure wireless interfaces are disabled | Check if nmcli command is available"
        command: rpm -q NetworkManager
        changed_when: false
        failed_when: false
        check_mode: no
        args:
            warn: no
        register: rhel_08_nmcli_available

      - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
        command: nmcli radio wifi
        register: rhel_08_wifi_enabled
        changed_when: rhel_08_wifi_enabled.stdout != "disabled"
        failed_when: false
        when: rhel_08_nmcli_available.rc == 0

      - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
        command: nmcli radio all off
        changed_when: false
        failed_when: false
        when: rhel_08_wifi_enabled is changed
  when:
      - rhel9cis_rule_3_1_4
  tags:
      - level1-server
      - automated
      - patch
      - wireless
      - rule_3.1.4