From adcc647dd4059c870f5d5463830841499723bf22 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 4 Apr 2022 15:14:59 +0100
Subject: [PATCH] masked or removal options

Signed-off-by: Mark Bolwell
---
 tasks/section_3/cis_3.4.1.x.yml | 19 +++++++++++++++----
 tasks/section_3/cis_3.4.2.x.yml | 18 +++++++++++++++---
 tasks/section_3/cis_3.4.3.1.x.yml | 18 +++++++++++++++---
 3 files changed, 45 insertions(+), 10 deletions(-)

diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml
index 51fb5b0..bb5cf97 100644
--- a/tasks/section_3/cis_3.4.1.x.yml
+++ b/tasks/section_3/cis_3.4.1.x.yml
@@ -42,10 +42,21 @@
       - rule_3.4.1.2
 
 - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld"
-  systemd:
-      name: nftables
-      state: stopped
-      masked: yes
+  block:
+      - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | mask service"
+        systemd:
+            name: nftables
+            state: stopped
+            masked: yes
+        when:
+            - rhel9cis_firewalld_nftables_state == "masked"
+
+      - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | pkg removed"
+        package:
+            name: nftables
+            state: absent
+        when:
+            - rhel9cis_firewalld_nftables_state == "absent"
   when:
       - rhel9cis_rule_3_4_1_3
   tags:
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml
index 23717c2..f3c7e5e 100644
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
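Review bot: Any value of `rhel9cis_firewalld_nftables_state` other than `"masked"` or `"absent"` makes both sub-tasks in the new `block:` skip, so the play completes with rule 3.4.1.3 counted as run while nftables stays enabled alongside firewalld; a guard at the top of the block such as `- ansible.builtin.assert:` / `    that: rhel9cis_firewalld_nftables_state in ['masked', 'absent']` / `    fail_msg: "rhel9cis_firewalld_nftables_state must be masked or absent"` would make a typo in the variable fail loudly instead. The same gap exists for `rhel9cis_nftables_firewalld_state` and `rhel9cis_iptables_firewalld_state` in the next two hunks. The diffstat lists only the three task files, so unless the three new variables are already declared in the role defaults, each `when` will fail on an undefined variable. The mask sub-task also keeps `masked: yes` while the other two files write `masked: true`; `true` is what yamllint's truthy rule accepts and keeps the three files consistent.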
@@ -17,9 +17,21 @@
 # The control allows the service it be masked or not installed
 # We have chosen not installed
 - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables"
-  package:
-      name: firewalld
-      state: absent
+  block:
+      - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | mask service"
+        systemd:
+            name: firewalld
+            masked: true
+            state: stopped
+        when:
+            - rhel9cis_nftables_firewalld_state == "masked"
+
+      - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | pkg removed"
+        package:
+            name: firewalld
+            state: absent
+        when:
+            - rhel9cis_nftables_firewalld_state == "absent"
   when:
       - rhel9cis_rule_3_4_2_2
   tags:
diff --git a/tasks/section_3/cis_3.4.3.1.x.yml b/tasks/section_3/cis_3.4.3.1.x.yml
index 5d07856..56ce076 100644
--- a/tasks/section_3/cis_3.4.3.1.x.yml
+++ b/tasks/section_3/cis_3.4.3.1.x.yml
@@ -33,9 +33,21 @@
 # The control allows the service it be masked or not installed
 # We have chosen not installed
 - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables"
-  package:
-      name: firewalld
-      state: absent
+  block:
+      - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service"
+        systemd:
+            name: firewalld
+            masked: true
+            state: stopped
+        when:
+            - rhel9cis_iptables_firewalld_state == "masked"
+
+      - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service"
+        package:
+            name: firewalld
+            state: absent
+        when:
+            - rhel9cis_iptables_firewalld_state == "absent"
   when:
       - rhel9cis_rule_3_4_3_1_3
   tags:
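Review bot: The context comment two lines above the 3.4.2.2 task, `# We have chosen not installed`, no longer describes the new code, which now picks masking or removal from `rhel9cis_nftables_firewalld_state`; replace it with `# Behaviour is selected by rhel9cis_nftables_firewalld_state: "masked" or "absent"`. The same stale comment sits above the 3.4.3.1.3 task in the next hunk and should be updated there with its own variable name. The preceding comment's "allows the service it be masked" also reads as a typo for "to be".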
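Review bot: The second sub-task in the new `block:` still ends its name with `| mask service` although it removes the firewalld package; it should read `- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | pkg removed"` to match the other two files. The task name is what appears in the play output and in any log shipped from it, so the wrong suffix hides which remediation actually ran on a host.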