masked or removal options

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2022-04-04 15:14:59 +01:00 · 2022-04-04 15:14:59 +01:00 · adcc647dd4
commit adcc647dd4
parent b4eefdbdd3
3 changed files with 45 additions and 10 deletions
--- a/tasks/section_3/cis_3.4.1.x.yml
+++ b/tasks/section_3/cis_3.4.1.x.yml
@ -42,10 +42,21 @@
      - rule_3.4.1.2

 - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld"
-  systemd:
-      name: nftables
-      state: stopped
-      masked: yes
+  block:
+      - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | mask service"
+        systemd:
+            name: nftables
+            state: stopped
+            masked: yes
+        when:
+            - rhel9cis_firewalld_nftables_state == "masked"
+
+      - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | pkg removed"
+        package:
+            name: nftables
+            state: absent
+        when:
+            - rhel9cis_firewalld_nftables_state == "absent"
  when:
      - rhel9cis_rule_3_4_1_3
  tags:
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
@ -17,9 +17,21 @@
 # The control allows the service it be masked or not installed
 # We have chosen not installed
 - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables"
-  package:
-      name: firewalld
-      state: absent
+  block:
+      - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | mask service"
+        systemd:
+            name: firewalld
+            masked: true
+            state: stopped
+        when:
+            - rhel9cis_nftables_firewalld_state == "masked"
+
+      - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | pkg removed"
+        package:
+            name: firewalld
+            state: absent
+        when:
+            - rhel9cis_nftables_firewalld_state == "absent"
  when:
      - rhel9cis_rule_3_4_2_2
  tags:
--- a/tasks/section_3/cis_3.4.3.1.x.yml
+++ b/tasks/section_3/cis_3.4.3.1.x.yml
@ -33,9 +33,21 @@
 # The control allows the service it be masked or not installed
 # We have chosen not installed
 - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables"
-  package:
-      name: firewalld
-      state: absent
+  block:
+      - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service"
+        systemd:
+            name: firewalld
+            masked: true
+            state: stopped
+        when:
+            - rhel9cis_iptables_firewalld_state == "masked"
+
+      - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service"
+        package:
+            name: firewalld
+            state: absent
+        when:
+            - rhel9cis_iptables_firewalld_state == "absent"
  when:
      - rhel9cis_rule_3_4_3_1_3
  tags: