From b5361df285659679cbadc05c886e71efd51dd166 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 24 Jul 2024 14:05:57 +0100
Subject: [PATCH] updated for v2

Signed-off-by: Mark Bolwell
---
 .../etc/sysctl.d/60-netipv4_sysctl.conf.j2 | 38 +++++++++----------
 .../etc/sysctl.d/60-netipv6_sysctl.conf.j2 | 19 ++++++----
 2 files changed, 30 insertions(+), 27 deletions(-)

diff --git a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2
index 8bafbf9..336071c 100644
--- a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2
@@ -1,42 +1,32 @@
 ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
 # IPv4 Network sysctl
 
-{% if rhel9cis_rule_3_2_1 %}
-# CIS 3.2.1
-net.ipv4.ip_forward = 0
-{% endif %}
-{% if rhel9cis_rule_3_2_2 %}
-# CIS 3.2.2
-net.ipv4.conf.all.send_redirects = 0
-net.ipv4.conf.default.send_redirects = 0
-{% endif %}
 {% if rhel9cis_rule_3_3_1 %}
 # CIS 3.3.1
-net.ipv4.conf.all.accept_source_route = 0
-net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.ip_forward = 0
 {% endif %}
 {% if rhel9cis_rule_3_3_2 %}
 # CIS 3.3.2
-net.ipv4.conf.all.accept_redirects = 0
-net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
 {% endif %}
 {% if rhel9cis_rule_3_3_3 %}
 # CIS 3.3.3
-net.ipv4.conf.all.secure_redirects = 0
-net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.icmp_ignore_bogus_error_responses = 1
 {% endif %}
 {% if rhel9cis_rule_3_3_4 %}
 # CIS 3.3.4
-net.ipv4.conf.all.log_martians = 1
-net.ipv4.conf.default.log_martians = 1
+net.ipv4.icmp_echo_ignore_broadcasts = 1
 {% endif %}
 {% if rhel9cis_rule_3_3_5 %}
 # CIS 3.3.5
-net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
 {% endif %}
 {% if rhel9cis_rule_3_3_6 %}
 # CIS 3.3.6
-net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
 {% endif %}
 {% if rhel9cis_rule_3_3_7 %}
 # CIS 3.3.7
@@ -45,5 +35,15 @@ net.ipv4.conf.default.rp_filter = 1
 {% endif %}
 {% if rhel9cis_rule_3_3_8 %}
 # CIS 3.3.8
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+{% endif %}
+{% if rhel9cis_rule_3_3_9 %}
+# CIS 3.3.9
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+{% endif %}
+{% if rhel9cis_rule_3_3_10 %}
+# CIS 3.3.10
 net.ipv4.tcp_syncookies = 1
 {% endif %}
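Review bot: The renumbered gates reuse variable names that already existed with a different meaning — `rhel9cis_rule_3_3_1` switched accept_source_route before this hunk and now switches ip_forward, `rhel9cis_rule_3_3_2` moved from accept_redirects to send_redirects, and so on — so an inventory that overrode any of these for the old layout now silently toggles a different sysctl, and an old `rhel9cis_rule_3_2_1: false` kept for a host that needs forwarding no longer has any effect, leaving `net.ipv4.ip_forward = 0` to be applied under the new default. The same applies to the second hunk of this file (`rhel9cis_rule_3_3_8`, `_3_3_9`, `_3_3_10`) and to the IPv6 template (`_3_3_1`, `_3_3_5`, `_3_3_8`, `_3_3_11`); if the newly referenced `rhel9cis_rule_3_3_9`, `_3_3_10` and `_3_3_11` are not declared in the role defaults, templating will presumably either fail on an undefined variable or drop the block, depending on how undefined variables are configured (not visible here). A marker in the template header, `# Rule numbering follows CIS RHEL 9 benchmark v2 (3.2.x -> 3.3.x); rhel9cis_rule_3_2_* variables are no longer honoured`, together with a release note or a pre-task assert that the retired names are unset, would make the migration visible to operators. The 3.3.7 block opened at the end of the first hunk closes outside it.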
diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
index 5e63a01..07e045d 100644
--- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
@@ -2,19 +2,22 @@
 # IPv6 Network sysctl
 
 {% if rhel9cis_ipv6_required %}
-{% if rhel9cis_rule_3_2_1 %}
+{% if rhel9cis_rule_3_3_1 %}
+# CIS 3.3.1
 net.ipv6.conf.all.forwarding = 0
 {% endif %}
-{% if rhel9cis_rule_3_3_1 %}
-net.ipv6.conf.all.accept_source_route = 0
-net.ipv6.conf.default.accept_source_route = 0
-{% endif %}
-{% if rhel9cis_rule_3_3_2 %}
+{% if rhel9cis_rule_3_3_5 %}
+# CIS 3.3.5
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0
 {% endif %}
-{% if rhel9cis_rule_3_3_9 %}
-# CIS 3.3.9
+{% if rhel9cis_rule_3_3_8 %}
+# CIS 3.3.8
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+{% endif %}
+{% if rhel9cis_rule_3_3_11 %}
+# CIS 3.3.11
 net.ipv6.conf.all.accept_ra = 0
 net.ipv6.conf.default.accept_ra = 0
 {% endif %}