--- # The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" notify: - update sysctl - sysctl flush ipv6 route table when: - not rhel9cis_ipv6_required - rhel9cis_rule_3_1_1 tags: - level1-server - level1-workstation - manual - patch - ipv6 - networking - rule_3.1.1 - name: "3.1.2 | PATCH | Ensure SCTP is disabled" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install sctp(\\s|$)" line: "install sctp /bin/true" create: yes mode: 0600 when: - rhel9cis_rule_3_1_2 tags: - level2-server - level2-workstation - automated - patch - sctp - rule_3.1.2 - name: "3.1.3 | PATCH | Ensure DCCP is disabled" lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install dccp(\\s|$)" line: "install dccp /bin/true" create: yes mode: 0600 when: - rhel9cis_rule_3_1_3 tags: - level2-server - level2-workstation - automated - dccp - patch - rule_3.1.3 - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled" block: - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" command: rpm -q NetworkManager changed_when: false failed_when: false check_mode: no args: warn: no register: rhel_08_nmcli_available - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" command: nmcli radio wifi register: rhel_08_wifi_enabled changed_when: rhel_08_wifi_enabled.stdout != "disabled" failed_when: false when: rhel_08_nmcli_available.rc == 0 - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" command: nmcli radio all off changed_when: false failed_when: false when: rhel_08_wifi_enabled is changed when: - rhel9cis_rule_3_1_4 tags: - level1-server - automated - patch - wireless - rule_3.1.4