--- # The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Ensure IPv6 status is identified" block: - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" set_fact: sysctl_update: true flush_ipv6_route: true - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" when: - not rhel9cis_ipv6_required - rhel9cis_rule_3_1_1 tags: - level1-server - level1-workstation - manual - patch - ipv6 - networking - rule_3.1.1 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" command: rpm -q NetworkManager changed_when: false failed_when: false check_mode: false register: rhel_08_nmcli_available - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" command: nmcli radio wifi register: rhel_08_wifi_enabled changed_when: rhel_08_wifi_enabled.stdout != "disabled" failed_when: false when: rhel_08_nmcli_available.rc == 0 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" command: nmcli radio all off changed_when: false failed_when: false when: rhel_08_wifi_enabled is changed when: - rhel9cis_rule_3_1_2 tags: - level1-server - patch - wireless - rule_3.1.2 - name: "3.1.3 | PATCH | Ensure TIPC is disabled" template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" mode: "0600" owner: root group: root with_items: - tipc when: - rhel9cis_rule_3_1_3 tags: - level2-server - level2-workstation - patch - tipc - rule_3.1.3