RHEL9-CIS/tasks/post.yml

---

- name: POST | Gather the package facts after remediation
  tags: always
  ansible.builtin.package_facts:
    manager: auto

- name: POST | Update sysctl
  when:
    - rhel9cis_sysctl_update
    - not system_is_container
    - "'procps-ng' in ansible_facts.packages"
  ansible.builtin.template:
    src: "etc/sysctl.d/{{ item }}.j2"
    dest: "/etc/sysctl.d/{{ item }}"
    owner: root
    group: root
    mode: 'go-rwx'
  notify: Reload sysctl
  loop:
    - 60-kernel_sysctl.conf
    - 60-disable_ipv6.conf
    - 60-netipv4_sysctl.conf
    - 60-netipv6_sysctl.conf

- name: Flush handlers
  ansible.builtin.meta: flush_handlers

- name: POST | reboot system if changes require it and not skipped
  when: change_requires_reboot
  tags:
    - always
  vars:
    warn_control_id: Reboot_required
  block:
    - name: POST | Reboot system if changes require it and not skipped
      when: not skip_reboot
      ansible.builtin.reboot:

    - name: POST | Warning a reboot required but skip option set
      when: skip_reboot
      ansible.builtin.debug:
        msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
      changed_when: true

    - name: "POST | Warning a reboot required but skip option set | warning count"
      when: skip_reboot
      ansible.builtin.import_tasks:
        file: warning_facts.yml