Update cis311 with sysctl and kernel check

Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
2026-06-01 18:40:41 +00:00 · 2025-12-24 14:06:41 -05:00
parent ff32403911
commit 8ce0aefb55
1 changed files with 39 additions and 0 deletions
@@ -51,5 +51,44 @@ command:
      NIST800-53R5:
      - CM-7
    {{ end }}
+    {{ if eq .Vars.rhel9cis_ipv6_disable_method: "sysctl" }}
+    ipv6_disabled_sysctl:
+      title: 3.1.1 | Ensure IPv6 status is identified
+      exec: sysctl -w net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1
+      exit-status: 0
+      stdout:
+      - 'net.ipv6.conf.all.disable_ipv6 = 1'
+      - 'net.ipv6.conf.default.disable_ipv6 = 1'
+      meta:
+        server: 1
+        workstation: 1
+        CIS_ID:
+        - 3.1.1
+        CISv8: 4.8
+        CISv8_IG1: false
+        CISv8_IG2: true
+        CISv8_IG3: true
+        NIST800-53R5:
+        - CM-7
+      {{ end }}
+    {{ if eq .Vars.rhel9cis_ipv6_disable_method: "kernel" }}
+    ipv6_disabled_kernel:
+      title: 3.1.1 | Ensure IPv6 status is identified
+      exec: grubby --info=ALL | grep 'ipv6.disable'
+      exit-status: 0
+      stdout:
+      - 'ipv6.disable=1'
+      meta:
+        server: 1
+        workstation: 1
+        CIS_ID:
+        - 3.1.1
+        CISv8: 4.8
+        CISv8_IG1: false
+        CISv8_IG2: true
+        CISv8_IG3: true
+        NIST800-53R5:
+        - CM-7
+      {{ end }}
  {{ end }}
 {{ end }}