mirror of
https://github.com/ansible-lockdown/RHEL9-CIS-Audit.git
synced 2026-06-01 18:40:41 +00:00
Frederick Witty
95 lines
2.4 KiB
YAML
95 lines
2.4 KiB
YAML
---
|
|
|
|
{{ if .Vars.rhel9cis_level_1 }}
|
|
{{ if .Vars.rhel9cis_rule_3_1_1 }}
|
|
command:
|
|
{{ if not .Vars.rhel9cis_ipv6_required }}
|
|
ipv6_disabled:
|
|
title: 3.1.1 | Ensure IPv6 status is identified
|
|
exec: |
|
|
if [ `grep 1 /proc/sys/net/ipv6/conf/all/disable_ipv6` ] || [ `grep 1 /proc/sys/net/ipv6/conf/default/disable_ipv6` ] || [ `cat /sys/module/ipv6/parameters/disable` == 1 ]; \
|
|
then \
|
|
echo 'ipv6_disabled'; \
|
|
else echo 'fail'; \
|
|
fi
|
|
exit-status: 0
|
|
stdout:
|
|
- 'ipv6_disabled'
|
|
meta:
|
|
server: 1
|
|
workstation: 1
|
|
CIS_ID:
|
|
- 3.1.1
|
|
CISv8: 4.8
|
|
CISv8_IG1: false
|
|
CISv8_IG2: true
|
|
CISv8_IG3: true
|
|
NIST800-53R5:
|
|
- CM-7
|
|
{{ end }}
|
|
{{ if .Vars.rhel9cis_ipv6_required }}
|
|
ipv6_required:
|
|
title: 3.1.1 | Ensure IPv6 status is identified
|
|
exec: |
|
|
if [ `grep 0 /proc/sys/net/ipv6/conf/all/disable_ipv6` ] || [ `grep 0 /proc/sys/net/ipv6/conf/default/disable_ipv6` ] || [ `cat /sys/module/ipv6/parameters/disable` == 0 ]; \
|
|
then \
|
|
echo 'ipv6_enabled'; \
|
|
else echo 'fail'; \
|
|
fi
|
|
exit-status: 0
|
|
stdout:
|
|
- 'ipv6_enabled'
|
|
meta:
|
|
server: 1
|
|
workstation: 1
|
|
CIS_ID:
|
|
- 3.1.1
|
|
CISv8: 4.8
|
|
CISv8_IG1: false
|
|
CISv8_IG2: true
|
|
CISv8_IG3: true
|
|
NIST800-53R5:
|
|
- CM-7
|
|
{{ end }}
|
|
{{ if eq .Vars.rhel9cis_ipv6_disable_method: "sysctl" }}
|
|
ipv6_disabled_sysctl:
|
|
title: 3.1.1 | Ensure IPv6 status is identified
|
|
exec: sysctl -w net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1
|
|
exit-status: 0
|
|
stdout:
|
|
- 'net.ipv6.conf.all.disable_ipv6 = 1'
|
|
- 'net.ipv6.conf.default.disable_ipv6 = 1'
|
|
meta:
|
|
server: 1
|
|
workstation: 1
|
|
CIS_ID:
|
|
- 3.1.1
|
|
CISv8: 4.8
|
|
CISv8_IG1: false
|
|
CISv8_IG2: true
|
|
CISv8_IG3: true
|
|
NIST800-53R5:
|
|
- CM-7
|
|
{{ end }}
|
|
{{ if eq .Vars.rhel9cis_ipv6_disable_method: "kernel" }}
|
|
ipv6_disabled_kernel:
|
|
title: 3.1.1 | Ensure IPv6 status is identified
|
|
exec: grubby --info=ALL | grep 'ipv6.disable'
|
|
exit-status: 0
|
|
stdout:
|
|
- 'ipv6.disable=1'
|
|
meta:
|
|
server: 1
|
|
workstation: 1
|
|
CIS_ID:
|
|
- 3.1.1
|
|
CISv8: 4.8
|
|
CISv8_IG1: false
|
|
CISv8_IG2: true
|
|
CISv8_IG3: true
|
|
NIST800-53R5:
|
|
- CM-7
|
|
{{ end }}
|
|
{{ end }}
|
|
{{ end }}
|