---

- name: "3.2.1 | PATCH | Ensure dccp kernel module is not available"
  when:
    - ubtu24cis_rule_3_2_1
  tags:
    - level2-server
    - level2-workstation
    - patch
    - rule_3.2.1
    - NIST800-53R5_CM-7
    - NIST800-53R5_SI-4
    - dccp
  block:
    - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | modprobe"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/dccp.conf
        regexp: '^(#)?install dccp(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'u-x,go-wx'
      loop:
        - install dccp /bin/true
        - blacklist dccp

    - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/blacklist.conf
        regexp: "^(#)?blacklist cramfs(\\s|$)"
        line: "blacklist cramfs"
        create: true
        mode: 'go-rwx'

- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available"
  when:
    - ubtu24cis_rule_3_2_2
  tags:
    - level2-server
    - level2-workstation
    - patch
    - rule_3.2.2
    - NIST800-53R5_CM-7
    - NIST800-53R5_SI-4
    - tipc
  block:
    - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available | modprobe"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/tipc.conf
        regexp: '^(#)?install tipc(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'u-x,go-wx'
      loop:
        - install tipc /bin/true
        - blacklist tipc

    - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/blacklist.conf
        regexp: "^(#)?blacklist tipc(\\s|$)"
        line: "blacklist tipc"
        create: true
        mode: 'go-rwx'

- name: "3.2.3 | PATCH | Ensure rds kernel module is not available"
  when:
    - ubtu24cis_rule_3_2_3
  tags:
    - level2-server
    - level2-workstation
    - patch
    - rule_3.2.3
    - NIST800-53R5_CM-7
    - NIST800-53R5_SI-4
    - rds
  block:
    - name: "3.2.3 | PATCH | Ensure rds kernel module is not available | modprobe"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/rds.conf
        regexp: '^(#)?install rds(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'u-x,go-wx'
      loop:
        - install rds /bin/true
        - blacklist rds

    - name: "3.2.3 | PATCH | Ensure rds kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/blacklist.conf
        regexp: "^(#)?blacklist rds(\\s|$)"
        line: "blacklist rds"
        create: true
        mode: 'go-rwx'

- name: "3.2.4 | PATCH | Ensure sctp kernel module is not available"
  when:
    - ubtu24cis_rule_3_2_4
  tags:
    - level2-server
    - level2-workstation
    - patch
    - rule_3.2.4
    - NIST800-53R5_CM-7
    - NIST800-53R5_SI-4
    - sctp
  block:
    - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available | modprobe"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/sctp.conf
        regexp: '^(#)?install sctp(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'u-x,go-wx'
      loop:
        - install sctp /bin/true
        - blacklist sctp

    - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
        path: /etc/modprobe.d/blacklist.conf
        regexp: "^(#)?blacklist sctp(\\s|$)"
        line: "blacklist sctp"
        create: true
        mode: 'go-rwx'