115 lines
3.6 KiB
YAML
115 lines
3.6 KiB
YAML
---
|
|
|
|
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified"
|
|
when:
|
|
- ubtu24cis_rule_3_1_1
|
|
- not ubtu24cis_ipv6_required
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_3.1.1
|
|
- NIST800-53R5_CM-7
|
|
- ipv6
|
|
block:
|
|
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Replace ipv6.disable if it exists"
|
|
when: ubtu24cis_ipv6_disable == 'grub'
|
|
ansible.builtin.replace:
|
|
path: /etc/default/grub
|
|
regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)'
|
|
replace: '\1ipv6.disable=1\2'
|
|
register: discovered_ipv6disable_replaced
|
|
notify: Grub update
|
|
|
|
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Check grub cmdline linux"
|
|
ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: discovered_ipv6_grub_cmdline_settings
|
|
|
|
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Insert ipv6.disable if it doesn't exist"
|
|
when:
|
|
- ubtu24cis_ipv6_disable == 'grub'
|
|
- discovered_ipv6disable_replaced is not changed
|
|
- "'ipv6.disable' not in discovered_ipv6_grub_cmdline_settings.stdout"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/default/grub
|
|
regexp: '^(GRUB_CMDLINE_LINUX=".*)"$'
|
|
line: '\1 ipv6.disable=1"'
|
|
backrefs: true
|
|
notify: Grub update
|
|
|
|
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Remove net.ipv6.conf.all.disable_ipv6"
|
|
when: ubtu24cis_ipv6_disable == 'sysctl'
|
|
ansible.builtin.template:
|
|
src: "{{ item }}.j2"
|
|
dest: "/{{ item }}"
|
|
owner: root
|
|
group: root
|
|
mode: 'g-wx,o-rwx'
|
|
notify: Flush ipv6 route table
|
|
loop:
|
|
- etc/sysctl.d/60-disable_ipv6.conf
|
|
|
|
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
|
|
when:
|
|
- prelim_wireless_modules.stdout is defined
|
|
- ubtu24cis_rule_3_1_2
|
|
tags:
|
|
- level1-server
|
|
- patch
|
|
- rule_3.1.2
|
|
- NIST800-53R5_CM-7
|
|
- wireless
|
|
vars:
|
|
warn_control_id: '3.1.2'
|
|
block:
|
|
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Create modprobe.d file"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/modprobe.d/{{ item }}.conf
|
|
regexp: '^(#)?install true(\\s|$)'
|
|
line: install {{ item }} true
|
|
create: true
|
|
mode: 'go-wx'
|
|
loop: "{{ prelim_wireless_modules.stdout_lines }}"
|
|
|
|
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | blacklist"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/modprobe.d/blacklist.conf
|
|
regexp: "^(#)?blacklist {{ item }}(\\s|$)"
|
|
line: "blacklist {{ item }}"
|
|
create: true
|
|
mode: 'go-rwx'
|
|
loop: "{{ prelim_wireless_modules.stdout_lines }}"
|
|
|
|
- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use"
|
|
when:
|
|
- ubtu24cis_rule_3_1_3
|
|
tags:
|
|
- level1-server
|
|
- level2-workstation
|
|
- patch
|
|
- bluetooth
|
|
- rule_3.1.3
|
|
- NIST800-53R5_CM-7
|
|
block:
|
|
- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | pkg"
|
|
when:
|
|
- not ubtu24cis_bluetooth_service
|
|
- not ubtu24cis_bluetooth_mask
|
|
ansible.builtin.package:
|
|
name: bluez
|
|
state: absent
|
|
|
|
- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | mask"
|
|
when:
|
|
- not ubtu24cis_bluetooth_service
|
|
- ubtu24cis_bluetooth_mask
|
|
notify: Systemd_daemon_reload
|
|
ansible.builtin.systemd:
|
|
name: bluetooth.service
|
|
enabled: false
|
|
state: stopped
|
|
masked: true
|