Merge pull request #173 from Jason-Hendry/fix/ipv6disable-grub-mutlip…

…le-entries fix: #172 checks if ipv6.disable is present in GRUB_CMDLINE_LINUX bef…
ansible-lockdown · Nov 23, 2023 · fa365a3 · fa365a3
2 parents fba3678 + 4e67550
commit fa365a3
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
@@ -11,13 +11,23 @@
         register: ipv6disable_replaced
         notify: Grub update
 
+      - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux"
+        ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'
+        changed_when: false
+        failed_when: false
+        check_mode: false
+        register: ubtu22cis_3_1_1_cmdline_settings
+        when: ubtu22cis_ipv6_disable == 'grub'
+
       - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist"
         ansible.builtin.lineinfile:
             path: /etc/default/grub
             regexp: '^(GRUB_CMDLINE_LINUX=".*)"$'
             line: '\1 ipv6.disable=1"'
             backrefs: true
-        when: ipv6disable_replaced is not changed
+        when:
+            - ipv6disable_replaced is not changed
+            - "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout"
         notify: Grub update
 
       - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Remove net.ipv6.conf.all.disable_ipv6"