From f716f32a6dbe788a80a02326c00403f375cefe6b Mon Sep 17 00:00:00 2001
From: Jason Hendry
Date: Tue, 14 Nov 2023 16:31:45 +1100
Subject: [PATCH 1/2] fix: #172 checks if ipv6.disable is present in GRUB_CMDLINE_LINUX before appending it to prevent duplication
Signed-off-by: Jason Hendry
---
 tasks/section_3/cis_3.1.x.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index a708647b..2d9dcd94 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@@ -11,13 +11,23 @@
 register: ipv6disable_replaced
 notify: Grub update
+ - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux"
+ ansible.builtin.shell: 'cat /etc/default/grub | grep ^GRUB_CMDLINE_LINUX'
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu22cis_3_1_1_GRUB_CMDLINE_LINUX
+ when: ubtu22cis_ipv6_disable == 'grub'
+
 - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist"
 ansible.builtin.lineinfile:
 path: /etc/default/grub
 regexp: '^(GRUB_CMDLINE_LINUX=".*)"$'
 line: '\1 ipv6.disable=1"'
 backrefs: true
- when: ipv6disable_replaced is not changed
+ when:
+ - ipv6disable_replaced is not changed
+ - "'ipv6.disable' not in ubtu22cis_3_1_1_GRUB_CMDLINE_LINUX.stdout"
 notify: Grub update
 - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Remove net.ipv6.conf.all.disable_ipv6"
From 4e6755020986df30f554c8fcdea1eed63a4e70da Mon Sep 17 00:00:00 2001
From: Jason Hendry
Date: Wed, 22 Nov 2023 13:52:22 +1100
Subject: [PATCH 2/2] style: fix yamllint and align command and variable name to other tasks that do the same thing.
Signed-off-by: Jason Hendry
---
 tasks/section_3/cis_3.1.x.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
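Review bot: The new `when` list on the Insert task dereferences `ubtu22cis_3_1_1_GRUB_CMDLINE_LINUX.stdout`, but the Check task that registers that variable is itself gated on `ubtu22cis_ipv6_disable == 'grub'`; when the Check task is skipped, the registered result carries no `stdout` key and this condition raises an undefined-attribute error instead of skipping the task, unless the enclosing task list (which starts outside the hunk) already applies the same gate. A form that is safe either way is `- "'ipv6.disable' not in (ubtu22cis_3_1_1_GRUB_CMDLINE_LINUX.stdout | default(''))"`, or put `- ubtu22cis_ipv6_disable == 'grub'` first in the list so evaluation stops before the dereference; the second patch renames the variable to `ubtu22cis_3_1_1_cmdline_settings`, so the same applies there. The substring test is also satisfied by any `ipv6.disable=` token, including `ipv6.disable=0`; that case appears to be left to the preceding replace task registered as `ipv6disable_replaced`, which is worth stating in a comment above the `when`, e.g. `# ipv6.disable=0 is rewritten by the replace task above; only a missing token is appended here`.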
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index 2d9dcd94..73021427 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@@ -12,11 +12,11 @@
 notify: Grub update
 - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux"
- ansible.builtin.shell: 'cat /etc/default/grub | grep ^GRUB_CMDLINE_LINUX'
+ ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'
 changed_when: false
 failed_when: false
 check_mode: false
- register: ubtu22cis_3_1_1_GRUB_CMDLINE_LINUX
+ register: ubtu22cis_3_1_1_cmdline_settings
 when: ubtu22cis_ipv6_disable == 'grub'
 - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist"
@@ -26,8 +26,8 @@
 line: '\1 ipv6.disable=1"'
 backrefs: true
 when:
- - ipv6disable_replaced is not changed
- - "'ipv6.disable' not in ubtu22cis_3_1_1_GRUB_CMDLINE_LINUX.stdout"
+ - ipv6disable_replaced is not changed
+ - "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout"
 notify: Grub update
 - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Remove net.ipv6.conf.all.disable_ipv6"
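Review bot: The rewritten command in the Check task drops the `^` anchor that the first patch's `grep ^GRUB_CMDLINE_LINUX` had, so `grep "GRUB_CMDLINE_LINUX=" /etc/default/grub` now also matches a commented-out `#GRUB_CMDLINE_LINUX="..."` line; if such a stale line contains `ipv6.disable` while the active line does not, the `not in` condition on the Insert task is false, the token is never appended and the control is silently not applied. Restoring the anchor keeps the rest of the pipeline as written: `ansible.builtin.shell: grep "^GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'`. Because `failed_when: false` already turns a missing line into empty stdout, the absent-line case behaves exactly as before. The rename to `ubtu22cis_3_1_1_cmdline_settings` in the second hunk is consistent with this one and needs no further change.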