fix: #172 checks if ipv6.disable is present in GRUB_CMDLINE_LINUX bef…

…ore appending it to prevent duplication Signed-off-by: Jason Hendry <[email protected]>
ansible-lockdown · Nov 14, 2023 · 501bd56 · 501bd56
1 parent 3461d49
commit 501bd56
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
@@ -11,13 +11,23 @@
         register: ipv6disable_replaced
         notify: Grub update
 
+      - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux"
+        ansible.builtin.shell: 'cat /etc/default/grub | grep ^GRUB_CMDLINE_LINUX'
+        changed_when: false
+        failed_when: false
+        check_mode: false
+        register: ubtu22cis_3_1_1_GRUB_CMDLINE_LINUX
+        when: ubtu22cis_ipv6_disable == 'grub'
+
       - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist"
         ansible.builtin.lineinfile:
             path: /etc/default/grub
             regexp: '^(GRUB_CMDLINE_LINUX=".*)"$'
             line: '\1 ipv6.disable=1"'
             backrefs: true
-        when: ipv6disable_replaced is not changed
+        when:
+         - ipv6disable_replaced is not changed
+         - "'ipv6.disable' not in ubtu22cis_3_1_1_GRUB_CMDLINE_LINUX.stdout"
         notify: Grub update
 
       - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Remove net.ipv6.conf.all.disable_ipv6"