Describe the Issue
Task 3.1.1 to disable ipv6 in grub does not work when the regex 'ipv6.disable=(0|1)' is not already present in /etc/default/grub.
Expected Behavior
Task should locate existing 'GRUB_CMDLINE_LINUX=' line and either a) change the existing value of ipv6.disable to 1 OR b) add ipv6.disable=1 when it doesn't exist.
Actual Behavior
If ipv6.disable=(0|1) isn't already present in /etc/default/grub, nothing is changed.
Control(s) Affected
3.1.1
Environment (please complete the following information):
branch being used: community_work_fix
Ansible Version: core 2.15.4
Host Python Version: Python 3.10.12
Ansible Server Python Version: Python 3.9.16
Additional Details:
Possible Solution
Change the regex to the following:
CURRENT:
- name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Add ipv6.disable if does not exist"
  ansible.builtin.lineinfile:
    path: /etc/default/grub
    regexp: '^(GRUB_CMDLINE_LINUX=.*)ipv6.disable=(0|1)(.*$)'
    line: '\g<1>\g<3> ipv6.disable=1'
    backrefs: true
  when: ubtu22cis_ipv6_disable == 'grub'
  notify: Grub update
PROPOSED:
- name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Replace ipv6.disable if it exists"
  ansible.builtin.replace:
    path: /etc/default/grub
    regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)'
    replace: '\1ipv6.disable=1\2'
  when: ubtu22cis_ipv6_disable == 'grub'
  register: ipv6disable_replaced
  notify: Grub update

- name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist"
  ansible.builtin.lineinfile:
    path: /etc/default/grub
    # The negative lookahead skips a line that already carries ipv6.disable=
    # (replace reports "not changed" when the value was already 1).
    regexp: '^(GRUB_CMDLINE_LINUX="(?!.*\bipv6\.disable=).*)"$'
    line: '\1 ipv6.disable=1"'
    backrefs: true
  # A skipped task also registers as "not changed", so repeat the grub condition.
  when:
    - ubtu22cis_ipv6_disable == 'grub'
    - ipv6disable_replaced is not changed
  notify: Grub update
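The three states of the GRUB_CMDLINE_LINUX line that this issue is about (parameter absent, set to 0, already set to 1), as an added Python example that is not part of the original issue or the role's code. It applies the CURRENT task's regex with Python's `re` and compares it with a hypothetical single-pass helper, `ensure_ipv6_disabled`; the sample lines and the helper's patterns are constructed for illustration.

```python
import re

# Regex and replacement template copied from the CURRENT task on this page.
CURRENT_RE = re.compile(r'^(GRUB_CMDLINE_LINUX=.*)ipv6.disable=(0|1)(.*$)')
CURRENT_LINE = r'\g<1>\g<3> ipv6.disable=1'
# Hypothetical patterns used by the single-pass helper below (assumptions).
CMDLINE_RE = re.compile(r'^(GRUB_CMDLINE_LINUX=")(.*)"\s*$')
PARAM_RE = re.compile(r'(?<!\S)ipv6\.disable=\S*')


def current_task(line):
    """Mimic lineinfile with backrefs: a non-matching line is left unchanged."""
    m = CURRENT_RE.match(line)
    return m.expand(CURRENT_LINE) if m else line


def ensure_ipv6_disabled(line):
    """Set ipv6.disable=1 inside the quotes, adding the parameter if absent."""
    m = CMDLINE_RE.match(line)
    if not m:
        return line  # not the GRUB_CMDLINE_LINUX line; leave it untouched
    # Drop any existing ipv6.disable=<value>, then append the wanted setting.
    args = PARAM_RE.sub('', m.group(2)).split()
    args.append('ipv6.disable=1')
    return m.group(1) + ' '.join(args) + '"'


# Constructed sample lines covering the three states of /etc/default/grub.
SAMPLES = {
    'absent': 'GRUB_CMDLINE_LINUX="audit=1 quiet"',
    'zero': 'GRUB_CMDLINE_LINUX="ipv6.disable=0 audit=1"',
    'one': 'GRUB_CMDLINE_LINUX="audit=1 ipv6.disable=1"',
}

if __name__ == '__main__':
    for name, line in SAMPLES.items():
        fixed = ensure_ipv6_disabled(line)
        print(f'{name:7} current: {current_task(line)}')
        print(f'{name:7} ensured: {fixed}')
        # A second pass must not change the line (no duplicate parameter).
        assert ensure_ipv6_disabled(fixed) == fixed
```

Running it prints each sample before and after; the `absent` case shows the behaviour reported here, where the CURRENT regex leaves the line unchanged.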