resist-vpn-infra/roles/system_hardening/tasks/disable_protocols.yml

---
# Disable Uncommon Network Protocols (CIS 3.3.x)
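# An "install <module> /bin/true" directive makes modprobe run /bin/true
# instead of inserting the module, so it only affects loads that go through
# modprobe. A module that is already loaded stays in the running kernel.
# NOTE(review): newer CIS benchmark revisions appear to use /bin/false and
# add a matching "blacklist dccp" entry - confirm against the benchmark
# version this role targets.
- name: Disable DCCP protocol (CIS 3.3.1)
  ansible.builtin.lineinfile:
    path: /etc/modprobe.d/cis.conf
    # Replace an existing "install dccp ..." directive in this file instead
    # of leaving a second, conflicting one next to the new line.
    regexp: '^\s*install\s+dccp\s'
    line: "install dccp /bin/true"
    create: true
    owner: root
    group: root
    # Quoted so the mode is passed as a string, not parsed as a number.
    mode: '0644'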
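# Makes modprobe run /bin/true instead of inserting sctp. This governs
# later load requests made through modprobe only; it does not unload a
# module that is already in the running kernel.
- name: Disable SCTP protocol (CIS 3.3.2)
  ansible.builtin.lineinfile:
    path: /etc/modprobe.d/cis.conf
    # Replace an existing "install sctp ..." directive in this file instead
    # of leaving a second, conflicting one next to the new line.
    regexp: '^\s*install\s+sctp\s'
    line: "install sctp /bin/true"
    create: true
    owner: root
    group: root
    # Quoted so the mode is passed as a string, not parsed as a number.
    mode: '0644'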
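# Makes modprobe run /bin/true instead of inserting rds. This governs
# later load requests made through modprobe only; it does not unload a
# module that is already in the running kernel.
- name: Disable RDS protocol (CIS 3.3.3)
  ansible.builtin.lineinfile:
    path: /etc/modprobe.d/cis.conf
    # Replace an existing "install rds ..." directive in this file instead
    # of leaving a second, conflicting one next to the new line.
    regexp: '^\s*install\s+rds\s'
    line: "install rds /bin/true"
    create: true
    owner: root
    group: root
    # Quoted so the mode is passed as a string, not parsed as a number.
    mode: '0644'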
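# Makes modprobe run /bin/true instead of inserting tipc. This governs
# later load requests made through modprobe only; it does not unload a
# module that is already in the running kernel.
- name: Disable TIPC protocol (CIS 3.3.4)
  ansible.builtin.lineinfile:
    path: /etc/modprobe.d/cis.conf
    # Replace an existing "install tipc ..." directive in this file instead
    # of leaving a second, conflicting one next to the new line.
    regexp: '^\s*install\s+tipc\s'
    line: "install tipc /bin/true"
    create: true
    owner: root
    group: root
    # Quoted so the mode is passed as a string, not parsed as a number.
    mode: '0644'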
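# Removes the four protocol modules from the running kernel. A modprobe.d
# "install" directive only changes what later modprobe requests do, so a
# module loaded before the directive was written needs this step (or a
# reboot). Requires the community.general collection on the controller.
- name: Unload uncommon protocols if loaded
  community.general.modprobe:
    name: "{{ item }}"
    state: absent
  loop:
    - dccp
    - sctp
    - rds
    - tipc
  # Best effort: every failure of this task is suppressed, so an unload
  # that does not succeed is not reported and the module may stay loaded.
  # NOTE(review): if the role must prove the protocols are gone, follow
  # this with a check of the loaded-module list rather than relying on the
  # task result.
  failed_when: false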