PR #180 thanks to @ipruteanu-sie and @raabf

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-27 15:33:06 +00:00 · 2024-03-06 09:28:18 +00:00 · 2024-03-06 09:28:18 +00:00 · 1b655bb473
commit 1b655bb473
parent bf7df3fea2
7 changed files with 8 additions and 10 deletions
--- a/tasks/section_1/cis_1.1.7.x.yml
+++ b/tasks/section_1/cis_1.1.7.x.yml
@ -39,7 +39,6 @@
  notify: Change_requires_reboot
  when:
      - item.mount == "/home"
-      - rhel9cis_rule_1_1_7_1
      - rhel9cis_rule_1_1_7_2 or
        rhel9cis_rule_1_1_7_3
  tags:
@ -49,5 +48,4 @@
      - mounts
      - rule_1.1.7.2
      - rule_1.1.7.3
-      - rule_1.1.7.4
      - skip_ansible_lint
--- a/tasks/section_1/cis_1.3.x.yml
+++ b/tasks/section_1/cis_1.3.x.yml
@ -54,7 +54,7 @@
      - patch
      - rule_1.3.2

- name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
+- name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
  ansible.builtin.blockinfile:
      path: /etc/aide.conf
      marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown"
--- a/tasks/section_1/cis_1.8.x.yml
+++ b/tasks/section_1/cis_1.8.x.yml
@ -118,7 +118,7 @@
      - gui
      - rule_1.8.4

- name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden"
+- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden"
  block:
      - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock directory"
        ansible.builtin.file:
--- a/tasks/section_4/cis_4.1.3.x.yml
+++ b/tasks/section_4/cis_4.1.3.x.yml
@ -99,7 +99,7 @@
      - level2-workstation
      - patch
      - auditd
-      - rule_4.1.3_7
+      - rule_4.1.3.7

 # All changes selected are managed by the POST audit and handlers to update
 - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected"
@ -268,7 +268,7 @@
      - level2-workstation
      - patch
      - auditd
-      - rule_4.1.20
+      - rule_4.1.3.20

 - name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
  ansible.builtin.debug:
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@ -1,6 +1,6 @@
 ---

- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"
+- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
  ansible.builtin.file:
      path: "/etc/ssh/sshd_config"
      owner: root
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@ -2,7 +2,7 @@

 - name: "5.6.2 | PATCH | Ensure system accounts are secured"
  block:
-      - name: "5.6.2 | Ensure system accounts are secured | Set nologin"
+      - name: "5.6.2 | PATCH | Ensure system accounts are secured | Set nologin"
        ansible.builtin.user:
            name: "{{ item.id }}"
            shell: /usr/sbin/nologin
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@ -75,7 +75,7 @@
      - groups
      - rule_6.2.3

- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist"
+- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist"
  block:
      - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
        ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"