Merge branch 'devel' into pub_feb26_updates

Signed-off-by: uk-bolly <69214557+uk-bolly@users.noreply.github.com>
2026-03-25 14:27:12 +00:00 · 2026-02-12 09:54:10 +00:00 · 2026-02-12 09:54:10 +00:00 · 3015e2fe2f
commit 3015e2fe2f
parent 032c75924e 15ebe5500b
5 changed files with 18 additions and 16 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -42,13 +42,13 @@ repos:
    name: Detect Secrets test

 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.29.1
+  rev: v8.30.0
  hooks:
  - id: gitleaks
    name: Run Gitleaks test

 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.11.0
+  rev: v26.1.1
  hooks:
  - id: ansible-lint
    name: Ansible-lint
@ -67,7 +67,7 @@ repos:
    # - ansible-core>=2.10.1

 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.37.1  # or higher tag
+  rev: v1.38.0  # or higher tag
  hooks:
  - id: yamllint
    name: Check YAML Lint
--- a/Changelog.md
+++ b/Changelog.md
@ -77,9 +77,11 @@ tidy up tags on tasks/main.yml
  - public issue 372
  - allow password with different locale

-
 ## 2.0.4 - Based on CIS v2.0.0

+- addressed issue #419, thank you @aaronk1
+- addressed issue #418 thank you @bbaassssiiee
+- addressed issue #416 thank you @georgenalen and @bbaassssiiee
 - addressed issue #393 thank you to @fragglexarmy
 - addressed issue #394 thank you to @dbeuker
 - addressed issues #390 and #391 thanks to @polski-g
@ -88,6 +90,9 @@ tidy up tags on tasks/main.yml
 - work flow updates
 - audit logic improvements
 - auditd template 2.19 compatible
+- pre-commit updates
+- #410 thanks to @kpi-nourman
+- #413 thanks to @bbaassssiiee

 ## 2.0.3 - Based on CIS v2.0.0
 - addressed issue #387, thank you @fragglexarmy
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -614,14 +614,7 @@ rhel9cis_crypto_policy_ansiblemanaged: true
 #  -'FUTURE': conservative security level that is believed to withstand any near-term future attacks
 #  -'FIPS': A level that conforms to the FIPS140-2 requirements
 rhel9cis_crypto_policy: 'DEFAULT'
-# This variable contains the value of the crypto policy module(combinations of policies and
-# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
-# using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are:
-#    - 'OSPP'
-#    - 'AD-SUPPORT'
-#    - 'AD-SUPPORT-LEGACY'
-rhel9cis_crypto_policy_module: ''
-## Controls 1.6.x
+## Control 1.6
 # This variable contains the value of the crypto policy module(combinations of policies and
 # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
 # using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable.
@ -814,6 +807,8 @@ rhel9cis_tftp_client: false
 ## Control 3.1.1 - Ensure IPv6 status is identified
 # This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: true
+# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
+rhel9cis_ipv6_disable_method: "sysctl"

 # 3.1.1 Disable IPv6
 # rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -433,6 +433,8 @@
    path: "{{ rhel9cis_sshd_config_file }}"
    regexp: (?i)^(#|)\s*MaxStartups
    line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
+    insertbefore: "^Match"
+    firstmatch: true
    validate: sshd -t -f %s
  notify: Restart sshd

--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@ -93,10 +93,10 @@
          loop:
            - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
              after:  "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
-              line:   "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
            - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
              before: "auth\\s+required\\s+pam_deny.so"
-              line:   "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
            - regexp: "account\\s+required\\s+pam_faillock.so"
              before: "account\\s+required\\s+pam_unix.so"
              line:   "account     required      pam_faillock.so" # yamllint disable-line rule:colons
@ -112,10 +112,10 @@
          loop:
            - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
              after:  "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
-              line:   "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
            - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
              before: "auth\\s+required\\s+pam_deny.so"
-              line:   "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
            - regexp: "account\\s+required\\s+pam_faillock.so"
              before: "account\\s+required\\s+pam_unix.so"
              line:   "account     required      pam_faillock.so" # yamllint disable-line rule:colons