diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a7b9e43..6abad7b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -42,13 +42,13 @@ repos:
 name: Detect Secrets test
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.29.1
+ rev: v8.30.0
 hooks:
 - id: gitleaks
 name: Run Gitleaks test
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v25.11.0
+ rev: v26.1.1
 hooks:
 - id: ansible-lint
 name: Ansible-lint
@@ -67,7 +67,7 @@ repos:
 # - ansible-core>=2.10.1
 - repo: https://github.com/adrienverge/yamllint.git
- rev: v1.37.1 # or higher tag
+ rev: v1.38.0 # or higher tag
 hooks:
 - id: yamllint
 name: Check YAML Lint
diff --git a/Changelog.md b/Changelog.md
index 8730cbb..035d685 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -77,9 +77,11 @@ tidy up tags on tasks/main.yml
 - public issue 372
 - allow password with different locale
-
 ## 2.0.4 - Based on CIS v2.0.0
+- addressed issue #419, thank you @aaronk1
+- addressed issue #418 thank you @bbaassssiiee
+- addressed issue #416 thank you @georgenalen and @bbaassssiiee
 - addressed issue #393 thank you to @fragglexarmy
 - addressed issue #394 thank you to @dbeuker
 - addressed issues #390 and #391 thanks to @polski-g
@@ -88,6 +90,9 @@ tidy up tags on tasks/main.yml
 - work flow updates
 - audit logic improvements
 - auditd template 2.19 compatible
+- pre-commit updates
+- #410 thanks to @kpi-nourman
+- #413 thanks to @bbaassssiiee
 ## 2.0.3 - Based on CIS v2.0.0
 - addressed issue #387, thank you @fragglexarmy
diff --git a/defaults/main.yml b/defaults/main.yml
index 5df8ecb..a31521a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -614,14 +614,7 @@ rhel9cis_crypto_policy_ansiblemanaged: true
 # -'FUTURE': conservative security level that is believed to withstand any near-term future attacks
 # -'FIPS': A level that conforms to the FIPS140-2 requirements
 rhel9cis_crypto_policy: 'DEFAULT'
-# This variable contains the value of the crypto policy module(combinations of policies and
-# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
-# using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are:
-# - 'OSPP'
-# - 'AD-SUPPORT'
-# - 'AD-SUPPORT-LEGACY'
-rhel9cis_crypto_policy_module: ''
-## Controls 1.6.x
+## Control 1.6
 # This variable contains the value of the crypto policy module(combinations of policies and
 # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
 # using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable.
@@ -814,6 +807,8 @@ rhel9cis_tftp_client: false
 ## Control 3.1.1 - Ensure IPv6 status is identified
 # This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: true
+# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
+rhel9cis_ipv6_disable_method: "sysctl"
 # 3.1.1 Disable IPv6
 # rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index 2b372de..a75e444 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@@ -433,6 +433,8 @@
 path: "{{ rhel9cis_sshd_config_file }}"
 regexp: (?i)^(#|)\s*MaxStartups
 line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
+ insertbefore: "^Match"
+ firstmatch: true
 validate: sshd -t -f %s
 notify: Restart sshd
diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml
index 755e737..51f032e 100644
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
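Review bot: The comment added above `rhel9cis_ipv6_disable_method` is a verbatim copy of the one that already sits two lines below it under `# 3.1.1 Disable IPv6`, and both name a variable `rhel9cis_ipv6_disable` rather than the key actually being defined. If the existing block below already declares `rhel9cis_ipv6_disable_method` (it continues past the hunk, so I cannot confirm), the file ends up with a duplicate mapping key, which YAML parsers resolve silently by last-wins and yamllint's key-duplicates rule rejects. Either drop the two added lines in favour of the existing definition, or keep this one and remove the older copy, with the comment corrected to `# rhel9cis_ipv6_disable_method selects how IPv6 is disabled: "sysctl" or "kernel"`.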
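Review bot: The new `insertbefore: "^Match"` / `firstmatch: true` pair only governs where a line is placed when `regexp` finds nothing; when `(?i)^(#|)\s*MaxStartups` matches an existing line, lineinfile rewrites that line where it stands, so a commented-out `#MaxStartups` located below a `Match` block would be uncommented inside that block. Because `validate: sshd -t -f %s` is set, sshd would reject the file and the task fails rather than silently mis-scoping the directive, which is the safe outcome, but that behaviour deserves a comment above `insertbefore`, e.g. `# only honoured when no existing MaxStartups line matches; a match is rewritten in place`. If the sibling sshd lineinfile tasks in this file do not use the same pair they have the same placement problem, which I cannot check from here; the enclosing task starts before this hunk.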
@@ -93,10 +93,10 @@
 loop:
 - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
 after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
- line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+ line: "auth required pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
 - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
 before: "auth\\s+required\\s+pam_deny.so"
- line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+ line: "auth required pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
 - regexp: "account\\s+required\\s+pam_faillock.so"
 before: "account\\s+required\\s+pam_unix.so"
 line: "account required pam_faillock.so" # yamllint disable-line rule:colons
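Review bot: The rewritten preauth and authfail `line:` values drop `deny=3` but keep `unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}` on the module line, so part of the lockout policy still lives in the PAM stack rather than in faillock.conf, which is where the removal of `deny` suggests it is meant to be configured. `unlock_timeout` is also not an option pam_faillock(8) documents (the option is `unlock_time`), so as far as I can tell that argument is ignored and the effective unlock time comes from faillock.conf or the module's built-in default, without any error surfacing in the play. Either drop it too, `line: "auth required pam_faillock.so preauth silent"` and `line: "auth required pam_faillock.so authfail silent"`, so faillock.conf is the single source of truth, or correct the option name and keep the variable in one place only. The same two lines are changed again in the second hunk, `@@ -112,10 +112,10 @@`; the task that owns this `loop:` begins before the hunk.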
@@ -112,10 +112,10 @@
 loop:
 - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
 after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
- line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+ line: "auth required pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
 - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
 before: "auth\\s+required\\s+pam_deny.so"
- line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+ line: "auth required pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
 - regexp: "account\\s+required\\s+pam_faillock.so"
 before: "account\\s+required\\s+pam_unix.so"
 line: "account required pam_faillock.so" # yamllint disable-line rule:colons