Fixes from Public Issue 418 and 419 + Lic year

Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
Frederick Witty 2026-01-08 14:08:35 -05:00
parent 2d02d8b048
commit 309ff4cdd7
4 changed files with 11 additions and 10 deletions


@ -1,15 +1,14 @@
# Changes to rhel9CIS # Changes to RHEL9CIS
# Based on CIS v2.0.0 ## 2.0.4 - Based on CIS v2.0.0
addressed issue #419, thank you @aaronk1
addressed issue #418 thank you @bbaassssiiee
Added better sysctl logic to disable IPv6 Added better sysctl logic to disable IPv6
Added option to disable IPv6 via sysctl (original method) or via the kernel Added option to disable IPv6 via sysctl (original method) or via the kernel
# Based on CIS v2.0.0
pre-commit udpates pre-commit udpates
public issue #410 thanks to @kpi-nourman public issue #410 thanks to @kpi-nourman
public issue #413 thanks to @bbaassssiiee public issue #413 thanks to @bbaassssiiee
# Based on CIS v2.0.0
Public issues incorporated Public issues incorporated
Workflow updates Workflow updates
Pre-commit updates Pre-commit updates


@ -1,6 +1,6 @@
MIT License MIT License
Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Copyright (c) 2026 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
Permission is hereby granted, free of charge, to any person obtaining a copy Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal of this software and associated documentation files (the "Software"), to deal


@ -411,6 +411,8 @@
path: "{{ rhel9cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: '^(#)?MaxAuthTries \d' regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}' line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
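Review bot: The new `insertbefore: "^Match"` line needs a comment saying why it is there, because nothing else in the task makes it obvious: per sshd_config(5), keywords after a `Match` line apply only to connections satisfying that block until the next `Match` or end of file, so a `MaxAuthTries` appended at EOF below a Match block would not apply globally while the control would still read as enforced. Suggest placing `# Must land above any Match block: keywords after Match apply only to that block (sshd_config(5))` directly above `insertbefore`. `^Match` is case-sensitive whereas sshd keywords are not, so a lower-case `match` line would still be passed over; `insertbefore: '(?i)^\s*Match\b'` would close that gap if a tighter pattern is wanted. As I read lineinfile, `insertbefore`/`firstmatch` only take effect when `regexp` finds no existing line; when `#MaxAuthTries 6` already exists it is edited in place wherever it sits, which is the intended path for a stock config. The task's `name` and module line precede the hunk, and any sibling lineinfile tasks for other sshd keywords in this file (not visible here) would presumably need the same guard.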


@ -25,7 +25,7 @@
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: ^(\s*ForwardToSyslog) regexp: ^(\s*ForwardToSyslog\s*=.*)
replace: '#\1' replace: '#\1'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured" - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
@ -50,7 +50,7 @@
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: (?i)(\s*compress=) regexp: ^(\s*Compress\s*=.*)
replace: '#\1' replace: '#\1'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
@ -76,5 +76,5 @@
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
ansible.builtin.replace: ansible.builtin.replace:
path: /etc/systemd/journald.conf path: /etc/systemd/journald.conf
regexp: (?i)(\s*storage=) regexp: ^(\s*Storage\s*=.*)
replace: '#\1' replace: '#\1'
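Review bot: The anchored `^(\s*ForwardToSyslog\s*=.*)` pattern (and its `Compress` and `Storage` twins in the two later hunks) only neutralises entries in /etc/systemd/journald.conf; systemd reads drop-ins under /etc/systemd/journald.conf.d/ with higher precedence than the main file, so a `ForwardToSyslog=yes` set in a drop-in survives this task and overrides whatever the following task writes to the main file. If no sibling task covers the drop-in directory — none is visible in these hunks — the control reports as patched while journald keeps forwarding. At minimum document the limitation above `path:` with `# Only the main file is handled; journald.conf.d/*.conf drop-ins take precedence over it and are not touched here`, or extend the three tasks to that directory. Dropping `(?i)` also makes the match case-sensitive; as far as I know systemd option names are case-sensitive too, so a differently-cased key would neither be honoured by journald nor need commenting, and a one-line comment saying so would stop a future reader reinstating `(?i)`. The tasks that set the desired values follow each hunk and are outside it.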