ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 14:27:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fixes from Public Issue 418 and 419 + Lic year

Browse source 
Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
This commit is contained in:
Frederick Witty 2026-01-08 14:08:35 -05:00
parent 2d02d8b048
commit 309ff4cdd7
No known key found for this signature in database
GPG key ID: 0CFA99C02DE4D8C3
4 changed files with 11 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

11
Changelog.md
View file

@ -1,15 +1,14 @@
# Changes to rhel9CIS
# Changes to RHEL9CIS
# Based on CIS v2.0.0
## 2.0.4 - Based on CIS v2.0.0
addressed issue #419, thank you @aaronk1
addressed issue #418 thank you @bbaassssiiee
Added better sysctl logic to disable IPv6
Added option to disable IPv6 via sysctl (original method) or via the kernel
# Based on CIS v2.0.0
pre-commit udpates
public issue #410 thanks to @kpi-nourman
public issue #413 thanks to @bbaassssiiee
# Based on CIS v2.0.0
Public issues incorporated
Workflow updates
Pre-commit updates

2
LICENSE
View file

@ -1,6 +1,6 @@
MIT License
Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
Copyright (c) 2026 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal

2
tasks/section_5/cis_5.1.x.yml
View file

@ -411,6 +411,8 @@
path: "{{ rhel9cis_sshd_config_file }}"
regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s
notify: Restart sshd

6
tasks/section_6/cis_6.2.2.x.yml
View file

@ -25,7 +25,7 @@
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(\s*ForwardToSyslog)
regexp: ^(\s*ForwardToSyslog\s*=.*)
replace: '#\1'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
@ -50,7 +50,7 @@
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: (?i)(\s*compress=)
regexp: ^(\s*Compress\s*=.*)
replace: '#\1'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
@ -76,5 +76,5 @@
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: (?i)(\s*storage=)
regexp: ^(\s*Storage\s*=.*)
replace: '#\1'