From 553f18e9926bb6e6ba7772e470375b44c709bdf5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 15:13:33 +0100 Subject: [PATCH 1/7] updated pre-commit-hooks version Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index dec2081..aa27650 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 + rev: v6.0.0 hooks: # Safety - id: detect-aws-credentials From b21569c62dd7a15c269c9c928a2c61c4c5a81d9b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:00:36 +0100 Subject: [PATCH 2/7] added update for gdm and giu packages Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 ++ tasks/section_1/main.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index d50aecf..98efbba 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -617,6 +617,8 @@ rhel9cis_warning_banner: Authorized users only. All activity may be monitored an # End Banner ## Control 1.8.x - Settings for GDM +# do not run Control 1.8.x if using a display manager different than gdm +rhel10cis_display_manager: "gdm" # This variable governs whether rules dealing with GUI specific packages(and/or their settings) should # be executed either to: # - secure GDM, if GUI is needed('rhel9cis_gui: true') diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index c540fab..29687b3 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -61,5 +61,6 @@ file: cis_1.7.x.yml - name: "SECTION | 1.8 | Gnome Display Manager" + when: rhel10cis_display_manager == 'gdm' ansible.builtin.import_tasks: file: cis_1.8.x.yml From fd2bfb7437215591945e4c0261f651f8e5eb04b0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:03:11 +0100 Subject: [PATCH 3/7] improved prelim tests for 5.2.4 
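Review bot: The new default `rhel10cis_display_manager: "gdm"` in defaults/main.yml does not follow the variable prefix used in the same hunk (`rhel9cis_warning_banner`, `rhel9cis_gui`) and in the changelog heading "Changes to rhel9CIS", so it reads as a copy-over from a sibling role and will be missed by anyone overriding variables by the `rhel9cis_` prefix. Rename it to `rhel9cis_display_manager: "gdm"` and change the matching `when:` in tasks/section_1/main.yml in the same commit, since the two must agree. The comment above it should also state the consequence of any other value, because it is easy to miss: `# Any value other than gdm skips the whole of cis_1.8.x.yml; nothing else in the role hardens a different display manager`.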
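Review bot: The gate `when: rhel10cis_display_manager == 'gdm'` on the 1.8 import is a case- and whitespace-sensitive string comparison, so an inventory value such as `GDM` or `gdm ` skips every task in cis_1.8.x.yml, including whatever `rhel9cis_gui` would otherwise enforce, without any error pointing at the mistyped value. Normalising the comparison, `when: rhel10cis_display_manager | trim | lower == 'gdm'`, removes that failure mode; the variable should also carry the role's `rhel9cis_` prefix to match the rest of the role. Because this is `import_tasks`, the condition is applied to each imported task, which is the intended behaviour here. The task list this entry belongs to starts above the hunk.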
Signed-off-by: Mark Bolwell --- tasks/main.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 460acc8..191ea25 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -93,11 +93,14 @@ block: - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template] ansible.builtin.assert: - that: - - prelim_ansible_user_password_set.stdout | length != 0 - - prelim_ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" - success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" + that: | + ( + ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" )) + or + (ansible_env.SUDO_USER in rhel10cis_sudoers_exclude_nopasswd_list) + ) + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access" + success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4" - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] ansible.builtin.assert: From cddad90a236347d6e20841488371363809bd2b99 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:04:07 +0100 Subject: [PATCH 4/7] enabled different locale characters in password check Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 191ea25..83aff0c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
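Review bot: The new exception branch `ansible_env.SUDO_USER in rhel10cis_sudoers_exclude_nopasswd_list` references a `rhel10cis_` variable while the defaults touched elsewhere in this series use the `rhel9cis_` prefix, and no default for this list is added; if the name does not resolve, the `in` test raises an undefined-variable error and the assert aborts the run instead of gating it. Confirm the name against defaults/main.yml and guard it so the check degrades safely: `(ansible_env.SUDO_USER in (rhel10cis_sudoers_exclude_nopasswd_list | default([])))`. Passing because the user is in the NOPASSWD exception list is only safe if rule 5.2.4 actually writes that exception to sudoers before later privileged tasks need it; that ordering is outside this hunk and worth a one-line comment on the assert. The `fail_msg` also contains a doubled word, `or or the user`. The enclosing `block:` starts above the hunk.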
@@ -134,7 +134,7 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" + ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" changed_when: false failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ] register: prelim_root_passwd_set From 7428f269e74586716c11bb9404c240cd9cc39007 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:09:51 +0100 Subject: [PATCH 5/7] changed rsyslog to insert before line134 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 9d26acf..eaa3bd1 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -131,7 +131,7 @@ *.=warning;*.=err -/var/log/warn *.crit /var/log/warn *.*;mail.none;news.none /var/log/messages - insertafter: '#### RULES ####' + insertbefore: '# ### sample forwarding rule ###' notify: Restart rsyslog - name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings" From f0fb7011226b5f25f34766bbe07f71eeae5279ea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:10:37 +0100 Subject: [PATCH 6/7] updated var naming on 5.4.2.5 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index b3dd7d9..b291cc2 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -139,7 +139,7 @@ ansible.builtin.stat: path: "{{ item }}" loop: "{{ discovered_root_paths_split.stdout_lines }}" - register: paths_stat + register: discovered_root_paths_stat - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs" ansible.builtin.file: 
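Review bot: `grep -E "(Password set, SHA512 crypt|Password locked)"` makes this "root password is set" prelim check depend on the hash algorithm rather than on whether a password exists: a root password hashed with yescrypt, or any other method the pattern does not list, gives rc 1, and whatever consumes `prelim_root_passwd_set` downstream sees the same result as an empty password. Prefixing `LC_ALL=C` fixes the localised-output case but not this one. If the intent is existence, match the status text only, `LC_ALL=C passwd -S root | grep -E "Password (set|locked)"`, and leave the algorithm to the dedicated password-hashing control. The `block:` this task belongs to starts above the hunk.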
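Review bot: `insertbefore: '# ### sample forwarding rule ###'` is a regular expression matched against the target file, and when it does not match (both lineinfile and blockinfile behave this way) the content is appended at end of file, so on a host whose rsyslog.conf lacks the stock comment (edited locally, or a package version with different text) the rules land after any `include()`/`$IncludeConfig` lines with no error, changing the order in which rsyslog evaluates them. The old `insertafter: '#### RULES ####'` had the same fallback, so this is not a regression, but the dependency on a distribution comment deserves a note next to it: `# insertbefore is a regex; falls back to EOF if the stock comment is absent`. Anchoring it, `insertbefore: '^# ### sample forwarding rule ###'`, also avoids matching the phrase inside some other line. The module call this parameter belongs to starts above the hunk.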
@@ -148,7 +148,7 @@ owner: root group: root mode: 'go-w' - loop: "{{ paths_stat.results }}" + loop: "{{ discovered_root_paths_stat.results }}" when: not item.stat.exists - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" From f8d95213671abb8a0bfc39a6144380f1e22e8c26 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:19:07 +0100 Subject: [PATCH 7/7] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog.md b/Changelog.md index b6db646..68ba2d4 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,12 @@ # Changes to rhel9CIS +## 2.0.3 - Based on CIS v2.0.0 + +- addressed issue 371 thanks to @bgro and kodebach +- addressed issue 350 thanks to @chrispipo +- addressed issue 364 thanks to @polski-g +- pre-commit update + ## 2.0.2 - Based on CIS v2.0.0 - Update to audit_only to allow fetching results