Merge pull request #63 from ansible-lockdown/Feb26_updates

Update .j2 branding
2026-03-25 14:27:12 +00:00 · 2026-02-11 17:01:56 -05:00 · 2026-02-11 17:01:56 -05:00 · 3cfcf00717
commit 3cfcf00717
parent 4aa09d558f f413385208
40 changed files with 53 additions and 50 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -3,6 +3,7 @@
 ## 2.0.5 - Based on CIS v2.0.0

 - QA Fixes
+- .j2 Branding Update
 - Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
 - fixed spelling and grammar across defaults/main.yml, Changelog.md, README.md, tasks/main.yml, and vars/main.yml
 - Fixed incorrect product reference in vars/main.yml comment (ubtu24cis -> rhel9cis)
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,11 +1,11 @@
 ---
 galaxy_info:
-  author: "MindPoint Group"
+  author: "Ansible-Lockdown"
  description: "Apply the RHEL 9 CIS"
-  company: "MindPoint Group"
+  company: "MindPoint Group - A Tyto Athene Company"
  license: MIT
  role_name: rhel9_cis
-  namespace: mindpointgroup
+  namespace: ansible-lockdown
  min_ansible_version: 2.10.1
  platforms:
    - name: EL
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by {{ company_title }}
+{{ file_managed_by_ansible }}
 ### YOUR CHANGES WILL BE LOST!

 # This file contains users whose actions are not logged by auditd
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by {{ company_title }}
+{{ file_managed_by_ansible }}
 ### YOUR CHANGES WILL BE LOST!

 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually
--- a/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2
+++ b/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # Audit Tools
 /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
--- a/templates/etc/ansible/compliance_facts.j2
+++ b/templates/etc/ansible/compliance_facts.j2
@ -1,6 +1,4 @@
-# CIS Hardening Carried out
-# Added as part of ansible-lockdown CIS baseline
-# provided by {{ company_title }}
+{{ file_managed_by_ansible }}

 [lockdown_details]
 # Benchmark release
--- a/templates/etc/chrony.conf.j2
+++ b/templates/etc/chrony.conf.j2
@ -1,4 +1,4 @@
-{{ ansible_managed | comment }}
+{{ file_managed_by_ansible }}

 # Use public servers from the pool.ntp.org project.
 # Please consider joining the pool (http://www.pool.ntp.org/join.html).
--- a/templates/etc/cron.d/aide.cron.j2
+++ b/templates/etc/cron.d/aide.cron.j2
@ -1,7 +1,5 @@
+{{ file_managed_by_ansible }}
 # Run AIDE integrity check
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by {{ company_title }}
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2

--- a/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy dropping the SHA1 hash and signature support
 # Carried out as part of CIS Benchmark rule 1.6.3

--- a/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable all CBC mode ciphers
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rule 1.6.5
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable Encrypt then MAC
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rule 1.6.7
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak ciphers
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak macs
 # Carried out as part of CIS Benchmark control 5.1.6

--- a/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak macs
 # Carried out as part of CIS Benchmark rule 1.6.4

--- a/templates/etc/dconf/db/00-automount_lock.j2
+++ b/templates/etc/dconf/db/00-automount_lock.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by {{ company_title }}
+{{ file_managed_by_ansible }}

 # Lock desktop media-handling automount setting
 /org/gnome/desktop/media-handling/automount
--- a/templates/etc/dconf/db/00-autorun_lock.j2
+++ b/templates/etc/dconf/db/00-autorun_lock.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by {{ company_title }}
+{{ file_managed_by_ansible }}

 # Lock desktop media-handling settings
 /org/gnome/desktop/media-handling/autorun-never
--- a/templates/etc/dconf/db/00-media-automount.j2
+++ b/templates/etc/dconf/db/00-media-automount.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by {{ company_title }}
+{{ file_managed_by_ansible }}

 [org/gnome/desktop/media-handling]
 automount=false
--- a/templates/etc/dconf/db/00-media-autorun.j2
+++ b/templates/etc/dconf/db/00-media-autorun.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by {{ company_title }}
+{{ file_managed_by_ansible }}

 [org/gnome/desktop/media-handling]
 autorun-never=true
--- a/templates/etc/dconf/db/00-screensaver.j2
+++ b/templates/etc/dconf/db/00-screensaver.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by {{ company_title }}
+{{ file_managed_by_ansible }}

 # Specify the dconf path
 [org/gnome/desktop/session]
--- a/templates/etc/dconf/db/00-screensaver_lock.j2
+++ b/templates/etc/dconf/db/00-screensaver_lock.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by {{ company_title }}
+{{ file_managed_by_ansible }}

 # Lock desktop screensaver idle-delay setting
 /org/gnome/desktop/session/idle-delay
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by {{ company_title }}
+{{ file_managed_by_ansible }}

 [org/gnome/login-screen]
 banner-message-enable=true
--- a/templates/etc/logrotate.d/rsyslog_log.j2
+++ b/templates/etc/logrotate.d/rsyslog_log.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 /var/log/rsyslog/*.log {
    {{ rhel9cis_rsyslog_logrotate_rotated_when }}
    rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}
--- a/templates/etc/modprobe.d/modprobe.conf.j2
+++ b/templates/etc/modprobe.d/modprobe.conf.j2
@ -1,6 +1,4 @@
-# Disable usage of protocol {{ item }}
-# Set by ansible {{ benchmark }} remediation role
-# https://github.com/ansible-lockdown
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!

 install {{ item }} /bin/true
--- a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.3 Ensure password complexity is configured
 {% if rhel9cis_passwd_complex_option == 'minclass' %}  # pragma: allowlist secret
--- a/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.6 Ensure password dictionary check is enabled
 dictcheck = {{ rhel9cis_passwd_dictcheck_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.1 Ensure password number of changed characters is configured
 difok = {{ rhel9cis_passwd_difok_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.2 Ensure minimum password length is configured
 minlen = {{ rhel9cis_passwd_minlen_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.5 Ensure password maximum sequential characters is configured
 maxsequence = {{ rhel9cis_passwd_maxsequence_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.7 Ensure password quality checking is enforced
 enforcing = {{ rhel9cis_passwd_quality_enforce_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.4 Ensure password same consecutive characters is configured
 maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.7 Ensure password quality is enforced for the root user
 {{ rhel9cis_passwd_quality_enforce_root_value }}
--- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
+++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!

 # IPv6 disable
 {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}
--- a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!

 {% if rhel9cis_rule_1_5_1 %}
 # Adress space randomise
--- a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2
@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!

 # IPv4 Network sysctl
 {% if rhel9cis_rule_3_3_1 %}
--- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!

 # IPv6 Network sysctl
 {% if rhel9cis_ipv6_required %}
--- a/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
+++ b/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 # CIS rule 6_2_2_2
 [Journal]
 ForwardToSyslog=no
--- a/templates/etc/systemd/journald.conf.d/rotation.conf.j2
+++ b/templates/etc/systemd/journald.conf.d/rotation.conf.j2
@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 # CIS rule 6_2_1_3
 [Journal]
 SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}
--- a/templates/etc/systemd/journald.conf.d/storage.conf.j2
+++ b/templates/etc/systemd/journald.conf.d/storage.conf.j2
@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 [Journal]
 {% if rhel9cis_rule_6_2_2_3 %}
 # Set compress CIS rule 6_2_2_3
--- a/templates/etc/systemd/system/tmp.mount.j2
+++ b/templates/etc/systemd/system/tmp.mount.j2
@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 #  SPDX-License-Identifier: LGPL-2.1+
 #
 #  This file is part of systemd.
@ -7,7 +8,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+## YOUR CHANGED WILL BE LOST!

 [Unit]
 Description=Temporary Directory (/tmp)
--- a/vars/main.yml
+++ b/vars/main.yml
@ -77,4 +77,9 @@ audit_bins:
  - /sbin/auditd
  - /sbin/augenrules

-company_title: 'Mindpoint Group - A Tyto Athene Company'
+company_title: 'MindPoint Group - A Tyto Athene Company'
+
+file_managed_by_ansible: |-
+  # File managed by ansible as part of {{ benchmark }} benchmark
+  # As part of Ansible-lockdown
+  # Provided by {{ company_title }}