Merge pull request #307 from ansible-lockdown/devel

Updates to benchmark v2.0.0

.gitignore

@@ -46,3 +46,6 @@ benchparse/
 
 # GitHub Action/Workflow files
 .github/
+
+# Precommit exclusions
+.ansible/

.pre-commit-config.yaml

@@ -41,12 +41,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.23.3
+  rev: v8.24.0
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.1.2
+  rev: v25.1.3
   hooks:
   - id: ansible-lint
     name: Ansible-lint

README.md

@@ -27,6 +27,7 @@
 ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues)
 ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success)
 ![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL9-CIS?label=Pull%20Requests)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)
 
 ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License)
 

defaults/main.yml

@@ -923,7 +923,7 @@ rhel9cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf
 # Options are: minclass or credits
 # ensure only one is selected
 rhel9cis_passwd_complex_option: minclass  # pragma: allowlist secret
-rhel9cis_passwd_minclass: 3
+rhel9cis_passwd_minclass: 4
 # rhel9cis_passwd_complex: credits
 rhel9cis_passwd_dcredit: -1
 rhel9cis_passwd_ucredit: -2
@@ -1100,14 +1100,68 @@ rhel9cis_aide_cron:
 #
 ## Preferred method of logging
 ## Whether rsyslog or journald preferred method for local logging
-## Control 6.2.3 | Configure rsyslog
-## Control 6.2.1 | Configure journald
-# This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation)
-# or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best
+## Controls 6.2.1.x | Configure systemd-journald service
+## Controls 6.2.2.x | Configured journald
+## Controls 6.2.3.x | Configure rsyslog
+
+# This variable governs which logging service should be used, choosing between 'rsyslog'
+# or 'journald'(CIS recommendation) will trigger the execution of the associated subsection, as the-best
 # practices are written wholly independent of each other.
 rhel9cis_syslog: journald
 
-## Control 6.2.2.x & 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
+## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
+# Current variable configures the max amount of disk space the logs will use(thus, journal files
+# will not grow without bounds)
+# The variables below related to journald, please set these to your site specific values
+# These variable specifies how much disk space the journal may use up at most
+# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
+# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
+rhel9cis_journald_systemmaxuse: 10M
+## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
+# Current variable configures the amount of disk space to keep free for other uses.
+rhel9cis_journald_systemkeepfree: 100G
+## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
+# This variable configures how much disk space the journal may use up at most.
+# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space.
+rhel9cis_journald_runtimemaxuse: 10M
+## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
+# This variable configures the actual amount of disk space to keep free
+# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space.
+rhel9cis_journald_runtimekeepfree: 100G
+## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
+# Current variable governs the settings for log retention(how long the log files will be kept).
+# Thus, it specifies the maximum time to store entries in a single journal
+# file before rotating to the next one. Set to 0 to turn off this feature.
+# The given values is interpreted as seconds, unless suffixed with the units
+# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
+# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
+# ATTENTION: Uncomment the keyword below when values are set!
+rhel9cis_journald_maxfilesec: 1month
+
+## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
+#  URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
+#  number may be specified after a colon (":"), otherwise 19532 will be used by default.
+rhel9cis_journal_upload_url: 192.168.50.42
+## The paths below have the default paths/files, but allow user to create custom paths/filenames
+
+## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+# This variable specifies the path to the private key file used by the remote journal
+# server to authenticate itself to the client. This key is used alongside the server's
+# public certificate to establish secure communication.
+rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
+## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+# This variable specifies the path to the public certificate file of the remote journal
+# server. This certificate is used to verify the authenticity of the remote server.
+rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
+## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+# This variable specifies the path to a file containing one or more public certificates
+# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
+# to validate the authenticity of the remote server's certificate.
+rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
+# ATTENTION: Uncomment the keyword below when values are set!
+
+# Control 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
 # This variable expresses whether the system is used as a log server or not. If set to:
 #  - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts.
 #  - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity
@@ -1155,57 +1209,25 @@ rhel9cis_remote_log_retrycount: 100
 # of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true').
 rhel9cis_remote_log_queuesize: 1000
 
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
-# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
-#  URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
-#  number may be specified after a colon (":"), otherwise 19532 will be used by default.
-rhel9cis_journal_upload_url: 192.168.50.42
-## The paths below have the default paths/files, but allow user to create custom paths/filenames
-
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
-# This variable specifies the path to the private key file used by the remote journal
-# server to authenticate itself to the client. This key is used alongside the server's
-# public certificate to establish secure communication.
-rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
-# This variable specifies the path to the public certificate file of the remote journal
-# server. This certificate is used to verify the authenticity of the remote server.
-rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
-# This variable specifies the path to a file containing one or more public certificates
-# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
-# to validate the authenticity of the remote server's certificate.
-rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
-# ATTENTION: Uncomment the keyword below when values are set!
-
-## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
-# Current variable configures the max amount of disk space the logs will use(thus, journal files
-# will not grow without bounds)
-# The variables below related to journald, please set these to your site specific values
-# These variable specifies how much disk space the journal may use up at most
-# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
-# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
-rhel9cis_journald_systemmaxuse: 10M
-## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
-# Current variable configures the amount of disk space to keep free for other uses.
-rhel9cis_journald_systemkeepfree: 100G
-## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
-# This variable configures how much disk space the journal may use up at most.
-# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space.
-rhel9cis_journald_runtimemaxuse: 10M
-## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
-# This variable configures the actual amount of disk space to keep free
-# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space.
-rhel9cis_journald_runtimekeepfree: 100G
-## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
-# Current variable governs the settings for log retention(how long the log files will be kept).
-# Thus, it specifies the maximum time to store entries in a single journal
-# file before rotating to the next one. Set to 0 to turn off this feature.
-# The given values is interpreted as seconds, unless suffixed with the units
-# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
-# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
-# ATTENTION: Uncomment the keyword below when values are set!
-rhel9cis_journald_maxfilesec: 1month
+## Control 6.2.3.8 rsyslog rotate
+# This variable configures whether to set your own rsyslog logrotate setting alternate to logrotate default settings
+# Please refer to logrotate options to match your site requirements
+# This sets when to rotate
+rhel9cis_rsyslog_logrotate_rotated_when: weekly
+# This sets how many rotations of the file to keep
+rhel9cis_rsyslog_logrotate_rotatation_keep: 4
+# This defines whether to set various options or not
+# these are taken from logrotate options
+# Setting
+# true will carry out the setting.
+# false will either set no/not or not add the option
+rhel9cis_rsyslog_logrotate_compress: true
+rhel9cis_rsyslog_logrotate_missingok: true
+rhel9cis_rsyslog_logrotate_notifempty: true
+rhel9cis_rsyslog_logrotate_create: true
+# Extra options that can be added according to rsyslog documentation
+# Uncomment and add the required options e.g. mode owner group
+# rhel9cis_rsyslog_logrotate_create_opts:
 
 ##  Control 6.3.2.1 - Ensure audit_backlog_limit is sufficient
 # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
@@ -1303,3 +1325,8 @@ rhel9cis_suid_sgid_adjust: false
 ## Control 7.1.11 - Ensure no world writable files exist
 # Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable.
 rhel9cis_no_world_write_adjust: true
+
+## Control 7.2.9
+# This allows ansible to alter the dot files as per rule if found
+# When set to true this will align with benchmark - can impact a running system if not tested sufficiently
+rhel9cis_dotperm_ansiblemanaged: false

handlers/main.yml

@@ -144,6 +144,15 @@
     state: remounted
   listen: "Remount /var/log/audit"
 
+- name: "Remounting /boot/efi"
+  vars:
+    mount_point: '/boot/efi'
+  ansible.posix.mount:
+    path: "{{ mount_point }}"
+    state: remounted
+  notify: Change_requires_reboot
+  listen: "Remount /boot/efi"
+
 - name: Reload sysctl
   ansible.builtin.command: sysctl --system
   changed_when: true

tasks/main.yml

@@ -116,17 +116,11 @@
         fail_msg: "You still have the default name for your authselect profile"
 
     - name: "Check authselect profile is selected | Check current profile"
-      ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
+      ansible.builtin.shell: authselect list
       changed_when: false
       failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
       register: prelim_authselect_current_profile
 
-    - name: "Check authselect profile is selected | Ensure profile name is set"
-      ansible.builtin.assert:
-        that: prelim_authselect_current_profile is defined
-        success_msg: "Authselect is running and profile is selected"
-        fail_msg: Authselect updates have been selected there are issues with profile selection"
-
 - name: "Ensure root password is set"
   when: rhel9cis_rule_5_4_2_4
   tags:

tasks/section_1/cis_1.4.x.yml

@@ -29,7 +29,8 @@
     - rule_1.4.2
     - NIST800-53R5_AC-3
   block:
-    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
+    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system"
+      when: rhel9cis_legacy_boot
       ansible.builtin.file:
         path: "/boot/grub2/{{ item.path }}"
         owner: root
@@ -39,6 +40,31 @@
         modification_time: preserve
         access_time: preserve
       loop:
-        - { path: 'grub.cfg', mode: '0700' }
-        - { path: 'grubenv', mode: 'go-rwx' }
-        - { path: 'user.cfg', mode: 'go-rwx' }
+        - { path: 'grub.cfg', mode: 'u-x,go-rwx' }
+        - { path: 'grubenv', mode: 'u-x,go-rwx' }
+        - { path: 'user.cfg', mode: 'u-x,go-rwx' }
+
+    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system"
+      when: not rhel9cis_legacy_boot
+      vars:
+        efi_mount_options: ['umask=0077', 'fmask=0077', 'uid=0', 'gid=0']
+      block:
+        - name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | efi based system | capture current state"
+          ansible.builtin.shell: grep "^[^#;]" /etc/fstab | grep '/boot/efi' | awk -F" " '{print $4}'
+          changed_when: false
+          register: discovered_efi_fstab
+
+        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"
+          when: item not in discovered_efi_fstab.stdout
+          ansible.builtin.set_fact:
+            efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item  }}"
+          loop: "{{ efi_mount_options }}"
+
+        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options"
+          when: efi_mount_opts_addition | length > 0
+          ansible.builtin.lineinfile:
+            path: /etc/fstab
+            regexp: (.*/boot/efi\s*\w*\s*){{ discovered_efi_fstab.stdout }}(.*)
+            line: \1{{ discovered_efi_fstab.stdout + efi_mount_opts_addition }}\2
+            backrefs: true
+          notify: Remount /boot/efi

tasks/section_5/cis_5.3.2.x.yml

@@ -14,9 +14,7 @@
     - rule_5.3.2.1
   block:
     - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
-      when:
-        - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
-          prelim_authselect_current_profile.stdout is not defined
+      when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout
       ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
       changed_when: false
       args:

tasks/section_5/cis_5.4.2.x.yml

@@ -190,7 +190,7 @@
     regexp: \s*umask
     line: "umask {{ rhel9cis_root_umask }}"
     create: true
-    mode: 'u+x,go-rwx'
+    mode: 'u-x,go-rwx'
 
 - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
   when:

tasks/section_6/cis_6.2.2.1.x.yml

@@ -17,7 +17,7 @@
     name: systemd-journal-remote
     state: present
 
-- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-remote authentication is configured"
+- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-upload authentication is configured"
   when:
     - rhel9cis_rule_6_2_2_1_2
     - not rhel9cis_system_is_log_server
@@ -40,7 +40,7 @@
     - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'}
     - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'}
 
-- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
+- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-upload is enabled and active"
   when:
     - not rhel9cis_system_is_log_server
     - rhel9cis_rule_6_2_2_1_3

tasks/section_6/cis_6.2.3.x.yml

@@ -256,8 +256,8 @@
 
     - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
       ansible.builtin.template:
-        src: etc/logrotate.d/rsyslog.conf.j2
-        dest: /etc/logrotate.d/rsyslog.conf
+        src: etc/logrotate.d/rsyslog_log.j2
+        dest: /etc/logrotate.d/rsyslog_log
         owner: root
         group: root
         mode: 'g-wx,o-rwx'

tasks/section_6/cis_6.2.4.1.yml

@@ -8,6 +8,8 @@
     - patch
     - logfiles
     - rule_6.2.4.1
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   block:
     - name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | find log files"
       ansible.builtin.shell: find /var/log/ -type f -exec ls {} \;
@@ -15,43 +17,35 @@
       failed_when: false
       register: discovered_logfiles
 
-    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions SSSD min 660"
       when:
         - discovered_logfiles.stdout_lines | length > 0
-        - ('audit.log' in item or 'journal' in item) or
-          item == '/var/log/secure' or
-          item == '/var/log/syslog' or
-          item == '/var/log/messages' or
-          item == '/var/log/auth.log'
+        - item is match("/var/log/(gdm|sssd)")
       ansible.builtin.file:
         path: "{{ item }}"
-        mode: 'u-x,g-wx,o-rwx'
+        mode: 'ug-x,o-rwx'
       failed_when: discovered_logfile_list.state not in '[ file, absent ]'
       register: discovered_logfile_list
       loop: "{{ discovered_logfiles.stdout_lines }}"
 
-    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions tmp min 664"
       when:
         - discovered_logfiles.stdout_lines | length > 0
-        - ('anaconda' in item or 'dnf' in item or 'secure' in item  or 'messages' in item or 'hawkey' in item)
-      ansible.builtin.file:
-        path: "{{ item }}"
-        mode: 'u-x,g-x,o-rwx'
-      failed_when: discovered_logfile_list.state not in '[ file, absent ]'
-      register: discovered_logfile_list
-      loop: "{{ discovered_logfiles.stdout_lines }}"
-
-    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
-      when:
-        - discovered_logfiles.stdout_lines | length > 0
-        - ('sssd' in item or 'lastlog' in item) or
-          item == "/var/log/btmp" or
-          item == "/var/log/utmp" or
-          item == "/var/log/wtmp" or
-          item == "/var/log/lastlog"
+        - item is match("/var/log/((u|b|w)tmp*|lastlog)")
       ansible.builtin.file:
         path: "{{ item }}"
         mode: 'ug-x,o-wx'
       failed_when: discovered_logfile_list.state not in '[ file, absent ]'
       register: discovered_logfile_list
       loop: "{{ discovered_logfiles.stdout_lines }}"
+
+    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions else all 640"
+      when:
+        - discovered_logfiles.stdout_lines | length > 0
+        - item is not match("/var/log/((u|b|w)tmp*|lastlog|sssd)")
+      ansible.builtin.file:
+        path: "{{ item }}"
+        mode: 'u-x,g-wx,o-rwx'
+      failed_when: discovered_logfile_list.state not in '[ file, absent ]'
+      register: discovered_logfile_list
+      loop: "{{ discovered_logfiles.stdout_lines }}"

tasks/section_6/main.yml

@@ -5,6 +5,7 @@
     file: cis_6.1.x.yml
 
 - name: "SECTION | 6.2.1 | Configure systemd-journald service"
+  when: rhel9cis_syslog == 'journald'
   ansible.builtin.import_tasks:
     file: cis_6.2.1.x.yml
 

tasks/section_7/cis_7.1.x.yml

@@ -169,6 +169,8 @@
     owner: root
     group: root
     mode: 'u-x,go-wx'
+  failed_when: discovered_file_exists.state not in '[ file, absent ]'
+  register: discovered_file_exists
 
 - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
   when:

templates/audit/99_auditd.rules.j2

@@ -23,6 +23,7 @@
 -w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
 {% endif %}
 {% if rhel9cis_rule_6_3_3_4 %}
+{% set syscalls = ["adjtimex","settimeofday"]  %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls  %}
 {% if syscall in supported_syscalls %}
@@ -31,6 +32,15 @@
 {% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
+{% set syscalls = ["clock_settime"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
+{% endif %}
+{% endfor %}
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if rhel9cis_rule_6_3_3_5 %}
@@ -41,8 +51,8 @@
 {{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }}  -k system-locale
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }}  -k system-locale
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -169,7 +179,7 @@
 -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_17 %}
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_chng
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_18 %}
 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod

templates/etc/logrotate.d/rsyslog.conf.j2

@@ -1,11 +0,0 @@
-/var/log/rsyslog/*.log {
-    {{ rhel9cis_rsyslog_logrotate_rotated }}
-    rotate {{ rhel9cis_rsyslog_logrotate_keep }}
-    {% if rhel9cis_rsyslog_logrotate_compress %}compress{% else %}nocompress{% endif %}
-    {% if rhel9cis_rsyslog_logrotate_missingok %}missingok{% else %}missingok{% endif %}
-    {% if rhel9cis_rsyslog_logrotate_notifempty %}notifempty{% else %}ifempty{% endif %}
-    {% if rhel9cis_rsyslog_logrotate_create %}create {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
-    postrotate
-        /usr/bin/systemctl reload rsyslog.service >/dev/null || true
-    endscript
-}

templates/etc/logrotate.d/rsyslog_log.j2

@@ -0,0 +1,26 @@
+/var/log/rsyslog/*.log {
+    {{ rhel9cis_rsyslog_logrotate_rotated_when }}
+    rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}
+{% if rhel9cis_rsyslog_logrotate_compress %}
+    compress
+{% else %}
+    nocompress
+{% endif %}
+{% if rhel9cis_rsyslog_logrotate_missingok %}
+    missingok
+{% else %}
+    nomissingok
+{% endif %}
+{% if rhel9cis_rsyslog_logrotate_notifempty %}
+    notifempty
+{% else %}
+    ifempty
+{% endif %}
+{% if rhel9cis_rsyslog_logrotate_create %}
+    create{% if rhel9cis_rsyslog_logrotate_create_opts is defined %} {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
+{% endif %}
+
+    postrotate
+        /usr/bin/systemctl reload rsyslog.service >/dev/null || true
+    endscript
+}

vars/main.yml

@@ -22,6 +22,9 @@ rhel9cis_allowed_crypto_policies_modules:
 warn_control_list: ""
 warn_count: 0
 
+# Default empty values for 1.4.2
+efi_mount_opts_addition: ''
+
 gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
 
 ## Controls 6.3.3.x - Audit template