Merge pull request #307 from ansible-lockdown/devel

Updates to benchmark v2.0.0
2025-12-24 22:23:06 +00:00 · 2025-03-18 09:22:32 +00:00 · 2025-03-18 09:22:32 +00:00 · 3d502efaef
commit 3d502efaef
parent f4a0bca52a ec30606e5c
18 changed files with 199 additions and 116 deletions
--- a/.gitignore
+++ b/.gitignore
@ -46,3 +46,6 @@ benchparse/
 # GitHub Action/Workflow files
 .github/
 # Precommit exclusions
 .ansible/
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -41,12 +41,12 @@ repos:
  - id: detect-secrets
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.23.3
+  rev: v8.24.0
  hooks:
  - id: gitleaks
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.1.2
+  rev: v25.1.3
  hooks:
  - id: ansible-lint
    name: Ansible-lint
--- a/README.md
+++ b/README.md
@ -27,6 +27,7 @@
 ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues)
 ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success)
 ![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL9-CIS?label=Pull%20Requests)
 [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)
 ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License)
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -923,7 +923,7 @@ rhel9cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf
 # Options are: minclass or credits
 # ensure only one is selected
 rhel9cis_passwd_complex_option: minclass  # pragma: allowlist secret
-rhel9cis_passwd_minclass: 3
+rhel9cis_passwd_minclass: 4
 # rhel9cis_passwd_complex: credits
 rhel9cis_passwd_dcredit: -1
 rhel9cis_passwd_ucredit: -2
@ -1100,14 +1100,68 @@ rhel9cis_aide_cron:
 #
 ## Preferred method of logging
 ## Whether rsyslog or journald preferred method for local logging
-## Control 6.2.3 | Configure rsyslog
+## Controls 6.2.1.x | Configure systemd-journald service
-## Control 6.2.1 | Configure journald
+## Controls 6.2.2.x | Configured journald
-# This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation)
+## Controls 6.2.3.x | Configure rsyslog
-# or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best
+
 # This variable governs which logging service should be used, choosing between 'rsyslog'
 # or 'journald'(CIS recommendation) will trigger the execution of the associated subsection, as the-best
 # practices are written wholly independent of each other.
 rhel9cis_syslog: journald
-## Control 6.2.2.x & 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
+## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
 # Current variable configures the max amount of disk space the logs will use(thus, journal files
 # will not grow without bounds)
 # The variables below related to journald, please set these to your site specific values
 # These variable specifies how much disk space the journal may use up at most
 # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
 # See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
 rhel9cis_journald_systemmaxuse: 10M
 ## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
 # Current variable configures the amount of disk space to keep free for other uses.
 rhel9cis_journald_systemkeepfree: 100G
 ## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
 # This variable configures how much disk space the journal may use up at most.
 # Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space.
 rhel9cis_journald_runtimemaxuse: 10M
 ## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
 # This variable configures the actual amount of disk space to keep free
 # Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space.
 rhel9cis_journald_runtimekeepfree: 100G
 ## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
 # Current variable governs the settings for log retention(how long the log files will be kept).
 # Thus, it specifies the maximum time to store entries in a single journal
 # file before rotating to the next one. Set to 0 to turn off this feature.
 # The given values is interpreted as seconds, unless suffixed with the units
 # `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
 # Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
 # ATTENTION: Uncomment the keyword below when values are set!
 rhel9cis_journald_maxfilesec: 1month
 ## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
 # 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
 #  URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
 #  number may be specified after a colon (":"), otherwise 19532 will be used by default.
 rhel9cis_journal_upload_url: 192.168.50.42
 ## The paths below have the default paths/files, but allow user to create custom paths/filenames
 ## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
 # This variable specifies the path to the private key file used by the remote journal
 # server to authenticate itself to the client. This key is used alongside the server's
 # public certificate to establish secure communication.
 rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
 ## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
 # This variable specifies the path to the public certificate file of the remote journal
 # server. This certificate is used to verify the authenticity of the remote server.
 rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
 ## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
 # This variable specifies the path to a file containing one or more public certificates
 # of certificate authorities (CAs) that the client trusts. These trusted certificates are used
 # to validate the authenticity of the remote server's certificate.
 rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
 # ATTENTION: Uncomment the keyword below when values are set!
 # Control 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
 # This variable expresses whether the system is used as a log server or not. If set to:
 #  - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts.
 #  - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity
@ -1155,57 +1209,25 @@ rhel9cis_remote_log_retrycount: 100
 # of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true').
 rhel9cis_remote_log_queuesize: 1000
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+## Control 6.2.3.8 rsyslog rotate
-# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
+# This variable configures whether to set your own rsyslog logrotate setting alternate to logrotate default settings
-#  URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
+# Please refer to logrotate options to match your site requirements
-#  number may be specified after a colon (":"), otherwise 19532 will be used by default.
+# This sets when to rotate
-rhel9cis_journal_upload_url: 192.168.50.42
+rhel9cis_rsyslog_logrotate_rotated_when: weekly
-## The paths below have the default paths/files, but allow user to create custom paths/filenames
+# This sets how many rotations of the file to keep
-
+rhel9cis_rsyslog_logrotate_rotatation_keep: 4
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+# This defines whether to set various options or not
-# This variable specifies the path to the private key file used by the remote journal
+# these are taken from logrotate options
-# server to authenticate itself to the client. This key is used alongside the server's
+# Setting
-# public certificate to establish secure communication.
+# true will carry out the setting.
-rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
+# false will either set no/not or not add the option
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+rhel9cis_rsyslog_logrotate_compress: true
-# This variable specifies the path to the public certificate file of the remote journal
+rhel9cis_rsyslog_logrotate_missingok: true
-# server. This certificate is used to verify the authenticity of the remote server.
+rhel9cis_rsyslog_logrotate_notifempty: true
-rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
+rhel9cis_rsyslog_logrotate_create: true
-## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
+# Extra options that can be added according to rsyslog documentation
-# This variable specifies the path to a file containing one or more public certificates
+# Uncomment and add the required options e.g. mode owner group
-# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
+# rhel9cis_rsyslog_logrotate_create_opts:
 # to validate the authenticity of the remote server's certificate.
 rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
 # ATTENTION: Uncomment the keyword below when values are set!
 ## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
 # Current variable configures the max amount of disk space the logs will use(thus, journal files
 # will not grow without bounds)
 # The variables below related to journald, please set these to your site specific values
 # These variable specifies how much disk space the journal may use up at most
 # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
 # See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
 rhel9cis_journald_systemmaxuse: 10M
 ## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
 # Current variable configures the amount of disk space to keep free for other uses.
 rhel9cis_journald_systemkeepfree: 100G
 ## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
 # This variable configures how much disk space the journal may use up at most.
 # Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space.
 rhel9cis_journald_runtimemaxuse: 10M
 ## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
 # This variable configures the actual amount of disk space to keep free
 # Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space.
 rhel9cis_journald_runtimekeepfree: 100G
 ## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
 # Current variable governs the settings for log retention(how long the log files will be kept).
 # Thus, it specifies the maximum time to store entries in a single journal
 # file before rotating to the next one. Set to 0 to turn off this feature.
 # The given values is interpreted as seconds, unless suffixed with the units
 # `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
 # Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
 # ATTENTION: Uncomment the keyword below when values are set!
 rhel9cis_journald_maxfilesec: 1month
 ##  Control 6.3.2.1 - Ensure audit_backlog_limit is sufficient
 # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
@ -1303,3 +1325,8 @@ rhel9cis_suid_sgid_adjust: false
 ## Control 7.1.11 - Ensure no world writable files exist
 # Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable.
 rhel9cis_no_world_write_adjust: true
 ## Control 7.2.9
 # This allows ansible to alter the dot files as per rule if found
 # When set to true this will align with benchmark - can impact a running system if not tested sufficiently
 rhel9cis_dotperm_ansiblemanaged: false
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -144,6 +144,15 @@
    state: remounted
  listen: "Remount /var/log/audit"
 - name: "Remounting /boot/efi"
  vars:
    mount_point: '/boot/efi'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  notify: Change_requires_reboot
  listen: "Remount /boot/efi"
 - name: Reload sysctl
  ansible.builtin.command: sysctl --system
  changed_when: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -116,17 +116,11 @@
        fail_msg: "You still have the default name for your authselect profile"
    - name: "Check authselect profile is selected | Check current profile"
-      ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
+      ansible.builtin.shell: authselect list
      changed_when: false
      failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
      register: prelim_authselect_current_profile
    - name: "Check authselect profile is selected | Ensure profile name is set"
      ansible.builtin.assert:
        that: prelim_authselect_current_profile is defined
        success_msg: "Authselect is running and profile is selected"
        fail_msg: Authselect updates have been selected there are issues with profile selection"
 - name: "Ensure root password is set"
  when: rhel9cis_rule_5_4_2_4
  tags:
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -29,7 +29,8 @@
    - rule_1.4.2
    - NIST800-53R5_AC-3
  block:
-    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
+    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system"
      when: rhel9cis_legacy_boot
      ansible.builtin.file:
        path: "/boot/grub2/{{ item.path }}"
        owner: root
@ -39,6 +40,31 @@
        modification_time: preserve
        access_time: preserve
      loop:
-        - { path: 'grub.cfg', mode: '0700' }
+        - { path: 'grub.cfg', mode: 'u-x,go-rwx' }
-        - { path: 'grubenv', mode: 'go-rwx' }
+        - { path: 'grubenv', mode: 'u-x,go-rwx' }
-        - { path: 'user.cfg', mode: 'go-rwx' }
+        - { path: 'user.cfg', mode: 'u-x,go-rwx' }
    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system"
      when: not rhel9cis_legacy_boot
      vars:
        efi_mount_options: ['umask=0077', 'fmask=0077', 'uid=0', 'gid=0']
      block:
        - name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | efi based system | capture current state"
          ansible.builtin.shell: grep "^[^#;]" /etc/fstab | grep '/boot/efi' | awk -F" " '{print $4}'
          changed_when: false
          register: discovered_efi_fstab
        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"
          when: item not in discovered_efi_fstab.stdout
          ansible.builtin.set_fact:
            efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item  }}"
          loop: "{{ efi_mount_options }}"
        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options"
          when: efi_mount_opts_addition | length > 0
          ansible.builtin.lineinfile:
            path: /etc/fstab
            regexp: (.*/boot/efi\s*\w*\s*){{ discovered_efi_fstab.stdout }}(.*)
            line: \1{{ discovered_efi_fstab.stdout + efi_mount_opts_addition }}\2
            backrefs: true
          notify: Remount /boot/efi
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@ -14,9 +14,7 @@
    - rule_5.3.2.1
  block:
    - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
-      when:
+      when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout
        - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
          prelim_authselect_current_profile.stdout is not defined
      ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
      changed_when: false
      args:
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@ -190,7 +190,7 @@
    regexp: \s*umask
    line: "umask {{ rhel9cis_root_umask }}"
    create: true
-    mode: 'u+x,go-rwx'
+    mode: 'u-x,go-rwx'
 - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
  when:
--- a/tasks/section_6/cis_6.2.2.1.x.yml
+++ b/tasks/section_6/cis_6.2.2.1.x.yml
@ -17,7 +17,7 @@
    name: systemd-journal-remote
    state: present
- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-remote authentication is configured"
+- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-upload authentication is configured"
  when:
    - rhel9cis_rule_6_2_2_1_2
    - not rhel9cis_system_is_log_server
@ -40,7 +40,7 @@
    - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'}
    - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'}
- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
+- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-upload is enabled and active"
  when:
    - not rhel9cis_system_is_log_server
    - rhel9cis_rule_6_2_2_1_3
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@ -256,8 +256,8 @@
    - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
      ansible.builtin.template:
-        src: etc/logrotate.d/rsyslog.conf.j2
+        src: etc/logrotate.d/rsyslog_log.j2
-        dest: /etc/logrotate.d/rsyslog.conf
+        dest: /etc/logrotate.d/rsyslog_log
        owner: root
        group: root
        mode: 'g-wx,o-rwx'
--- a/tasks/section_6/cis_6.2.4.1.yml
+++ b/tasks/section_6/cis_6.2.4.1.yml
@ -8,6 +8,8 @@
    - patch
    - logfiles
    - rule_6.2.4.1
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  block:
    - name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | find log files"
      ansible.builtin.shell: find /var/log/ -type f -exec ls {} \;
@ -15,43 +17,35 @@
      failed_when: false
      register: discovered_logfiles
-    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions SSSD min 660"
      when:
        - discovered_logfiles.stdout_lines | length > 0
-        - ('audit.log' in item or 'journal' in item) or
+        - item is match("/var/log/(gdm|sssd)")
          item == '/var/log/secure' or
          item == '/var/log/syslog' or
          item == '/var/log/messages' or
          item == '/var/log/auth.log'
      ansible.builtin.file:
        path: "{{ item }}"
-        mode: 'u-x,g-wx,o-rwx'
+        mode: 'ug-x,o-rwx'
      failed_when: discovered_logfile_list.state not in '[ file, absent ]'
      register: discovered_logfile_list
      loop: "{{ discovered_logfiles.stdout_lines }}"
-    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions tmp min 664"
      when:
        - discovered_logfiles.stdout_lines | length > 0
-        - ('anaconda' in item or 'dnf' in item or 'secure' in item  or 'messages' in item or 'hawkey' in item)
+        - item is match("/var/log/((u|b|w)tmp*|lastlog)")
      ansible.builtin.file:
        path: "{{ item }}"
        mode: 'u-x,g-x,o-rwx'
      failed_when: discovered_logfile_list.state not in '[ file, absent ]'
      register: discovered_logfile_list
      loop: "{{ discovered_logfiles.stdout_lines }}"
    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
      when:
        - discovered_logfiles.stdout_lines | length > 0
        - ('sssd' in item or 'lastlog' in item) or
          item == "/var/log/btmp" or
          item == "/var/log/utmp" or
          item == "/var/log/wtmp" or
          item == "/var/log/lastlog"
      ansible.builtin.file:
        path: "{{ item }}"
        mode: 'ug-x,o-wx'
      failed_when: discovered_logfile_list.state not in '[ file, absent ]'
      register: discovered_logfile_list
      loop: "{{ discovered_logfiles.stdout_lines }}"
    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions else all 640"
      when:
        - discovered_logfiles.stdout_lines | length > 0
        - item is not match("/var/log/((u|b|w)tmp*|lastlog|sssd)")
      ansible.builtin.file:
        path: "{{ item }}"
        mode: 'u-x,g-wx,o-rwx'
      failed_when: discovered_logfile_list.state not in '[ file, absent ]'
      register: discovered_logfile_list
      loop: "{{ discovered_logfiles.stdout_lines }}"
--- a/tasks/section_6/main.yml
+++ b/tasks/section_6/main.yml
@ -5,6 +5,7 @@
    file: cis_6.1.x.yml
 - name: "SECTION | 6.2.1 | Configure systemd-journald service"
  when: rhel9cis_syslog == 'journald'
  ansible.builtin.import_tasks:
    file: cis_6.2.1.x.yml
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@ -169,6 +169,8 @@
    owner: root
    group: root
    mode: 'u-x,go-wx'
  failed_when: discovered_file_exists.state not in '[ file, absent ]'
  register: discovered_file_exists
 - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
  when:
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -23,6 +23,7 @@
 -w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
 {% endif %}
 {% if rhel9cis_rule_6_3_3_4 %}
 {% set syscalls = ["adjtimex","settimeofday"]  %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls  %}
 {% if syscall in supported_syscalls %}
@ -31,6 +32,15 @@
 {% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
 {% set syscalls = ["clock_settime"] %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls  %}
 {% if syscall in supported_syscalls %}
 {{ arch_syscalls.append(syscall) }}
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
 {% endif %}
 {% endfor %}
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if rhel9cis_rule_6_3_3_5 %}
@ -41,8 +51,8 @@
 {{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }}  -k system-locale
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }}  -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@ -169,7 +179,7 @@
 -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_17 %}
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_chng
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_18 %}
 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod
--- a/templates/etc/logrotate.d/rsyslog.conf.j2
+++ b/templates/etc/logrotate.d/rsyslog.conf.j2
@ -1,11 +0,0 @@
 /var/log/rsyslog/*.log {
    {{ rhel9cis_rsyslog_logrotate_rotated }}
    rotate {{ rhel9cis_rsyslog_logrotate_keep }}
    {% if rhel9cis_rsyslog_logrotate_compress %}compress{% else %}nocompress{% endif %}
    {% if rhel9cis_rsyslog_logrotate_missingok %}missingok{% else %}missingok{% endif %}
    {% if rhel9cis_rsyslog_logrotate_notifempty %}notifempty{% else %}ifempty{% endif %}
    {% if rhel9cis_rsyslog_logrotate_create %}create {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
    postrotate
        /usr/bin/systemctl reload rsyslog.service >/dev/null || true
    endscript
 }
--- a/templates/etc/logrotate.d/rsyslog_log.j2
+++ b/templates/etc/logrotate.d/rsyslog_log.j2
@ -0,0 +1,26 @@
 /var/log/rsyslog/*.log {
    {{ rhel9cis_rsyslog_logrotate_rotated_when }}
    rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}
 {% if rhel9cis_rsyslog_logrotate_compress %}
    compress
 {% else %}
    nocompress
 {% endif %}
 {% if rhel9cis_rsyslog_logrotate_missingok %}
    missingok
 {% else %}
    nomissingok
 {% endif %}
 {% if rhel9cis_rsyslog_logrotate_notifempty %}
    notifempty
 {% else %}
    ifempty
 {% endif %}
 {% if rhel9cis_rsyslog_logrotate_create %}
    create{% if rhel9cis_rsyslog_logrotate_create_opts is defined %} {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
 {% endif %}
    postrotate
        /usr/bin/systemctl reload rsyslog.service >/dev/null || true
    endscript
 }
--- a/vars/main.yml
+++ b/vars/main.yml
@ -22,6 +22,9 @@ rhel9cis_allowed_crypto_policies_modules:
 warn_control_list: ""
 warn_count: 0
 # Default empty values for 1.4.2
 efi_mount_opts_addition: ''
 gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
 ## Controls 6.3.3.x - Audit template