Merge pull request #427 from ansible-lockdown/devel

Release to main

.github/workflows/add_repo_issue_to_gh_project.yml

@@ -14,4 +14,4 @@ jobs:
       - uses: actions/add-to-project@main
         with:
           project-url: https://github.com/orgs/ansible-lockdown/projects/1
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.ALD_GH_PROJECT }}

.github/workflows/update_galaxy.yml

@@ -1,19 +0,0 @@
----
-
-    name: update galaxy
-
-    on:
-        push:
-            branches:
-                - main
-    jobs:
-        update_role:
-            runs-on: ubuntu-latest
-            steps:
-                - name: Checkout repo
-                  uses: actions/checkout@v4
-
-                - name: Action Ansible Galaxy Release ${{ github.ref_name }}
-                  uses: ansible-actions/ansible-galaxy-action@main
-                  with:
-                    galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}

.pre-commit-config.yaml

@@ -41,12 +41,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.28.0
+  rev: v8.30.0
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.9.2
+  rev: v26.1.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -65,7 +65,7 @@ repos:
     # - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.37.1  # or higher tag
+  rev: v1.38.0  # or higher tag
   hooks:
   - id: yamllint
     name: Check YAML Lint

Changelog.md

@@ -1,8 +1,10 @@
 # Changes to rhel9CIS
 
-
 ## 2.0.4 - Based on CIS v2.0.0
 
+- addressed issue #419, thank you @aaronk1
+- addressed issue #418 thank you @bbaassssiiee
+- addressed issue #416 thank you @georgenalen and @bbaassssiiee
 - addressed issue #393 thank you to @fragglexarmy
 - addressed issue #394 thank you to @dbeuker
 - addressed issues #390 and #391 thanks to @polski-g
@@ -11,6 +13,9 @@
 - work flow updates
 - audit logic improvements
 - auditd template 2.19 compatible
+- pre-commit updates
+- #410 thanks to @kpi-nourman
+- #413 thanks to @bbaassssiiee
 
 ## 2.0.3 - Based on CIS v2.0.0
 - addressed issue #387, thank you @fragglexarmy

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
+Copyright (c) 2026 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

defaults/main.yml

@@ -602,14 +602,7 @@ rhel9cis_crypto_policy_ansiblemanaged: true
 #  -'FUTURE': conservative security level that is believed to withstand any near-term future attacks
 #  -'FIPS': A level that conforms to the FIPS140-2 requirements
 rhel9cis_crypto_policy: 'DEFAULT'
-# This variable contains the value of the crypto policy module(combinations of policies and
-# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
-# using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are:
-#    - 'OSPP'
-#    - 'AD-SUPPORT'
-#    - 'AD-SUPPORT-LEGACY'
-rhel9cis_crypto_policy_module: ''
-## Controls 1.6.x
+## Control 1.6
 # This variable contains the value of the crypto policy module(combinations of policies and
 # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
 # using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable.
@@ -802,6 +795,8 @@ rhel9cis_tftp_client: false
 ## Control 3.1.1 - Ensure IPv6 status is identified
 # This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: true
+# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
+rhel9cis_ipv6_disable_method: "sysctl"
 
 ## Control 3.1.2 - Ensure wireless interfaces are disabled
 # if wireless adapter found allow network manager to be installed

tasks/main.yml

@@ -134,7 +134,7 @@
     - rule_5.4.2.4
   block:
     - name: "Ensure root password is set"
-      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)"
+      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)"
       changed_when: false
       failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
       register: prelim_root_passwd_set

tasks/section_3/cis_3.1.x.yml

@@ -16,15 +16,30 @@
     - rule_3.1.1
     - NIST800-53R5_CM-7
   block:
-    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
+    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template"
+      when: "'sysctl' in rhel9cis_ipv6_disable_method"
       ansible.builtin.set_fact:
         rhel9cis_sysctl_update: true
         rhel9cis_flush_ipv6_route: true
 
-    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
+    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info"
+      when: "'sysctl' in rhel9cis_ipv6_disable_method"
       ansible.builtin.debug:
         msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
 
+    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status"
+      when: "'kernel' in rhel9cis_ipv6_disable_method"
+      ansible.builtin.command: grubby --info=ALL
+      changed_when: false
+      failed_when: false
+      register: discovered_rhel9cis_3_1_1_ipv6_status
+
+    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
+      when:
+        - "'kernel' in rhel9cis_ipv6_disable_method"
+        - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
+      ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"
+
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
   when:
     - rhel9cis_rule_3_1_2

tasks/section_5/cis_5.1.x.yml

@@ -431,6 +431,8 @@
     path: "{{ rhel9cis_sshd_config_file }}"
     regexp: (?i)^(#|)\s*MaxStartups
     line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
+    insertbefore: "^Match"
+    firstmatch: true
     validate: sshd -t -f %s
   notify: Restart sshd
 

tasks/section_5/cis_5.3.2.x.yml

@@ -93,10 +93,10 @@
           loop:
             - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
               after:  "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
-              line:   "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
             - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
               before: "auth\\s+required\\s+pam_deny.so"
-              line:   "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
             - regexp: "account\\s+required\\s+pam_faillock.so"
               before: "account\\s+required\\s+pam_unix.so"
               line:   "account     required      pam_faillock.so" # yamllint disable-line rule:colons
@@ -112,10 +112,10 @@
           loop:
             - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
               after:  "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
-              line:   "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
             - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
               before: "auth\\s+required\\s+pam_deny.so"
-              line:   "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
             - regexp: "account\\s+required\\s+pam_faillock.so"
               before: "account\\s+required\\s+pam_unix.so"
               line:   "account     required      pam_faillock.so" # yamllint disable-line rule:colons

tasks/section_6/cis_6.2.2.x.yml

@@ -25,7 +25,7 @@
     - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
       ansible.builtin.replace:
         path: /etc/systemd/journald.conf
-        regexp: ^(\s*ForwardToSyslog)
+        regexp: ^(\s*ForwardToSyslog\s*=.*)
         replace: '#\1'
 
 - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
@@ -50,7 +50,7 @@
     - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
       ansible.builtin.replace:
         path: /etc/systemd/journald.conf
-        regexp: (?i)(\s*compress=)
+        regexp: ^(\s*Compress\s*=.*)
         replace: '#\1'
 
 - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
@@ -76,5 +76,5 @@
     - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
       ansible.builtin.replace:
         path: /etc/systemd/journald.conf
-        regexp: (?i)(\s*storage=)
+        regexp: ^(\s*Storage\s*=.*)
         replace: '#\1'

templates/ansible_vars_goss.yml.j2

@@ -206,6 +206,8 @@ rhel9cis_rule_2_4_2_1: {{ rhel9cis_rule_2_4_2_1 }}
 rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
 rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
 rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }}
+rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }}
+
 ## Network Kernel Modules
 rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
 rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}

templates/etc/dconf/db/gdm.d/01-banner-message.j2

@@ -4,4 +4,4 @@
 
 [org/gnome/login-screen]
 banner-message-enable=true
-banner-message-text="{{ rhel9cis_warning_banner }}"
+banner-message-text="{{ rhel9cis_warning_banner | trim | replace("\n", "\\n") }}"

templates/etc/sysctl.d/60-disable_ipv6.conf.j2

@@ -4,4 +4,7 @@
 {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
+{% for interface in ansible_interfaces %}
+net.ipv6.conf.{{ interface }}.disable_ipv6 = 1
+{% endfor %}
 {% endif %}