From 4c41656a3b642c3ba620b4df5eaafd7f3f382f7b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 23 Oct 2025 08:28:06 -0400 Subject: [PATCH 01/21] .github standardization Signed-off-by: Frederick Witty --- .../add_repo_issue_to_gh_project.yml | 2 +- .github/workflows/update_galaxy.yml | 19 ------------------- 2 files changed, 1 insertion(+), 20 deletions(-) delete mode 100644 .github/workflows/update_galaxy.yml diff --git a/.github/workflows/add_repo_issue_to_gh_project.yml b/.github/workflows/add_repo_issue_to_gh_project.yml index 4a056eb..80d7344 100644 --- a/.github/workflows/add_repo_issue_to_gh_project.yml +++ b/.github/workflows/add_repo_issue_to_gh_project.yml @@ -14,4 +14,4 @@ jobs: - uses: actions/add-to-project@main with: project-url: https://github.com/orgs/ansible-lockdown/projects/1 - github-token: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ secrets.ALD_GH_PROJECT }} diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml deleted file mode 100644 index b6ee6a1..0000000 --- a/.github/workflows/update_galaxy.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- - - name: update galaxy - - on: - push: - branches: - - main - jobs: - update_role: - runs-on: ubuntu-latest - steps: - - name: Checkout repo - uses: actions/checkout@v4 - - - name: Action Ansible Galaxy Release ${{ github.ref_name }} - uses: ansible-actions/ansible-galaxy-action@main - with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From 0ec943073cad7d805b08cdbc11bf8c925e2611ae Mon Sep 17 00:00:00 2001 
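Review bot: `- uses: actions/add-to-project@main` pulls a mutable branch, and this hunk now hands it `secrets.ALD_GH_PROJECT`, a long-lived token with organization-project write access (presumably because `GITHUB_TOKEN` cannot write to an org-level project), so any change to that branch — malicious or not — runs with that token on every triggering issue. Pin the action to a full commit SHA with the release tag in a trailing comment, e.g. `- uses: actions/add-to-project@<full 40-char commit sha> # vX.Y.Z`, and let Dependabot or Renovate move the pin. If `ALD_GH_PROJECT` is a fine-grained PAT, restricting it to that single project with Projects read/write and an expiry keeps the blast radius small; a comment on the `github-token` line stating the token's scope and owner would document that. The `jobs:` block and the workflow trigger are outside the hunk.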
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 10 Nov 2025 17:45:49 +0000 Subject: [PATCH 02/21] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.28.0 → v8.29.0](https://github.com/gitleaks/gitleaks/compare/v8.28.0...v8.29.0) - [github.com/ansible-community/ansible-lint: v25.9.2 → v25.11.0](https://github.com/ansible-community/ansible-lint/compare/v25.9.2...v25.11.0) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0091b2a..4aa6519 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,12 +41,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.28.0 + rev: v8.29.0 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.9.2 + rev: v25.11.0 hooks: - id: ansible-lint name: Ansible-lint From 539ac4f5cc6b1646ed18343d6915dbef60c894d8 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 24 Nov 2025 17:42:03 +0000 Subject: [PATCH 03/21] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.29.0 → v8.29.1](https://github.com/gitleaks/gitleaks/compare/v8.29.0...v8.29.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4aa6519..9d80577 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.29.0 + rev: v8.29.1 hooks: - id: gitleaks From 72602c63fade97c61e2845f3beae665d98580f1e Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 25 Nov 2025 09:28:00 +0000 Subject: [PATCH 04/21] add fix provided by @kpi-nourman via discord community Signed-off-by: Mark Bolwell --- templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index 901e9e0..ec42bfc 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -4,4 +4,4 @@ [org/gnome/login-screen] banner-message-enable=true -banner-message-text="{{ rhel9cis_warning_banner }}" +banner-message-text="{{ rhel9cis_warning_banner | trim | replace("\n", "\\n") }}" From 52452b1e3c71d6fbb427edbc477234174420df16 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Nov 2025 14:51:43 +0000 Subject: [PATCH 05/21] issues 413 addressed thansk to @bbaassssiiee Signed-off-by: Mark Bolwell --- Changelog.md | 4 +++- tasks/main.yml | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 737f860..ac9c3b6 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,5 @@ # Changes to rhel9CIS - ## 2.0.4 - Based on CIS v2.0.0 - addressed issue #393 thank you to @fragglexarmy @@ -11,6 +10,9 @@ - work flow updates - audit logic improvements - auditd template 2.19 compatible +- pre-commit updates +- #410 thanks to @kpi-nourman +- #413 thanks to @bbaassssiiee ## 2.0.3 - Based on CIS v2.0.0 - addressed issue #387, thank you @fragglexarmy diff --git a/tasks/main.yml b/tasks/main.yml index 760ee1b..6f97141 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
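Review bot: The added filter chain escapes newlines but not the two other characters that break a double-quoted GVariant string in a dconf keyfile: a literal `"` in `rhel9cis_warning_banner` ends the string early and a literal `\` starts an escape, so a banner containing either renders a value dconf cannot parse. Escaping those first, with the newline replacement last so the `\n` it produces is not re-escaped, covers it: `banner-message-text="{{ rhel9cis_warning_banner | trim | replace('\\', '\\\\') | replace('"', '\\"') | replace("\n", "\\n") }}"`. If the banner text is constrained elsewhere to plain text without quotes or backslashes, a template comment saying so would be enough instead.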
@@ -134,7 +134,7 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)" + ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(\*LOCK\*|Password set|Password locked)" changed_when: false failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ] register: prelim_root_passwd_set From 571711f11e0d8a988fee79a2f24eaf918768add4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 1 Dec 2025 10:23:25 +0000 Subject: [PATCH 06/21] updated with correct fix thanks to @bbaassssiiee Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 6f97141..4d1887d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -134,7 +134,7 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(\*LOCK\*|Password set|Password locked)" + ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)" changed_when: false failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ] register: prelim_root_passwd_set From 322404a6921f2709b4066e3745c7dc5d181314e3 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 17:41:29 +0000 Subject: [PATCH 07/21] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.29.1 → v8.30.0](https://github.com/gitleaks/gitleaks/compare/v8.29.1...v8.30.0) - [github.com/ansible-community/ansible-lint: v25.11.0 → v25.12.1](https://github.com/ansible-community/ansible-lint/compare/v25.11.0...v25.12.1) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9d80577..255180a 100644 
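Review bot: The pipeline on the `ansible.builtin.shell` line cannot distinguish `passwd -S root` failing from `grep` finding no match, because only grep's exit status reaches `failed_when`; with `rc` 1 accepted, a failing `passwd` registers as "root password not set" and presumably drives the remediation that follows. Running it with pipefail keeps the intent: `ansible.builtin.shell: set -o pipefail && LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)"` plus `args: { executable: /bin/bash }` (ansible-lint's risky-shell-pipe rule flags exactly this pattern). The newly matched "Alternate authentication scheme in use" is what `passwd -S` reports when the shadow field is neither a recognised hash nor a lock marker (commonly `*`); treating that as "set" is defensible for this control, but a comment such as `# '*' in /etc/shadow reports as 'Alternate authentication scheme in use' - no password login possible, so count it as set` would save the next maintainer re-deriving it. The enclosing block continues outside the hunk.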
--- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,12 +41,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.29.1 + rev: v8.30.0 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.11.0 + rev: v25.12.1 hooks: - id: ansible-lint name: Ansible-lint From 62989d258b5af00fd190299d002b95635e9b8284 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 19 Dec 2025 16:31:37 -0500 Subject: [PATCH 08/21] added fix to issue #416 Signed-off-by: George Nalen --- templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index bdded40..b4b5318 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -4,4 +4,7 @@ {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %} net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 +{% for interface in ansible_interfaces %} +net.ipv6.conf.{{ interface }}.disable_ipv6 = 1 +{% endfor %} {% endif %} From f15407dcb4307da63607bc952e89f1578f648435 Mon Sep 17 00:00:00 2001 From: bol7742 <102948121+bol7742@users.noreply.github.com> Date: Mon, 22 Dec 2025 11:28:49 +0100 Subject: [PATCH 09/21] fix: make 5.3.2.2 idempotent with 5.3.3.1.1 Signed-off-by: bol7742 <102948121+bol7742@users.noreply.github.com> --- tasks/section_5/cis_5.3.2.x.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 6e1919c..5dd4352 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml 
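Review bot: `net.ipv6.conf.{{ interface }}.disable_ipv6 = 1` breaks for interface names that contain a dot, such as VLAN sub-interfaces like `eth0.100`, because `.` is the sysctl path separator and the key then resolves to a non-existent path; sysctl.d(5) documents `/` as the alternate separator for this case, so `net.ipv6.conf.{{ interface | replace('.', '/') }}.disable_ipv6 = 1` renders a key both systemd-sysctl and `sysctl -p` accept. The loop also emits an entry for every name in `ansible_interfaces` as gathered at run time, including `lo` and any virtual bridges, while interfaces created later are covered only by the `default` key above; a template comment noting both, e.g. `{# per-interface entries are a snapshot of ansible_interfaces; interfaces created later inherit 'default' #}`, would set expectations.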
@@ -93,10 +93,10 @@ loop: - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth" after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons - line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail" before: "auth\\s+required\\s+pam_deny.so" - line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "account\\s+required\\s+pam_faillock.so" before: "account\\s+required\\s+pam_unix.so" line: "account required pam_faillock.so" # yamllint disable-line rule:colons 
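Review bot: `unlock_timeout=` on both rewritten `auth` lines is not a pam_faillock option — pam_faillock(8) spells it `unlock_time=` — and pam_faillock logs unknown options and ignores them, so the timeout carried on these lines has not been taking effect and the effective value comes from `/etc/security/faillock.conf` or the module default. Since this patch already moves `deny=` off the PAM line so that 5.3.3.1.1's faillock.conf is the single source, the consistent fix is to drop this option too: `line: "auth required pam_faillock.so preauth silent"` and `line: "auth required pam_faillock.so authfail silent"`, provided the 5.3.3.1.x tasks (outside this hunk) write `unlock_time` from `rhel9cis_pam_faillock_unlock_time`. If the intent is instead to keep it on the PAM line, renaming it to `unlock_time=` is the minimal correction. The loop's task header starts before this hunk.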
@@ -112,10 +112,10 @@ loop: - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth" after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons - line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail" before: "auth\\s+required\\s+pam_deny.so" - line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "account\\s+required\\s+pam_faillock.so" before: "account\\s+required\\s+pam_unix.so" line: "account required pam_faillock.so" # yamllint disable-line rule:colons From 96474159ab282aad770e038870fad2d5cfacec69 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 17:33:38 +0000 Subject: [PATCH 10/21] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v25.12.1 → v25.12.2](https://github.com/ansible-community/ansible-lint/compare/v25.12.1...v25.12.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 255180a..dbc1d7e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.12.1 + rev: v25.12.2 hooks: - id: ansible-lint name: Ansible-lint 
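Review bot: Same issue as the first loop: `unlock_timeout=` in the two rewritten `line:` values is not an option pam_faillock recognises (the module option is `unlock_time=`), so it is logged as unknown and ignored, leaving the unlock interval to faillock.conf or the default. Either drop it here as well, `line: "auth required pam_faillock.so preauth silent"` / `line: "auth required pam_faillock.so authfail silent"`, matching the removal of `deny=`, or rename it to `unlock_time=`; whichever is chosen, keep both loops identical so the two PAM files they target stay in step. The task this loop belongs to begins outside the hunk.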
From beb3bfdc94ea94903bb82a3cba0d89d84c7ce60f Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 22 Dec 2025 16:35:08 -0500 Subject: [PATCH 11/21] added option for sysctl or kernel for disabling IPv6 Signed-off-by: George Nalen --- defaults/main.yml | 2 ++ tasks/section_3/cis_3.1.x.yml | 19 +++++++++++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fbe81eb..2ad3eb2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -802,6 +802,8 @@ rhel9cis_tftp_client: false ## Control 3.1.1 - Ensure IPv6 status is identified # This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: true +# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel +rhel9cis_ipv6_disable: "sysctl" ## Control 3.1.2 - Ensure wireless interfaces are disabled # if wireless adapter found allow network manager to be installed diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index a20c0e9..6cd73f3 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -16,14 +16,29 @@ - rule_3.1.1 - NIST800-53R5_CM-7 block: - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" + - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Set vars for sysctl template" + when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.set_fact: rhel9cis_sysctl_update: true rhel9cis_flush_ipv6_route: true - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable via sysctl template" + when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" + + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Find IPv6 status" + when: "'kernel' in rhel9cis_ipv6_disable_method" + ansible.builtin.command: grubby --info=ALL + changed_when: false + failed_when: false + register: discovered_rhel9cis_3_1_1_ipv6_status + + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel" + when: + - "'kernel' in rhel9cis_ipv6_disable_method" + - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout" + ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" when: From 2b7c8293b83667c853b44df0bd2bf38217695401 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 22 Dec 2025 16:56:24 -0500 Subject: [PATCH 12/21] fixed linting issue Signed-off-by: George Nalen --- tasks/section_3/cis_3.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 6cd73f3..0c9c374 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
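Review bot: The `when` guards test substring membership on a string, `'sysctl' in rhel9cis_ipv6_disable_method`, so a mistyped value such as `Kernel` or `sysctls` silently selects one branch or neither and the control is skipped with no signal; an equality test plus an up-front assert makes the accepted values explicit and fails loudly. The grubby remediation uses no shell features, so `ansible.builtin.command` avoids the shell on the last task. Unlike the sysctl branch, the kernel branch gives no hint that `ipv6.disable=1` only applies after a reboot; a debug task mirroring the sysctl one, or a comment on the grubby task, would help. The surrounding `block:` and its `when` start outside the hunk.
```yaml
- name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Validate disable method"
  ansible.builtin.assert:
    that: rhel9cis_ipv6_disable_method in ['sysctl', 'kernel']
    fail_msg: "rhel9cis_ipv6_disable_method must be 'sysctl' or 'kernel', got '{{ rhel9cis_ipv6_disable_method }}'"

# … unchanged: sysctl set_fact and debug tasks, guarded by rhel9cis_ipv6_disable_method == 'sysctl' …

- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Find IPv6 status"
  when: rhel9cis_ipv6_disable_method == 'kernel'
  ansible.builtin.command: grubby --info=ALL
  changed_when: false
  failed_when: false
  register: discovered_rhel9cis_3_1_1_ipv6_status

- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
  when:
    - rhel9cis_ipv6_disable_method == 'kernel'
    - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
  # Takes effect at next boot; unlike the sysctl path nothing is flushed at run time.
  ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1"
```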
@@ -26,7 +26,7 @@ when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" - + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Find IPv6 status" when: "'kernel' in rhel9cis_ipv6_disable_method" ansible.builtin.command: grubby --info=ALL From d9927f005bc09bd172c94d51096cfe2a68e386af Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 23 Dec 2025 08:42:28 -0500 Subject: [PATCH 13/21] fixed typo in disable method var Signed-off-by: George Nalen --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2ad3eb2..f620a72 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -803,7 +803,7 @@ rhel9cis_tftp_client: false # This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: true # rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel -rhel9cis_ipv6_disable: "sysctl" +rhel9cis_ipv6_disable_method: "sysctl" ## Control 3.1.2 - Ensure wireless interfaces are disabled # if wireless adapter found allow network manager to be installed From 29a48f7f4cc0c794760a0f1b4a8da2c92ac7d35d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 23 Dec 2025 09:04:42 -0500 Subject: [PATCH 14/21] updated name info for tasks related to 3.1.1 Signed-off-by: George Nalen --- tasks/section_3/cis_3.1.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 0c9c374..ff9ec46 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -16,18 +16,18 @@ - rule_3.1.1 - NIST800-53R5_CM-7 block: - - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Set vars for sysctl template" + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template" when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.set_fact: rhel9cis_sysctl_update: true rhel9cis_flush_ipv6_route: true - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable via sysctl template" + - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info" when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Find IPv6 status" + - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status" when: "'kernel' in rhel9cis_ipv6_disable_method" ansible.builtin.command: grubby --info=ALL changed_when: false From 76cd8c7cb38c81c64af80ffdb47b23ffe6f5d833 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 29 Dec 2025 09:43:28 +0000 Subject: [PATCH 15/21] Tidy up wording regarding crypto policy modules thanks to @kpi-nourman #414 Signed-off-by: Mark Bolwell --- defaults/main.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fbe81eb..fbedbd4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -602,14 +602,7 @@ rhel9cis_crypto_policy_ansiblemanaged: true # -'FUTURE': conservative security level that is believed to withstand any near-term future attacks # -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' -# This variable contains the value of the crypto policy module(combinations of policies and -# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, -# using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are: -# - 'OSPP' -# - 'AD-SUPPORT' -# - 'AD-SUPPORT-LEGACY' -rhel9cis_crypto_policy_module: '' -## Controls 1.6.x +## Control 1.6 # This variable contains the value of the crypto policy module(combinations of policies and # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable. From fefd2c94b29c48acf04011c54d4c7150e9492a68 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 30 Dec 2025 08:17:57 -0500 Subject: [PATCH 16/21] Update ansible_vars_goss with var rhel9cis_ipv6_disable_method Signed-off-by: Frederick Witty --- templates/ansible_vars_goss.yml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index cbaa125..3c53c72 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -206,6 +206,8 @@ rhel9cis_rule_2_4_2_1: {{ rhel9cis_rule_2_4_2_1 }} rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }} +rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }} + ## Network Kernel Modules rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} From 5d1143ff879e8c5bbdaa11044700408daee61c5a Mon Sep 17 00:00:00 2001 
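Review bot: `rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }}` renders the value unquoted into a YAML file that goss parses; the neighbouring `rhel9cis_rule_*` entries are booleans where that is right, but this one is a string, and an empty override would render `rhel9cis_ipv6_disable_method:` (parsed as null) rather than surfacing as a bad value. Quoting the expansion, `rhel9cis_ipv6_disable_method: "{{ rhel9cis_ipv6_disable_method }}"`, keeps it a string whatever the value.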
From: Frederick Witty Date: Tue, 30 Dec 2025 08:21:47 -0500 Subject: [PATCH 17/21] Update changelog Signed-off-by: Frederick Witty --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index ac9c3b6..429faa0 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,7 @@ ## 2.0.4 - Based on CIS v2.0.0 +- addressed issue #416 thank you @georgenalen and @bbaassssiiee - addressed issue #393 thank you to @fragglexarmy - addressed issue #394 thank you to @dbeuker - addressed issues #390 and #391 thanks to @polski-g From 87cd0f3eb5096aa3e5d195f7806c60816524bad5 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 8 Jan 2026 09:40:08 -0500 Subject: [PATCH 18/21] fix for #418 and update Lic year Signed-off-by: Frederick Witty --- Changelog.md | 1 + LICENSE | 2 +- tasks/section_6/cis_6.2.2.x.yml | 6 +++--- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Changelog.md b/Changelog.md index 429faa0..3871be2 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,7 @@ ## 2.0.4 - Based on CIS v2.0.0 +- addressed issue #418 thank you @bbaassssiiee - addressed issue #416 thank you @georgenalen and @bbaassssiiee - addressed issue #393 thank you to @fragglexarmy - addressed issue #394 thank you to @dbeuker diff --git a/LICENSE b/LICENSE index 7e51eb7..bed11b4 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown +Copyright (c) 2026 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/tasks/section_6/cis_6.2.2.x.yml b/tasks/section_6/cis_6.2.2.x.yml index fe0f8c4..82302ed 100644 --- a/tasks/section_6/cis_6.2.2.x.yml +++ b/tasks/section_6/cis_6.2.2.x.yml 
@@ -25,7 +25,7 @@ - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: ^(\s*ForwardToSyslog) + regexp: ^(\s*ForwardToSyslog\s*=.*) replace: '#\1' - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured" @@ -50,7 +50,7 @@ - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: (?i)(\s*compress=) + regexp: ^(\s*Compress\s*=.*) replace: '#\1' - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" @@ -76,5 +76,5 @@ - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: (?i)(\s*storage=) + regexp: ^(\s*Storage\s*=.*) replace: '#\1' From 22a9b085d77b20893623d8fa7935ff45e1a62165 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 8 Jan 2026 12:23:40 -0500 Subject: [PATCH 19/21] fix for #419, thank you @aaronk1 Signed-off-by: Frederick Witty --- tasks/section_5/cis_5.1.x.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index dc450ea..9600a1c 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -431,6 +431,8 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: (?i)^(#|)\s*MaxStartups line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}' + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd From 02132181e69d5600c00142a556a3f6a44a207883 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 8 Jan 2026 12:24:44 -0500 Subject: [PATCH 20/21] update changelog Signed-off-by: Frederick Witty --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 3871be2..70c3d00 100644 --- a/Changelog.md +++ b/Changelog.md 
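Review bot: `^(\s*ForwardToSyslog\s*=.*)` is applied by `ansible.builtin.replace` in MULTILINE mode, where `^` also matches at the start of a blank line and `\s*` then swallows that line's newline; when the directive is preceded by an empty line the capture starts there, `#\1` turns the blank line into `#` and `ForwardToSyslog=` stays active. Restricting the leading whitespace to the same line fixes it: `regexp: '^([ \t]*ForwardToSyslog\s*=.*)'`, and likewise `'^([ \t]*Compress\s*=.*)'` and `'^([ \t]*Storage\s*=.*)'` in the two hunks below. Stock journald.conf ships these keys commented out and not preceded by a blank line, so the trap only shows on hand-edited files, but those are exactly the files this "comment out current entries" step exists for.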
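Review bot: `insertbefore: "^Match"` with `firstmatch: true` only decides where a missing `MaxStartups` is inserted; when `regexp: (?i)^(#|)\s*MaxStartups` already matches — including a commented `#MaxStartups` that sits below a `Match` block — lineinfile rewrites that line in place, so the directive can still land inside the Match block and `sshd -t` then fails the task instead of placing it correctly. Matching only an active directive, `regexp: '(?i)^\s*MaxStartups\b'`, leaves the commented example where it is and lets `insertbefore` do its job, and `insertbefore: '^\s*Match\b'` tolerates indented Match lines as sshd does. The stock config keeps `#MaxStartups 10:30:100` above its Match examples, so this hardens an edge case rather than fixing a current regression. The task's opening lines are outside the hunk.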
@@ -2,6 +2,7 @@ ## 2.0.4 - Based on CIS v2.0.0 +- addressed issue #419, thank you @aaronk1 - addressed issue #418 thank you @bbaassssiiee - addressed issue #416 thank you @georgenalen and @bbaassssiiee - addressed issue #393 thank you to @fragglexarmy From c1f4b780bea107cbe7c7369c2b3c59ac97f920b0 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 19 Jan 2026 17:44:50 +0000 Subject: [PATCH 21/21] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v25.12.2 → v26.1.1](https://github.com/ansible-community/ansible-lint/compare/v25.12.2...v26.1.1) - [github.com/adrienverge/yamllint.git: v1.37.1 → v1.38.0](https://github.com/adrienverge/yamllint.git/compare/v1.37.1...v1.38.0) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index dbc1d7e..2ff7b79 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.12.2 + rev: v26.1.1 hooks: - id: ansible-lint name: Ansible-lint @@ -65,7 +65,7 @@ repos: # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.37.1 # or higher tag + rev: v1.38.0 # or higher tag hooks: - id: yamllint name: Check YAML Lint