From 309ff4cdd7f86d78989627b19d3703de4fb401ec Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 8 Jan 2026 14:08:35 -0500 Subject: [PATCH 1/4] Fixes from Public Issue 418 and 419 + Lic year Signed-off-by: Frederick Witty --- Changelog.md | 11 +++++------ LICENSE | 2 +- tasks/section_5/cis_5.1.x.yml | 2 ++ tasks/section_6/cis_6.2.2.x.yml | 6 +++--- 4 files changed, 11 insertions(+), 10 deletions(-) diff --git a/Changelog.md b/Changelog.md index 2b02fad..c5ef6e1 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,15 +1,14 @@ -# Changes to rhel9CIS +# Changes to RHEL9CIS -# Based on CIS v2.0.0 +## 2.0.4 - Based on CIS v2.0.0 + +addressed issue #419, thank you @aaronk1 +addressed issue #418 thank you @bbaassssiiee Added better sysctl logic to disable IPv6 Added option to disable IPv6 via sysctl (original method) or via the kernel - -# Based on CIS v2.0.0 pre-commit udpates public issue #410 thanks to @kpi-nourman public issue #413 thanks to @bbaassssiiee - -# Based on CIS v2.0.0 Public issues incorporated Workflow updates Pre-commit updates diff --git a/LICENSE b/LICENSE index 7e51eb7..bed11b4 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown +Copyright (c) 2026 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index dc450ea..2b372de 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -411,6 +411,8 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}' + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd 
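Review bot: `insertbefore: "^Match"` with `firstmatch: true` only decides where a missing MaxAuthTries line is added; when `^(#)?MaxAuthTries \d` already matches, lineinfile rewrites the last matching line in place, so an unindented `MaxAuthTries` that already sits under a `Match` block is edited there and stays scoped to that block instead of becoming the global value. The column-0 anchor skips indented Match entries, but sshd does not require indentation inside a Match block, so that is not a guarantee. I would document this on the task, e.g. `# regexp edits an existing entry wherever it is (even inside a Match block); insertbefore/firstmatch only place a new one above the first Match`, and, unless the role's audit already covers it, add a check that no MaxAuthTries remains after the first Match line. The task's `name`/`when` lines and anything after `notify` are outside the hunk.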
diff --git a/tasks/section_6/cis_6.2.2.x.yml b/tasks/section_6/cis_6.2.2.x.yml
index fe0f8c4..82302ed 100644
--- a/tasks/section_6/cis_6.2.2.x.yml
+++ b/tasks/section_6/cis_6.2.2.x.yml
@@ -25,7 +25,7 @@
 - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
 ansible.builtin.replace:
 path: /etc/systemd/journald.conf
- regexp: ^(\s*ForwardToSyslog)
+ regexp: ^(\s*ForwardToSyslog\s*=.*)
 replace: '#\1'
 
 - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
@@ -50,7 +50,7 @@
 - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
 ansible.builtin.replace:
 path: /etc/systemd/journald.conf
- regexp: (?i)(\s*compress=)
+ regexp: ^(\s*Compress\s*=.*)
 replace: '#\1'
 
 - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
@@ -76,5 +76,5 @@
 - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
 ansible.builtin.replace:
 path: /etc/systemd/journald.conf
- regexp: (?i)(\s*storage=)
+ regexp: ^(\s*Storage\s*=.*)
 replace: '#\1'
From 10f88cc1a352be365215a7aff6751927382e58f1 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Thu, 8 Jan 2026 14:13:07 -0500
Subject: [PATCH 2/4] update vars to rhel9
Signed-off-by: Frederick Witty
---
molecule/wsl/converge.yml | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/molecule/wsl/converge.yml b/molecule/wsl/converge.yml
index 5128600..1725e67 100644
--- a/molecule/wsl/converge.yml
+++ b/molecule/wsl/converge.yml
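Review bot: The new `^(\s*ForwardToSyslog\s*=.*)` still lets the leading `\s*` run across line breaks, because ansible.builtin.replace matches in MULTILINE mode and `\s` includes `\n`: when the setting is preceded by a blank line the match starts on that blank line, `#\1` puts the `#` there, `ForwardToSyslog=yes` stays active, and the task reports changed on every run. Keep the whitespace on one line, `regexp: ^([ \t]*ForwardToSyslog[ \t]*=.*)`, and likewise `^([ \t]*Compress[ \t]*=.*)` and `^([ \t]*Storage[ \t]*=.*)` in the two hunks below, which have the same shape. Dropping `(?i)` from the Compress and Storage patterns looks deliberate (systemd's key names are case-sensitive as far as I know, so a lower-case line was never honoured), but a one-line comment such as `# journald keys are case-sensitive; only the canonical spelling is commented out` would stop the next reader from re-adding it. The block tasks that write the replacement values are outside these hunks.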
@@ -8,16 +8,16 @@ vars: ansible_user: "{{ lookup('env', 'USER') }}" system_is_container: true - rhel8cis_selinux_disable: true + rhel9cis_selinux_disable: true role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" - rhel8cis_rule_5_3_4: false - rhel8cis_rule_1_1_10: false - rhel8cis_rsyslog_ansiblemanaged: false - rhel8cis_rule_3_4_1_3: false - rhel8cis_rule_3_4_1_4: false - rhel8cis_rule_4_2_1_2: false - rhel8cis_rule_4_2_1_4: false - rhel8cis_rule_5_1_1: false + rhel9cis_rule_5_3_4: false + rhel9cis_rule_1_1_10: false + rhel9cis_rsyslog_ansiblemanaged: false + rhel9cis_rule_3_4_1_3: false + rhel9cis_rule_3_4_1_4: false + rhel9cis_rule_4_2_1_2: false + rhel9cis_rule_4_2_1_4: false + rhel9cis_rule_5_1_1: false pre_tasks: tasks: From 173fbd3254d2e74218f8e7edf6b2a91d7d53b008 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 8 Jan 2026 14:26:24 -0500 Subject: [PATCH 3/4] Linting Signed-off-by: Frederick Witty --- defaults/main.yml | 2 +- tasks/LE_audit_setup.yml | 1 + tasks/section_1/cis_1.1.2.3.x.yml | 1 + vars/OracleLinux.yml | 1 + 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index b5fcd8c..2fdb1f6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -245,7 +245,7 @@ rhel9cis_rule_1_8_8: true rhel9cis_rule_1_8_9: true rhel9cis_rule_1_8_10: true -# Section 2 rules are controling Services (Special Purpose Services, and service clients) +# Section 2 rules are controlling Services (Special Purpose Services, and service clients) ## Configure Server Services rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index d784dc1..53293e7 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,4 +1,5 @@ --- + - name: Pre Audit Setup | Set audit package name block: - name: Pre Audit Setup | Set audit package name | 64bit 
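Review bot: The rule switches were renamed from `rhel8cis_` to `rhel9cis_` but their numbers look carried over from the RHEL8 benchmark: this role's section_1 tasks use IDs like `rhel9cis_rule_1_1_2_3_1` and defaults/main.yml lists `rhel9cis_rule_1_8_x` / `rhel9cis_rule_2_1_x`, so `rhel9cis_rule_1_1_10`, `rhel9cis_rule_5_3_4`, `rhel9cis_rule_3_4_1_x` and `rhel9cis_rule_4_2_1_x` may not match any variable the role actually reads. An unknown variable is silently ignored, so the rules this WSL scenario means to skip would still run; each ID should be checked against defaults/main.yml and corrected or dropped. A comment per switch stating why it is off under WSL (e.g. `# WSL has no separate partitions / no bootloader`) would make that check easier next time. The `tasks:` list and the rest of the play are outside the hunk.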
diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml
index 635648d..efb1dc3 100644
--- a/tasks/section_1/cis_1.1.2.3.x.yml
+++ b/tasks/section_1/cis_1.1.2.3.x.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
 when:
 - rhel9cis_rule_1_1_2_3_1
diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml
index 64927cc..f407fa5 100644
--- a/vars/OracleLinux.yml
+++ b/vars/OracleLinux.yml
@@ -1,4 +1,5 @@
 ---
+
 # OS Specific Settings
 os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
 os_gpg_key_pubkey_content: "Oracle Linux (release key 1) "
From e65df16f6782db76e3a6ade7df0edbf2f638f4c8 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Thu, 8 Jan 2026 14:33:16 -0500
Subject: [PATCH 4/4] Update 3.1.1
Signed-off-by: Frederick Witty
---
tasks/section_3/cis_3.1.x.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index ff9ec46..7099e55 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@@ -38,7 +38,8 @@
 when:
 - "'kernel' in rhel9cis_ipv6_disable_method"
 - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
- ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"
+ ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1"
+ changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0
 
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
 when:
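Review bot: `changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0` ties this task's change status to the earlier discovery task's return code rather than to the grubby call itself; if that discovery ends in a grep (rc 1 exactly when `ipv6.disable=1` is absent, which is when this task runs), the boot cmdline is rewritten while the play reports ok. The `when` guard already limits the command to the case where the argument is missing, so `changed_when: true` is the honest value, or `register` this task's result and test its own `rc` if a failure signal is wanted. Editing the kernel cmdline only takes effect after a reboot, so if the role keeps a reboot-required fact this task should set or notify it — I cannot see that from the hunk. The task's `name` and the discovery task are outside the hunk.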