Merge pull request #57 from ansible-lockdown/2026Jan_Updates

2026 Jan Updates: Public Issue fixes, Lic Year and Linting
2026-03-25 14:27:12 +00:00 · 2026-01-08 16:41:35 -05:00 · 2026-01-08 16:41:35 -05:00 · 6b986a7352
commit 6b986a7352
parent fb74617694 e65df16f67
10 changed files with 26 additions and 21 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -1,15 +1,14 @@
-# Changes to rhel9CIS
+# Changes to RHEL9CIS
-# Based on CIS v2.0.0
+## 2.0.4 - Based on CIS v2.0.0
 addressed issue #419, thank you @aaronk1
 addressed issue #418 thank you @bbaassssiiee
 Added better sysctl logic to disable IPv6
 Added option to disable IPv6 via sysctl (original method) or via the kernel
 # Based on CIS v2.0.0
 pre-commit udpates
 public issue #410 thanks to @kpi-nourman
 public issue #413 thanks to @bbaassssiiee
 # Based on CIS v2.0.0
 Public issues incorporated
 Workflow updates
 Pre-commit updates
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
+Copyright (c) 2026 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -245,7 +245,7 @@ rhel9cis_rule_1_8_8: true
 rhel9cis_rule_1_8_9: true
 rhel9cis_rule_1_8_10: true
-# Section 2 rules are controling Services (Special Purpose Services, and service clients)
+# Section 2 rules are controlling Services (Special Purpose Services, and service clients)
 ## Configure Server Services
 rhel9cis_rule_2_1_1: true
 rhel9cis_rule_2_1_2: true
--- a/molecule/wsl/converge.yml
+++ b/molecule/wsl/converge.yml
@ -8,16 +8,16 @@
  vars:
      ansible_user: "{{ lookup('env', 'USER') }}"
      system_is_container: true
-      rhel8cis_selinux_disable: true
+      rhel9cis_selinux_disable: true
      role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
-      rhel8cis_rule_5_3_4: false
+      rhel9cis_rule_5_3_4: false
-      rhel8cis_rule_1_1_10: false
+      rhel9cis_rule_1_1_10: false
-      rhel8cis_rsyslog_ansiblemanaged: false
+      rhel9cis_rsyslog_ansiblemanaged: false
-      rhel8cis_rule_3_4_1_3: false
+      rhel9cis_rule_3_4_1_3: false
-      rhel8cis_rule_3_4_1_4: false
+      rhel9cis_rule_3_4_1_4: false
-      rhel8cis_rule_4_2_1_2: false
+      rhel9cis_rule_4_2_1_2: false
-      rhel8cis_rule_4_2_1_4: false
+      rhel9cis_rule_4_2_1_4: false
-      rhel8cis_rule_5_1_1: false
+      rhel9cis_rule_5_1_1: false
  pre_tasks:
  tasks:
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@ -1,4 +1,5 @@
 ---
 - name: Pre Audit Setup | Set audit package name
  block:
    - name: Pre Audit Setup | Set audit package name | 64bit
--- a/tasks/section_1/cis_1.1.2.3.x.yml
+++ b/tasks/section_1/cis_1.1.2.3.x.yml
@ -1,4 +1,5 @@
 ---
 - name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
  when:
    - rhel9cis_rule_1_1_2_3_1
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -38,7 +38,8 @@
      when:
        - "'kernel' in rhel9cis_ipv6_disable_method"
        - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
-      ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"
+      ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1"
      changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
  when:
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -411,6 +411,8 @@
    path: "{{ rhel9cis_sshd_config_file }}"
    regexp: '^(#)?MaxAuthTries \d'
    line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
    insertbefore: "^Match"
    firstmatch: true
    validate: sshd -t -f %s
  notify: Restart sshd
--- a/tasks/section_6/cis_6.2.2.x.yml
+++ b/tasks/section_6/cis_6.2.2.x.yml
@ -25,7 +25,7 @@
    - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
      ansible.builtin.replace:
        path: /etc/systemd/journald.conf
-        regexp: ^(\s*ForwardToSyslog)
+        regexp: ^(\s*ForwardToSyslog\s*=.*)
        replace: '#\1'
 - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
@ -50,7 +50,7 @@
    - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
      ansible.builtin.replace:
        path: /etc/systemd/journald.conf
-        regexp: (?i)(\s*compress=)
+        regexp: ^(\s*Compress\s*=.*)
        replace: '#\1'
 - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
@ -76,5 +76,5 @@
    - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
      ansible.builtin.replace:
        path: /etc/systemd/journald.conf
-        regexp: (?i)(\s*storage=)
+        regexp: ^(\s*Storage\s*=.*)
        replace: '#\1'
--- a/vars/OracleLinux.yml
+++ b/vars/OracleLinux.yml
@ -1,4 +1,5 @@
 ---
 # OS Specific Settings
 os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
 os_gpg_key_pubkey_content: "Oracle Linux (release key 1) <secalert_us@oracle.com>"