Latest fixes updates Feb26

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 22:37:11 +00:00 · 2026-02-12 09:15:05 +00:00 · 2026-02-12 09:15:05 +00:00 · 98e89d8945
commit 98e89d8945
parent 8b160681f5 3cfcf00717
73 changed files with 415 additions and 209 deletions
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@ -1,4 +1,5 @@
 ---
+
 - name: Pre Audit Setup | Set audit package name
  block:
    - name: Pre Audit Setup | Set audit package name | 64bit
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -17,9 +17,7 @@
    success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"

 - name: "Setup rules if container"
-  when:
-    - ansible_connection == 'docker' or
-      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+  when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - container_discovery
    - always
@ -43,18 +41,18 @@
    fail_msg: "Crypto policy is not a permitted version"
    success_msg: "Crypto policy is a permitted version"

- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
+- name: "Check rhel9cis_bootloader_password variable has been changed"
  when:
    - rhel9cis_set_boot_pass
    - rhel9cis_rule_1_4_1
  tags: always
  ansible.builtin.assert:
-    that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
-    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
+    that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret
+    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly"

 - name: "Check crypto-policy module input"
  when:
-    - rhel9cis_rule_1_6_1
+    - rhel9cis_crypto_policy_ansiblemanaged
    - rhel9cis_crypto_policy_module | length > 0
  tags:
    - rule_1.6.1
@ -99,7 +97,7 @@
              or
                (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
              )
-            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
+            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or the user is not included in the exception list for rule 5.2.4 - It can break access"
            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"

        - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
@ -120,8 +118,8 @@
    - name: "Check authselect profile is selected | Check current profile"
      ansible.builtin.command: authselect list
      changed_when: false
-      failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
-      register: prelim_authselect_current_profile
+      failed_when: prelim_authselect_profile_list.rc not in [ 0, 1 ]
+      register: prelim_authselect_profile_list

 - name: "Ensure root password is set"
  when: rhel9cis_rule_5_4_2_4
@ -134,7 +132,7 @@
    - rule_5.4.2.4
  block:
    - name: "Ensure root password is set"
-      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)"
+      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)"
      changed_when: false
      failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
      register: prelim_root_passwd_set
@ -156,9 +154,7 @@
    file: "{{ ansible_facts.distribution }}.yml"

 - name: "Include preliminary steps"
-  tags:
-    - prelim_tasks
-    - always
+  tags: prelim_tasks
  ansible.builtin.import_tasks:
    file: prelim.yml

--- a/tasks/post.yml
+++ b/tasks/post.yml
@ -28,8 +28,7 @@

 - name: POST | reboot system if changes require it and not skipped
  when: change_requires_reboot
-  tags:
-    - always
+  tags: always
  vars:
    warn_control_id: Reboot_required
  block:
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -1,10 +1,12 @@
 ---

-# Preliminary tasks that should always be run
-# List users in order to look files inside each home directory
+# Preliminary tasks that should always run
+# List users in order to look up files inside each home directory

 - name: "PRELIM | Include audit specific variables"
-  when: run_audit or audit_only or setup_audit
+  when:
+    - run_audit or audit_only
+    - setup_audit
  tags:
    - setup_audit
    - run_audit
@ -12,7 +14,8 @@
    file: audit.yml

 - name: "PRELIM | Include pre-remediation audit tasks"
-  when: run_audit or audit_only or setup_audit
+  when:
+    - run_audit or audit_only
  tags: run_audit
  ansible.builtin.import_tasks: pre_remediation_audit.yml

@ -92,6 +95,11 @@
    - rhel9cis_rule_1_2_1_1
    - ansible_facts.distribution != 'RedHat'
    - ansible_facts.distribution != 'OracleLinux'
+  tags:
+    - level1-server
+    - level1-workstation
+    - rule_1.2.1.1
+    - gpg
  ansible.builtin.package:
    name: "{{ gpg_key_package }}"
    state: latest
@ -206,14 +214,15 @@
  block:
    - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
      ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
-      register: discover_wireless_adapters
+      register: prelim_wireless_adapters
      changed_when: false
      check_mode: false
-      failed_when: discover_wireless_adapters.rc not in [ 0, 1 ]
+      failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ]

    - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present"
      when:
-        - discover_wireless_adapters.rc == 0
+        - rhel9cis_install_network_manager
+        - prelim_wireless_adapters.rc == 0
        - "'NetworkManager' not in ansible_facts.packages"
      ansible.builtin.package:
        name: NetworkManager
@ -277,8 +286,7 @@
 - name: "PRELIM | PATCH | Create journald config directory"
  when:
    - rhel9cis_syslog == 'journald'
-    - rhel9cis_rule_6_2_1_3 or
-      rhel9cis_rule_6_2_1_4
+    - rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4
  tags: always
  ansible.builtin.file:
    path: /etc/systemd/journald.conf.d
--- a/tasks/section_1/cis_1.1.1.x.yml
+++ b/tasks/section_1/cis_1.1.1.x.yml
@ -27,8 +27,7 @@
        mode: 'go-rwx'

    - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
-      when:
-        - not system_is_container
+      when: not system_is_container
      community.general.modprobe:
        name: cramfs
        state: absent
--- a/tasks/section_1/cis_1.1.2.3.x.yml
+++ b/tasks/section_1/cis_1.1.2.3.x.yml
@ -1,4 +1,5 @@
 ---
+
 - name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
  when:
    - rhel9cis_rule_1_1_2_3_1
--- a/tasks/section_1/cis_1.2.2.x.yml
+++ b/tasks/section_1/cis_1.2.2.x.yml
@ -13,4 +13,4 @@
  ansible.builtin.package:
    name: "*"
    state: latest
-  notify: Change_requires_reboot
+  notify: Set reboot required
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -13,7 +13,7 @@
    - NIST800-53R5_AC-3
  ansible.builtin.copy:
    dest: /boot/grub2/user.cfg
-    content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}"  # noqa template-instead-of-copy
+    content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
    owner: root
    group: root
    mode: 'go-rwx'
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -16,19 +16,35 @@
    - rule_3.1.1
    - NIST800-53R5_CM-7
  block:
-    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
+    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template"
+      when: "'sysctl' in rhel9cis_ipv6_disable_method"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv6_route: true

-    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
+    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info"
+      when: "'sysctl' in rhel9cis_ipv6_disable_method"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"

+    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status"
+      when: "'kernel' in rhel9cis_ipv6_disable_method"
+      ansible.builtin.command: grubby --info=ALL
+      changed_when: false
+      failed_when: false
+      register: discovered_rhel9cis_3_1_1_ipv6_status
+
+    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
+      when:
+        - "'kernel' in rhel9cis_ipv6_disable_method"
+        - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
+      ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1"
+      changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0
+
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
  when:
    - rhel9cis_rule_3_1_2
-    - discover_wireless_adapters.rc == 0
+    - prelim_wireless_adapters.rc == 0
  tags:
    - level1-server
    - patch
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -411,6 +411,8 @@
    path: "{{ rhel9cis_sshd_config_file }}"
    regexp: '^(#)?MaxAuthTries \d'
    line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
+    insertbefore: "^Match"
+    firstmatch: true
    validate: sshd -t -f %s
  notify: Restart sshd

--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@ -14,7 +14,9 @@
    - rule_5.3.2.1
  block:
    - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
-      when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout
+      when:
+        - rhel9cis_authselect_custom_profile_create
+        - rhel9cis_authselect_custom_profile_name not in prelim_authselect_profile_list.stdout
      ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
      changed_when: false
      args:
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@ -340,7 +340,7 @@
        - system
      notify: Authselect update

- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
+- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced"
  when: rhel9cis_rule_5_3_3_2_7
  tags:
    - level1-server
@ -350,8 +350,8 @@
    - NIST800-53R5_IA-5
    - pam
  ansible.builtin.template:
-    src: "{{ rhel9cis_passwd_quality_enforce_root_file }}.j2"
-    dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}"
+    src: "{{ rhel9cis_passwd_quality_enforce_file }}.j2"
+    dest: "/{{ rhel9cis_passwd_quality_enforce_file }}"
    owner: root
    group: root
    mode: 'o-rwx'
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@ -179,7 +179,7 @@
            - item.stat.exists
            - item.stat.isdir
            - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp
-            - (item != 'root') and (not rhel9cis_uses_root)
+            - (item != 'root') and (not rhel9cis_uses_root )
          ansible.builtin.file:
            path: "{{ item.stat.path }}"
            state: directory
--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@ -10,14 +10,12 @@
    file: cis_5.1.x.yml

 - name: "SECTION | 5.2 | Configure privilege escalation"
-  when:
-    - rhel9cis_section5_2
+  when: rhel9cis_section5_2
  ansible.builtin.import_tasks:
    file: cis_5.2.x.yml

 - name: "SECTION | 5.3"
-  when:
-    - rhel9cis_section5_3
+  when: rhel9cis_section5_3
  block:
    - name: "SECTION | 5.3.1.x | Configure PAM software packages"
      ansible.builtin.import_tasks:
@ -44,8 +42,7 @@
        file: cis_5.3.3.4.x.yml

 - name: "SECTION | 5.4"
-  when:
-    - rhel9cis_section5_4
+  when: rhel9cis_section5_4
  block:
    - name: "SECTION | 5.4.1.x | Configure shadow password suite parameters"
      ansible.builtin.import_tasks:
--- a/tasks/section_6/cis_6.2.2.x.yml
+++ b/tasks/section_6/cis_6.2.2.x.yml
@ -25,7 +25,7 @@
    - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
      ansible.builtin.replace:
        path: /etc/systemd/journald.conf
-        regexp: ^(\s*ForwardToSyslog)
+        regexp: ^(\s*ForwardToSyslog\s*=.*)
        replace: '#\1'

 - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
@ -50,7 +50,7 @@
    - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
      ansible.builtin.replace:
        path: /etc/systemd/journald.conf
-        regexp: (?i)(\s*compress=)
+        regexp: ^(\s*Compress\s*=.*)
        replace: '#\1'

 - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
@ -76,5 +76,5 @@
    - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
      ansible.builtin.replace:
        path: /etc/systemd/journald.conf
-        regexp: (?i)(\s*storage=)
+        regexp: ^(\s*Storage\s*=.*)
        replace: '#\1'
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@ -195,7 +195,7 @@
  register: discovered_rsyslog_remote_host
  notify: Restart rsyslog

- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
+- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client"
  when: rhel9cis_rule_6_2_3_7
  tags:
    - level1-server
@ -208,7 +208,7 @@
    - NIST800-53R5_AU-12
    - NIST800-53R5_CM-6
  block:
-    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host"
+    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host"
      when: not rhel9cis_system_is_log_server
      ansible.builtin.replace:
        path: /etc/rsyslog.conf
@ -221,7 +221,7 @@
        - '^(module\(load="imtcp"\))'
        - '^(input\(type="imtcp")'

-    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host"
+    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host"
      when: rhel9cis_system_is_log_server
      ansible.builtin.replace:
        path: /etc/rsyslog.conf
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@ -58,7 +58,7 @@
    - level1-server
    - level1-workstation
    - patch
-    - permissionss
+    - permissions
    - rule_7.1.4
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
@ -254,7 +254,7 @@
      ansible.builtin.file:
        path: "{{ item }}"
        owner: "{{ rhel9cis_unowned_owner }}"
-        group: "{{ rhel9cis_unowned_group }}"
+        group: "{{ rhel9cis_ungrouped_group }}"
      with_items:
        - "{{ discovered_unowned_files_flatten }}"