Latest fixes updates Feb26

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 22:37:11 +00:00 · 2026-02-12 09:15:05 +00:00 · 2026-02-12 09:15:05 +00:00 · 98e89d8945
commit 98e89d8945
parent 8b160681f5 3cfcf00717
73 changed files with 415 additions and 209 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,9 +1,9 @@
 ---
 parseable: true
 quiet: true
 skip_list:
  - 'package-latest'
  - 'risky-shell-pipe'
  - 'var-naming[read-only]'
 use_default_rules: true
 verbosity: 0
--- a/.github/workflows/export_badges_private.yml
+++ b/.github/workflows/export_badges_private.yml
@ -12,8 +12,6 @@ on:
  push:
    branches:
      - latest
  schedule:
    - cron: '0 */6 * * *'
  workflow_dispatch:
 jobs:
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -39,11 +39,13 @@ repos:
  rev: v1.5.0
  hooks:
  - id: detect-secrets
    name: Detect Secrets test
 - repo: https://github.com/gitleaks/gitleaks
  rev: v8.29.1
  hooks:
  - id: gitleaks
    name: Run Gitleaks test
 - repo: https://github.com/ansible-community/ansible-lint
  rev: v25.11.0
--- a/.yamllint
+++ b/.yamllint
@ -1,4 +1,5 @@
 ---
 extends: default
 ignore: |
    tests/
--- a/Changelog.md
+++ b/Changelog.md
@ -1,4 +1,81 @@
-# Changes to rhel9CIS
+# Changes to RHEL9CIS
 ## 2.0.5 - Based on CIS v2.0.0
 - QA Fixes
 - .j2 Branding Update
 - Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
 - fixed spelling and grammar across defaults/main.yml, Changelog.md, README.md, tasks/main.yml, and vars/main.yml
 - Fixed incorrect product reference in vars/main.yml comment (ubtu24cis -> rhel9cis)
 - Fixed broken Changelog link in README.md (case mismatch)
 - Added var-naming[read-only] to ansible-lint skip list for molecule files
 - Bootloader password logic updated with salt and hash options
 - Added passlib dependency documentation for bootloader password hash
 - Updated company title
 - Tidied up comments and variables for bootloader password
 - Removed scheduled tasks
 - Fixed typo thanks to Eugene @Frequentis
 - Unused variable audit: wired up all unused variables, removed legacy references
 - Updated chrony template to use rhel9cis_chrony_server_makestep, rtcsync, and minsources variables instead of hardcoded values
 - Wired up rhel9cis_authselect_custom_profile_create toggle in authselect profile creation task
 - Fixed task 5.3.3.2.7/5.3.3.2.8 mislabeling: separated password quality enforce and root enforce into correct tasks
 - Wired up audit_capture_files_dir in audit_only workflow for file capture to control node
 - Clarified rhel9cis_root_unlock_time documentation for commented-out alternative usage
 - Removed legacy rhel9cis_rule_1_1_10 from molecule converge files and is_container.yml
 - Fixed wrong variable name rhel9cis_unowned_group to rhel9cis_ungrouped_group in tasks/section_7/cis_7.1.x.yml
 - Added rhel9cis_install_network_manager toggle to 3.1.2 wireless interfaces task
 ## 2.0.4 - Based on CIS v2.0.0
 addressed issue #419, thank you @aaronk1
 addressed issue #418 thank you @bbaassssiiee
 Added better sysctl logic to disable IPv6
 Added option to disable IPv6 via sysctl (original method) or via the kernel
 pre-commit updates
 public issue #410 thanks to @kpi-nourman
 public issue #413 thanks to @bbaassssiiee
 Public issues incorporated
 Workflow updates
 Pre-commit updates
 README latest versions
 Audit improvements and max-concurrent option added
 Benchmark version variable in audit template
 fixed typo thanks to @fragglexarmy #393
 fixed typo thanks to @trumbaut #397 & #399
 updated auditd template to be 2.19 compliant
 PR345 thanks to thulium-drake boot password hash - if used needs passlib module
 tidy up tags on tasks/main.yml
 ## 2.0.3 - Based on CIS v2.0.0
 - Thank you @fragglexarmy
  - addressed Public issue 387
 - Addressed Public issue 382 to improve regex logic on 5.4.2.4
 - Improvement on crypto policy managed controls with var logic
 - Thanks to @polski-g
  - addressed issue 384
 - update command to shell module on tasks
 - Thanks to @numericillustration
  - Public PR 380
  - systemd_service rolled back to systemd for < ansible 2.14
 - Thanks to @bgro and @Kodebach
  - Public PR 371
  - updated to user sudo check 5.2.4
 - Thanks to @DianaMariaDDM
  - Public PR 367
  - updated several typos
 - Thanks to @polski-g
  - Public PR 364
  - gdm section 1.8 improvements
 - Thanks to @chrispipo
  - Public PR 350
  - change insert before for rsyslog setting
 - Thanks to @thesmilinglord
  - public issue 377
  - change 1.3 from include task to import for tagging
 - Thanks to @Fredouye
  - public issue 372
  - allow password with different locale
 ## 2.0.4 - Based on CIS v2.0.0
@ -59,7 +136,7 @@
  - updated controls 6.2.10-6.2.14
 - audit
  - steps moved to prelim
-  - update to coipy and archive logic and variables
+  - update to copy and archive logic and variables
 - removed vars not used
 - updated quotes used in mode tasks
 - pre-commit update
@ -93,7 +170,7 @@
 - lint updates
 - .secrets updated
 - file mode quoted
- updated 5.6.5 thansk to feedback from S!ghs on discord community
+- updated 5.6.5 thanks to feedback from S!ghs on discord community
 ## 1.1.1 - Based on CIS v1.0.0
@ -125,7 +202,7 @@
 ## 1.0.10
 - [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72)
-  - Only run check when paybook user not a superuser
+  - Only run check when playbook user not a superuser
 - fix for 5.5.3 thanks to @nrg-fv
 ## 1.0.9
@ -197,7 +274,7 @@ Jan-2023 release
 - updated ansible minimum to 2.10
 - Lint file updates and improvements
- auditd now shows diff ater initial template added
+- auditd now shows diff after initial template added
 - many control rewritten
 - Many controls moved ID references
 - Audit updates aligned
@ -222,7 +299,7 @@ Jan-2023 release
 - #209 5.6.5 rewrite umask settings
 - #220 tidy up and align variables
 - #226 Thanks to Thulium-Drake
-  -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required fopr auditd to run correctly in some cases)
+  -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required for auditd to run correctly in some cases)
 - #227 thanks to OscarElits
  - chrony files now RH expected locations
@ -262,9 +339,9 @@ Jan-2023 release
 - not all controls work with rhel8 releases any longer
  - selinux disabled 1.6.1.4
  - logrotate - 4.3.x
- updated to rhel8cis v2.0 benchamrk requirements
+- updated to rhel8cis v2.0 benchmark requirements
 - removed iptables firewall controls (not valid on rhel9)
- added more to logrotate 4.3.x - sure to logrotate now a seperate package
+- added more to logrotate 4.3.x - sure to logrotate now a separate package
 - grub path now standard to /boot/grub2/grub.cfg
 - 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer
 - workflow update
@ -283,7 +360,7 @@ args:
 ```
 - update boolean values to true/false
- 3.4.2 improved checks for p[ackage presence
+- 3.4.2 improved checks for package presence
 - changed to assert for OS/release and ansible version
 ## Initial
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
+Copyright (c) 2026 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/README.md
+++ b/README.md
@ -19,7 +19,6 @@
 ## Lint & Pre-Commit Tools 🔧
 [![Pre-Commit.ci](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/RHEL9-CIS/pre-commit-ci.json)](https://results.pre-commit.ci/latest/github/ansible-lockdown/RHEL9-CIS/devel)
 ![YamlLint](https://img.shields.io/badge/yamllint-Present-brightgreen?style=flat&logo=yaml&logoColor=white)
 ![Ansible-Lint](https://img.shields.io/badge/ansible--lint-Present-brightgreen?style=flat&logo=ansible&logoColor=white)
@ -49,7 +48,6 @@
 ![Private Benchmark Version](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/benchmark-version.json)
 [![Private Remediate Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/remediate.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation.yml)
 [![Private GPO Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/gpo.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation_gpo.yml)
 ![Private Pull Requests](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/prs.json)
 ![Private Closed Issues](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/issues-closed.json)
@ -58,9 +56,9 @@
 ## Looking for support? 🤝
-[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RHEL9-CIS)
+[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9-CIS)
-[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RHEL9-CIS)
+[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9-CIS)
 ### Community 💬
@ -86,10 +84,10 @@ This role **will make changes to the system** which may have unintended conseque
 ## Coming From A Previous Release ⏪
-CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release.
+CIS release always contains changes, it is highly recommended to review the new references and available variables. These have changed significantly since ansible-lockdown initial release.
 This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly.
-Further details can be seen in the [Changelog](./ChangeLog.md)
+Further details can be seen in the [Changelog](./Changelog.md)
 ---
@ -103,7 +101,7 @@ This is managed using tags:
 - level2-server
 - level2-workstation
-The control found in defaults main also need to reflect this as this control the testing that takes place if you are using the audit component.
+The controls found in defaults/main.yml also need to reflect this, as they control the testing that takes place if you are using the audit component.
 ---
 ## Requirements ✅
@ -130,6 +128,9 @@ RHEL Family OS 9
 - python-def
 - libselinux-python
 If you are using the option to create your own bootloader hash the ansible controller
 -  passlib
 ---
 ## Auditing 🔍
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,5 +1,6 @@
 ---
-# defaults file for rhel9-cis
+
 # defaults file for RHEL9-CIS
 # WARNING:
 # These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here:
 # https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
@ -63,7 +64,7 @@ benchmark: RHEL9-CIS
 # System will reboot if false, can give better audit results
 skip_reboot: true
-# default value will change to true but wont reboot if not enabled but will error
+# default value will change to true but won't reboot if not enabled but will error
 change_requires_reboot: false
 ###
@ -93,17 +94,11 @@ audit_max_concurrent: 50
 ## Only run Audit do not remediate
 audit_only: false
 ### As part of audit_only ###
 # Path to copy the files to will create dir structure in audit_only mode
 audit_capture_files_dir: /some/location to copy to on control node
 #############################
-## How to retrieve audit binary(Goss)
+# How to retrieve audit binary
-# Options are 'copy' or 'download' - detailed settings at the bottom of this file
+# Options are copy or download - detailed settings at the bottom of this file
-# - if 'copy':
+# you will need access to either github or the file already downloaded
 #    - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss
 # - if 'download':
 #    - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars
 get_audit_binary_method: download
 ## if get_audit_binary_method - copy the following needs to be updated for your environment
@ -257,9 +252,8 @@ rhel9cis_rule_1_8_8: true
 rhel9cis_rule_1_8_9: true
 rhel9cis_rule_1_8_10: true
 ## Section 2 Fixes
 # Section 2 rules are controlling Services (Special Purpose Services, and service clients)
-# Configure Server Services
+## Configure Server Services
 rhel9cis_rule_2_1_1: true
 rhel9cis_rule_2_1_2: true
 rhel9cis_rule_2_1_3: true
@ -400,7 +394,6 @@ rhel9cis_rule_5_3_3_2_4: true
 rhel9cis_rule_5_3_3_2_5: true
 rhel9cis_rule_5_3_3_2_6: true
 rhel9cis_rule_5_3_3_2_7: true
 rhel9cis_rule_5_3_3_2_8: true
 # 5.3.3.3 Configure pam_pwhistory module
 # These are added as part of 5.3.2.4 using jinja2 template
 rhel9cis_rule_5_3_3_3_1: true
@ -539,7 +532,7 @@ rhel9cis_rule_7_2_9: true
 ## Ability to enable debug on mounts to assist in troubleshooting
 # Mount point changes are set based upon facts created in Prelim
-# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
+# these then build the variable and options that are passed to the handler to set the mount point for the controls in section1.
 rhel9cis_debug_mount_data: false
 ## Control 1.1.2
@ -583,14 +576,33 @@ rhel9cis_selinux_pol: targeted
 rhel9cis_selinux_enforce: enforcing
 ## Control 1.4.1
-# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value
+# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
-# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
+rhel9cis_set_boot_pass: false
-# this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
+
 ################### bootloader password ############################################################
 #
 # Two options for setting the bootloader password
 #
 # Option 1: Set the bootloader password and salt – requires the passlib Python module
 # to be available on the Ansible controller.
 # Set this value to something secure to have predictable hashes,
 # which will prevent unnecessary changes.
 rhel9cis_bootloader_salt: ''
 # This variable stores the GRUB bootloader password to be written
 # to the '/boot/grub2/user.cfg' file. The default value must be changed.
 rhel9cis_bootloader_password: 'password'  # pragma: allowlist secret
 # Option 2: Set the bootloader password hash – if the salt value is empty,
 # the password will be set using the variable below.
 # If you are not using the bootloader hash filter, you can set it here
 # in encrypted format, e.g. grub.pbkdf2.sha512.hashstring
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
-## Control 1.4.1
+######################################################################################################
 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
 rhel9cis_set_boot_pass: true
 ## Controls 1.6.x and Controls 5.1.x
 # This variable governs if current Ansible role should manage system-wide crypto policy.
@ -803,6 +815,10 @@ rhel9cis_tftp_client: false
 # This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: true
 # 3.1.1 Disable IPv6
 # rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
 rhel9cis_ipv6_disable_method: "sysctl"
 ## Control 3.1.2 - Ensure wireless interfaces are disabled
 # if wireless adapter found allow network manager to be installed
 rhel9cis_install_network_manager: false
@ -907,8 +923,8 @@ rhel9cis_sshd_clientalivecountmax: 3
 # keep the connection alive and prevent it being terminated due to inactivity.
 rhel9cis_sshd_clientaliveinterval: 15
-## Control 5.1.10 - Ensure sshd DisableForwarding is enabled
+## Control 5.1.12 - disable forwarding
-# By Default this will also disablex11 forwarding
+# By Default this will also disable X11 forwarding
 # set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf
 # This variable's value is used in the `/etc/ssh/ssh_config.d/50-redhat.conf` file to
 # disable X11Forwarding. If X11 is required, set this variable's value to `yes`!
@ -952,14 +968,7 @@ rhel9cis_ssh_maxsessions: 4
 # This variable defines the path and file name of the sudo log file.
 rhel9cis_sudolog_location: "/var/log/sudo.log"
-## Control 5.2.4 - Ensure users must provide password for escalation
+## Control 5.2.x - Ensure sudo authentication timeout is configured correctly
 # The following variable specifies a list of users that should not be required to provide a password
 # for escalation. Feel free to edit it according to your needs.
 rhel9cis_sudoers_exclude_nopasswd_list:
  - ec2-user
  - vagrant
 ## Control 5.2.6 - Ensure sudo authentication timeout is configured correctly
 # This variable sets the duration (in minutes) during which a user's authentication credentials
 # are cached after successfully authenticating using "sudo". This allows the user to execute
 # multiple commands with elevated privileges without needing to re-enter their password for each
@ -999,19 +1008,38 @@ rhel9cis_authselect_default_profile_to_copy: "sssd --symlink-meta"
 ## Control 5.3.3.1.1 -
 # This variable sets the amount of tries a password can be entered, before a user is locked.
 rhel9cis_pam_faillock_deny: 5
-## Control 5.3.3.2, 5.3.2.2
+
 # - 5.3.3.1.2
 # This variable sets the amount of time a user will be unlocked after the max amount of
 # password failures.
 rhel9cis_pam_faillock_unlock_time: 900
-## Control 5.3.3.1.3 - Ensure password failed attempts lockout includes root account
+#####################################################################################################################
-# This variable is used in the task that ensures that even the root account
+# 5.3.3.1.3 | Ensure pam_faillock is configured - root account lockout behavior
-# is included in the password failed attempts lockout measure.
+#
-# The following variable is used in the 'regexp' field. This field is used to find the
+# Controls how root is handled when the failed login threshold is reached.
-# line in the file. If the line matches the regular expression, it will be replaced
+#################### Two mutually exclusive options #################################################################
-# with the line parameter's value.
+#
 #   -> even_deny_root          : Lock root just like any other account
 #   -> root_unlock_time = <n>  : Lock root but auto-unlock after <n> seconds
 #
 # Note: The default value is set to 'even_deny_root' to align with the CIS Benchmark recommendation of locking root
 # identically to regular users when the failed login threshold is reached. If you prefer to have root auto-unlock
 # after a specified time, set 'rhel9cis_pamroot_lock_option' to "root_unlock_time = {{ rhel9cis_root_unlock_time }}"
 # and adjust 'rhel9cis_root_unlock_time' as needed.
 #
 # Set ONE of the following:
 #
 # Option 1: root is locked identically to regular users when the failed login threshold is reached
 rhel9cis_pamroot_lock_option: even_deny_root
 # Option 2: root is locked but auto-unlocks after the specified seconds.
 # Seconds before root is automatically unlocked (only used when rhel9cis_pamroot_lock_option includes root_unlock_time)
 rhel9cis_root_unlock_time: 60
 # rhel9cis_pamroot_lock_option: "root_unlock_time = {{ rhel9cis_root_unlock_time }}"
 #
 ########################################################################################################################
 ## Control 5.3.3.2.1 - Ensure password number of changed characters is configured
 # This variable holds the path to the configuration file that will be created (or overwritten if already existing)
 # in order to implement the 'Ensure password number of changed characters is configured' control.
@ -1084,14 +1112,9 @@ rhel9cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.con
 # When set to '0', dictionary checks are disabled. CIS states that it shall always be set to '1'.
 rhel9cis_passwd_dictcheck_value: 1
-# This variable is used in one of the config files to ensure password quality checking is enforced
+# 5.3.3.2.7 - Ensure password quality is enforced for the root user
 rhel9cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf  # pragma: allowlist secret
 rhel9cis_passwd_quality_enforce_value: 1
 ## Control 5.3.3.2.7 - Ensure password quality is enforced for the root user
 # This variable holds the path to the configuration file that will be created (or overwritten if already existing)
 # in order to implement the 'Ensure password quality is enforced for the root user' control.
 rhel9cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf  # pragma: allowlist secret
 # The following variable enforces that the root user must adhere to the same password quality policies as other users.
 rhel9cis_passwd_quality_enforce_root_value: enforce_for_root  # pragma: allowlist secret
 ## Control 5.3.3.3.1 - Ensure password history remember is configured
@ -1131,21 +1154,21 @@ rhel9cis_inactivelock:
  # CIS requires a value of 30 days or less.
  lock_days: 30
-## Control 5.4.1.6 - Ensure all users last password change date is in the past
+## Control 5.4.1.x - Ensure all users last password change date is in the past
 # Allow ansible to expire password for account with a last changed date in the future. Setting it
 # to 'false' will just display users in violation, while 'true' will expire those users passwords.
 rhel9cis_futurepwchgdate_autofix: true
-## Control 5.4.2.6 - Ensure root user umask is configured
+# 5.4.2.x
-# The following variable specifies the "umask" to configure for the root user.
+
-# The user file-creation mode mask ( umask ) is used to determine the file
+## 5.4.2.5 Root user used
-# permission for newly created directories and files. In Linux, the default
+# Root by default is not used unless setup by user
-# permissions for any newly created directory is 0777 ( rwxrwxrwx ), and for
+# The role will only run certain commands if set to true
-# any newly created file it is 0666 ( rw-rw-rw- ). The umask modifies the default
+# This allows the ability to skip tasks that may cause an issue
-# Linux permissions by restricting (masking) these permissions. The umask is not
+# With the understanding root has full access
-# simply subtracted, but is processed bitwise. Bits set in the umask are cleared
+rhel9cis_uses_root: false
-# in the resulting file mode. CIS recommends setting 'umask' to '0027' or more
+
-# restrictive.
+## 5.4.2.6 - Ensure root home directory permissions are 750 or more restrictive
 rhel9cis_root_umask: '0027'  # 0027 or more restrictive
 ## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin
@ -1162,7 +1185,7 @@ rhel9cis_shell_session_timeout: 900
 # This variable specifies the path of the timeout setting file.
 # (TMOUT setting can be set in multiple files, but only one is required for the
 # rule to pass. Options are:
-# - a file in `/etc/profile.d/` ending in `.s`,
+# - a file in `/etc/profile.d/` ending in `.sh`,
 # - `/etc/profile`, or
 # - `/etc/bash.bashrc`.
 rhel9cis_shell_session_file: /etc/profile.d/tmout.sh
@ -1190,9 +1213,8 @@ rhel9cis_aide_db_file_age: 1w
 # If AIDE is already setup this variable forces a new database
 # file to be created.
 rhel9cis_aide_db_recreate: false
-# This variable is used to check if there is already an existing database file
+
-# created by AIDE on the target system. If it is not present, the role will generate
+# allows changing the db file; note the config needs to be adjusted too
 # a database file with the same name as the value of this variable.
 rhel9cis_aide_db_file: /var/lib/aide/aide.db.gz
 ## Control 6.1.2 - Ensure filesystem integrity is regularly checked
@ -1222,12 +1244,12 @@ rhel9cis_aide_cron:
  # This variable governs the day of the month when the AIDE cronjob is run.
  # `*` signifies that the job is run on all days; furthermore, specific days
  # can be given in the range `1-31`; several days can be concatenated with a comma.
-  # The specified day(s) can must be in the range  `1-31`.
+  # The specified day(s) must be in the range `1-31`.
  aide_day: '*'
  # This variable governs months when the AIDE cronjob is run.
  # `*` signifies that the job is run in every month; furthermore, specific months
  # can be given in the range `1-12`; several months can be concatenated with commas.
-  # The specified month(s) can must be in the range  `1-12`.
+  # The specified month(s) must be in the range `1-12`.
  aide_month: '*'
  # This variable governs the weekdays, when the AIDE cronjob is run.
  # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
@ -1267,7 +1289,7 @@ rhel9cis_journald_runtimekeepfree: 100G
 # Current variable governs the settings for log retention(how long the log files will be kept).
 # Thus, it specifies the maximum time to store entries in a single journal
 # file before rotating to the next one. Set to 0 to turn off this feature.
-# The given values is interpreted as seconds, unless suffixed with the units
+# The given value is interpreted as seconds, unless suffixed with the units
 # `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
 # Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
 # ATTENTION: Uncomment the keyword below when values are set!
--- a/filter_plugins/grub_hash.py
+++ b/filter_plugins/grub_hash.py
@ -0,0 +1,73 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 # Copyright (c) 2025, Jeffrey van Pelt <jeff@vanpelt.one>
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 from __future__ import annotations
 DOCUMENTATION = r"""
 name: grub_hash
 short_description: Generate a GRUB2 password hash
 version_added: 1.0.0
 author: Jeffrey van Pelt (@Thulium-Drake)
 description:
  - Generate a GRUB2 password hash from the input
 options:
  _input:
    description: The desired password for the GRUB bootloader
    type: string
    required: true
  salt:
    description: The salt used to generate the hash
    type: string
    required: false
  rounds:
    description: The amount of rounds to run the PBKDF2 function
    type: int
    required: false
 """
 EXAMPLES = r"""
 - name: 'Generate hash with defaults'
  ansible.builtin.debug:
    msg: "{{ 'mango123!' | grub_hash }}"
 - name: 'Generate hash with custom rounds and salt'
  ansible.builtin.debug:
    msg: "{{ 'mango123!' | grub_hash(rounds=10001, salt='andpepper') }}"
    # Produces: grub.pbkdf2.sha512.10001.616E64706570706572.4C6AEA2A811B4059D4F47AEA36B77DB185B41E9F08ECC3C4C694427DB876C21B24E6CBA0319053E4F1431CDEE83076398C73B9AA8F50A7355E446229BC69A97C
 """
 RETURN = r"""
 _value:
  description: A GRUB2 password hash
  type: string
 """
 from ansible.errors import AnsibleFilterError
 import os
 import base64
 from passlib.hash import grub_pbkdf2_sha512
 def grub_hash(password, rounds=10000, salt=None):
    if salt is None:
        # Generate 64-byte salt if not provided
        salt = os.urandom(64)
    # Check if the salt, when not generated, is a valid bytes value and attempt to convert if needed
    if not isinstance(salt, bytes):
        try:
            salt = salt.encode("utf-8")
        except AttributeError:
            raise TypeError("Salt must be a string, not int.")
    # Configure hash generator
    pbkdf2_generator = grub_pbkdf2_sha512.using(rounds=rounds, salt=salt)
    return pbkdf2_generator.hash(password)
 class FilterModule(object):
    def filters(self):
        return {
            'grub_hash': grub_hash
        }
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -150,7 +150,7 @@
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
-  notify: Change_requires_reboot
+  notify: Set reboot required
  listen: "Remount /boot/efi"
 - name: Reload sysctl
@ -194,7 +194,7 @@
  ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
  changed_when: true
  notify:
-    - Change_requires_reboot
+    - Set reboot required
    - Restart sshd
 - name: Restart firewalld
@ -255,7 +255,7 @@
  when: discovered_auditd_immutable_check.stdout == '1'
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
-  notify: Change_requires_reboot
+  notify: Set reboot required
 - name: Stop auditd process
  ansible.builtin.command: systemctl kill auditd
@ -268,6 +268,6 @@
    state: started
  listen: Restart auditd
- name: Change_requires_reboot
+- name: Set reboot required
  ansible.builtin.set_fact:
    change_requires_reboot: true
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,11 +1,11 @@
 ---
 galaxy_info:
-  author: "MindPoint Group"
+  author: "Ansible-Lockdown"
  description: "Apply the RHEL 9 CIS"
-  company: "MindPoint Group"
+  company: "MindPoint Group - A Tyto Athene Company"
  license: MIT
  role_name: rhel9_cis
-  namespace: mindpointgroup
+  namespace: ansible-lockdown
  min_ansible_version: 2.10.1
  platforms:
    - name: EL
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -10,7 +10,6 @@
      system_is_container: true
      rhel9cis_selinux_disable: true
      rhel9cis_rule_5_2_4: false
      rhel9cis_rule_1_1_10: false
      rhel9cis_firewall: "none"
      rhel9cis_rule_4_1_1_1: false
      rhel9cis_rule_4_1_1_2: false
--- a/molecule/wsl/converge.yml
+++ b/molecule/wsl/converge.yml
@ -8,16 +8,15 @@
  vars:
      ansible_user: "{{ lookup('env', 'USER') }}"
      system_is_container: true
-      rhel8cis_selinux_disable: true
+      rhel9cis_selinux_disable: true
      role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
-      rhel8cis_rule_5_3_4: false
+      rhel9cis_rule_5_3_4: false
-      rhel8cis_rule_1_1_10: false
+      rhel9cis_rsyslog_ansiblemanaged: false
-      rhel8cis_rsyslog_ansiblemanaged: false
+      rhel9cis_rule_3_4_1_3: false
-      rhel8cis_rule_3_4_1_3: false
+      rhel9cis_rule_3_4_1_4: false
-      rhel8cis_rule_3_4_1_4: false
+      rhel9cis_rule_4_2_1_2: false
-      rhel8cis_rule_4_2_1_2: false
+      rhel9cis_rule_4_2_1_4: false
-      rhel8cis_rule_4_2_1_4: false
+      rhel9cis_rule_5_1_1: false
      rhel8cis_rule_5_1_1: false
  pre_tasks:
  tasks:
--- a/site.yml
+++ b/site.yml
@ -1,7 +1,7 @@
 ---
 - name: Apply ansible-lockdown hardening
-  hosts: all
+  hosts: "{{ hosts | default('all') }}"
  become: true
  roles:
    - role: "{{ playbook_dir }}"
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@ -1,4 +1,5 @@
 ---
 - name: Pre Audit Setup | Set audit package name
  block:
    - name: Pre Audit Setup | Set audit package name | 64bit
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -17,9 +17,7 @@
    success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
 - name: "Setup rules if container"
-  when:
+  when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
    - ansible_connection == 'docker' or
      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - container_discovery
    - always
@ -43,18 +41,18 @@
    fail_msg: "Crypto policy is not a permitted version"
    success_msg: "Crypto policy is a permitted version"
- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
+- name: "Check rhel9cis_bootloader_password variable has been changed"
  when:
    - rhel9cis_set_boot_pass
    - rhel9cis_rule_1_4_1
  tags: always
  ansible.builtin.assert:
-    that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
+    that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret
-    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
+    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly"
 - name: "Check crypto-policy module input"
  when:
-    - rhel9cis_rule_1_6_1
+    - rhel9cis_crypto_policy_ansiblemanaged
    - rhel9cis_crypto_policy_module | length > 0
  tags:
    - rule_1.6.1
@ -99,7 +97,7 @@
              or
                (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
              )
-            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
+            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or the user is not included in the exception list for rule 5.2.4 - It can break access"
            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
        - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
@ -120,8 +118,8 @@
    - name: "Check authselect profile is selected | Check current profile"
      ansible.builtin.command: authselect list
      changed_when: false
-      failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
+      failed_when: prelim_authselect_profile_list.rc not in [ 0, 1 ]
-      register: prelim_authselect_current_profile
+      register: prelim_authselect_profile_list
 - name: "Ensure root password is set"
  when: rhel9cis_rule_5_4_2_4
@ -134,7 +132,7 @@
    - rule_5.4.2.4
  block:
    - name: "Ensure root password is set"
-      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)"
+      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)"
      changed_when: false
      failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
      register: prelim_root_passwd_set
@ -156,9 +154,7 @@
    file: "{{ ansible_facts.distribution }}.yml"
 - name: "Include preliminary steps"
-  tags:
+  tags: prelim_tasks
    - prelim_tasks
    - always
  ansible.builtin.import_tasks:
    file: prelim.yml
--- a/tasks/post.yml
+++ b/tasks/post.yml
@ -28,8 +28,7 @@
 - name: POST | reboot system if changes require it and not skipped
  when: change_requires_reboot
-  tags:
+  tags: always
    - always
  vars:
    warn_control_id: Reboot_required
  block:
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -1,10 +1,12 @@
 ---
-# Preliminary tasks that should always be run
+# Preliminary tasks that should always run
-# List users in order to look files inside each home directory
+# List users in order to look up files inside each home directory
 - name: "PRELIM | Include audit specific variables"
-  when: run_audit or audit_only or setup_audit
+  when:
    - run_audit or audit_only
    - setup_audit
  tags:
    - setup_audit
    - run_audit
@ -12,7 +14,8 @@
    file: audit.yml
 - name: "PRELIM | Include pre-remediation audit tasks"
-  when: run_audit or audit_only or setup_audit
+  when:
    - run_audit or audit_only
  tags: run_audit
  ansible.builtin.import_tasks: pre_remediation_audit.yml
@ -92,6 +95,11 @@
    - rhel9cis_rule_1_2_1_1
    - ansible_facts.distribution != 'RedHat'
    - ansible_facts.distribution != 'OracleLinux'
  tags:
    - level1-server
    - level1-workstation
    - rule_1.2.1.1
    - gpg
  ansible.builtin.package:
    name: "{{ gpg_key_package }}"
    state: latest
@ -206,14 +214,15 @@
  block:
    - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
      ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
-      register: discover_wireless_adapters
+      register: prelim_wireless_adapters
      changed_when: false
      check_mode: false
-      failed_when: discover_wireless_adapters.rc not in [ 0, 1 ]
+      failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ]
    - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present"
      when:
-        - discover_wireless_adapters.rc == 0
+        - rhel9cis_install_network_manager
        - prelim_wireless_adapters.rc == 0
        - "'NetworkManager' not in ansible_facts.packages"
      ansible.builtin.package:
        name: NetworkManager
@ -277,8 +286,7 @@
 - name: "PRELIM | PATCH | Create journald config directory"
  when:
    - rhel9cis_syslog == 'journald'
-    - rhel9cis_rule_6_2_1_3 or
+    - rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4
      rhel9cis_rule_6_2_1_4
  tags: always
  ansible.builtin.file:
    path: /etc/systemd/journald.conf.d
--- a/tasks/section_1/cis_1.1.1.x.yml
+++ b/tasks/section_1/cis_1.1.1.x.yml
@ -27,8 +27,7 @@
        mode: 'go-rwx'
    - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
-      when:
+      when: not system_is_container
        - not system_is_container
      community.general.modprobe:
        name: cramfs
        state: absent
--- a/tasks/section_1/cis_1.1.2.3.x.yml
+++ b/tasks/section_1/cis_1.1.2.3.x.yml
@ -1,4 +1,5 @@
 ---
 - name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
  when:
    - rhel9cis_rule_1_1_2_3_1
--- a/tasks/section_1/cis_1.2.2.x.yml
+++ b/tasks/section_1/cis_1.2.2.x.yml
@ -13,4 +13,4 @@
  ansible.builtin.package:
    name: "*"
    state: latest
-  notify: Change_requires_reboot
+  notify: Set reboot required
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -13,7 +13,7 @@
    - NIST800-53R5_AC-3
  ansible.builtin.copy:
    dest: /boot/grub2/user.cfg
-    content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}"  # noqa template-instead-of-copy
+    content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
    owner: root
    group: root
    mode: 'go-rwx'
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -16,19 +16,35 @@
    - rule_3.1.1
    - NIST800-53R5_CM-7
  block:
-    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
+    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template"
      when: "'sysctl' in rhel9cis_ipv6_disable_method"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv6_route: true
-    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
+    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info"
      when: "'sysctl' in rhel9cis_ipv6_disable_method"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status"
      when: "'kernel' in rhel9cis_ipv6_disable_method"
      ansible.builtin.command: grubby --info=ALL
      changed_when: false
      failed_when: false
      register: discovered_rhel9cis_3_1_1_ipv6_status
    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
      when:
        - "'kernel' in rhel9cis_ipv6_disable_method"
        - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
      ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1"
      changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
  when:
    - rhel9cis_rule_3_1_2
-    - discover_wireless_adapters.rc == 0
+    - prelim_wireless_adapters.rc == 0
  tags:
    - level1-server
    - patch
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -411,6 +411,8 @@
    path: "{{ rhel9cis_sshd_config_file }}"
    regexp: '^(#)?MaxAuthTries \d'
    line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
    insertbefore: "^Match"
    firstmatch: true
    validate: sshd -t -f %s
  notify: Restart sshd
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@ -14,7 +14,9 @@
    - rule_5.3.2.1
  block:
    - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
-      when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout
+      when:
        - rhel9cis_authselect_custom_profile_create
        - rhel9cis_authselect_custom_profile_name not in prelim_authselect_profile_list.stdout
      ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
      changed_when: false
      args:
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@ -340,7 +340,7 @@
        - system
      notify: Authselect update
- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
+- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced"
  when: rhel9cis_rule_5_3_3_2_7
  tags:
    - level1-server
@ -350,8 +350,8 @@
    - NIST800-53R5_IA-5
    - pam
  ansible.builtin.template:
-    src: "{{ rhel9cis_passwd_quality_enforce_root_file }}.j2"
+    src: "{{ rhel9cis_passwd_quality_enforce_file }}.j2"
-    dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}"
+    dest: "/{{ rhel9cis_passwd_quality_enforce_file }}"
    owner: root
    group: root
    mode: 'o-rwx'
--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@ -10,14 +10,12 @@
    file: cis_5.1.x.yml
 - name: "SECTION | 5.2 | Configure privilege escalation"
-  when:
+  when: rhel9cis_section5_2
    - rhel9cis_section5_2
  ansible.builtin.import_tasks:
    file: cis_5.2.x.yml
 - name: "SECTION | 5.3"
-  when:
+  when: rhel9cis_section5_3
    - rhel9cis_section5_3
  block:
    - name: "SECTION | 5.3.1.x | Configure PAM software packages"
      ansible.builtin.import_tasks:
@ -44,8 +42,7 @@
        file: cis_5.3.3.4.x.yml
 - name: "SECTION | 5.4"
-  when:
+  when: rhel9cis_section5_4
    - rhel9cis_section5_4
  block:
    - name: "SECTION | 5.4.1.x | Configure shadow password suite parameters"
      ansible.builtin.import_tasks:
--- a/tasks/section_6/cis_6.2.2.x.yml
+++ b/tasks/section_6/cis_6.2.2.x.yml
@ -25,7 +25,7 @@
    - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
      ansible.builtin.replace:
        path: /etc/systemd/journald.conf
-        regexp: ^(\s*ForwardToSyslog)
+        regexp: ^(\s*ForwardToSyslog\s*=.*)
        replace: '#\1'
 - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
@ -50,7 +50,7 @@
    - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
      ansible.builtin.replace:
        path: /etc/systemd/journald.conf
-        regexp: (?i)(\s*compress=)
+        regexp: ^(\s*Compress\s*=.*)
        replace: '#\1'
 - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
@ -76,5 +76,5 @@
    - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
      ansible.builtin.replace:
        path: /etc/systemd/journald.conf
-        regexp: (?i)(\s*storage=)
+        regexp: ^(\s*Storage\s*=.*)
        replace: '#\1'
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@ -195,7 +195,7 @@
  register: discovered_rsyslog_remote_host
  notify: Restart rsyslog
- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
+- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client"
  when: rhel9cis_rule_6_2_3_7
  tags:
    - level1-server
@ -208,7 +208,7 @@
    - NIST800-53R5_AU-12
    - NIST800-53R5_CM-6
  block:
-    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host"
+    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host"
      when: not rhel9cis_system_is_log_server
      ansible.builtin.replace:
        path: /etc/rsyslog.conf
@ -221,7 +221,7 @@
        - '^(module\(load="imtcp"\))'
        - '^(input\(type="imtcp")'
-    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host"
+    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host"
      when: rhel9cis_system_is_log_server
      ansible.builtin.replace:
        path: /etc/rsyslog.conf
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@ -58,7 +58,7 @@
    - level1-server
    - level1-workstation
    - patch
-    - permissionss
+    - permissions
    - rule_7.1.4
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
@ -254,7 +254,7 @@
      ansible.builtin.file:
        path: "{{ item }}"
        owner: "{{ rhel9cis_unowned_owner }}"
-        group: "{{ rhel9cis_unowned_group }}"
+        group: "{{ rhel9cis_ungrouped_group }}"
      with_items:
        - "{{ discovered_unowned_files_flatten }}"
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@ -1,7 +1,7 @@
 ---
-# Enable logrunning potential resource intensive tests
+# Enable long running potential resource intensive tests
 run_heavy_tests: {{ audit_run_heavy_tests }}
 # Extend default command timeout for longer running tests
@ -206,6 +206,7 @@ rhel9cis_rule_2_4_2_1: {{ rhel9cis_rule_2_4_2_1 }}
 rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
 rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
 rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }}
 ## Network Kernel Modules
 rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
 rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
@ -291,7 +292,6 @@ rhel9cis_rule_5_3_3_2_4: {{ rhel9cis_rule_5_3_3_2_4 }}
 rhel9cis_rule_5_3_3_2_5: {{ rhel9cis_rule_5_3_3_2_5 }}
 rhel9cis_rule_5_3_3_2_6: {{ rhel9cis_rule_5_3_3_2_6 }}
 rhel9cis_rule_5_3_3_2_7: {{ rhel9cis_rule_5_3_3_2_7 }}
 rhel9cis_rule_5_3_3_2_8: {{ rhel9cis_rule_5_3_3_2_8 }}
 # 5.3.3.3 Configure pam_pwhistory module
 # This are added as part of 5.3.2.4 using jinja2 template
 rhel9cis_rule_5_3_3_3_1: {{ rhel9cis_rule_5_3_3_3_1 }}
@ -530,6 +530,8 @@ rhel9cis_bluetooth_mask: {{ rhel9cis_bluetooth_mask }}
 ## 3.1 IPv6 requirement toggle
 # This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
 # rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
 rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }}
 # 3.3 System network parameters (host only OR host and router)
 # This variable governs whether specific CIS rules
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
 # Added as part of ansible-lockdown CIS baseline
 # provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # This file contains users whose actions are not logged by auditd
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
 # Added as part of ansible-lockdown CIS baseline
 # provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually
--- a/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2
+++ b/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # Audit Tools
 /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
--- a/templates/etc/ansible/compliance_facts.j2
+++ b/templates/etc/ansible/compliance_facts.j2
@ -1,6 +1,4 @@
-# CIS Hardening Carried out
+{{ file_managed_by_ansible }}
 # Added as part of ansible-lockdown CIS baseline
 # provided by Mindpoint Group - A Tyto Athene Company
 [lockdown_details]
 # Benchmark release
--- a/templates/etc/chrony.conf.j2
+++ b/templates/etc/chrony.conf.j2
@ -1,4 +1,4 @@
-{{ ansible_managed | comment }}
+{{ file_managed_by_ansible }}
 # Use public servers from the pool.ntp.org project.
 # Please consider joining the pool (http://www.pool.ntp.org/join.html).
@ -11,17 +11,19 @@ driftfile /var/lib/chrony/drift
 # Allow the system clock to be stepped in the first three updates
 # if its offset is larger than 1 second.
-makestep 1.0 3
+makestep {{ rhel9cis_chrony_server_makestep }}
 {% if rhel9cis_chrony_server_rtcsync %}
 # Enable kernel synchronization of the real-time clock (RTC).
 rtcsync
 {% endif %}
 # Enable hardware timestamping on all interfaces that support it.
 #hwtimestamp *
 # Increase the minimum number of selectable sources required to adjust
 # the system clock.
-#minsources 2
+minsources {{ rhel9cis_chrony_server_minsources }}
 # Allow NTP client access from local network.
 #allow 192.168.0.0/16
--- a/templates/etc/cron.d/aide.cron.j2
+++ b/templates/etc/cron.d/aide.cron.j2
@ -1,7 +1,5 @@
 {{ file_managed_by_ansible }}
 # Run AIDE integrity check
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
 # provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
--- a/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # This is a subpolicy dropping the SHA1 hash and signature support
 # Carried out as part of CIS Benchmark rule 1.6.3
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # This is a subpolicy to disable all CBC mode ciphers
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rule 1.6.5
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # This is a subpolicy to disable Encrypt then MAC
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rule 1.6.7
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak ciphers
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak macs
 # Carried out as part of CIS Benchmark control 5.1.6
--- a/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak macs
 # Carried out as part of CIS Benchmark rule 1.6.4
--- a/templates/etc/dconf/db/00-automount_lock.j2
+++ b/templates/etc/dconf/db/00-automount_lock.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
 # Added as part of ansible-lockdown CIS baseline
 # provided by Mindpoint Group - A Tyto Athene Company
 # Lock desktop media-handling automount setting
 /org/gnome/desktop/media-handling/automount
--- a/templates/etc/dconf/db/00-autorun_lock.j2
+++ b/templates/etc/dconf/db/00-autorun_lock.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
 # Added as part of ansible-lockdown CIS baseline
 # provided by Mindpoint Group - A Tyto Athene Company
 # Lock desktop media-handling settings
 /org/gnome/desktop/media-handling/autorun-never
--- a/templates/etc/dconf/db/00-media-automount.j2
+++ b/templates/etc/dconf/db/00-media-automount.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
 # Added as part of ansible-lockdown CIS baseline
 # provided by Mindpoint Group - A Tyto Athene Company
 [org/gnome/desktop/media-handling]
 automount=false
--- a/templates/etc/dconf/db/00-media-autorun.j2
+++ b/templates/etc/dconf/db/00-media-autorun.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
 # Added as part of ansible-lockdown CIS baseline
 # provided by Mindpoint Group - A Tyto Athene Company
 [org/gnome/desktop/media-handling]
 autorun-never=true
--- a/templates/etc/dconf/db/00-screensaver.j2
+++ b/templates/etc/dconf/db/00-screensaver.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
 # Added as part of ansible-lockdown CIS baseline
 # provided by Mindpoint Group - A Tyto Athene Company
 # Specify the dconf path
 [org/gnome/desktop/session]
--- a/templates/etc/dconf/db/00-screensaver_lock.j2
+++ b/templates/etc/dconf/db/00-screensaver_lock.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
 # Added as part of ansible-lockdown CIS baseline
 # provided by Mindpoint Group - A Tyto Athene Company
 # Lock desktop screensaver idle-delay setting
 /org/gnome/desktop/session/idle-delay
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
 # Added as part of ansible-lockdown CIS baseline
 # provided by Mindpoint Group - A Tyto Athene Company
 [org/gnome/login-screen]
 banner-message-enable=true
--- a/templates/etc/logrotate.d/rsyslog_log.j2
+++ b/templates/etc/logrotate.d/rsyslog_log.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 /var/log/rsyslog/*.log {
    {{ rhel9cis_rsyslog_logrotate_rotated_when }}
    rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}
--- a/templates/etc/modprobe.d/modprobe.conf.j2
+++ b/templates/etc/modprobe.d/modprobe.conf.j2
@ -1,6 +1,4 @@
-# Disable usage of protocol {{ item }}
+{{ file_managed_by_ansible }}
-# Set by ansible {{ benchmark }} remediation role
+## YOUR CHANGES WILL BE LOST!
 # https://github.com/ansible-lockdown
 ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
 install {{ item }} /bin/true
--- a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.3 Ensure password complexity is configured
 {% if rhel9cis_passwd_complex_option == 'minclass' %}  # pragma: allowlist secret
--- a/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.6 Ensure password dictionary check is enabled
 dictcheck = {{ rhel9cis_passwd_dictcheck_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.1 Ensure password number of changed characters is configured
 difok = {{ rhel9cis_passwd_difok_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.2 Ensure minimum password length is configured
 minlen = {{ rhel9cis_passwd_minlen_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.5 Ensure password maximum sequential characters is configured
 maxsequence = {{ rhel9cis_passwd_maxsequence_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.7 Ensure password quality checking is enforced
 enforcing = {{ rhel9cis_passwd_quality_enforce_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.4 Ensure password same consecutive characters is configured
 maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }}
--- a/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2
+++ b/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 # CIS Configurations
-# 5.3.3.2.8 Ensure password quality is enforced for the root user
+# 5.3.3.2.7 Ensure password quality is enforced for the root user
 {{ rhel9cis_passwd_quality_enforce_root_value }}
--- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
+++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
@ -1,7 +1,11 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
 ## YOUR CHANGES WILL BE LOST!
 # IPv6 disable
 {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 {% for interface in ansible_interfaces %}
 net.ipv6.conf.{{ interface }}.disable_ipv6 = 1
 {% endfor %}
 {% endif %}
--- a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
 ## YOUR CHANGES WILL BE LOST!
 {% if rhel9cis_rule_1_5_1 %}
 # Adress space randomise
--- a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2
@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
 ## YOUR CHANGES WILL BE LOST!
 # IPv4 Network sysctl
 {% if rhel9cis_rule_3_3_1 %}
--- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
 ## YOUR CHANGES WILL BE LOST!
 # IPv6 Network sysctl
 {% if rhel9cis_ipv6_required %}
--- a/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
+++ b/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 # CIS rule 6_2_2_2
 [Journal]
 ForwardToSyslog=no
--- a/templates/etc/systemd/journald.conf.d/rotation.conf.j2
+++ b/templates/etc/systemd/journald.conf.d/rotation.conf.j2
@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 # CIS rule 6_2_1_3
 [Journal]
 SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}
--- a/templates/etc/systemd/journald.conf.d/storage.conf.j2
+++ b/templates/etc/systemd/journald.conf.d/storage.conf.j2
@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 [Journal]
 {% if rhel9cis_rule_6_2_2_3 %}
 # Set compress CIS rule 6_2_2_3
--- a/templates/etc/systemd/system/tmp.mount.j2
+++ b/templates/etc/systemd/system/tmp.mount.j2
@ -1,3 +1,4 @@
 {{ file_managed_by_ansible }}
 #  SPDX-License-Identifier: LGPL-2.1+
 #
 #  This file is part of systemd.
@ -7,7 +8,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+## YOUR CHANGED WILL BE LOST!
 [Unit]
 Description=Temporary Directory (/tmp)
--- a/vars/OracleLinux.yml
+++ b/vars/OracleLinux.yml
@ -1,4 +1,5 @@
 ---
 # OS Specific Settings
 os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
 os_gpg_key_pubkey_content: "Oracle Linux (release key 1) <secalert_us@oracle.com>"
--- a/vars/is_container.yml
+++ b/vars/is_container.yml
@ -2,7 +2,7 @@
 # File to skip controls if container
 # Based on standard image no changes
-# it expected all pkgs required for the container are alreday installed
+# it expected all pkgs required for the container are already installed
 ## controls
@ -57,7 +57,6 @@ rhel9cis_rule_1_1_6: false
 rhel9cis_rule_1_1_7: false
 rhel9cis_rule_1_1_8: false
 rhel9cis_rule_1_1_9: false
 rhel9cis_rule_1_1_10: false
 # /var/log
 rhel9cis_rule_1_1_11: false
 # /var/log/audit
--- a/vars/main.yml
+++ b/vars/main.yml
@ -24,6 +24,8 @@ rhel9cis_allowed_crypto_policies_modules:
  - 'NO-SSHWEAKMAC'
  - 'NO-WEAKMAC'
 rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
@ -39,7 +41,7 @@ gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
 ## Controls 6.3.3.x - Audit template
 # This variable is set to true by tasks 6.3.3.1 to 6.3.3.20. As a result, the
 # audit settings are overwritten with the role's template. In order to exclude
-# specific rules, you must set the variable of form `ubtu24cis_rule_6_3_3_x` above
+# specific rules, you must set the variable of form `rhel9cis_rule_6_3_3_x` above
 # to `false`.
 update_audit_template: false
@ -74,3 +76,10 @@ audit_bins:
  - /sbin/autrace
  - /sbin/auditd
  - /sbin/augenrules
 company_title: 'MindPoint Group - A Tyto Athene Company'
 file_managed_by_ansible: |-
  # File managed by ansible as part of {{ benchmark }} benchmark
  # As part of Ansible-lockdown
  # Provided by {{ company_title }}