Merge pull request #432 from ansible-lockdown/devel

Latest main release

.ansible-lint

@@ -1,9 +1,9 @@
 ---
 
-parseable: true
 quiet: true
 skip_list:
   - 'package-latest'
   - 'risky-shell-pipe'
+  - 'var-naming[read-only]'
 use_default_rules: true
 verbosity: 0

.github/workflows/export_badges_private.yml

@@ -12,8 +12,6 @@ on:
   push:
     branches:
       - latest
-  schedule:
-    - cron: '0 */6 * * *'
   workflow_dispatch:
 
 jobs:

.pre-commit-config.yaml

@@ -39,11 +39,13 @@ repos:
   rev: v1.5.0
   hooks:
   - id: detect-secrets
+    name: Detect Secrets test
 
 - repo: https://github.com/gitleaks/gitleaks
   rev: v8.30.0
   hooks:
   - id: gitleaks
+    name: Run Gitleaks test
 
 - repo: https://github.com/ansible-community/ansible-lint
   rev: v26.1.1

.yamllint

@@ -1,4 +1,5 @@
 ---
+
 extends: default
 ignore: |
     tests/

Changelog.md

@@ -1,4 +1,81 @@
-# Changes to rhel9CIS
+# Changes to RHEL9CIS
+
+## 2.0.5 - Based on CIS v2.0.0
+
+- QA Fixes
+- .j2 Branding Update
+- Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
+- fixed spelling and grammar across defaults/main.yml, Changelog.md, README.md, tasks/main.yml, and vars/main.yml
+- Fixed incorrect product reference in vars/main.yml comment (ubtu24cis -> rhel9cis)
+- Fixed broken Changelog link in README.md (case mismatch)
+- Added var-naming[read-only] to ansible-lint skip list for molecule files
+- Bootloader password logic updated with salt and hash options
+- Added passlib dependency documentation for bootloader password hash
+- Updated company title
+- Tidied up comments and variables for bootloader password
+- Removed scheduled tasks
+- Fixed typo thanks to Eugene @Frequentis
+- Unused variable audit: wired up all unused variables, removed legacy references
+- Updated chrony template to use rhel9cis_chrony_server_makestep, rtcsync, and minsources variables instead of hardcoded values
+- Wired up rhel9cis_authselect_custom_profile_create toggle in authselect profile creation task
+- Fixed task 5.3.3.2.7/5.3.3.2.8 mislabeling: separated password quality enforce and root enforce into correct tasks
+- Wired up audit_capture_files_dir in audit_only workflow for file capture to control node
+- Clarified rhel9cis_root_unlock_time documentation for commented-out alternative usage
+- Removed legacy rhel9cis_rule_1_1_10 from molecule converge files and is_container.yml
+- Fixed wrong variable name rhel9cis_unowned_group to rhel9cis_ungrouped_group in tasks/section_7/cis_7.1.x.yml
+- Added rhel9cis_install_network_manager toggle to 3.1.2 wireless interfaces task
+
+## 2.0.4 - Based on CIS v2.0.0
+
+addressed issue #419, thank you @aaronk1
+addressed issue #418 thank you @bbaassssiiee
+Added better sysctl logic to disable IPv6
+Added option to disable IPv6 via sysctl (original method) or via the kernel
+pre-commit updates
+public issue #410 thanks to @kpi-nourman
+public issue #413 thanks to @bbaassssiiee
+Public issues incorporated
+Workflow updates
+Pre-commit updates
+README latest versions
+Audit improvements and max-concurrent option added
+Benchmark version variable in audit template
+fixed typo thanks to @fragglexarmy #393
+fixed typo thanks to @trumbaut #397 & #399
+updated auditd template to be 2.19 compliant
+PR345 thanks to thulium-drake boot password hash - if used needs passlib module
+tidy up tags on tasks/main.yml
+
+## 2.0.3 - Based on CIS v2.0.0
+
+- Thank you @fragglexarmy
+  - addressed Public issue 387
+- Addressed Public issue 382 to improve regex logic on 5.4.2.4
+- Improvement on crypto policy managed controls with var logic
+- Thanks to @polski-g
+  - addressed issue 384
+- update command to shell module on tasks
+- Thanks to @numericillustration
+  - Public PR 380
+  - systemd_service rolled back to systemd for < ansible 2.14
+- Thanks to @bgro and @Kodebach
+  - Public PR 371
+  - updated to user sudo check 5.2.4
+- Thanks to @DianaMariaDDM
+  - Public PR 367
+  - updated several typos
+- Thanks to @polski-g
+  - Public PR 364
+  - gdm section 1.8 improvements
+- Thanks to @chrispipo
+  - Public PR 350
+  - change insert before for rsyslog setting
+- Thanks to @thesmilinglord
+  - public issue 377
+  - change 1.3 from include task to import for tagging
+- Thanks to @Fredouye
+  - public issue 372
+  - allow password with different locale
 
 ## 2.0.4 - Based on CIS v2.0.0
 
@@ -64,7 +141,7 @@
   - updated controls 6.2.10-6.2.14
 - audit
   - steps moved to prelim
-  - update to coipy and archive logic and variables
+  - update to copy and archive logic and variables
 - removed vars not used
 - updated quotes used in mode tasks
 - pre-commit update
@@ -98,7 +175,7 @@
 - lint updates
 - .secrets updated
 - file mode quoted
-- updated 5.6.5 thansk to feedback from S!ghs on discord community
+- updated 5.6.5 thanks to feedback from S!ghs on discord community
 
 ## 1.1.1 - Based on CIS v1.0.0
 
@@ -130,7 +207,7 @@
 ## 1.0.10
 
 - [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72)
-  - Only run check when paybook user not a superuser
+  - Only run check when playbook user not a superuser
 - fix for 5.5.3 thanks to @nrg-fv
 
 ## 1.0.9
@@ -202,7 +279,7 @@ Jan-2023 release
 
 - updated ansible minimum to 2.10
 - Lint file updates and improvements
-- auditd now shows diff ater initial template added
+- auditd now shows diff after initial template added
 - many control rewritten
 - Many controls moved ID references
 - Audit updates aligned
@@ -227,7 +304,7 @@ Jan-2023 release
 - #209 5.6.5 rewrite umask settings
 - #220 tidy up and align variables
 - #226 Thanks to Thulium-Drake
-  -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required fopr auditd to run correctly in some cases)
+  -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required for auditd to run correctly in some cases)
 
 - #227 thanks to OscarElits
   - chrony files now RH expected locations
@@ -267,9 +344,9 @@ Jan-2023 release
 - not all controls work with rhel8 releases any longer
   - selinux disabled 1.6.1.4
   - logrotate - 4.3.x
-- updated to rhel8cis v2.0 benchamrk requirements
+- updated to rhel8cis v2.0 benchmark requirements
 - removed iptables firewall controls (not valid on rhel9)
-- added more to logrotate 4.3.x - sure to logrotate now a seperate package
+- added more to logrotate 4.3.x - sure to logrotate now a separate package
 - grub path now standard to /boot/grub2/grub.cfg
 - 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer
 - workflow update
@@ -288,7 +365,7 @@ args:
 ```
 
 - update boolean values to true/false
-- 3.4.2 improved checks for p[ackage presence
+- 3.4.2 improved checks for package presence
 - changed to assert for OS/release and ansible version
 
 ## Initial

README.md

@@ -19,7 +19,6 @@
 
 ## Lint & Pre-Commit Tools 🔧
 
-[![Pre-Commit.ci](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/RHEL9-CIS/pre-commit-ci.json)](https://results.pre-commit.ci/latest/github/ansible-lockdown/RHEL9-CIS/devel)
 ![YamlLint](https://img.shields.io/badge/yamllint-Present-brightgreen?style=flat&logo=yaml&logoColor=white)
 ![Ansible-Lint](https://img.shields.io/badge/ansible--lint-Present-brightgreen?style=flat&logo=ansible&logoColor=white)
 
@@ -49,7 +48,6 @@
 ![Private Benchmark Version](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/benchmark-version.json)
 
 [![Private Remediate Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/remediate.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation.yml)
-[![Private GPO Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/gpo.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation_gpo.yml)
 
 ![Private Pull Requests](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/prs.json)
 ![Private Closed Issues](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/issues-closed.json)
@@ -58,9 +56,9 @@
 
 ## Looking for support? 🤝
 
-[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RHEL9-CIS)
+[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9-CIS)
 
-[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RHEL9-CIS)
+[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9-CIS)
 
 ### Community 💬
 
@@ -86,10 +84,10 @@ This role **will make changes to the system** which may have unintended conseque
 
 ## Coming From A Previous Release ⏪
 
-CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release.
+CIS release always contains changes, it is highly recommended to review the new references and available variables. These have changed significantly since ansible-lockdown initial release.
 This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly.
 
-Further details can be seen in the [Changelog](./ChangeLog.md)
+Further details can be seen in the [Changelog](./Changelog.md)
 
 ---
 
@@ -103,7 +101,7 @@ This is managed using tags:
 - level2-server
 - level2-workstation
 
-The control found in defaults main also need to reflect this as this control the testing that takes place if you are using the audit component.
+The controls found in defaults/main.yml also need to reflect this, as they control the testing that takes place if you are using the audit component.
 
 ---
 ## Requirements ✅
@@ -130,6 +128,9 @@ RHEL Family OS 9
 - python-def
 - libselinux-python
 
+If you are using the option to create your own bootloader hash the ansible controller
+-  passlib
+
 ---
 
 ## Auditing 🔍

defaults/main.yml

@@ -1,5 +1,6 @@
 ---
-# defaults file for rhel9-cis
+
+# defaults file for RHEL9-CIS
 # WARNING:
 # These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here:
 # https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
@@ -63,7 +64,7 @@ benchmark: RHEL9-CIS
 # System will reboot if false, can give better audit results
 skip_reboot: true
 
-# default value will change to true but wont reboot if not enabled but will error
+# default value will change to true but won't reboot if not enabled but will error
 change_requires_reboot: false
 
 ###
@@ -93,17 +94,11 @@ audit_max_concurrent: 50
 
 ## Only run Audit do not remediate
 audit_only: false
-### As part of audit_only ###
-# Path to copy the files to will create dir structure in audit_only mode
-audit_capture_files_dir: /some/location to copy to on control node
 #############################
 
-## How to retrieve audit binary(Goss)
+# How to retrieve audit binary
-# Options are 'copy' or 'download' - detailed settings at the bottom of this file
+# Options are copy or download - detailed settings at the bottom of this file
-# - if 'copy':
+# you will need access to either github or the file already downloaded
-#    - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss
-# - if 'download':
-#    - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars
 get_audit_binary_method: download
 
 ## if get_audit_binary_method - copy the following needs to be updated for your environment
@@ -257,9 +252,8 @@ rhel9cis_rule_1_8_8: true
 rhel9cis_rule_1_8_9: true
 rhel9cis_rule_1_8_10: true
 
-## Section 2 Fixes
 # Section 2 rules are controlling Services (Special Purpose Services, and service clients)
-# Configure Server Services
+## Configure Server Services
 rhel9cis_rule_2_1_1: true
 rhel9cis_rule_2_1_2: true
 rhel9cis_rule_2_1_3: true
@@ -400,7 +394,6 @@ rhel9cis_rule_5_3_3_2_4: true
 rhel9cis_rule_5_3_3_2_5: true
 rhel9cis_rule_5_3_3_2_6: true
 rhel9cis_rule_5_3_3_2_7: true
-rhel9cis_rule_5_3_3_2_8: true
 # 5.3.3.3 Configure pam_pwhistory module
 # These are added as part of 5.3.2.4 using jinja2 template
 rhel9cis_rule_5_3_3_3_1: true
@@ -539,7 +532,7 @@ rhel9cis_rule_7_2_9: true
 
 ## Ability to enable debug on mounts to assist in troubleshooting
 # Mount point changes are set based upon facts created in Prelim
-# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
+# these then build the variable and options that are passed to the handler to set the mount point for the controls in section1.
 rhel9cis_debug_mount_data: false
 
 ## Control 1.1.2
@@ -583,14 +576,33 @@ rhel9cis_selinux_pol: targeted
 rhel9cis_selinux_enforce: enforcing
 
 ## Control 1.4.1
-# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value
+# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
-# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
+rhel9cis_set_boot_pass: false
-# this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
+
+################### bootloader password ############################################################
+#
+# Two options for setting the bootloader password
+#
+# Option 1: Set the bootloader password and salt – requires the passlib Python module
+# to be available on the Ansible controller.
+# Set this value to something secure to have predictable hashes,
+# which will prevent unnecessary changes.
+
+rhel9cis_bootloader_salt: ''
+
+# This variable stores the GRUB bootloader password to be written
+# to the '/boot/grub2/user.cfg' file. The default value must be changed.
+
+rhel9cis_bootloader_password: 'password'  # pragma: allowlist secret
+
+# Option 2: Set the bootloader password hash – if the salt value is empty,
+# the password will be set using the variable below.
+# If you are not using the bootloader hash filter, you can set it here
+# in encrypted format, e.g. grub.pbkdf2.sha512.hashstring
+
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
 
-## Control 1.4.1
+######################################################################################################
-# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
-rhel9cis_set_boot_pass: true
 
 ## Controls 1.6.x and Controls 5.1.x
 # This variable governs if current Ansible role should manage system-wide crypto policy.
@@ -902,8 +914,8 @@ rhel9cis_sshd_clientalivecountmax: 3
 # keep the connection alive and prevent it being terminated due to inactivity.
 rhel9cis_sshd_clientaliveinterval: 15
 
-## Control 5.1.10 - Ensure sshd DisableForwarding is enabled
+## Control 5.1.12 - disable forwarding
-# By Default this will also disablex11 forwarding
+# By Default this will also disable X11 forwarding
 # set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf
 # This variable's value is used in the `/etc/ssh/ssh_config.d/50-redhat.conf` file to
 # disable X11Forwarding. If X11 is required, set this variable's value to `yes`!
@@ -947,14 +959,7 @@ rhel9cis_ssh_maxsessions: 4
 # This variable defines the path and file name of the sudo log file.
 rhel9cis_sudolog_location: "/var/log/sudo.log"
 
-## Control 5.2.4 - Ensure users must provide password for escalation
+## Control 5.2.x - Ensure sudo authentication timeout is configured correctly
-# The following variable specifies a list of users that should not be required to provide a password
-# for escalation. Feel free to edit it according to your needs.
-rhel9cis_sudoers_exclude_nopasswd_list:
-  - ec2-user
-  - vagrant
-
-## Control 5.2.6 - Ensure sudo authentication timeout is configured correctly
 # This variable sets the duration (in minutes) during which a user's authentication credentials
 # are cached after successfully authenticating using "sudo". This allows the user to execute
 # multiple commands with elevated privileges without needing to re-enter their password for each
@@ -994,19 +999,38 @@ rhel9cis_authselect_default_profile_to_copy: "sssd --symlink-meta"
 ## Control 5.3.3.1.1 -
 # This variable sets the amount of tries a password can be entered, before a user is locked.
 rhel9cis_pam_faillock_deny: 5
-## Control 5.3.3.2, 5.3.2.2
+
+# - 5.3.3.1.2
 # This variable sets the amount of time a user will be unlocked after the max amount of
 # password failures.
 rhel9cis_pam_faillock_unlock_time: 900
 
-## Control 5.3.3.1.3 - Ensure password failed attempts lockout includes root account
+#####################################################################################################################
-# This variable is used in the task that ensures that even the root account
+# 5.3.3.1.3 | Ensure pam_faillock is configured - root account lockout behavior
-# is included in the password failed attempts lockout measure.
+#
-# The following variable is used in the 'regexp' field. This field is used to find the
+# Controls how root is handled when the failed login threshold is reached.
-# line in the file. If the line matches the regular expression, it will be replaced
+#################### Two mutually exclusive options #################################################################
-# with the line parameter's value.
+#
+#   -> even_deny_root          : Lock root just like any other account
+#   -> root_unlock_time = <n>  : Lock root but auto-unlock after <n> seconds
+#
+# Note: The default value is set to 'even_deny_root' to align with the CIS Benchmark recommendation of locking root
+# identically to regular users when the failed login threshold is reached. If you prefer to have root auto-unlock
+# after a specified time, set 'rhel9cis_pamroot_lock_option' to "root_unlock_time = {{ rhel9cis_root_unlock_time }}"
+# and adjust 'rhel9cis_root_unlock_time' as needed.
+#
+# Set ONE of the following:
+#
+# Option 1: root is locked identically to regular users when the failed login threshold is reached
 rhel9cis_pamroot_lock_option: even_deny_root
 
+# Option 2: root is locked but auto-unlocks after the specified seconds.
+# Seconds before root is automatically unlocked (only used when rhel9cis_pamroot_lock_option includes root_unlock_time)
+rhel9cis_root_unlock_time: 60
+# rhel9cis_pamroot_lock_option: "root_unlock_time = {{ rhel9cis_root_unlock_time }}"
+#
+########################################################################################################################
+
 ## Control 5.3.3.2.1 - Ensure password number of changed characters is configured
 # This variable holds the path to the configuration file that will be created (or overwritten if already existing)
 # in order to implement the 'Ensure password number of changed characters is configured' control.
@@ -1079,14 +1103,9 @@ rhel9cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.con
 # When set to '0', dictionary checks are disabled. CIS states that it shall always be set to '1'.
 rhel9cis_passwd_dictcheck_value: 1
 
-# This variable is used in one of the config files to ensure password quality checking is enforced
+# 5.3.3.2.7 - Ensure password quality is enforced for the root user
+rhel9cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf  # pragma: allowlist secret
 rhel9cis_passwd_quality_enforce_value: 1
-
-## Control 5.3.3.2.7 - Ensure password quality is enforced for the root user
-# This variable holds the path to the configuration file that will be created (or overwritten if already existing)
-# in order to implement the 'Ensure password quality is enforced for the root user' control.
-rhel9cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf  # pragma: allowlist secret
-# The following variable enforces that the root user must adhere to the same password quality policies as other users.
 rhel9cis_passwd_quality_enforce_root_value: enforce_for_root  # pragma: allowlist secret
 
 ## Control 5.3.3.3.1 - Ensure password history remember is configured
@@ -1126,21 +1145,21 @@ rhel9cis_inactivelock:
   # CIS requires a value of 30 days or less.
   lock_days: 30
 
-## Control 5.4.1.6 - Ensure all users last password change date is in the past
+## Control 5.4.1.x - Ensure all users last password change date is in the past
 # Allow ansible to expire password for account with a last changed date in the future. Setting it
 # to 'false' will just display users in violation, while 'true' will expire those users passwords.
 rhel9cis_futurepwchgdate_autofix: true
 
-## Control 5.4.2.6 - Ensure root user umask is configured
+# 5.4.2.x
-# The following variable specifies the "umask" to configure for the root user.
+
-# The user file-creation mode mask ( umask ) is used to determine the file
+## 5.4.2.5 Root user used
-# permission for newly created directories and files. In Linux, the default
+# Root by default is not used unless setup by user
-# permissions for any newly created directory is 0777 ( rwxrwxrwx ), and for
+# The role will only run certain commands if set to true
-# any newly created file it is 0666 ( rw-rw-rw- ). The umask modifies the default
+# This allows the ability to skip tasks that may cause an issue
-# Linux permissions by restricting (masking) these permissions. The umask is not
+# With the understanding root has full access
-# simply subtracted, but is processed bitwise. Bits set in the umask are cleared
+rhel9cis_uses_root: false
-# in the resulting file mode. CIS recommends setting 'umask' to '0027' or more
+
-# restrictive.
+## 5.4.2.6 - Ensure root home directory permissions are 750 or more restrictive
 rhel9cis_root_umask: '0027'  # 0027 or more restrictive
 
 ## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin
@@ -1157,7 +1176,7 @@ rhel9cis_shell_session_timeout: 900
 # This variable specifies the path of the timeout setting file.
 # (TMOUT setting can be set in multiple files, but only one is required for the
 # rule to pass. Options are:
-# - a file in `/etc/profile.d/` ending in `.s`,
+# - a file in `/etc/profile.d/` ending in `.sh`,
 # - `/etc/profile`, or
 # - `/etc/bash.bashrc`.
 rhel9cis_shell_session_file: /etc/profile.d/tmout.sh
@@ -1185,9 +1204,8 @@ rhel9cis_aide_db_file_age: 1w
 # If AIDE is already setup this variable forces a new database
 # file to be created.
 rhel9cis_aide_db_recreate: false
-# This variable is used to check if there is already an existing database file
+
-# created by AIDE on the target system. If it is not present, the role will generate
+# allows changing the db file; note the config needs to be adjusted too
-# a database file with the same name as the value of this variable.
 rhel9cis_aide_db_file: /var/lib/aide/aide.db.gz
 
 ## Control 6.1.2 - Ensure filesystem integrity is regularly checked
@@ -1217,12 +1235,12 @@ rhel9cis_aide_cron:
   # This variable governs the day of the month when the AIDE cronjob is run.
   # `*` signifies that the job is run on all days; furthermore, specific days
   # can be given in the range `1-31`; several days can be concatenated with a comma.
-  # The specified day(s) can must be in the range  `1-31`.
+  # The specified day(s) must be in the range `1-31`.
   aide_day: '*'
   # This variable governs months when the AIDE cronjob is run.
   # `*` signifies that the job is run in every month; furthermore, specific months
   # can be given in the range `1-12`; several months can be concatenated with commas.
-  # The specified month(s) can must be in the range  `1-12`.
+  # The specified month(s) must be in the range `1-12`.
   aide_month: '*'
   # This variable governs the weekdays, when the AIDE cronjob is run.
   # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
@@ -1262,7 +1280,7 @@ rhel9cis_journald_runtimekeepfree: 100G
 # Current variable governs the settings for log retention(how long the log files will be kept).
 # Thus, it specifies the maximum time to store entries in a single journal
 # file before rotating to the next one. Set to 0 to turn off this feature.
-# The given values is interpreted as seconds, unless suffixed with the units
+# The given value is interpreted as seconds, unless suffixed with the units
 # `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
 # Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
 # ATTENTION: Uncomment the keyword below when values are set!

filter_plugins/grub_hash.py

@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# Copyright (c) 2025, Jeffrey van Pelt <jeff@vanpelt.one>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: grub_hash
+short_description: Generate a GRUB2 password hash
+version_added: 1.0.0
+author: Jeffrey van Pelt (@Thulium-Drake)
+description:
+  - Generate a GRUB2 password hash from the input
+options:
+  _input:
+    description: The desired password for the GRUB bootloader
+    type: string
+    required: true
+  salt:
+    description: The salt used to generate the hash
+    type: string
+    required: false
+  rounds:
+    description: The amount of rounds to run the PBKDF2 function
+    type: int
+    required: false
+"""
+
+EXAMPLES = r"""
+- name: 'Generate hash with defaults'
+  ansible.builtin.debug:
+    msg: "{{ 'mango123!' | grub_hash }}"
+
+- name: 'Generate hash with custom rounds and salt'
+  ansible.builtin.debug:
+    msg: "{{ 'mango123!' | grub_hash(rounds=10001, salt='andpepper') }}"
+    # Produces: grub.pbkdf2.sha512.10001.616E64706570706572.4C6AEA2A811B4059D4F47AEA36B77DB185B41E9F08ECC3C4C694427DB876C21B24E6CBA0319053E4F1431CDEE83076398C73B9AA8F50A7355E446229BC69A97C
+"""
+
+RETURN = r"""
+_value:
+  description: A GRUB2 password hash
+  type: string
+"""
+
+from ansible.errors import AnsibleFilterError
+import os
+import base64
+from passlib.hash import grub_pbkdf2_sha512
+
+def grub_hash(password, rounds=10000, salt=None):
+    if salt is None:
+        # Generate 64-byte salt if not provided
+        salt = os.urandom(64)
+
+    # Check if the salt, when not generated, is a valid bytes value and attempt to convert if needed
+    if not isinstance(salt, bytes):
+        try:
+            salt = salt.encode("utf-8")
+        except AttributeError:
+            raise TypeError("Salt must be a string, not int.")
+
+    # Configure hash generator
+    pbkdf2_generator = grub_pbkdf2_sha512.using(rounds=rounds, salt=salt)
+    return pbkdf2_generator.hash(password)
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'grub_hash': grub_hash
+        }

handlers/main.yml

@@ -150,7 +150,7 @@
   ansible.posix.mount:
     path: "{{ mount_point }}"
     state: remounted
-  notify: Change_requires_reboot
+  notify: Set reboot required
   listen: "Remount /boot/efi"
 
 - name: Reload sysctl
@@ -194,7 +194,7 @@
   ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
   changed_when: true
   notify:
-    - Change_requires_reboot
+    - Set reboot required
     - Restart sshd
 
 - name: Restart firewalld
@@ -255,7 +255,7 @@
   when: discovered_auditd_immutable_check.stdout == '1'
   ansible.builtin.debug:
     msg: "Reboot required for auditd to apply new rules as immutable set"
-  notify: Change_requires_reboot
+  notify: Set reboot required
 
 - name: Stop auditd process
   ansible.builtin.command: systemctl kill auditd
@@ -268,6 +268,6 @@
     state: started
   listen: Restart auditd
 
-- name: Change_requires_reboot
+- name: Set reboot required
   ansible.builtin.set_fact:
     change_requires_reboot: true

meta/main.yml

@@ -1,11 +1,11 @@
 ---
 galaxy_info:
-  author: "MindPoint Group"
+  author: "Ansible-Lockdown"
   description: "Apply the RHEL 9 CIS"
-  company: "MindPoint Group"
+  company: "MindPoint Group - A Tyto Athene Company"
   license: MIT
   role_name: rhel9_cis
-  namespace: mindpointgroup
+  namespace: ansible-lockdown
   min_ansible_version: 2.10.1
   platforms:
     - name: EL

molecule/default/converge.yml

@@ -10,7 +10,6 @@
       system_is_container: true
       rhel9cis_selinux_disable: true
       rhel9cis_rule_5_2_4: false
-      rhel9cis_rule_1_1_10: false
       rhel9cis_firewall: "none"
       rhel9cis_rule_4_1_1_1: false
       rhel9cis_rule_4_1_1_2: false

molecule/wsl/converge.yml

@@ -8,16 +8,15 @@
   vars:
       ansible_user: "{{ lookup('env', 'USER') }}"
       system_is_container: true
-      rhel8cis_selinux_disable: true
+      rhel9cis_selinux_disable: true
       role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
-      rhel8cis_rule_5_3_4: false
+      rhel9cis_rule_5_3_4: false
-      rhel8cis_rule_1_1_10: false
+      rhel9cis_rsyslog_ansiblemanaged: false
-      rhel8cis_rsyslog_ansiblemanaged: false
+      rhel9cis_rule_3_4_1_3: false
-      rhel8cis_rule_3_4_1_3: false
+      rhel9cis_rule_3_4_1_4: false
-      rhel8cis_rule_3_4_1_4: false
+      rhel9cis_rule_4_2_1_2: false
-      rhel8cis_rule_4_2_1_2: false
+      rhel9cis_rule_4_2_1_4: false
-      rhel8cis_rule_4_2_1_4: false
+      rhel9cis_rule_5_1_1: false
-      rhel8cis_rule_5_1_1: false
 
   pre_tasks:
   tasks:

site.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Apply ansible-lockdown hardening
-  hosts: all
+  hosts: "{{ hosts | default('all') }}"
   become: true
   roles:
     - role: "{{ playbook_dir }}"

tasks/LE_audit_setup.yml

@@ -1,4 +1,5 @@
 ---
+
 - name: Pre Audit Setup | Set audit package name
   block:
     - name: Pre Audit Setup | Set audit package name | 64bit

tasks/main.yml

@@ -17,9 +17,7 @@
     success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
 
 - name: "Setup rules if container"
-  when:
+  when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
-    - ansible_connection == 'docker' or
-      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
     - container_discovery
     - always
@@ -43,18 +41,18 @@
     fail_msg: "Crypto policy is not a permitted version"
     success_msg: "Crypto policy is a permitted version"
 
-- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
+- name: "Check rhel9cis_bootloader_password variable has been changed"
   when:
     - rhel9cis_set_boot_pass
     - rhel9cis_rule_1_4_1
   tags: always
   ansible.builtin.assert:
-    that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
+    that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret
-    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
+    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly"
 
 - name: "Check crypto-policy module input"
   when:
-    - rhel9cis_rule_1_6_1
+    - rhel9cis_crypto_policy_ansiblemanaged
     - rhel9cis_crypto_policy_module | length > 0
   tags:
     - rule_1.6.1
@@ -99,7 +97,7 @@
               or
                 (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
               )
-            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
+            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or the user is not included in the exception list for rule 5.2.4 - It can break access"
             success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
 
         - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
@@ -120,8 +118,8 @@
     - name: "Check authselect profile is selected | Check current profile"
       ansible.builtin.command: authselect list
       changed_when: false
-      failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
+      failed_when: prelim_authselect_profile_list.rc not in [ 0, 1 ]
-      register: prelim_authselect_current_profile
+      register: prelim_authselect_profile_list
 
 - name: "Ensure root password is set"
   when: rhel9cis_rule_5_4_2_4
@@ -156,9 +154,7 @@
     file: "{{ ansible_facts.distribution }}.yml"
 
 - name: "Include preliminary steps"
-  tags:
+  tags: prelim_tasks
-    - prelim_tasks
-    - always
   ansible.builtin.import_tasks:
     file: prelim.yml
 

tasks/post.yml

@@ -28,8 +28,7 @@
 
 - name: POST | reboot system if changes require it and not skipped
   when: change_requires_reboot
-  tags:
+  tags: always
-    - always
   vars:
     warn_control_id: Reboot_required
   block:

tasks/prelim.yml

@@ -1,10 +1,12 @@
 ---
 
-# Preliminary tasks that should always be run
+# Preliminary tasks that should always run
-# List users in order to look files inside each home directory
+# List users in order to look up files inside each home directory
 
 - name: "PRELIM | Include audit specific variables"
-  when: run_audit or audit_only or setup_audit
+  when:
+    - run_audit or audit_only
+    - setup_audit
   tags:
     - setup_audit
     - run_audit
@@ -12,7 +14,8 @@
     file: audit.yml
 
 - name: "PRELIM | Include pre-remediation audit tasks"
-  when: run_audit or audit_only or setup_audit
+  when:
+    - run_audit or audit_only
   tags: run_audit
   ansible.builtin.import_tasks: pre_remediation_audit.yml
 
@@ -92,6 +95,11 @@
     - rhel9cis_rule_1_2_1_1
     - ansible_facts.distribution != 'RedHat'
     - ansible_facts.distribution != 'OracleLinux'
+  tags:
+    - level1-server
+    - level1-workstation
+    - rule_1.2.1.1
+    - gpg
   ansible.builtin.package:
     name: "{{ gpg_key_package }}"
     state: latest
@@ -206,14 +214,15 @@
   block:
     - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
       ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
-      register: discover_wireless_adapters
+      register: prelim_wireless_adapters
       changed_when: false
       check_mode: false
-      failed_when: discover_wireless_adapters.rc not in [ 0, 1 ]
+      failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ]
 
     - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present"
       when:
-        - discover_wireless_adapters.rc == 0
+        - rhel9cis_install_network_manager
+        - prelim_wireless_adapters.rc == 0
         - "'NetworkManager' not in ansible_facts.packages"
       ansible.builtin.package:
         name: NetworkManager
@@ -277,8 +286,7 @@
 - name: "PRELIM | PATCH | Create journald config directory"
   when:
     - rhel9cis_syslog == 'journald'
-    - rhel9cis_rule_6_2_1_3 or
+    - rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4
-      rhel9cis_rule_6_2_1_4
   tags: always
   ansible.builtin.file:
     path: /etc/systemd/journald.conf.d

tasks/section_1/cis_1.1.1.x.yml

@@ -27,8 +27,7 @@
         mode: 'go-rwx'
 
     - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
-      when:
+      when: not system_is_container
-        - not system_is_container
       community.general.modprobe:
         name: cramfs
         state: absent

tasks/section_1/cis_1.1.2.3.x.yml

@@ -1,4 +1,5 @@
 ---
+
 - name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
   when:
     - rhel9cis_rule_1_1_2_3_1

tasks/section_1/cis_1.2.2.x.yml

@@ -13,4 +13,4 @@
   ansible.builtin.package:
     name: "*"
     state: latest
-  notify: Change_requires_reboot
+  notify: Set reboot required

tasks/section_1/cis_1.4.x.yml

@@ -13,7 +13,7 @@
     - NIST800-53R5_AC-3
   ansible.builtin.copy:
     dest: /boot/grub2/user.cfg
-    content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}"  # noqa template-instead-of-copy
+    content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
     owner: root
     group: root
     mode: 'go-rwx'

tasks/section_3/cis_3.1.x.yml

@@ -38,12 +38,13 @@
       when:
         - "'kernel' in rhel9cis_ipv6_disable_method"
         - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
-      ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"
+      ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1"
+      changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0
 
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
   when:
     - rhel9cis_rule_3_1_2
-    - discover_wireless_adapters.rc == 0
+    - prelim_wireless_adapters.rc == 0
   tags:
     - level1-server
     - patch

tasks/section_5/cis_5.1.x.yml

@@ -411,6 +411,8 @@
     path: "{{ rhel9cis_sshd_config_file }}"
     regexp: '^(#)?MaxAuthTries \d'
     line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
+    insertbefore: "^Match"
+    firstmatch: true
     validate: sshd -t -f %s
   notify: Restart sshd
 

tasks/section_5/cis_5.3.2.x.yml

@@ -14,7 +14,7 @@
     - rule_5.3.2.1
   block:
     - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
-      when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout
+      when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_profile_list.stdout
       ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
       changed_when: false
       args:

tasks/section_5/cis_5.3.3.2.x.yml

@@ -340,7 +340,7 @@
         - system
       notify: Authselect update
 
-- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
+- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced"
   when: rhel9cis_rule_5_3_3_2_7
   tags:
     - level1-server
@@ -350,8 +350,8 @@
     - NIST800-53R5_IA-5
     - pam
   ansible.builtin.template:
-    src: "{{ rhel9cis_passwd_quality_enforce_root_file }}.j2"
+    src: "{{ rhel9cis_passwd_quality_enforce_file }}.j2"
-    dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}"
+    dest: "/{{ rhel9cis_passwd_quality_enforce_file }}"
     owner: root
     group: root
     mode: 'o-rwx'

tasks/section_5/main.yml

@@ -10,14 +10,12 @@
     file: cis_5.1.x.yml
 
 - name: "SECTION | 5.2 | Configure privilege escalation"
-  when:
+  when: rhel9cis_section5_2
-    - rhel9cis_section5_2
   ansible.builtin.import_tasks:
     file: cis_5.2.x.yml
 
 - name: "SECTION | 5.3"
-  when:
+  when: rhel9cis_section5_3
-    - rhel9cis_section5_3
   block:
     - name: "SECTION | 5.3.1.x | Configure PAM software packages"
       ansible.builtin.import_tasks:
@@ -44,8 +42,7 @@
         file: cis_5.3.3.4.x.yml
 
 - name: "SECTION | 5.4"
-  when:
+  when: rhel9cis_section5_4
-    - rhel9cis_section5_4
   block:
     - name: "SECTION | 5.4.1.x | Configure shadow password suite parameters"
       ansible.builtin.import_tasks:

tasks/section_6/cis_6.2.3.x.yml

@@ -195,7 +195,7 @@
   register: discovered_rsyslog_remote_host
   notify: Restart rsyslog
 
-- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
+- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client"
   when: rhel9cis_rule_6_2_3_7
   tags:
     - level1-server
@@ -208,7 +208,7 @@
     - NIST800-53R5_AU-12
     - NIST800-53R5_CM-6
   block:
-    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host"
+    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host"
       when: not rhel9cis_system_is_log_server
       ansible.builtin.replace:
         path: /etc/rsyslog.conf
@@ -221,7 +221,7 @@
         - '^(module\(load="imtcp"\))'
         - '^(input\(type="imtcp")'
 
-    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host"
+    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host"
       when: rhel9cis_system_is_log_server
       ansible.builtin.replace:
         path: /etc/rsyslog.conf

tasks/section_7/cis_7.1.x.yml

@@ -58,7 +58,7 @@
     - level1-server
     - level1-workstation
     - patch
-    - permissionss
+    - permissions
     - rule_7.1.4
     - NIST800-53R5_AC-3
     - NIST800-53R5_MP-2
@@ -254,7 +254,7 @@
       ansible.builtin.file:
         path: "{{ item }}"
         owner: "{{ rhel9cis_unowned_owner }}"
-        group: "{{ rhel9cis_unowned_group }}"
+        group: "{{ rhel9cis_ungrouped_group }}"
       with_items:
         - "{{ discovered_unowned_files_flatten }}"
 

templates/ansible_vars_goss.yml.j2

@@ -1,7 +1,7 @@
 ---
 
 
-# Enable logrunning potential resource intensive tests
+# Enable long running potential resource intensive tests
 run_heavy_tests: {{ audit_run_heavy_tests }}
 
 # Extend default command timeout for longer running tests
@@ -206,7 +206,6 @@ rhel9cis_rule_2_4_2_1: {{ rhel9cis_rule_2_4_2_1 }}
 rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
 rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
 rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }}
-rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }}
 
 ## Network Kernel Modules
 rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
@@ -293,7 +292,6 @@ rhel9cis_rule_5_3_3_2_4: {{ rhel9cis_rule_5_3_3_2_4 }}
 rhel9cis_rule_5_3_3_2_5: {{ rhel9cis_rule_5_3_3_2_5 }}
 rhel9cis_rule_5_3_3_2_6: {{ rhel9cis_rule_5_3_3_2_6 }}
 rhel9cis_rule_5_3_3_2_7: {{ rhel9cis_rule_5_3_3_2_7 }}
-rhel9cis_rule_5_3_3_2_8: {{ rhel9cis_rule_5_3_3_2_8 }}
 # 5.3.3.3 Configure pam_pwhistory module
 # This are added as part of 5.3.2.4 using jinja2 template
 rhel9cis_rule_5_3_3_3_1: {{ rhel9cis_rule_5_3_3_3_1 }}
@@ -532,6 +530,8 @@ rhel9cis_bluetooth_mask: {{ rhel9cis_bluetooth_mask }}
 ## 3.1 IPv6 requirement toggle
 # This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
+# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
+rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }}
 
 # 3.3 System network parameters (host only OR host and router)
 # This variable governs whether specific CIS rules

templates/audit/98_auditd_exception.rules.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 
 # This file contains users whose actions are not logged by auditd

templates/audit/99_auditd.rules.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually

templates/etc/aide.conf.d/crypt_audit_procs.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # Audit Tools
 /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512

templates/etc/ansible/compliance_facts.j2

@@ -1,6 +1,4 @@
-# CIS Hardening Carried out
+{{ file_managed_by_ansible }}
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 
 [lockdown_details]
 # Benchmark release

templates/etc/chrony.conf.j2

@@ -1,4 +1,4 @@
-{{ ansible_managed | comment }}
+{{ file_managed_by_ansible }}
 
 # Use public servers from the pool.ntp.org project.
 # Please consider joining the pool (http://www.pool.ntp.org/join.html).
@@ -11,17 +11,19 @@ driftfile /var/lib/chrony/drift
 
 # Allow the system clock to be stepped in the first three updates
 # if its offset is larger than 1 second.
-makestep 1.0 3
+makestep {{ rhel9cis_chrony_server_makestep }}
 
+{% if rhel9cis_chrony_server_rtcsync %}
 # Enable kernel synchronization of the real-time clock (RTC).
 rtcsync
+{% endif %}
 
 # Enable hardware timestamping on all interfaces that support it.
 #hwtimestamp *
 
 # Increase the minimum number of selectable sources required to adjust
 # the system clock.
-#minsources 2
+minsources {{ rhel9cis_chrony_server_minsources }}
 
 # Allow NTP client access from local network.
 #allow 192.168.0.0/16

templates/etc/cron.d/aide.cron.j2

@@ -1,7 +1,5 @@
+{{ file_managed_by_ansible }}
 # Run AIDE integrity check
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
 

templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy dropping the SHA1 hash and signature support
 # Carried out as part of CIS Benchmark rule 1.6.3
 

templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable all CBC mode ciphers
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rule 1.6.5

templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable Encrypt then MAC
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rule 1.6.7

templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak ciphers
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4

templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak macs
 # Carried out as part of CIS Benchmark control 5.1.6
 

templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak macs
 # Carried out as part of CIS Benchmark rule 1.6.4
 

templates/etc/dconf/db/00-automount_lock.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 
 # Lock desktop media-handling automount setting
 /org/gnome/desktop/media-handling/automount

templates/etc/dconf/db/00-autorun_lock.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 
 # Lock desktop media-handling settings
 /org/gnome/desktop/media-handling/autorun-never

templates/etc/dconf/db/00-media-automount.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 
 [org/gnome/desktop/media-handling]
 automount=false

templates/etc/dconf/db/00-media-autorun.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 
 [org/gnome/desktop/media-handling]
 autorun-never=true

templates/etc/dconf/db/00-screensaver.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 
 # Specify the dconf path
 [org/gnome/desktop/session]

templates/etc/dconf/db/00-screensaver_lock.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 
 # Lock desktop screensaver idle-delay setting
 /org/gnome/desktop/session/idle-delay

templates/etc/dconf/db/gdm.d/01-banner-message.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
+{{ file_managed_by_ansible }}
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 
 [org/gnome/login-screen]
 banner-message-enable=true

templates/etc/logrotate.d/rsyslog_log.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 /var/log/rsyslog/*.log {
     {{ rhel9cis_rsyslog_logrotate_rotated_when }}
     rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}

templates/etc/modprobe.d/modprobe.conf.j2

@@ -1,6 +1,4 @@
-# Disable usage of protocol {{ item }}
+{{ file_managed_by_ansible }}
-# Set by ansible {{ benchmark }} remediation role
+## YOUR CHANGES WILL BE LOST!
-# https://github.com/ansible-lockdown
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
 
 install {{ item }} /bin/true

templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.3 Ensure password complexity is configured
 {% if rhel9cis_passwd_complex_option == 'minclass' %}  # pragma: allowlist secret

templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.6 Ensure password dictionary check is enabled
 dictcheck = {{ rhel9cis_passwd_dictcheck_value }}

templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.1 Ensure password number of changed characters is configured
 difok = {{ rhel9cis_passwd_difok_value }}

templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.2 Ensure minimum password length is configured
 minlen = {{ rhel9cis_passwd_minlen_value }}

templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.5 Ensure password maximum sequential characters is configured
 maxsequence = {{ rhel9cis_passwd_maxsequence_value }}

templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.7 Ensure password quality checking is enforced
 enforcing = {{ rhel9cis_passwd_quality_enforce_value }}

templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.4 Ensure password same consecutive characters is configured
 maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }}

templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
-# 5.3.3.2.8 Ensure password quality is enforced for the root user
+# 5.3.3.2.7 Ensure password quality is enforced for the root user
 {{ rhel9cis_passwd_quality_enforce_root_value }}

templates/etc/sysctl.d/60-disable_ipv6.conf.j2

@@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!
 
 # IPv6 disable
 {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}

templates/etc/sysctl.d/60-kernel_sysctl.conf.j2

@@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!
 
 {% if rhel9cis_rule_1_5_1 %}
 # Adress space randomise

templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2

@@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!
 
 # IPv4 Network sysctl
 {% if rhel9cis_rule_3_3_1 %}

templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2

@@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!
 
 # IPv6 Network sysctl
 {% if rhel9cis_ipv6_required %}

templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2

@@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 # CIS rule 6_2_2_2
 [Journal]
 ForwardToSyslog=no

templates/etc/systemd/journald.conf.d/rotation.conf.j2

@@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 # CIS rule 6_2_1_3
 [Journal]
 SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}

templates/etc/systemd/journald.conf.d/storage.conf.j2

@@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 [Journal]
 {% if rhel9cis_rule_6_2_2_3 %}
 # Set compress CIS rule 6_2_2_3

templates/etc/systemd/system/tmp.mount.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 #  SPDX-License-Identifier: LGPL-2.1+
 #
 #  This file is part of systemd.
@@ -7,7 +8,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+## YOUR CHANGED WILL BE LOST!
 
 [Unit]
 Description=Temporary Directory (/tmp)

vars/OracleLinux.yml

@@ -1,4 +1,5 @@
 ---
+
 # OS Specific Settings
 os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
 os_gpg_key_pubkey_content: "Oracle Linux (release key 1) <secalert_us@oracle.com>"

vars/is_container.yml

@@ -2,7 +2,7 @@
 
 # File to skip controls if container
 # Based on standard image no changes
-# it expected all pkgs required for the container are alreday installed
+# it expected all pkgs required for the container are already installed
 
 ## controls
 
@@ -57,7 +57,6 @@ rhel9cis_rule_1_1_6: false
 rhel9cis_rule_1_1_7: false
 rhel9cis_rule_1_1_8: false
 rhel9cis_rule_1_1_9: false
-rhel9cis_rule_1_1_10: false
 # /var/log
 rhel9cis_rule_1_1_11: false
 # /var/log/audit

vars/main.yml

@@ -24,6 +24,8 @@ rhel9cis_allowed_crypto_policies_modules:
   - 'NO-SSHWEAKMAC'
   - 'NO-WEAKMAC'
 
+rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
+
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
@@ -39,7 +41,7 @@ gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
 ## Controls 6.3.3.x - Audit template
 # This variable is set to true by tasks 6.3.3.1 to 6.3.3.20. As a result, the
 # audit settings are overwritten with the role's template. In order to exclude
-# specific rules, you must set the variable of form `ubtu24cis_rule_6_3_3_x` above
+# specific rules, you must set the variable of form `rhel9cis_rule_6_3_3_x` above
 # to `false`.
 update_audit_template: false
 
@@ -74,3 +76,10 @@ audit_bins:
   - /sbin/autrace
   - /sbin/auditd
   - /sbin/augenrules
+
+company_title: 'MindPoint Group - A Tyto Athene Company'
+
+file_managed_by_ansible: |-
+  # File managed by ansible as part of {{ benchmark }} benchmark
+  # As part of Ansible-lockdown
+  # Provided by {{ company_title }}