From dc570e8b53ab24717917da3a9c18b3641f05fe43 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 25 Nov 2025 09:29:56 +0000
Subject: [PATCH 1/5] add fix provided by @kpi-nourman via discord community
Signed-off-by: Mark Bolwell
---
 templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
index 901e9e0..ec42bfc 100644
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@@ -4,4 +4,4 @@
 [org/gnome/login-screen]
 banner-message-enable=true
-banner-message-text="{{ rhel9cis_warning_banner }}"
+banner-message-text="{{ rhel9cis_warning_banner | trim | replace("\n", "\\n") }}"
From 32a3473ddc84e3a55b3c4eccab0bb7f19c750263 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 28 Nov 2025 14:35:20 +0000
Subject: [PATCH 2/5] updated
Signed-off-by: Mark Bolwell
---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a1a002d..a7b9e43 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -42,13 +42,13 @@ repos:
 name: Detect Secrets test
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.27.2
+ rev: v8.29.1
 hooks:
 - id: gitleaks
 name: Run Gitleaks test
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v25.9.0
+ rev: v25.11.0
 hooks:
 - id: ansible-lint
 name: Ansible-lint
From ed784d270b70eba79dab647d8cef5b4a42c62a0d Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 28 Nov 2025 14:44:59 +0000
Subject: [PATCH 3/5] added fix for issues #413 azure locked passwords
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 6c5a3f3..f7508f3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
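Review bot: In templates/etc/dconf/db/gdm.d/01-banner-message.j2 the new filter chain escapes newlines but leaves `"` and `\` in rhel9cis_warning_banner untouched, so a banner containing either would still end or corrupt the double-quoted banner-message-text value. If the dconf database then fails to compile, the GDM login banner this template sets would presumably not be applied. Escaping both before the newline replacement closes that gap: `{{ rhel9cis_warning_banner | trim | replace("\\", "\\\\") | replace('"', '\\"') | replace("\n", "\\n") }}`. A carriage return from a CRLF-edited variable would also pass through unchanged.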
@@ -132,7 +132,7 @@
 - rule_5.4.2.4
 block:
 - name: "Ensure root password is set"
- ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)"
+ ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(\*LOCK\*|Password set|Password locked)"
 changed_when: false
 failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
 register: prelim_root_passwd_set
From add8ebb81927df1c58d6e9b1f40b377f1120dc73 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 28 Nov 2025 14:47:00 +0000
Subject: [PATCH 4/5] udpated
Signed-off-by: Mark Bolwell
---
 Changelog.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/Changelog.md b/Changelog.md
index 9287a24..f4088f3 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,11 @@
 # Changes to rhel9CIS
+
+# Based on CIS v2.0.0
+pre-commit udpates
+public issue #410 thanks to @kpi-nourman
+public issue #413 thanks to @bbaassssiiee
+
 # Based on CIS v2.0.0
 Public issues incorporated
 Workflow updates
From f80c60bb8a2fd12a7044a01d7840ce765e8f484e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 1 Dec 2025 10:41:38 +0000
Subject: [PATCH 5/5] updated with correct fix thanks to @bbaassssiiee
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index f7508f3..4e1e5ae 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -132,7 +132,7 @@
 - rule_5.4.2.4
 block:
 - name: "Ensure root password is set"
- ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(\*LOCK\*|Password set|Password locked)"
+ ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)"
 changed_when: false
 failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
 register: prelim_root_passwd_set
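Review bot: `failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]` in the [PATCH 3/5] hunk of tasks/main.yml only ever sees grep's exit status, so a `passwd -S root` that itself fails feeds grep empty input, ends as rc 1, and is recorded as an ordinary non-match. Capturing the output first keeps the 0/1 meaning for whatever reads the register and lets a real failure surface as rc 2: `out=$(LC_ALL=C passwd -S root) || exit 2; echo "$out" | grep -E "(...)"` with the pattern unchanged. The same line is rewritten again in [PATCH 5/5], where this applies equally. The block starts and continues outside the hunk.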
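Review bot: The `Alternate authentication` alternative added in the [PATCH 5/5] hunk of tasks/main.yml matches what is, as far as I know, passwd's fallback status for any root shadow field it does not recognise, not only the Azure `*LOCK*` value that [PATCH 3/5] targeted. The prelim check for rule_5.4.2.4 would then accept every such entry alongside "Password set" and "Password locked". The task should carry a comment recording why the status is accepted, for example `# "Alternate authentication" covers Azure images whose root shadow field is *LOCK* (issue #413)`, so a later reader does not widen or drop it blindly. How the registered result is consumed lies outside the hunk, so whether a narrower test on the shadow field is warranted cannot be judged from here.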