ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 14:27:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Update .j2 branding

Browse source 
Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
This commit is contained in:
Frederick Witty 2026-02-11 15:39:59 -05:00
parent 71206432be
commit f413385208
No known key found for this signature in database
GPG key ID: 0CFA99C02DE4D8C3
40 changed files with 53 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

1
templates/etc/aide.conf.d/crypt_audit_procs.conf.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# Audit Tools
/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512

4
templates/etc/ansible/compliance_facts.j2
View file

@ -1,6 +1,4 @@
# CIS Hardening Carried out
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
{{ file_managed_by_ansible }}
[lockdown_details]
# Benchmark release

2
templates/etc/chrony.conf.j2
View file

@ -1,4 +1,4 @@
{{ ansible_managed | comment }}
{{ file_managed_by_ansible }}
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).

4
templates/etc/cron.d/aide.cron.j2
View file

@ -1,7 +1,5 @@
{{ file_managed_by_ansible }}
# Run AIDE integrity check
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
### YOUR CHANGES WILL BE LOST!
# CIS 1.3.2

1
templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy dropping the SHA1 hash and signature support
# Carried out as part of CIS Benchmark rule 1.6.3

1
templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable all CBC mode ciphers
# for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark rule 1.6.5

1
templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable Encrypt then MAC
# for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark rule 1.6.7

1
templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable weak ciphers
# for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4

1
templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable weak macs
# Carried out as part of CIS Benchmark control 5.1.6

1
templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable weak macs
# Carried out as part of CIS Benchmark rule 1.6.4

4
templates/etc/dconf/db/00-automount_lock.j2
View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
{{ file_managed_by_ansible }}
# Lock desktop media-handling automount setting
/org/gnome/desktop/media-handling/automount

4
templates/etc/dconf/db/00-autorun_lock.j2
View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
{{ file_managed_by_ansible }}
# Lock desktop media-handling settings
/org/gnome/desktop/media-handling/autorun-never

4
templates/etc/dconf/db/00-media-automount.j2
View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
{{ file_managed_by_ansible }}
[org/gnome/desktop/media-handling]
automount=false

4
templates/etc/dconf/db/00-media-autorun.j2
View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
{{ file_managed_by_ansible }}
[org/gnome/desktop/media-handling]
autorun-never=true

4
templates/etc/dconf/db/00-screensaver.j2
View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
{{ file_managed_by_ansible }}
# Specify the dconf path
[org/gnome/desktop/session]

4
templates/etc/dconf/db/00-screensaver_lock.j2
View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
{{ file_managed_by_ansible }}
# Lock desktop screensaver idle-delay setting
/org/gnome/desktop/session/idle-delay

4
templates/etc/dconf/db/gdm.d/01-banner-message.j2
View file

@ -1,6 +1,4 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
{{ file_managed_by_ansible }}
[org/gnome/login-screen]
banner-message-enable=true

1
templates/etc/logrotate.d/rsyslog_log.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
/var/log/rsyslog/*.log {
{{ rhel9cis_rsyslog_logrotate_rotated_when }}
rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}

6
templates/etc/modprobe.d/modprobe.conf.j2
View file

@ -1,6 +1,4 @@
# Disable usage of protocol {{ item }}
# Set by ansible {{ benchmark }} remediation role
# https://github.com/ansible-lockdown
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
{{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
install {{ item }} /bin/true

1
templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.3 Ensure password complexity is configured
{% if rhel9cis_passwd_complex_option == 'minclass' %} # pragma: allowlist secret

1
templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.6 Ensure password dictionary check is enabled
dictcheck = {{ rhel9cis_passwd_dictcheck_value }}

1
templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.1 Ensure password number of changed characters is configured
difok = {{ rhel9cis_passwd_difok_value }}

1
templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.2 Ensure minimum password length is configured
minlen = {{ rhel9cis_passwd_minlen_value }}

1
templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.5 Ensure password maximum sequential characters is configured
maxsequence = {{ rhel9cis_passwd_maxsequence_value }}

1
templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.7 Ensure password quality checking is enforced
enforcing = {{ rhel9cis_passwd_quality_enforce_value }}

1
templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.4 Ensure password same consecutive characters is configured
maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }}

1
templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations
# 5.3.3.2.7 Ensure password quality is enforced for the root user
{{ rhel9cis_passwd_quality_enforce_root_value }}

3
templates/etc/sysctl.d/60-disable_ipv6.conf.j2
View file

@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
{{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
# IPv6 disable
{% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}

3
templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
View file

@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
{{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
{% if rhel9cis_rule_1_5_1 %}
# Adress space randomise

3
templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2
View file

@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
{{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
# IPv4 Network sysctl
{% if rhel9cis_rule_3_3_1 %}

3
templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
View file

@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
{{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
# IPv6 Network sysctl
{% if rhel9cis_ipv6_required %}

2
templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
View file

@ -1,4 +1,4 @@
# File created for CIS benchmark
{{ file_managed_by_ansible }}
# CIS rule 6_2_2_2
[Journal]
ForwardToSyslog=no

2
templates/etc/systemd/journald.conf.d/rotation.conf.j2
View file

@ -1,4 +1,4 @@
# File created for CIS benchmark
{{ file_managed_by_ansible }}
# CIS rule 6_2_1_3
[Journal]
SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}

2
templates/etc/systemd/journald.conf.d/storage.conf.j2
View file

@ -1,4 +1,4 @@
# File created for CIS benchmark
{{ file_managed_by_ansible }}
[Journal]
{% if rhel9cis_rule_6_2_2_3 %}
# Set compress CIS rule 6_2_2_3

3
templates/etc/systemd/system/tmp.mount.j2
View file

@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# SPDX-License-Identifier: LGPL-2.1+
#
# This file is part of systemd.
@ -7,7 +8,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
## YOUR CHANGED WILL BE LOST!
[Unit]
Description=Temporary Directory (/tmp)