Update .j2 branding

Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
Frederick Witty 2026-02-11 15:39:59 -05:00
parent 71206432be
commit f413385208
No known key found for this signature in database
GPG key ID: 0CFA99C02DE4D8C3
40 changed files with 53 additions and 50 deletions


@ -3,6 +3,7 @@
## 2.0.5 - Based on CIS v2.0.0 ## 2.0.5 - Based on CIS v2.0.0
- QA Fixes - QA Fixes
- .j2 Branding Update
- Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task - Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
- fixed spelling and grammar across defaults/main.yml, Changelog.md, README.md, tasks/main.yml, and vars/main.yml - fixed spelling and grammar across defaults/main.yml, Changelog.md, README.md, tasks/main.yml, and vars/main.yml
- Fixed incorrect product reference in vars/main.yml comment (ubtu24cis -> rhel9cis) - Fixed incorrect product reference in vars/main.yml comment (ubtu24cis -> rhel9cis)


@ -1,11 +1,11 @@
--- ---
galaxy_info: galaxy_info:
author: "MindPoint Group" author: "Ansible-Lockdown"
description: "Apply the RHEL 9 CIS" description: "Apply the RHEL 9 CIS"
company: "MindPoint Group" company: "MindPoint Group - A Tyto Athene Company"
license: MIT license: MIT
role_name: rhel9_cis role_name: rhel9_cis
namespace: mindpointgroup namespace: ansible-lockdown
min_ansible_version: 2.10.1 min_ansible_version: 2.10.1
platforms: platforms:
- name: EL - name: EL
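Review bot: The `namespace:` value changes from `mindpointgroup` to `ansible-lockdown`, which changes the fully qualified role name that consumers install and pin, yet the changelog entry added in this same commit only says `- .j2 Branding Update`. I would add a changelog line such as `- meta/main.yml: Galaxy namespace changed from mindpointgroup to ansible-lockdown` so downstream users update their pins deliberately rather than discovering the change on the next install. It is also worth confirming that the hyphenated value is accepted by the Galaxy import this project publishes through, since namespace naming rules differ between content types.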


@ -1,6 +1,4 @@
## Ansible controlled file {{ file_managed_by_ansible }}
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
### YOUR CHANGES WILL BE LOST! ### YOUR CHANGES WILL BE LOST!
# This file contains users whose actions are not logged by auditd # This file contains users whose actions are not logged by auditd


@ -1,6 +1,4 @@
## Ansible controlled file {{ file_managed_by_ansible }}
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
### YOUR CHANGES WILL BE LOST! ### YOUR CHANGES WILL BE LOST!
# This template will set all of the auditd configurations via a handler in the role in one task instead of individually # This template will set all of the auditd configurations via a handler in the role in one task instead of individually


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# Audit Tools # Audit Tools
/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512


@ -1,6 +1,4 @@
# CIS Hardening Carried out {{ file_managed_by_ansible }}
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
[lockdown_details] [lockdown_details]
# Benchmark release # Benchmark release


@ -1,4 +1,4 @@
{{ ansible_managed | comment }} {{ file_managed_by_ansible }}
# Use public servers from the pool.ntp.org project. # Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html). # Please consider joining the pool (http://www.pool.ntp.org/join.html).
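Review bot: Replacing `{{ ansible_managed | comment }}` on the first line removes the only use of Ansible's built-in `ansible_managed` string visible in this commit, so a site that customises that string in its Ansible configuration will no longer see it in this rendered file. If that is intended, a short changelog mention would help; if not, both headers can coexist as `{{ ansible_managed | comment }}` followed by `{{ file_managed_by_ansible }}`. Note also that the `comment` filter guaranteed a comment prefix on every line, whereas the new variable relies on its own definition carrying the `#` characters.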


@ -1,7 +1,5 @@
{{ file_managed_by_ansible }}
# Run AIDE integrity check # Run AIDE integrity check
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
### YOUR CHANGES WILL BE LOST! ### YOUR CHANGES WILL BE LOST!
# CIS 1.3.2 # CIS 1.3.2


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy dropping the SHA1 hash and signature support # This is a subpolicy dropping the SHA1 hash and signature support
# Carried out as part of CIS Benchmark rule 1.6.3 # Carried out as part of CIS Benchmark rule 1.6.3


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable all CBC mode ciphers # This is a subpolicy to disable all CBC mode ciphers
# for the SSH protocol (libssh and OpenSSH) # for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark rule 1.6.5 # Carried out as part of CIS Benchmark rule 1.6.5


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable Encrypt then MAC # This is a subpolicy to disable Encrypt then MAC
# for the SSH protocol (libssh and OpenSSH) # for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark rule 1.6.7 # Carried out as part of CIS Benchmark rule 1.6.7


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable weak ciphers # This is a subpolicy to disable weak ciphers
# for the SSH protocol (libssh and OpenSSH) # for the SSH protocol (libssh and OpenSSH)
# Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4 # Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable weak macs # This is a subpolicy to disable weak macs
# Carried out as part of CIS Benchmark control 5.1.6 # Carried out as part of CIS Benchmark control 5.1.6


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# This is a subpolicy to disable weak macs # This is a subpolicy to disable weak macs
# Carried out as part of CIS Benchmark rule 1.6.4 # Carried out as part of CIS Benchmark rule 1.6.4


@ -1,6 +1,4 @@
## Ansible controlled file {{ file_managed_by_ansible }}
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
# Lock desktop media-handling automount setting # Lock desktop media-handling automount setting
/org/gnome/desktop/media-handling/automount /org/gnome/desktop/media-handling/automount


@ -1,6 +1,4 @@
## Ansible controlled file {{ file_managed_by_ansible }}
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
# Lock desktop media-handling settings # Lock desktop media-handling settings
/org/gnome/desktop/media-handling/autorun-never /org/gnome/desktop/media-handling/autorun-never


@ -1,6 +1,4 @@
## Ansible controlled file {{ file_managed_by_ansible }}
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
[org/gnome/desktop/media-handling] [org/gnome/desktop/media-handling]
automount=false automount=false


@ -1,6 +1,4 @@
## Ansible controlled file {{ file_managed_by_ansible }}
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
[org/gnome/desktop/media-handling] [org/gnome/desktop/media-handling]
autorun-never=true autorun-never=true


@ -1,6 +1,4 @@
## Ansible controlled file {{ file_managed_by_ansible }}
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
# Specify the dconf path # Specify the dconf path
[org/gnome/desktop/session] [org/gnome/desktop/session]


@ -1,6 +1,4 @@
## Ansible controlled file {{ file_managed_by_ansible }}
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
# Lock desktop screensaver idle-delay setting # Lock desktop screensaver idle-delay setting
/org/gnome/desktop/session/idle-delay /org/gnome/desktop/session/idle-delay


@ -1,6 +1,4 @@
## Ansible controlled file {{ file_managed_by_ansible }}
# Added as part of ansible-lockdown CIS baseline
# provided by {{ company_title }}
[org/gnome/login-screen] [org/gnome/login-screen]
banner-message-enable=true banner-message-enable=true


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
/var/log/rsyslog/*.log { /var/log/rsyslog/*.log {
{{ rhel9cis_rsyslog_logrotate_rotated_when }} {{ rhel9cis_rsyslog_logrotate_rotated_when }}
rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }} rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}


@ -1,6 +1,4 @@
# Disable usage of protocol {{ item }} {{ file_managed_by_ansible }}
# Set by ansible {{ benchmark }} remediation role ## YOUR CHANGES WILL BE LOST!
# https://github.com/ansible-lockdown
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
install {{ item }} /bin/true install {{ item }} /bin/true


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations # CIS Configurations
# 5.3.3.2.3 Ensure password complexity is configured # 5.3.3.2.3 Ensure password complexity is configured
{% if rhel9cis_passwd_complex_option == 'minclass' %} # pragma: allowlist secret {% if rhel9cis_passwd_complex_option == 'minclass' %} # pragma: allowlist secret


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations # CIS Configurations
# 5.3.3.2.6 Ensure password dictionary check is enabled # 5.3.3.2.6 Ensure password dictionary check is enabled
dictcheck = {{ rhel9cis_passwd_dictcheck_value }} dictcheck = {{ rhel9cis_passwd_dictcheck_value }}


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations # CIS Configurations
# 5.3.3.2.1 Ensure password number of changed characters is configured # 5.3.3.2.1 Ensure password number of changed characters is configured
difok = {{ rhel9cis_passwd_difok_value }} difok = {{ rhel9cis_passwd_difok_value }}


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations # CIS Configurations
# 5.3.3.2.2 Ensure minimum password length is configured # 5.3.3.2.2 Ensure minimum password length is configured
minlen = {{ rhel9cis_passwd_minlen_value }} minlen = {{ rhel9cis_passwd_minlen_value }}


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations # CIS Configurations
# 5.3.3.2.5 Ensure password maximum sequential characters is configured # 5.3.3.2.5 Ensure password maximum sequential characters is configured
maxsequence = {{ rhel9cis_passwd_maxsequence_value }} maxsequence = {{ rhel9cis_passwd_maxsequence_value }}


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations # CIS Configurations
# 5.3.3.2.7 Ensure password quality checking is enforced # 5.3.3.2.7 Ensure password quality checking is enforced
enforcing = {{ rhel9cis_passwd_quality_enforce_value }} enforcing = {{ rhel9cis_passwd_quality_enforce_value }}


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations # CIS Configurations
# 5.3.3.2.4 Ensure password same consecutive characters is configured # 5.3.3.2.4 Ensure password same consecutive characters is configured
maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }} maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }}


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# CIS Configurations # CIS Configurations
# 5.3.3.2.7 Ensure password quality is enforced for the root user # 5.3.3.2.7 Ensure password quality is enforced for the root user
{{ rhel9cis_passwd_quality_enforce_root_value }} {{ rhel9cis_passwd_quality_enforce_root_value }}


@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! {{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
# IPv6 disable # IPv6 disable
{% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %} {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}


@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! {{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
{% if rhel9cis_rule_1_5_1 %} {% if rhel9cis_rule_1_5_1 %}
# Adress space randomise # Adress space randomise


@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! {{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
# IPv4 Network sysctl # IPv4 Network sysctl
{% if rhel9cis_rule_3_3_1 %} {% if rhel9cis_rule_3_3_1 %}


@ -1,4 +1,5 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! {{ file_managed_by_ansible }}
## YOUR CHANGES WILL BE LOST!
# IPv6 Network sysctl # IPv6 Network sysctl
{% if rhel9cis_ipv6_required %} {% if rhel9cis_ipv6_required %}


@ -1,4 +1,4 @@
# File created for CIS benchmark {{ file_managed_by_ansible }}
# CIS rule 6_2_2_2 # CIS rule 6_2_2_2
[Journal] [Journal]
ForwardToSyslog=no ForwardToSyslog=no


@ -1,4 +1,4 @@
# File created for CIS benchmark {{ file_managed_by_ansible }}
# CIS rule 6_2_1_3 # CIS rule 6_2_1_3
[Journal] [Journal]
SystemMaxUse={{ rhel9cis_journald_systemmaxuse }} SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}


@ -1,4 +1,4 @@
# File created for CIS benchmark {{ file_managed_by_ansible }}
[Journal] [Journal]
{% if rhel9cis_rule_6_2_2_3 %} {% if rhel9cis_rule_6_2_2_3 %}
# Set compress CIS rule 6_2_2_3 # Set compress CIS rule 6_2_2_3


@ -1,3 +1,4 @@
{{ file_managed_by_ansible }}
# SPDX-License-Identifier: LGPL-2.1+ # SPDX-License-Identifier: LGPL-2.1+
# #
# This file is part of systemd. # This file is part of systemd.
@ -7,7 +8,7 @@
# the Free Software Foundation; either version 2.1 of the License, or # the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version. # (at your option) any later version.
## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! ## YOUR CHANGED WILL BE LOST!
[Unit] [Unit]
Description=Temporary Directory (/tmp) Description=Temporary Directory (/tmp)
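Review bot: The warning line rewritten in the second hunk still reads `## YOUR CHANGED WILL BE LOST!`, while the other templates touched by this commit use `## YOUR CHANGES WILL BE LOST!`; since the line is being edited anyway, the typo should be corrected here. Separately, the first hunk places `{{ file_managed_by_ansible }}` above `# SPDX-License-Identifier: LGPL-2.1+`, which pushes the upstream licence tag off the first line of the rendered unit. Moving the header below the licence block, next to the warning line, would leave the upstream systemd header intact.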


@ -77,4 +77,9 @@ audit_bins:
- /sbin/auditd - /sbin/auditd
- /sbin/augenrules - /sbin/augenrules
company_title: 'Mindpoint Group - A Tyto Athene Company' company_title: 'MindPoint Group - A Tyto Athene Company'
file_managed_by_ansible: |-
# File managed by ansible as part of {{ benchmark }} benchmark
# As part of Ansible-lockdown
# Provided by {{ company_title }}
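Review bot: `file_managed_by_ansible` is now emitted verbatim as the first line of what look like sysctl, modprobe, pwquality, journald and systemd unit templates, but nothing beside the definition states the constraint that makes this safe: every rendered line must begin with `#`. Because the block interpolates `{{ benchmark }}` and `{{ company_title }}`, an override of either with a value containing a newline would place text outside the comment in those security-relevant files. I would add a comment above the key, for example `# Rendered verbatim at the top of managed config files; every line must start with '#', and benchmark/company_title must be single-line values`. The indentation of the three block-scalar lines is not recoverable from this view, so it is worth checking in the file that they are indented under the `|-` key.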