Merge pull request #422 from ansible-lockdown/issue_416_fix

Issue 416 fix
updated name info for tasks related to 3.1.1
2025-12-24 14:23:05 +00:00 · 2025-12-23 11:10:13 -05:00 · 2025-12-23 09:04:42 -05:00 · 2025-12-23 08:42:28 -05:00 · 2025-12-23 09:27:35 +00:00 · 2025-12-22 16:56:24 -05:00
9 changed files with 30 additions and 27 deletions
--- a/.github/workflows/add_repo_issue_to_gh_project.yml
+++ b/.github/workflows/add_repo_issue_to_gh_project.yml
@ -14,4 +14,4 @@ jobs:
      - uses: actions/add-to-project@main
        with:
          project-url: https://github.com/orgs/ansible-lockdown/projects/1
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.ALD_GH_PROJECT }}
--- a/.github/workflows/update_galaxy.yml
+++ b/.github/workflows/update_galaxy.yml
@ -1,19 +0,0 @@
---
-
-    name: update galaxy
-
-    on:
-        push:
-            branches:
-                - main
-    jobs:
-        update_role:
-            runs-on: ubuntu-latest
-            steps:
-                - name: Checkout repo
-                  uses: actions/checkout@v4
-
-                - name: Action Ansible Galaxy Release ${{ github.ref_name }}
-                  uses: ansible-actions/ansible-galaxy-action@main
-                  with:
-                    galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -41,12 +41,12 @@ repos:
  - id: detect-secrets

 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.28.0
+  rev: v8.30.0
  hooks:
  - id: gitleaks

 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.9.2
+  rev: v25.12.2
  hooks:
  - id: ansible-lint
    name: Ansible-lint
--- a/Changelog.md
+++ b/Changelog.md
@ -1,6 +1,5 @@
 # Changes to rhel9CIS

-
 ## 2.0.4 - Based on CIS v2.0.0

 - addressed issue #393 thank you to @fragglexarmy
@ -11,6 +10,9 @@
 - work flow updates
 - audit logic improvements
 - auditd template 2.19 compatible
+- pre-commit updates
+- #410 thanks to @kpi-nourman
+- #413 thanks to @bbaassssiiee

 ## 2.0.3 - Based on CIS v2.0.0
 - addressed issue #387, thank you @fragglexarmy
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -802,6 +802,8 @@ rhel9cis_tftp_client: false
 ## Control 3.1.1 - Ensure IPv6 status is identified
 # This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: true
+# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
+rhel9cis_ipv6_disable_method: "sysctl"

 ## Control 3.1.2 - Ensure wireless interfaces are disabled
 # if wireless adapter found allow network manager to be installed
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -134,7 +134,7 @@
    - rule_5.4.2.4
  block:
    - name: "Ensure root password is set"
-      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)"
+      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)"
      changed_when: false
      failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
      register: prelim_root_passwd_set
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -16,15 +16,30 @@
    - rule_3.1.1
    - NIST800-53R5_CM-7
  block:
-    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
+    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template"
+      when: "'sysctl' in rhel9cis_ipv6_disable_method"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv6_route: true

-    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
+    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info"
+      when: "'sysctl' in rhel9cis_ipv6_disable_method"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"

+    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status"
+      when: "'kernel' in rhel9cis_ipv6_disable_method"
+      ansible.builtin.command: grubby --info=ALL
+      changed_when: false
+      failed_when: false
+      register: discovered_rhel9cis_3_1_1_ipv6_status
+
+    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
+      when:
+        - "'kernel' in rhel9cis_ipv6_disable_method"
+        - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
+      ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"
+
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
  when:
    - rhel9cis_rule_3_1_2
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@ -4,4 +4,4 @@

 [org/gnome/login-screen]
 banner-message-enable=true
-banner-message-text="{{ rhel9cis_warning_banner }}"
+banner-message-text="{{ rhel9cis_warning_banner | trim | replace("\n", "\\n") }}"
--- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
+++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
@ -4,4 +4,7 @@
 {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
+{% for interface in ansible_interfaces %}
+net.ipv6.conf.{{ interface }}.disable_ipv6 = 1
+{% endfor %}
 {% endif %}
Author	SHA1	Message	Date
George Nalen	8c2597e61b	Merge pull request #422 from ansible-lockdown/issue_416_fix Some checks are pending Export Public Repo Badges / export-badges (push) Waiting to run Details Issue 416 fix	2025-12-23 11:10:13 -05:00
George Nalen	29a48f7f4c	updated name info for tasks related to 3.1.1 Signed-off-by: George Nalen <georgen@mindpointgroup.com>	2025-12-23 09:04:42 -05:00
George Nalen	d9927f005b	fixed typo in disable method var Signed-off-by: George Nalen <georgen@mindpointgroup.com>	2025-12-23 08:42:28 -05:00
uk-bolly	f5d7d2294d	Merge pull request #421 from ansible-lockdown/pre-commit-ci-update-config Some checks are pending Export Public Repo Badges / export-badges (push) Waiting to run Details [pre-commit.ci] pre-commit autoupdate	2025-12-23 09:27:35 +00:00
George Nalen	2b7c8293b8	fixed linting issue Signed-off-by: George Nalen <georgen@mindpointgroup.com>	2025-12-22 16:56:24 -05:00
George Nalen	beb3bfdc94	added option for sysctl or kernel for disabling IPv6 Signed-off-by: George Nalen <georgen@mindpointgroup.com>	2025-12-22 16:35:08 -05:00
pre-commit-ci[bot]	96474159ab	[pre-commit.ci] pre-commit autoupdate updates: - [github.com/ansible-community/ansible-lint: v25.12.1 → v25.12.2](https://github.com/ansible-community/ansible-lint/compare/v25.12.1...v25.12.2)	2025-12-22 17:33:38 +00:00
George Nalen	62989d258b	added fix to issue #416 Signed-off-by: George Nalen <gjnalen@gmail.com>	2025-12-19 16:31:37 -05:00
Frederick Witty	53287f31a9	Merge pull request #417 from ansible-lockdown/pre-commit-ci-update-config [pre-commit.ci] pre-commit autoupdate	2025-12-17 14:43:02 -05:00
pre-commit-ci[bot]	322404a692	[pre-commit.ci] pre-commit autoupdate updates: - [github.com/gitleaks/gitleaks: v8.29.1 → v8.30.0](https://github.com/gitleaks/gitleaks/compare/v8.29.1...v8.30.0) - [github.com/ansible-community/ansible-lint: v25.11.0 → v25.12.1](https://github.com/ansible-community/ansible-lint/compare/v25.11.0...v25.12.1)	2025-12-15 17:41:29 +00:00
Frederick Witty	07885f99b4	Merge pull request #415 from ansible-lockdown/issue_413 issues 413 addressed thansk to @bbaassssiiee	2025-12-01 08:53:54 -05:00
Mark Bolwell	571711f11e	updated with correct fix thanks to @bbaassssiiee Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-12-01 10:23:25 +00:00
Mark Bolwell	52452b1e3c	issues 413 addressed thansk to @bbaassssiiee Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-11-28 14:51:43 +00:00
Frederick Witty	8b160681f5	Merge pull request #412 from ansible-lockdown/issue_#410 #410 add fix provided by @kpi-nourman via discord community	2025-11-25 10:06:32 -05:00
Mark Bolwell	72602c63fa	add fix provided by @kpi-nourman via discord community Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-11-25 09:28:00 +00:00
uk-bolly	5091aafcd6	Merge pull request #411 from ansible-lockdown/pre-commit-ci-update-config [pre-commit.ci] pre-commit autoupdate	2025-11-25 08:46:23 +00:00
pre-commit-ci[bot]	539ac4f5cc	[pre-commit.ci] pre-commit autoupdate updates: - [github.com/gitleaks/gitleaks: v8.29.0 → v8.29.1](https://github.com/gitleaks/gitleaks/compare/v8.29.0...v8.29.1)	2025-11-24 17:42:03 +00:00
uk-bolly	eb432ddb14	Merge pull request #409 from ansible-lockdown/pre-commit-ci-update-config [pre-commit.ci] pre-commit autoupdate	2025-11-17 12:07:40 +00:00
pre-commit-ci[bot]	0ec943073c	[pre-commit.ci] pre-commit autoupdate updates: - [github.com/gitleaks/gitleaks: v8.28.0 → v8.29.0](https://github.com/gitleaks/gitleaks/compare/v8.28.0...v8.29.0) - [github.com/ansible-community/ansible-lint: v25.9.2 → v25.11.0](https://github.com/ansible-community/ansible-lint/compare/v25.9.2...v25.11.0)	2025-11-10 17:45:49 +00:00
Frederick Witty	28b52876ec	Merge pull request #408 from ansible-lockdown/auto_issue_to_project .github standardization	2025-10-23 15:07:02 -04:00
Frederick Witty	4c41656a3b	.github standardization Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>	2025-10-23 08:28:06 -04:00