
10 commits
2.2.0 ... devel

uk-bolly
eedb2188c3
Merge pull request #438 from ansible-lockdown/pre-commit-ci-update-config
[pre-commit.ci] pre-commit autoupdate
2026-03-18 17:46:10 +00:00
uk-bolly
5e8ff2dc4a
Merge pull request #439 from defnotyujine/fix_5.2.4
Added missing variable for task 5.2.4
2026-03-18 17:45:55 +00:00
uk-bolly
871c75d09e
Merge pull request #437 from defnotyujine/fix-5.3.3.2.7
Updated Jinja template to fix compliance issues for control 5.3.3.2.7
2026-03-18 17:45:13 +00:00
uk-bolly
ab6254aa7a
Merge pull request #436 from defnotyujine/fix_5.1.10_5.1.11
Added always tag to ensure variable exists on CIS profile tag-based e…
2026-03-18 17:43:04 +00:00
pre-commit-ci[bot]
decb9061d5
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/gitleaks/gitleaks: v8.30.0 → v8.30.1](https://github.com/gitleaks/gitleaks/compare/v8.30.0...v8.30.1)
- [github.com/ansible-community/ansible-lint: v26.2.0 → v26.3.0](https://github.com/ansible-community/ansible-lint/compare/v26.2.0...v26.3.0)
2026-03-16 17:45:10 +00:00
defnotyujine
ce40cd630c
Added missing variable for task 5.2.4
Signed-off-by: defnotyujine <batauling1000@gmail.com>
2026-03-10 17:33:08 +08:00
defnotyujine
e6ccdea365
Updated Jinja template to fix compliance issues for control 5.3.3.2.7
Signed-off-by: defnotyujine <batauling1000@gmail.com>
2026-03-09 19:19:02 +08:00
defnotyujine
83cf830f36
Added always tag to ensure variable exists on CIS profile tag-based execution
Signed-off-by: defnotyujine <batauling1000@gmail.com>
2026-03-09 17:39:10 +08:00
uk-bolly
497b3dc8d9
Merge pull request #433 from ansible-lockdown/pre-commit-ci-update-config
[pre-commit.ci] pre-commit autoupdate
2026-03-03 09:55:07 +00:00
pre-commit-ci[bot]
e6ba3cea4a
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/ansible-community/ansible-lint: v26.1.1 → v26.2.0](https://github.com/ansible-community/ansible-lint/compare/v26.1.1...v26.2.0)
2026-03-02 17:47:33 +00:00
4 changed files with 13 additions and 4 deletions


@ -42,13 +42,13 @@ repos:
name: Detect Secrets test name: Detect Secrets test
- repo: https://github.com/gitleaks/gitleaks - repo: https://github.com/gitleaks/gitleaks
rev: v8.30.0 rev: v8.30.1
hooks: hooks:
- id: gitleaks - id: gitleaks
name: Run Gitleaks test name: Run Gitleaks test
- repo: https://github.com/ansible-community/ansible-lint - repo: https://github.com/ansible-community/ansible-lint
rev: v26.1.1 rev: v26.3.0
hooks: hooks:
- id: ansible-lint - id: ansible-lint
name: Ansible-lint name: Ansible-lint


@ -959,6 +959,13 @@ rhel9cis_ssh_maxsessions: 4
# This variable defines the path and file name of the sudo log file. # This variable defines the path and file name of the sudo log file.
rhel9cis_sudolog_location: "/var/log/sudo.log" rhel9cis_sudolog_location: "/var/log/sudo.log"
## Control 5.2.4 - Ensure users must provide password for escalation
# The following variable specifies a list of users that should not be required to provide a password
# for escalation. Feel free to edit it according to your needs.
rhel9cis_sudoers_exclude_nopasswd_list:
- ec2-user
- vagrant
## Control 5.2.x - Ensure sudo authentication timeout is configured correctly ## Control 5.2.x - Ensure sudo authentication timeout is configured correctly
# This variable sets the duration (in minutes) during which a user's authentication credentials # This variable sets the duration (in minutes) during which a user's authentication credentials
# are cached after successfully authenticating using "sudo". This allows the user to execute # are cached after successfully authenticating using "sudo". This allows the user to execute
@ -1104,7 +1111,7 @@ rhel9cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.con
rhel9cis_passwd_dictcheck_value: 1 rhel9cis_passwd_dictcheck_value: 1
# 5.3.3.2.7 - Ensure password quality is enforced for the root user # 5.3.3.2.7 - Ensure password quality is enforced for the root user
rhel9cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf # pragma: allowlist secret rhel9cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret
rhel9cis_passwd_quality_enforce_value: 1 rhel9cis_passwd_quality_enforce_value: 1
rhel9cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret rhel9cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret
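Review bot: The new `rhel9cis_sudoers_exclude_nopasswd_list` ships with `ec2-user` and `vagrant` pre-populated, so a default run of this hardening role will treat NOPASSWD escalation for those accounts as compliant with control 5.2.4 without the operator opting in. A baseline should not carry exemptions by default; make the list empty and keep the cloud/dev accounts as a documented example, `rhel9cis_sudoers_exclude_nopasswd_list: []` preceded by `# e.g. ec2-user on cloud images or vagrant on dev boxes — add entries deliberately`. The task that consumes this list is not in this diff, so how an entry is matched (exact user name only, or also groups and aliases) cannot be checked here and is worth stating in the comment above the variable. The comment's "Feel free to edit it according to your needs" would read better as a statement of what the list does than as an invitation.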


@ -259,6 +259,8 @@
- name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists" - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists"
when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11 when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11
tags:
- always
ansible.builtin.stat: ansible.builtin.stat:
path: /etc/ssh/sshd_config.d/50-redhat.conf path: /etc/ssh/sshd_config.d/50-redhat.conf
register: prelim_sshd_50_redhat_file register: prelim_sshd_50_redhat_file
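Review bot: The `always` tag added to the `PRELIM | PATCH | sshd_config.d/50-redhat.conf exists` task has no explanation in the file, so a later tidy-up of tags can remove it and silently bring back the undefined `prelim_sshd_50_redhat_file` failure that the commit message describes. A one-line comment above `tags:` records the reason: `# always: 5.1.10 and 5.1.11 read prelim_sshd_50_redhat_file, so it must be registered on tag-filtered runs too`. The `when:` guard still applies, so on a tag-filtered run where neither rule variable is true the task is skipped and the registered variable holds a skipped result; presumably the downstream rules tolerate that, but it is worth confirming since those tasks are outside this hunk.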


@ -340,7 +340,7 @@
- system - system
notify: Authselect update notify: Authselect update
- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced" - name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
when: rhel9cis_rule_5_3_3_2_7 when: rhel9cis_rule_5_3_3_2_7
tags: tags:
- level1-server - level1-server