From e6ba3cea4ac8ddda6155a6b42c0616f81c60538f Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 2 Mar 2026 17:47:33 +0000 Subject: [PATCH 1/5] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v26.1.1 → v26.2.0](https://github.com/ansible-community/ansible-lint/compare/v26.1.1...v26.2.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6abad7b..4771eb9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -48,7 +48,7 @@ repos: name: Run Gitleaks test - repo: https://github.com/ansible-community/ansible-lint - rev: v26.1.1 + rev: v26.2.0 hooks: - id: ansible-lint name: Ansible-lint From 83cf830f36411c23597ef74dd4dbc24a944c161a Mon Sep 17 00:00:00 2001 From: defnotyujine Date: Mon, 9 Mar 2026 14:55:38 +0800 Subject: [PATCH 2/5] Added always tag to ensure variable exists on CIS profile tag-based execution Signed-off-by: defnotyujine --- tasks/prelim.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 09e3620..91e576d 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -259,6 +259,8 @@ - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists" when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11 + tags: + - always ansible.builtin.stat: path: /etc/ssh/sshd_config.d/50-redhat.conf register: prelim_sshd_50_redhat_file From e6ccdea36563e453e240bdc612bd6776305e78df Mon Sep 17 00:00:00 2001 From: defnotyujine Date: Mon, 9 Mar 2026 19:14:33 +0800 Subject: [PATCH 3/5] Updated Jinja template to fix compliance issues for control 5.3.3.2.7 Signed-off-by: defnotyujine --- defaults/main.yml | 2 +- tasks/section_5/cis_5.3.3.2.x.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
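Review bot: The `always` tag makes the stat task run under tag-selected plays, but its `when:` still skips it whenever neither `rhel9cis_rule_5_1_10` nor `rhel9cis_rule_5_1_11` is set, and a skipped task registers `prelim_sshd_50_redhat_file` as a skipped result with no `.stat` key. That is fine as long as every consumer of `prelim_sshd_50_redhat_file.stat.exists` is gated on the same two rule variables; if any reads it under a different condition (not visible here) it would fail on an undefined attribute, and `prelim_sshd_50_redhat_file.stat.exists | default(false)` at the consumer would make it safe. Other prelim tasks whose registered results feed tag-selected sections presumably need the same `always` tag, so it is worth checking none were missed.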
diff --git a/defaults/main.yml b/defaults/main.yml index 4245f53..5be5f91 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1104,7 +1104,7 @@ rhel9cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.con rhel9cis_passwd_dictcheck_value: 1 # 5.3.3.2.7 - Ensure password quality is enforced for the root user -rhel9cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf # pragma: allowlist secret +rhel9cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret rhel9cis_passwd_quality_enforce_value: 1 rhel9cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml index aa2e0f8..a53d857 100644 --- a/tasks/section_5/cis_5.3.3.2.x.yml +++ b/tasks/section_5/cis_5.3.3.2.x.yml @@ -340,7 +340,7 @@ - system notify: Authselect update -- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced" +- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user" when: rhel9cis_rule_5_3_3_2_7 tags: - level1-server From ce40cd630c9c76b5cae2891a457fe586def65c04 Mon Sep 17 00:00:00 2001 From: defnotyujine Date: Tue, 10 Mar 2026 17:19:22 +0800 Subject: [PATCH 4/5] Added missing variable for task 5.2.4 Signed-off-by: defnotyujine --- defaults/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 4245f53..2a13f7a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
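Review bot: The new default `50-pwroot.conf` is not explained in the hunk; the commit message says it fixes compliance, which presumably means the benchmark's audit for 5.3.3.2.7 expects `enforce_for_root` in that specific file, and a one-line comment above the variable should say so, e.g. `# File name must match the one the CIS 5.3.3.2.7 audit/remediation references`. Hosts remediated with the previous default keep an unmanaged `etc/security/pwquality.conf.d/50-pwquality_enforce.conf`, because nothing in this change removes it; libpwquality appears to read every `*.conf` in that directory, so the stale file should not break this control, but it will drift from what the role manages, and either a cleanup task or a changelog note is worth adding. The second hunk of this patch only renames the task and needs nothing further.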
@@ -959,6 +959,13 @@ rhel9cis_ssh_maxsessions: 4 # This variable defines the path and file name of the sudo log file. rhel9cis_sudolog_location: "/var/log/sudo.log" +## Control 5.2.4 - Ensure users must provide password for escalation +# The following variable specifies a list of users that should not be required to provide a password +# for escalation. Feel free to edit it according to your needs. +rhel9cis_sudoers_exclude_nopasswd_list: + - ec2-user + - vagrant + ## Control 5.2.x - Ensure sudo authentication timeout is configured correctly # This variable sets the duration (in minutes) during which a user's authentication credentials # are cached after successfully authenticating using "sudo". This allows the user to execute From decb9061d571722f967510b1048b3942cd3cf18f Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 17:45:10 +0000 Subject: [PATCH 5/5] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.30.0 → v8.30.1](https://github.com/gitleaks/gitleaks/compare/v8.30.0...v8.30.1) - [github.com/ansible-community/ansible-lint: v26.2.0 → v26.3.0](https://github.com/ansible-community/ansible-lint/compare/v26.2.0...v26.3.0) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4771eb9..adecfe0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,13 +42,13 @@ repos: name: Detect Secrets test - repo: https://github.com/gitleaks/gitleaks - rev: v8.30.0 + rev: v8.30.1 hooks: - id: gitleaks name: Run Gitleaks test - repo: https://github.com/ansible-community/ansible-lint - rev: v26.2.0 + rev: v26.3.0 hooks: - id: ansible-lint name: Ansible-lint
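Review bot: Defaulting `rhel9cis_sudoers_exclude_nopasswd_list` to `ec2-user` and `vagrant` weakens control 5.2.4 for every consumer who does not override it, because — assuming the 5.2.4 task uses this list to skip NOPASSWD entries for the named users, as the comment and commit message suggest — any passwordless sudo entry those accounts hold is left in place on hosts where they exist. A safer default is an empty list, `rhel9cis_sudoers_exclude_nopasswd_list: []`, with the two cloud/dev accounts shown as a commented-out example, so opting a user out of the control is a deliberate per-environment decision. The comment above the variable should also state the consequence of listing an account (its NOPASSWD sudo entry is kept and the control is not fully remediated on that host) rather than only `Feel free to edit it according to your needs.`. Separately, the `index 4245f53..2a13f7a` line shows this patch's pre-image of defaults/main.yml is the same blob `4245f53` that patch 3 starts from, so the series is not linear on this file; both hunks touch different regions and should apply cleanly, but it is worth confirming the merged result carries both changes.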