Merge pull request #407 from ansible-lockdown/devel

Latest fixed to merge with main
Merge pull request #368 from ansible-lockdown/devel
2025-12-25 14:43:06 +00:00 · 2025-10-17 10:56:49 -04:00 · 2025-07-18 12:21:14 -04:00 · 2025-07-02 10:50:59 -04:00 · 2025-03-18 09:22:32 +00:00 · 2025-02-14 10:44:12 +00:00
9 changed files with 27 additions and 30 deletions
--- a/.github/workflows/add_repo_issue_to_gh_project.yml
+++ b/.github/workflows/add_repo_issue_to_gh_project.yml
@ -14,4 +14,4 @@ jobs:
      - uses: actions/add-to-project@main
        with:
          project-url: https://github.com/orgs/ansible-lockdown/projects/1
-          github-token: ${{ secrets.ALD_GH_PROJECT }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/update_galaxy.yml
+++ b/.github/workflows/update_galaxy.yml
@ -0,0 +1,19 @@
 ---
    name: update galaxy
    on:
        push:
            branches:
                - main
    jobs:
        update_role:
            runs-on: ubuntu-latest
            steps:
                - name: Checkout repo
                  uses: actions/checkout@v4
                - name: Action Ansible Galaxy Release ${{ github.ref_name }}
                  uses: ansible-actions/ansible-galaxy-action@main
                  with:
                    galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -41,12 +41,12 @@ repos:
  - id: detect-secrets
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.30.0
+  rev: v8.28.0
  hooks:
  - id: gitleaks
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.12.2
+  rev: v25.9.2
  hooks:
  - id: ansible-lint
    name: Ansible-lint
--- a/Changelog.md
+++ b/Changelog.md
@ -1,5 +1,6 @@
 # Changes to rhel9CIS
 ## 2.0.4 - Based on CIS v2.0.0
 - addressed issue #393 thank you to @fragglexarmy
@ -10,9 +11,6 @@
 - work flow updates
 - audit logic improvements
 - auditd template 2.19 compatible
 - pre-commit updates
 - #410 thanks to @kpi-nourman
 - #413 thanks to @bbaassssiiee
 ## 2.0.3 - Based on CIS v2.0.0
 - addressed issue #387, thank you @fragglexarmy
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -802,8 +802,6 @@ rhel9cis_tftp_client: false
 ## Control 3.1.1 - Ensure IPv6 status is identified
 # This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: true
 # rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
 rhel9cis_ipv6_disable_method: "sysctl"
 ## Control 3.1.2 - Ensure wireless interfaces are disabled
 # if wireless adapter found allow network manager to be installed
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -134,7 +134,7 @@
    - rule_5.4.2.4
  block:
    - name: "Ensure root password is set"
-      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)"
+      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)"
      changed_when: false
      failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
      register: prelim_root_passwd_set
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -16,30 +16,15 @@
    - rule_3.1.1
    - NIST800-53R5_CM-7
  block:
-    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template"
+    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
      when: "'sysctl' in rhel9cis_ipv6_disable_method"
      ansible.builtin.set_fact:
        rhel9cis_sysctl_update: true
        rhel9cis_flush_ipv6_route: true
-    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info"
+    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
      when: "'sysctl' in rhel9cis_ipv6_disable_method"
      ansible.builtin.debug:
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status"
      when: "'kernel' in rhel9cis_ipv6_disable_method"
      ansible.builtin.command: grubby --info=ALL
      changed_when: false
      failed_when: false
      register: discovered_rhel9cis_3_1_1_ipv6_status
    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
      when:
        - "'kernel' in rhel9cis_ipv6_disable_method"
        - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
      ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1"
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
  when:
    - rhel9cis_rule_3_1_2
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@ -4,4 +4,4 @@
 [org/gnome/login-screen]
 banner-message-enable=true
-banner-message-text="{{ rhel9cis_warning_banner | trim | replace("\n", "\\n") }}"
+banner-message-text="{{ rhel9cis_warning_banner }}"
--- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
+++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
@ -4,7 +4,4 @@
 {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 {% for interface in ansible_interfaces %}
 net.ipv6.conf.{{ interface }}.disable_ipv6 = 1
 {% endfor %}
 {% endif %}
Author	SHA1	Message	Date
Frederick Witty	9bab97dccc	Merge pull request #407 from ansible-lockdown/devel Latest fixed to merge with main	2025-10-17 10:56:49 -04:00
Fred W.	751fac8a0c	Merge pull request #368 from ansible-lockdown/devel July 25 Release to main	2025-07-18 12:21:14 -04:00
jjoympg	25b4bb780c	Merge pull request #355 from ansible-lockdown/devel Merge latest into devel	2025-07-02 10:50:59 -04:00
uk-bolly	3d502efaef	Merge pull request #307 from ansible-lockdown/devel Updates to benchmark v2.0.0	2025-03-18 09:22:32 +00:00
uk-bolly	f4a0bca52a	Merge pull request #290 from ansible-lockdown/devel CIS V2 release to main	2025-02-14 10:44:12 +00:00
uk-bolly	ef2b7dca5d	Merge pull request #267 from ansible-lockdown/devel CIS v1.0.0 final release to main	2024-12-19 15:07:56 +00:00
uk-bolly	81a929961a	Merge pull request #259 from ansible-lockdown/devel CIS v1.0.0 updates Nov 2024	2024-11-19 18:11:52 +00:00
uk-bolly	16cb6a4617	Merge pull request #235 from ansible-lockdown/devel rhel9-cis main release v1.0.0	2024-09-10 15:45:16 +01:00
uk-bolly	151896e113	Merge pull request #213 from ansible-lockdown/devel Update to galaxy meta	2024-06-11 13:02:59 +01:00
uk-bolly	306eb59b88	Merge pull request #210 from ansible-lockdown/devel Release to main	2024-06-10 12:49:41 +01:00
uk-bolly	7661bc0963	Merge pull request #205 from ansible-lockdown/devel Release to main	2024-05-01 13:53:19 +01:00
uk-bolly	00e6f196b5	Merge pull request #89 from ansible-lockdown/devel workflow check run	2023-08-10 14:25:08 +01:00
uk-bolly	4567a0baad	Merge pull request #86 from ansible-lockdown/devel Readme layout update	2023-08-09 16:08:19 +01:00
uk-bolly	10dc297e9a	Merge pull request #84 from ansible-lockdown/devel devel to main release	2023-08-09 14:34:53 +01:00
uk-bolly	21a886a81c	Merge pull request #64 from ansible-lockdown/devel Devel to main - bug fixes	2023-06-06 14:40:39 +01:00
uk-bolly	759bbbad7e	Merge pull request #49 from ansible-lockdown/devel Galaxy Compliance	2023-03-21 21:11:51 +00:00
uk-bolly	8bbccd6b62	Merge pull request #47 from ansible-lockdown/devel Merge to Main galaxy workflow	2023-03-21 16:35:53 +00:00
uk-bolly	beaeb3a181	Merge pull request #45 from ansible-lockdown/devel Initial 1.0 release CIS 1.0	2023-03-21 15:39:53 +00:00