Merge pull request #381 from ansible-lockdown/August25_updates

August25 updates
2025-08-15 16:46:20 +01:00 · 2025-08-15 16:46:20 +01:00 · 39c7dfa187
commit 39c7dfa187
parent 456d203fd3 f8d9521367
7 changed files with 23 additions and 10 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -7,7 +7,7 @@ ci:

 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v5.0.0
+  rev: v6.0.0
  hooks:
  # Safety
  - id: detect-aws-credentials
--- a/Changelog.md
+++ b/Changelog.md
@ -1,5 +1,12 @@
 # Changes to rhel9CIS

+## 2.0.3 - Based on CIS v2.0.0
+
+- addressed issue 371 thanks to @bgro and kodebach
+- addressed issue 350 thanks to @chrispipo
+- addressed issue 364 thanks to @polski-g
+- pre-commit update
+
 ## 2.0.2 - Based on CIS v2.0.0

 - Update to audit_only to allow fetching results
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -617,6 +617,8 @@ rhel9cis_warning_banner: Authorized users only. All activity may be monitored an
 # End Banner

 ## Control 1.8.x - Settings for GDM
+# do not run Control 1.8.x if using a display manager different than gdm
+rhel10cis_display_manager: "gdm"
 # This variable governs whether rules dealing with GUI specific packages(and/or their settings) should
 # be executed either to:
 # - secure GDM, if GUI is needed('rhel9cis_gui: true')
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -93,11 +93,14 @@
      block:
        - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"  # noqa name[template]
          ansible.builtin.assert:
-            that:
-              - prelim_ansible_user_password_set.stdout | length != 0
-              - prelim_ansible_user_password_set.stdout != "!!"
-            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
-            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
+            that: |
+              (
+                ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" ))
+              or
+                (ansible_env.SUDO_USER in rhel10cis_sudoers_exclude_nopasswd_list)
+              )
+            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
+            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"

        - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
          ansible.builtin.assert:
@ -131,7 +134,7 @@
    - rule_5.4.2.4
  block:
    - name: "Ensure root password is set"
-      ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
+      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
      changed_when: false
      failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
      register: prelim_root_passwd_set
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
@ -61,5 +61,6 @@
    file: cis_1.7.x.yml

 - name: "SECTION | 1.8 | Gnome Display Manager"
+  when: rhel10cis_display_manager == 'gdm'
  ansible.builtin.import_tasks:
    file: cis_1.8.x.yml
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@ -139,7 +139,7 @@
      ansible.builtin.stat:
        path: "{{ item }}"
      loop: "{{ discovered_root_paths_split.stdout_lines }}"
-      register: paths_stat
+      register: discovered_root_paths_stat

    - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs"
      ansible.builtin.file:
@ -148,7 +148,7 @@
        owner: root
        group: root
        mode: 'go-w'
-      loop: "{{ paths_stat.results }}"
+      loop: "{{ discovered_root_paths_stat.results }}"
      when: not item.stat.exists

    - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@ -131,7 +131,7 @@
          *.=warning;*.=err                                        -/var/log/warn
          *.crit                                                   /var/log/warn
          *.*;mail.none;news.none                                  /var/log/messages
-        insertafter: '#### RULES ####'
+        insertbefore: '# ### sample forwarding rule ###'
      notify: Restart rsyslog

    - name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings"