updated var naming

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

defaults/main.yml

@@ -464,9 +464,9 @@ rhel9cis_ftp_client: false
 
 ## Section3 vars
 ## Sysctl
-sysctl_update: false
+rhel9cis_sysctl_update: false
-flush_ipv4_route: false
+rhel9cis_flush_ipv4_route: false
-flush_ipv6_route: false
+rhel9cis_flush_ipv6_route: false
 
 ### Firewall Service - either firewalld, iptables, or nftables
 #### Some control allow for services to be removed or masked
@@ -512,7 +512,7 @@ rhel9cis_max_log_file_size: 10
 update_audit_template: false
 
 ## Advanced option found in auditd post
-allow_auditd_uid_user_exclusions: false
+rhel9cis_allow_auditd_uid_user_exclusions: false
 
 
 # This can be used to configure other keys in auditd.conf

tasks/auditd.yml

@@ -42,5 +42,5 @@
   diff: "{{ auditd_exception_file.stat.exists }}"
   notify: Restart auditd
   when:
-      - allow_auditd_uid_user_exclusions
+      - rhel9cis_allow_auditd_uid_user_exclusions
       - rhel9cis_auditd_uid_exclude | length > 0

tasks/section_1/cis_1.5.x.yml

@@ -33,7 +33,7 @@
   block:
       - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
 
       - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
         ansible.builtin.debug:

tasks/section_3/cis_3.1.x.yml

@@ -6,8 +6,8 @@
   block:
       - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv6_route: true
+            rhel9cis_flush_ipv6_route: true
 
       - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
         ansible.builtin.debug:

tasks/section_3/cis_3.2.x.yml

@@ -4,8 +4,8 @@
   block:
       - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
 
       - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
         ansible.builtin.debug:
@@ -15,7 +15,7 @@
         block:
             - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
               ansible.builtin.set_fact:
-                  flush_ipv6_route: true
+                  rhel9cis_flush_ipv6_route: true
 
             - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
               ansible.builtin.debug:
@@ -36,8 +36,8 @@
   block:
       - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
       - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled"
         ansible.builtin.debug:
             msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"

tasks/section_3/cis_3.3.x.yml

@@ -4,8 +4,8 @@
   block:
       - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
       - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4"
         ansible.builtin.debug:
             msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
@@ -14,7 +14,7 @@
         block:
             - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact"
               ansible.builtin.set_fact:
-                  flush_ipv6_route: true
+                  rhel9cis_flush_ipv6_route: true
 
             - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6"
               ansible.builtin.debug:
@@ -33,8 +33,8 @@
   block:
       - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
 
       - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4"
         ansible.builtin.debug:
@@ -44,7 +44,7 @@
         block:
             - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
               ansible.builtin.set_fact:
-                  flush_ipv6_route: true
+                  rhel9cis_flush_ipv6_route: true
 
             - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
               ansible.builtin.debug:
@@ -63,8 +63,8 @@
   block:
       - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
 
       - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
         ansible.builtin.debug:
@@ -82,8 +82,8 @@
   block:
       - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
 
       - name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
         ansible.builtin.debug:
@@ -101,8 +101,8 @@
   block:
       - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
 
       - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
         ansible.builtin.debug:
@@ -120,8 +120,8 @@
   block:
       - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
 
       - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
         ansible.builtin.debug:
@@ -139,8 +139,8 @@
   block:
       - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
 
       - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
         ansible.builtin.debug:
@@ -158,8 +158,8 @@
   block:
       - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
 
       - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
         ansible.builtin.debug:
@@ -177,8 +177,8 @@
   block:
       - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact"
         ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv6_route: true
+            rhel9cis_flush_ipv6_route: true
 
       - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6"
         ansible.builtin.debug:

templates/audit/98_auditd_exception.rules.j2

@@ -1,7 +1,7 @@
 ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
 
 # This file contains users whose actions are not logged by auditd
-{% if allow_auditd_uid_user_exclusions %} 
+{% if rhel9cis_allow_auditd_uid_user_exclusions %} 
 {% for user in rhel9cis_auditd_uid_exclude %}
 -a never,user -F uid!={{ user }} -F auid!={{ user }}
 {% endfor %}