Merge pull request #401 from ansible-lockdown/Oct25_updates

Oct25 updates
2025-10-03 10:17:39 -04:00 · 2025-10-03 10:17:39 -04:00 · 724a09f23d
commit 724a09f23d
parent c69fedcf0a 6500e39f42
13 changed files with 451 additions and 320 deletions
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@ -1,7 +1,7 @@
 ---

 - name: Post Audit | Run post_remediation {{ benchmark }} audit  # noqa name[template]
-  ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""  # noqa yaml[line-length]
+  ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""  # noqa yaml[line-length]
  changed_when: true
  environment:
    AUDIT_BIN: "{{ audit_bin }}"
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@ -1,4 +1,5 @@
 ---
+
 - name: Pre Audit Setup | Setup the LE audit
  when: setup_audit
  tags: setup_audit
@ -71,7 +72,7 @@
    mode: 'go-rwx'

 - name: Pre Audit | Run pre_remediation audit {{ benchmark }}  # noqa name[template]
-  ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""  # noqa yaml[line-length]
+  ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
  changed_when: true
  environment:
    AUDIT_BIN: "{{ audit_bin }}"
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -41,8 +41,8 @@
      ansible.builtin.file:
        path: "{{ item.path }}"
        owner: root
-        group: root
-        mode: 'u-x,go-rwx'
+        group: "{{ 'ssh_keys' if (item.gr_name == 'ssh_keys') else 'root' }}"
+        mode: "{{ 'u-x,g-wx,o-rwx' if (item.gr_name == 'ssh_keys') else 'u-x,go-rwx' }}"
      loop: "{{ discovered_ssh_private_host_key.files }}"
      loop_control:
        label: "{{ item.path }}"
--- a/tasks/section_5/cis_5.4.1.x.yml
+++ b/tasks/section_5/cis_5.4.1.x.yml
@ -94,7 +94,7 @@
        - discovered_warn_days.stdout_lines | length > 0
        - item in prelim_interactive_users | map(attribute='username') | list
        - rhel9cis_force_user_warnage
-      ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
+      ansible.builtin.command: "chage --warndays {{ rhel9cis_pass_warn_age }} {{ item }}"
      changed_when: true
      loop: "{{ discovered_warn_days.stdout_lines }}"

--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@ -11,7 +11,7 @@

 - name: "SECTION | 5.2 | Configure privilege escalation"
  when:
-    - - rhel9cis_section5_2
+    - rhel9cis_section5_2
  ansible.builtin.import_tasks:
    file: cis_5.2.x.yml