Merge pull request #49 from ansible-lockdown/devel

Galaxy Compliance
2023-03-21 21:11:51 +00:00 · 2023-03-21 21:11:51 +00:00 · 759bbbad7e
commit 759bbbad7e
parent 8bbccd6b62 eee101c844
20 changed files with 228 additions and 250 deletions
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/linux_benchmark_testing.yml
@ -6,106 +6,106 @@ name: linux_benchmark_pipeline
 # Triggers the workflow on push or pull request
 # events but only for the devel branch
 on:
-  pull_request_target:
+    pull_request_target:
-    types: [opened, reopened, synchronize]
+        types: [opened, reopened, synchronize]
-    branches:
+        branches:
-      - devel
+            - devel
-      - main
+            - main
-    paths:
+        paths:
-      - '**.yml'
+            - '**.yml'
-      - '**.sh'
+            - '**.sh'
-      - '**.j2'
+            - '**.j2'
-      - '**.ps1'
+            - '**.ps1'
-      - '**.cfg'
+            - '**.cfg'
 # A workflow run is made up of one or more jobs
 # that can run sequentially or in parallel
 jobs:
  # This will create messages for first time contributers and direct them to the Discord server
-  welcome:
+    welcome:
-      runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
-      steps:
+        steps:
-          - uses: actions/first-interaction@main
+            - uses: actions/first-interaction@main
-            with:
+              with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
+                  repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
+                  pr-message: |-
-                  Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! 
+                      Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                  Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+                      Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
-  # This workflow contains a single job called "build"
+      # This workflow contains a single job called "build"
-  build:
+    build:
-    # The type of runner that the job will run on
+      # The type of runner that the job will run on
-    runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
    env: 
      ENABLE_DEBUG: false
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, 
      # so your job can access it
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Add_ssh_key
        working-directory: .github/workflows
        env:
-          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+            ENABLE_DEBUG: false
-          PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+
-        run: |
+        # Steps represent a sequence of tasks that will be executed as part of the job
-          mkdir .ssh
+        steps:
-          chmod 700 .ssh
+          # Checks-out your repository under $GITHUB_WORKSPACE, 
-          echo $PRIVATE_KEY > .ssh/github_actions.pem
+          # so your job can access it
-          chmod 600 .ssh/github_actions.pem
+            - uses: actions/checkout@v3
              with:
                  ref: ${{ github.event.pull_request.head.sha }}
            - name: Add_ssh_key
              working-directory: .github/workflows
              env:
                  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
                  PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
              run: |
                mkdir .ssh
                chmod 700 .ssh
                echo $PRIVATE_KEY > .ssh/github_actions.pem
                chmod 600 .ssh/github_actions.pem
 ### Build out the server
-      - name: Terraform_Init
+            - name: Terraform_Init
-        working-directory: .github/workflows
+              working-directory: .github/workflows
-        run: terraform init
+              run: terraform init
-      - name: Terraform_Validate
+            - name: Terraform_Validate
-        working-directory: .github/workflows
+              working-directory: .github/workflows
-        run: terraform validate
+              run: terraform validate
-      - name: Terraform_Apply
+            - name: Terraform_Apply
-        working-directory: .github/workflows
+              working-directory: .github/workflows
-        env:
+              env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+                  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
+              run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
-## Debug Section
+      ## Debug Section
-      - name: DEBUG - Show Ansible hostfile
+            - name: DEBUG - Show Ansible hostfile
-        if: env.ENABLE_DEBUG == 'true'
+              if: env.ENABLE_DEBUG == 'true'
-        working-directory: .github/workflows
+              working-directory: .github/workflows
-        run: cat hosts.yml
+              run: cat hosts.yml
-# Aws deployments taking a while to come up insert sleep or playbook fails
+      # Aws deployments taking a while to come up insert sleep or playbook fails
-      - name: Sleep for 60 seconds
+            - name: Sleep for 60 seconds
-        run: sleep 60s
+              run: sleep 60s
-        shell: bash
+              shell: bash
-# Run the ansible playbook
+      # Run the ansible playbook
-      - name: Run_Ansible_Playbook
+            - name: Run_Ansible_Playbook
-        uses: arillso/action.playbook@master
+              uses: arillso/action.playbook@master
-        with:
+              with:
-          playbook: site.yml
+                  playbook: site.yml
-          inventory: .github/workflows/hosts.yml
+                  inventory: .github/workflows/hosts.yml
-          galaxy_file: collections/requirements.yml
+                  galaxy_file: collections/requirements.yml
-          private_key: ${{ secrets.SSH_PRV_KEY }}
+                  private_key: ${{ secrets.SSH_PRV_KEY }}
-#          verbose: 3
+        #          verbose: 3
-        env:
+              env:
-          ANSIBLE_HOST_KEY_CHECKING: "false"
+                  ANSIBLE_HOST_KEY_CHECKING: "false"
-          ANSIBLE_DEPRECATION_WARNINGS: "false"
+                  ANSIBLE_DEPRECATION_WARNINGS: "false"
-# Remove test system - User secrets to keep if necessary
+      # Remove test system - User secrets to keep if necessary
-      - name: Terraform_Destroy
+            - name: Terraform_Destroy
-        working-directory: .github/workflows
+              working-directory: .github/workflows
-        if: always() && env.ENABLE_DEBUG == 'false'
+              if: always() && env.ENABLE_DEBUG == 'false'
-        env:
+              env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+                  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
+              run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
--- a/.github/workflows/main.tf
+++ b/.github/workflows/main.tf
@ -5,7 +5,6 @@ provider "aws" {
 // Create a security group with access to port 22 and port 80 open to serve HTTP traffic
 resource "random_id" "server" {
  keepers = {
    # Generate a new id each time we switch to a new AMI id
--- a/.github/workflows/update_galaxy.yml
+++ b/.github/workflows/update_galaxy.yml
@ -7,15 +7,15 @@ name: update galaxy
 # Controls when the action will run.
 # Triggers the workflow on merge request events to the main branch
 on:
-  push:
+    push:
-    branches:
+        branches:
-      - main
+            - main
 jobs:
    update_role:
-      runs-on: ubuntu-latest
+        runs-on: ubuntu-latest
-      steps:
+        steps:
-        - uses: actions/checkout@v3
+            - uses: actions/checkout@v3
-        - uses: robertdebock/galaxy-action@master
+            - uses: robertdebock/galaxy-action@master
-          with:
+              with:
-            galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
+                  galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
-            git_branch: main
+                  git_branch: main
--- a/.yamllint
+++ b/.yamllint
@ -1,33 +1,25 @@
 ---
 # Based on ansible-lint config
 extends: default
 ignore: |
    tests/
    molecule/
    .github/
    .gitlab-ci.yml
    *molecule.yml
 rules:
-    indentation:
+  braces: {max-spaces-inside: 1, level: error}
-        # Requiring 4 space indentation
+  brackets: {max-spaces-inside: 1, level: error}
-        spaces: 4
+  colons: {max-spaces-after: -1, level: error}
-        # Requiring consistent indentation within a file, either indented or not
+  commas: {max-spaces-after: -1, level: error}
-        indent-sequences: consistent
+  comments: disable
-    braces:
+  comments-indentation: disable
-        max-spaces-inside: 1
+  document-start: disable
-        level: error
+  empty-lines: {max: 3, level: error}
-    brackets:
+  hyphens: {level: error}
-        max-spaces-inside: 1
+  indentation:
-        level: error
+     # Requiring 4 space indentation
-    empty-lines:
+     spaces: 4
-        max: 1
+     # Requiring consistent indentation within a file, either indented or not
-    line-length: disable
+     indent-sequences: consistent
-    key-duplicates: enable
+  key-duplicates: enable
-    new-line-at-end-of-file: enable
+  line-length: disable
-    new-lines:
+  new-line-at-end-of-file: disable
-        type: unix
+  new-lines: {type: unix}
-    trailing-spaces: enable
+  trailing-spaces: disable
-    truthy:
+  truthy: disable
        allowed-values: ['true', 'false']
        check-keys: false
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@ -61,7 +61,6 @@ following text in your contribution commit message:
 ::
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
 option to `git commit` to automatically include the signoff message.
--- a/Changelog.md
+++ b/Changelog.md
@ -1,5 +1,10 @@
 # Changes to rhel9CIS
 ## 1.0.6
 updated ymlalint as galaxy doenst honouyr local settings
 removed empty lines in files
 ## 1.0.5
 updated yamllint
--- a/3
+++ b/3
@ -1,6 +1,5 @@
 .PHONY: all help galaxy-install ansible-list yamllint pip-requirements
 GALAXY=ansible-galaxy
 ANSIBLE_LINT='/usr/local/bin/ansible-lint'
 ANSIBLE_FILE=site.yml
@ -15,7 +14,6 @@ help:
 	@echo "    yamllint                           to lint playbook files"
 	@echo "    pip-requirements                   add pip required file"
 galaxy-install:
 	$(GALAXY) install -r ./collections/requirements.yml
@ -29,4 +27,3 @@ pip-requirements:
 	@echo 'Python dependencies:'
 	@cat requirements.txt
 	pip3 install -r requirements.txt
--- a/ansible.cfg
+++ b/ansible.cfg
@ -12,7 +12,6 @@ stdout_callback = yaml
 # Use the stdout_callback when running ad-hoc commands.
 bin_ansible_callbacks = True
 [privilege_escalation]
 [paramiko_connection]
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -5,23 +5,23 @@
  gather_facts: true
  vars:
-    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+      role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
-    ansible_user: root
+      ansible_user: root
-    system_is_container: true
+      system_is_container: true
-    rhel9cis_selinux_disable: true
+      rhel9cis_selinux_disable: true
-    rhel9cis_rule_5_3_4: false
+      rhel9cis_rule_5_3_4: false
-    rhel9cis_rule_1_1_10: false
+      rhel9cis_rule_1_1_10: false
-    rhel9cis_firewall: "none"
+      rhel9cis_firewall: "none"
-    rhel9cis_rule_4_1_1_1: false
+      rhel9cis_rule_4_1_1_1: false
-    rhel9cis_rule_4_1_1_2: false
+      rhel9cis_rule_4_1_1_2: false
-    rhel9cis_rule_4_1_1_3: false
+      rhel9cis_rule_4_1_1_3: false
-    rhel9cis_rule_4_1_1_4: false
+      rhel9cis_rule_4_1_1_4: false
-    rhel9cis_rule_4_2_1_2: false
+      rhel9cis_rule_4_2_1_2: false
-    rhel9cis_rule_4_2_1_4: false
+      rhel9cis_rule_4_2_1_4: false
-    rhel9cis_rule_5_1_1: false
+      rhel9cis_rule_5_1_1: false
  pre_tasks:
  tasks:
-    - name: "Include tasks"
+      - name: "Include tasks"
-      ansible.builtin.include_role:
+        ansible.builtin.include_role:
-        name: "{{ role_name }}"
+            name: "{{ role_name }}"
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@ -3,32 +3,31 @@
 # https://molecule.readthedocs.io/en/latest/
 driver:
-  name: docker
+    name: docker
 platforms:
-  - name: ubi9
+    - name: ubi9
-    image: registry.access.redhat.com/ubi9/ubi-init
+      image: registry.access.redhat.com/ubi9/ubi-init
-    pre_build_image: true
+      pre_build_image: true
-    volumes:
+      volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+          - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    privileged: true
+      privileged: true
-    command: "/usr/sbin/init"
+      command: "/usr/sbin/init"
-    capabilities:
+      capabilities:
-      - SYS_ADMIN
+          - SYS_ADMIN
 provisioner:
-  name: ansible
+    name: ansible
-  config_options:
+    config_options:
-    defaults:
+        defaults:
-      interpreter_python: auto_silent
+            interpreter_python: auto_silent
-      callbacks_enabled: profile_tasks, timer
+            callbacks_enabled: profile_tasks, timer
 lint: |
-  set -e
+    set -e
-  yamllint .
+    yamllint .
-  ansible-lint
+    ansible-lint
-  flake8
+    flake8
 verifier:
-  name: ansible
+    name: ansible
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@ -4,10 +4,10 @@
  gather_facts: false
  vars:
-    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+      role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
  tasks:
-    - name: "Include verify tasks"
+      - name: "Include verify tasks"
-      ansible.builtin.include_role:
+        ansible.builtin.include_role:
-        name: "{{ role_name }}"
+            name: "{{ role_name }}"
-        tasks_from: verify
+            tasks_from: verify
--- a/molecule/localhost/converge.yml
+++ b/molecule/localhost/converge.yml
@ -6,13 +6,12 @@
  gather_facts: true
  vars:
-    ansible_user: "{{ lookup('env', 'USER') }}"
+      ansible_user: "{{ lookup('env', 'USER') }}"
-    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+      role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
-    rhel9cis_rule_5_3_4: false
+      rhel9cis_rule_5_3_4: false
  pre_tasks:
  tasks:
-    - name: "Include tasks"
+      - name: "Include tasks"
-      ansible.builtin.include_role:
+        ansible.builtin.include_role:
-        name: "{{ role_name }}"
+            name: "{{ role_name }}"
--- a/molecule/localhost/molecule.yml
+++ b/molecule/localhost/molecule.yml
@ -3,28 +3,27 @@
 # https://molecule.readthedocs.io/en/latest/
 driver:
-  name: delegated
+    name: delegated
-  options:
+    options:
-    managed: false
+        managed: false
-    ansible_connection_options:
+        ansible_connection_options:
-      ansible_connection: local
+            ansible_connection: local
 platforms:
-  - name: localhost
+    - name: localhost
 provisioner:
-  name: ansible
+    name: ansible
-  config_options:
+    config_options:
-    defaults:
+        defaults:
-      interpreter_python: auto_silent
+            interpreter_python: auto_silent
-      stdout_callback: yaml
+            stdout_callback: yaml
-      callbacks_enabled: profile_tasks, timer
+            callbacks_enabled: profile_tasks, timer
 lint: |
-  set -e
+    set -e
-  yamllint .
+    yamllint .
-  ansible-lint
+    ansible-lint
-  flake8
+    flake8
 verifier:
-  name: ansible
+    name: ansible
--- a/molecule/localhost/verify.yml
+++ b/molecule/localhost/verify.yml
@ -5,10 +5,10 @@
  become: true
  vars:
-    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+      role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
  tasks:
-    - name: "Include verify tasks"
+      - name: "Include verify tasks"
-      ansible.builtin.include_role:
+        ansible.builtin.include_role:
-        name: "{{ role_name }}"
+            name: "{{ role_name }}"
-        tasks_from: verify
+            tasks_from: verify
--- a/molecule/wsl/converge.yml
+++ b/molecule/wsl/converge.yml
@ -6,22 +6,21 @@
  gather_facts: true
  vars:
-    ansible_user: "{{ lookup('env', 'USER') }}"
+      ansible_user: "{{ lookup('env', 'USER') }}"
-    system_is_container: true
+      system_is_container: true
-    rhel8cis_selinux_disable: true
+      rhel8cis_selinux_disable: true
-    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+      role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
-    rhel8cis_rule_5_3_4: false
+      rhel8cis_rule_5_3_4: false
-    rhel8cis_rule_1_1_10: false
+      rhel8cis_rule_1_1_10: false
-    rhel8cis_rsyslog_ansiblemanaged: false
+      rhel8cis_rsyslog_ansiblemanaged: false
-    rhel8cis_rule_3_4_1_3: false
+      rhel8cis_rule_3_4_1_3: false
-    rhel8cis_rule_3_4_1_4: false
+      rhel8cis_rule_3_4_1_4: false
-    rhel8cis_rule_4_2_1_2: false
+      rhel8cis_rule_4_2_1_2: false
-    rhel8cis_rule_4_2_1_4: false
+      rhel8cis_rule_4_2_1_4: false
-    rhel8cis_rule_5_1_1: false
+      rhel8cis_rule_5_1_1: false
  pre_tasks:
  tasks:
-    - name: "Include tasks"
+      - name: "Include tasks"
-      ansible.builtin.include_role:
+        ansible.builtin.include_role:
-        name: "{{ role_name }}"
+            name: "{{ role_name }}"
--- a/molecule/wsl/molecule.yml
+++ b/molecule/wsl/molecule.yml
@ -3,27 +3,26 @@
 # https://molecule.readthedocs.io/en/latest/
 driver:
-  name: delegated
+    name: delegated
-  options:
+    options:
-    managed: false
+        managed: false
-    ansible_connection_options:
+        ansible_connection_options:
-      ansible_connection: local
+            ansible_connection: local
 platforms:
-  - name: localhost
+    - name: localhost
 provisioner:
-  name: ansible
+    name: ansible
-  config_options:
+    config_options:
-    defaults:
+        defaults:
-      interpreter_python: auto_silent
+            interpreter_python: auto_silent
-      callbacks_enabled: profile_tasks, timer
+            callbacks_enabled: profile_tasks, timer
 lint: |
-  set -e
+    set -e
-  yamllint .
+    yamllint .
-  ansible-lint
+    ansible-lint
-  flake8
+    flake8
 verifier:
-  name: ansible
+    name: ansible
--- a/molecule/wsl/verify.yml
+++ b/molecule/wsl/verify.yml
@ -4,10 +4,10 @@
  gather_facts: false
  vars:
-    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+      role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
  tasks:
-    - name: "Include verify tasks"
+      - name: "Include verify tasks"
-      ansible.builtin.include_role:
+        ansible.builtin.include_role:
-        name: "{{ role_name }}"
+            name: "{{ role_name }}"
-        tasks_from: verify
+            tasks_from: verify
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@ -9,7 +9,6 @@ benchmark_version: '1.0.0'
 # If run via script this is discovered and set
 host_os_distribution: {{ ansible_distribution | lower }}
 #  timeout for each command to run where set - default = 10seconds/10000ms
 timeout_ms: 60000
@ -127,7 +126,6 @@ rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }}
 # Ensure system-wide crypto policy is not legacy
 rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }}
 # section 2
 # Services
 # 2.1 Time Synchronization
@ -191,7 +189,6 @@ rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }}
 rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }}
 rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }}
 #  Section 4 rules
 # 4.1 Configure System Accounting
 rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }}
@ -265,7 +262,6 @@ rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }}
 # 4.3 Logrotate
 rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }}
 # Section 5
 #  Authentication and Authorization
 # 5.1 Configure time-based job schedulers
@ -450,7 +446,6 @@ rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }}
 rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }}
 rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }}
 # Section 4
 ## Set if host is a logserver
@ -486,7 +481,6 @@ rhel9cis_authselect:
  custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }}
  default_file_to_copy: {{ rhel9cis_authselect['default_file_to_copy'] }}
 ## 5.4.1 Enable automation to create custom profile settings, using the setings above
 rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }}
--- a/templates/etc/dconf/db/00-screensaver.j2
+++ b/templates/etc/dconf/db/00-screensaver.j2
@ -2,7 +2,6 @@
 # Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC
 # Specify the dconf path
 [org/gnome/desktop/session]
--- a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
@ -1,8 +1,7 @@
 ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
 {% if rhel9cis_rule_1_5_3 %}
 # Kernel sysctl
 # CIS 1.5.3
 kernel.randomize_va_space = 2
-{% endif %}
+{% endif %}