Merge pull request #37 from ansible-lockdown/auditd_improvements

Auditd improvements, workflow updates Oracle Support
2023-03-10 16:19:17 +00:00 · 2023-03-10 16:19:17 +00:00 · cd66d451db
commit cd66d451db
parent a58e3ff0d6 0a863c5848
34 changed files with 150 additions and 108 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,9 +1,12 @@
+---
+
 parseable: true
 quiet: true
 skip_list:
    - 'schema'
    - 'no-changed-when'
    - 'var-spacing'
+    - 'fqcn-builtins'
    - 'experimental'
    - 'name[play]'
    - 'name[casing]'
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/linux_benchmark_testing.yml
@ -87,13 +87,6 @@ jobs:
        run: sleep 60s
        shell: bash

-# Set up requirements for random root password CIS 5.6.6
-      - name: add urandom passwd to root account
-        shell: bash
-        working-directory: .github/workflows
-        run: |
-         ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b --private-key .ssh/github_actions.pem
-
 # Run the ansible playbook
      - name: Run_Ansible_Playbook
        uses: arillso/action.playbook@master
--- a/.github/workflows/main.tf
+++ b/.github/workflows/main.tf
@ -77,8 +77,8 @@ resource "local_file" "inventory" {
        setup_audit: true
        run_audit: true
        system_is_ec2: true
-        audit_git_version: devel
        skip_reboot: false
+        rhel9cis_rule_5_6_6: false  # skip root passwd check and keys only
    EOF
 }

--- a/.yamllint
+++ b/.yamllint
@ -1,29 +1,31 @@
 ---
-ignore: |
-  tests/
-  molecule/
-  .github/
-  .gitlab-ci.yml
-  *molecule.yml
-
 extends: default

+ignore: |
+    tests/
+    molecule/
+    .github/
+    .gitlab-ci.yml
+    *molecule.yml
+
 rules:
-  braces:
-    max-spaces-inside: 1
-    level: error
-  brackets:
-    max-spaces-inside: 1
-    level: error
-  indentation:
-    indent-sequences: consistent
-    level: error
-  line-length: disable
-  key-duplicates: enable
-  new-line-at-end-of-file: enable
-  new-lines:
-    type: unix
-  trailing-spaces: enable
-  truthy:
-    allowed-values: ['true', 'false']
-    check-keys: true
+    indentation:
+        # Requiring 4 space indentation
+        spaces: 4
+        # Requiring consistent indentation within a file, either indented or not
+        indent-sequences: consistent
+    braces:
+        max-spaces-inside: 1
+        level: error
+    brackets:
+        max-spaces-inside: 1
+        level: error
+    line-length: disable
+    key-duplicates: enable
+    new-line-at-end-of-file: enable
+    new-lines:
+        type: unix
+    trailing-spaces: enable
+    truthy:
+        allowed-values: ['true', 'false']
+        check-keys: false
--- a/Changelog.md
+++ b/Changelog.md
@ -1,5 +1,15 @@
 # Changes to rhel9CIS

+## 1.0.3
+
+Update to auditd components improve idempotency and tidy up
+Added a warning to check diff if any changes to template file (if template file exists) else its new.
+workflow update to remove the urandom update
+skip 5.6.6 root password check
+variable naming
+OracleLinux support added
+#38 journald restart amendment thanks to @bdwyertech
+
 ## 1.0.2

 thanks to @smatterchew
@ -7,6 +17,7 @@ thanks to @smatterchew

 thanks to @I-am-MoS
 #34 create user.cfg if not present
+
 Aligned benchmark audit version with remediate release

 ## 1.0.1
--- a/README.md
+++ b/README.md
@ -36,6 +36,7 @@ To use release version please point to main branch
 RHEL 9
 Almalinux 9
 Rocky 9
+OracleLinux 9

 ansible 2.10
 jmespath
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -464,9 +464,9 @@ rhel9cis_ftp_client: false

 ## Section3 vars
 ## Sysctl
-sysctl_update: false
-flush_ipv4_route: false
-flush_ipv6_route: false
+rhel9cis_sysctl_update: false
+rhel9cis_flush_ipv4_route: false
+rhel9cis_flush_ipv6_route: false

 ### Firewall Service - either firewalld, iptables, or nftables
 #### Some control allow for services to be removed or masked
@ -512,7 +512,7 @@ rhel9cis_max_log_file_size: 10
 update_audit_template: false

 ## Advanced option found in auditd post
-allow_auditd_uid_user_exclusions: false
+rhel9cis_allow_auditd_uid_user_exclusions: false


 # This can be used to configure other keys in auditd.conf
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -13,7 +13,7 @@
      sysctl_set: true
  ignore_errors: true  # noqa ignore-errors
  when:
-      - flush_ipv4_route
+      - rhel9cis_flush_ipv4_route
      - not system_is_container

 - name: Sysctl flush ipv6 route table
@ -22,13 +22,13 @@
      value: '1'
      sysctl_set: true
  when:
-      - flush_ipv6_route
+      - rhel9cis_flush_ipv6_route
      - not system_is_container

 - name: Systemd restart tmp.mount
  ansible.builtin.systemd:
      name: tmp.mount
-      daemon_Reload: true
+      daemon_reload: true
      enabled: true
      masked: false
      state: Reloaded
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@ -1,8 +1,9 @@
 ---
+
 - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
  ansible.builtin.stat:
      path: /etc/audit/rules.d/99_auditd.rules
-  register: auditd_file
+  register: rhel9cis_auditd_file

 - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file
  ansible.builtin.template:
@ -11,17 +12,25 @@
      owner: root
      group: root
      mode: 0640
-  diff: "{{ auditd_file.stat.exists }}"  # Only run diff if not a new file
-  register: audit_rules_updated
+  diff: "{{ rhel9cis_auditd_file.stat.exists }}"  # Only run diff if not a new file
+  register: rhel9cis_auditd_template_updated
  notify:
      - Auditd immutable check
      - Audit immutable fact
      - Restart auditd

+- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count  # noqa: no-handler
+  ansible.builtin.import_tasks: warning_facts.yml
+  vars:
+      warn_control_id: 'Auditd template updated, see diff output for details'
+  when:
+      - rhel9cis_auditd_template_updated.changed
+      - rhel9cis_auditd_file.stat.exists
+
 - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
  ansible.builtin.stat:
      path: /etc/audit/rules.d/98_auditd_exceptions.rules
-  register: auditd_exception_file
+  register: rhel9cis_auditd_exception_file

 - name: POST | Set up auditd user logging exceptions | setup file
  ansible.builtin.template:
@ -30,8 +39,8 @@
      owner: root
      group: root
      mode: 0640
-  diff: "{{ auditd_exception_file.stat.exists }}"
+  diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}"
  notify: Restart auditd
  when:
-      - allow_auditd_uid_user_exclusions
+      - rhel9cis_allow_auditd_uid_user_exclusions
      - rhel9cis_auditd_uid_exclude | length > 0
--- a/tasks/post.yml
+++ b/tasks/post.yml
@ -1,13 +1,13 @@
 ---
 # Post tasks

- name: Gather the package facts after remediation
+- name: POST | Gather the package facts after remediation
  ansible.builtin.package_facts:
      manager: auto
  tags:
      - always

- name: Update sysctl
+- name: POST | Update sysctl
  ansible.builtin.template:
      src: "etc/sysctl.d/{{ item }}.j2"
      dest: "/etc/sysctl.d/{{ item }}"
@ -22,7 +22,7 @@
      - 60-netipv4_sysctl.conf
      - 60-netipv6_sysctl.conf
  when:
-      - sysctl_update
+      - rhel9cis_sysctl_update
      - not system_is_container
      - "'procps-ng' in ansible_facts.packages"

--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -120,11 +120,12 @@

 - name: "PRELIM | Update to latest gpg keys"
  ansible.builtin.package:
-      name: "{{ ansible_distribution | lower }}-gpg-keys"
+      name: "{{ gpg_key_package }}"
      state: latest
  when:
      - rhel9cis_rule_1_2_4
      - ansible_distribution != 'RedHat'
+      - ansible_distribution != 'OracleLinux'

 - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
  ansible.builtin.package:
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@ -112,6 +112,7 @@
  when:
      - rhel9cis_rule_1_2_4
      - not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat'
+      - ansible_distribution != 'OracleLinux'
  tags:
      - level1-server
      - level1-workstation
--- a/tasks/section_1/cis_1.3.x.yml
+++ b/tasks/section_1/cis_1.3.x.yml
@ -57,7 +57,7 @@
 - name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
  ansible.builtin.blockinfile:
      path: /etc/aide.conf
-      marker: "# {mark} Audit tools (CIS - Ansible)"
+      marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown"
      block: |
        /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
        /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -28,7 +28,7 @@
            mode: "{{ item.mode }}"
            state: touch
            modification_time: preserve
-            acess_time: preserve
+            access_time: preserve
        loop:
            - { path: 'grub.cfg', mode: '0700' }
            - { path: 'grubenv', mode: '0600' }
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@ -33,7 +33,7 @@
  block:
      - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true

      - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
        ansible.builtin.debug:
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -6,8 +6,8 @@
  block:
      - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv6_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv6_route: true

      - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
        ansible.builtin.debug:
--- a/tasks/section_3/cis_3.2.x.yml
+++ b/tasks/section_3/cis_3.2.x.yml
@ -4,8 +4,8 @@
  block:
      - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv4_route: true

      - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
        ansible.builtin.debug:
@ -15,7 +15,7 @@
        block:
            - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
              ansible.builtin.set_fact:
-                  flush_ipv6_route: true
+                  rhel9cis_flush_ipv6_route: true

            - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
              ansible.builtin.debug:
@ -36,8 +36,8 @@
  block:
      - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv4_route: true
      - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled"
        ansible.builtin.debug:
            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@ -4,8 +4,8 @@
  block:
      - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv4_route: true
      - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4"
        ansible.builtin.debug:
            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
@ -14,7 +14,7 @@
        block:
            - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact"
              ansible.builtin.set_fact:
-                  flush_ipv6_route: true
+                  rhel9cis_flush_ipv6_route: true

            - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6"
              ansible.builtin.debug:
@ -33,8 +33,8 @@
  block:
      - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv4_route: true

      - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4"
        ansible.builtin.debug:
@ -44,7 +44,7 @@
        block:
            - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
              ansible.builtin.set_fact:
-                  flush_ipv6_route: true
+                  rhel9cis_flush_ipv6_route: true

            - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
              ansible.builtin.debug:
@ -63,8 +63,8 @@
  block:
      - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv4_route: true

      - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
        ansible.builtin.debug:
@ -82,8 +82,8 @@
  block:
      - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv4_route: true

      - name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
        ansible.builtin.debug:
@ -101,8 +101,8 @@
  block:
      - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv4_route: true

      - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
        ansible.builtin.debug:
@ -120,8 +120,8 @@
  block:
      - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv4_route: true

      - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
        ansible.builtin.debug:
@ -139,8 +139,8 @@
  block:
      - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv4_route: true

      - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
        ansible.builtin.debug:
@ -158,8 +158,8 @@
  block:
      - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv4_route: true

      - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
        ansible.builtin.debug:
@ -177,8 +177,8 @@
  block:
      - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
-            flush_ipv6_route: true
+            rhel9cis_sysctl_update: true
+            rhel9cis_flush_ipv6_route: true

      - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6"
        ansible.builtin.debug:
--- a/tasks/section_4/cis_4.1.4.x.yml
+++ b/tasks/section_4/cis_4.1.4.x.yml
@ -8,16 +8,22 @@
  block:
      - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file"
        ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
-        register: audit_logfile
        changed_when: false
+        register: audit_discovered_logfile
+
+      - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file"
+        ansible.builtin.stat:
+            path: "{{ audit_discovered_logfile.stdout }}"
+        changed_when: false
+        register: auditd_logfile

      - name: |
            "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
            "4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
            "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
        ansible.builtin.file:
-            path: "{{ audit_logfile.stdout }}"
-            mode: 0640
+            path: "{{ audit_discovered_logfile.stdout }}"
+            mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}"
            owner: root
            group: root
  when:
@ -37,12 +43,12 @@
  block:
      - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions"
        ansible.builtin.stat:
-            path: "{{ audit_logfile.stdout | dirname }}"
+            path: "{{ audit_discovered_logfile.stdout | dirname }}"
        register: auditlog_dir

      - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set"
        ansible.builtin.file:
-            path: "{{ audit_logfile.stdout | dirname }}"
+            path: "{{ audit_discovered_logfile.stdout | dirname }}"
            state: directory
            mode: 0750
        when: not auditlog_dir.stat.mode is match('07(0|5)0')
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ b/tasks/section_4/cis_4.2.1.x.yml
@ -75,7 +75,7 @@
      - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting"
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
-            marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)"
+            marker: "# {mark} MAIL LOG SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # mail logging additions to meet CIS standards
              mail.*                                                  -/var/log/mail
@ -90,7 +90,7 @@
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
            state: present
-            marker: "# {mark} NEWS LOG SETTINGS (ANSIBLE MANAGED)"
+            marker: "# {mark} NEWS LOG SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # news logging additions to meet CIS standards
              news.crit                                               -/var/log/news/news.crit
@ -103,7 +103,7 @@
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
            state: present
-            marker: "# {mark} MISC. LOG SETTINGS (ANSIBLE MANAGED)"
+            marker: "# {mark} MISC. LOG SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # misc. logging additions to meet CIS standards
              *.=warning;*.=err                                        -/var/log/warn
@ -117,7 +117,7 @@
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
            state: present
-            marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)"
+            marker: "#{mark} LOCAL LOG SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # local log settings to meet CIS standards
              local0,local1.*                                          -/var/log/localmessages
@ -132,7 +132,7 @@
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
            state: present
-            marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)"
+            marker: "#{mark} Auth SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # Private settings to meet CIS standards
              auth,authpriv.*                                           /var/log/secure
@ -143,7 +143,7 @@
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
            state: present
-            marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)"
+            marker: "#{mark} Cron SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # Cron settings to meet CIS standards
              cron.*                                                   /var/log/cron
--- a/tasks/section_4/cis_4.2.2.x.yml
+++ b/tasks/section_4/cis_4.2.2.x.yml
@ -19,7 +19,7 @@
      path: /etc/systemd/journal-upload.conf
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
-  notify: Restart systemd_journal_upload
+  notify: Restart journald
  loop:
      - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'}
      - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'}
@ -106,7 +106,7 @@
      path: /etc/systemd/journald.conf
      regexp: "^#Compress=|^Compress="
      line: Compress=yes
-  notify: Restart systemd_journal_upload
+  notify: Restart journald
  when:
      - rhel9cis_rule_4_2_2_3
  tags:
@ -121,7 +121,7 @@
      path: /etc/systemd/journald.conf
      regexp: "^#Storage=|^Storage="
      line: Storage=persistent
-  notify: Restart systemd_journal_upload
+  notify: Restart journald
  when:
      - rhel9cis_rule_4_2_2_4
  tags:
@ -137,7 +137,7 @@
      path: /etc/systemd/journald.conf
      regexp: "^ForwardToSyslog="
      line: "#ForwardToSyslog=yes"
-  notify: Restart systemd_journal_upload
+  notify: Restart journald
  when:
      - rhel9cis_rule_4_2_2_5
  tags:
@ -153,7 +153,7 @@
      path: /etc/systemd/journald.conf
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
-  notify: Restart systemd_journal_upload
+  notify: Restart journald
  loop:
      - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'}
      - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' }
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@ -48,7 +48,7 @@
  ansible.builtin.blockinfile:
      path: "{{ item.path }}"
      state: "{{ item.state }}"
-      marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED"
+      marker: "# {mark} - CIS benchmark - Ansible-lockdown"
      create: true
      mode: 0644
      block: |
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
@ -1,7 +1,10 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+## Ansible controlled file
+# Added as part of ansible-lockdown CIS baseline 
+# provided by MindPointGroup LLC
+### YOUR CHANGES WILL BE LOST!

 # This file contains users whose actions are not logged by auditd
-{% if allow_auditd_uid_user_exclusions %} 
+{% if rhel9cis_allow_auditd_uid_user_exclusions %} 
 {% for user in rhel9cis_auditd_uid_exclude %}
 -a never,user -F uid!={{ user }} -F auid!={{ user }}
 {% endfor %}
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -1,4 +1,7 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+## Ansible controlled file
+# Added as part of ansible-lockdown CIS baseline 
+# provided by MindPointGroup LLC
+### YOUR CHANGES WILL BE LOST!

 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually
 {% if rhel9cis_rule_4_1_3_1 %}
--- a/templates/etc/cron.d/aide.cron.j2
+++ b/templates/etc/cron.d/aide.cron.j2
@ -1,5 +1,8 @@
 # Run AIDE integrity check 
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+## Ansible controlled file
+# Added as part of ansible-lockdown CIS baseline 
+# provided by MindPointGroup LLC
+### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2

 {{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }}
--- a/templates/etc/dconf/db/00-automount_lock.j2
+++ b/templates/etc/dconf/db/00-automount_lock.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC

 # Lock desktop media-handling automount setting
--- a/templates/etc/dconf/db/00-autorun_lock.j2
+++ b/templates/etc/dconf/db/00-autorun_lock.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC

 # Lock desktop media-handling settings 
--- a/templates/etc/dconf/db/00-media-automount.j2
+++ b/templates/etc/dconf/db/00-media-automount.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC

 [org/gnome/desktop/media-handling]
--- a/templates/etc/dconf/db/00-media-autorun.j2
+++ b/templates/etc/dconf/db/00-media-autorun.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC

 [org/gnome/desktop/media-handling]
--- a/templates/etc/dconf/db/00-screensaver.j2
+++ b/templates/etc/dconf/db/00-screensaver.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC


--- a/templates/etc/dconf/db/00-screensaver_lock.j2
+++ b/templates/etc/dconf/db/00-screensaver_lock.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC

 # Lock desktop screensaver idle-delay setting
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC

 [org/gnome/login-screen]
--- a/vars/OracleLinux.yml
+++ b/vars/OracleLinux.yml
@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
+os_gpg_key_pubkey_content: "Oracle Linux (release key 1) <secalert_us@oracle.com>"
--- a/vars/main.yml
+++ b/vars/main.yml
@ -10,3 +10,5 @@ rhel9cis_allowed_crypto_policies:
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
+
+gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys"