From 52a293e9a12a3fb3dbd77fab14600fdbc21eb9dd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:25:32 +0000 Subject: [PATCH 01/26] removed register Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index f2dd122..07e73d2 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -1,4 +1,5 @@ --- + - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/99_auditd.rules @@ -12,7 +13,6 @@ group: root mode: 0640 diff: "{{ auditd_file.stat.exists }}" # Only run diff if not a new file - register: audit_rules_updated notify: - Auditd immutable check - Audit immutable fact From e0a490e1d54f1af0453e3a3d58ae7344e86080ec Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:25:45 +0000 Subject: [PATCH 02/26] Added POST to name Signed-off-by: Mark Bolwell --- tasks/post.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index 3a2426e..591cfda 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -1,13 +1,13 @@ --- # Post tasks -- name: Gather the package facts after remediation +- name: POST | Gather the package facts after remediation ansible.builtin.package_facts: manager: auto tags: - always -- name: Update sysctl +- name: POST | Update sysctl ansible.builtin.template: src: "etc/sysctl.d/{{ item }}.j2" dest: "/etc/sysctl.d/{{ item }}" From 969ee917ba3d96f2d519f8554118cb6609c67802 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:26:15 +0000 Subject: [PATCH 03/26] #36 thanks to @fahadysf Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 7f0e71a..ec27fa6 100644 --- a/tasks/section_1/cis_1.4.x.yml 
+++ b/tasks/section_1/cis_1.4.x.yml @@ -28,7 +28,7 @@ mode: "{{ item.mode }}" state: touch modification_time: preserve - acess_time: preserve + access_time: preserve loop: - { path: 'grub.cfg', mode: '0700' } - { path: 'grubenv', mode: '0600' } From 7459f1d44586dc69c412b7dd304b39eec38352c2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:26:34 +0000 Subject: [PATCH 04/26] idempontency improvements Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 9eb2bd5..5e9ee73 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -8,7 +8,13 @@ block: - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file" ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' - register: audit_logfile + register: audit_discovered_logfile + changed_when: false + + - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file" + ansible.builtin.stat: + path: "{{ audit_discovered_logfile.stdout }}" + register: auditd_logfile changed_when: false - name: | @@ -16,8 +22,8 @@ "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: - path: "{{ audit_logfile.stdout }}" - mode: 0640 + path: "{{ audit_discovered_logfile.stdout }}" + mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}" owner: root group: root when: 
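Review bot: The new `mode:` line in the combined 4.1.4.1–4.1.4.3 task renders an empty string whenever the log file is already 0600, and for every other current mode it forces 0640 — so a file that is already tighter than 0640 (0400, 0440, 0000) is widened back to 0640, which is the opposite of "0640 or less permissive", while the empty-string case hands `ansible.builtin.file` a mode it is unlikely to accept. A symbolic mode only strips bits and is idempotent on its own, without the Jinja conditional: `mode: 'u-x,g-wx,o-rwx'`. The `stat` registered in the previous hunk also leaves `auditd_logfile.stat.mode` undefined when the log file does not exist yet, so add `- auditd_logfile.stat.exists` to this task's `when:`, whose list continues outside the hunk.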
@@ -37,12 +43,12 @@ block: - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions" ansible.builtin.stat: - path: "{{ audit_logfile.stdout | dirname }}" + path: "{{ audit_discovered_logfile.stdout | dirname }}" register: auditlog_dir - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set" ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" + path: "{{ audit_discovered_logfile.stdout | dirname }}" state: directory mode: 0750 when: not auditlog_dir.stat.mode is match('07(0|5)0') From c119a8074f40c28bf25a83e25021569afc720311 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:39:07 +0000 Subject: [PATCH 05/26] removed urandom work Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 991470e..8d26a35 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,13 +87,6 @@ jobs: run: sleep 60s shell: bash -# Set up requirements for random root password CIS 5.6.6 - - name: add urandom passwd to root account - shell: bash - working-directory: .github/workflows - run: | - ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b --private-key .ssh/github_actions.pem - # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master From 13705f1d121a6af2e51fcb6122b5839f86591074 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:39:21 +0000 Subject: [PATCH 06/26] added skip to 5.6.6 root passwd check Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index dad096f..735646e 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -79,6 +79,7 @@ resource "local_file" "inventory" { system_is_ec2: true audit_git_version: devel skip_reboot: false + rhel9cis_rule_5_6_6: false # skip root passwd check and keys only EOF } From f6b3e9b9e27ed1797b8ee3c014edc07c449ddc45 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 27 Feb 2023 17:49:40 +0000 Subject: [PATCH 07/26] moved to default audit version Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 735646e..516d5cc 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -77,7 +77,6 @@ resource "local_file" "inventory" { setup_audit: true run_audit: true system_is_ec2: true - audit_git_version: devel skip_reboot: false rhel9cis_rule_5_6_6: false # skip root passwd check and keys only EOF From 0ab1bdd120bf2186779fbc58482be63c1cc089e4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 08:01:57 +0000 Subject: [PATCH 08/26] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog.md b/Changelog.md index ba1933c..8f94881 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,11 @@ # Changes to rhel9CIS +## 1.0.3 + +Update to auditd components improve idempotency and tidy up +workflow update to remove the urandom update +skip 5.6.6 root password check + ## 1.0.2 thanks to @smatterchew @@ -7,6 +13,7 @@ thanks to @smatterchew thanks to @I-am-MoS #34 create user.cfg if not present + Aligned benchmark audit version with remediate release ## 1.0.1 From 37f0eec4d4de7490f45f1aab9f8b28f155d89d64 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Feb 2023 14:28:48 +0000 Subject: [PATCH 09/26] Added audit template change warn control 
Signed-off-by: Mark Bolwell --- Changelog.md | 1 + tasks/auditd.yml | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/Changelog.md b/Changelog.md index 8f94881..4e65f04 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,7 @@ ## 1.0.3 Update to auditd components improve idempotency and tidy up +Added a warning to check diff if any changes to template file (if template file exists) else its new. workflow update to remove the urandom update skip 5.6.6 root password check diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 07e73d2..cc0f622 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -13,11 +13,20 @@ group: root mode: 0640 diff: "{{ auditd_file.stat.exists }}" # Only run diff if not a new file + register: auditd_template_updated notify: - Auditd immutable check - Audit immutable fact - Restart auditd +- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa: no-handler + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'Auditd_template_updated-see-diff-output' + when: + - auditd_template_updated.changed + - auditd_file.stat.exists + - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/98_auditd_exceptions.rules From b88dca6954c24a62a82ee296ecc737ca7cc61777 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Mar 2023 09:10:39 +0000 Subject: [PATCH 10/26] updated warning for template updated Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index cc0f622..1768aa1 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
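Review bot: The condition `auditd_template_updated.changed` on the imported warning task reads the result attribute directly; the idiomatic form is the Jinja test, `- auditd_template_updated is changed`, which also evaluates to false rather than erroring if the registered result is ever absent. The `# noqa: no-handler` on the task name is the right call if the warning count has to be raised within the same run, but that reasoning is not stated anywhere — a short comment such as `# Not a handler: the warning must be recorded in this run, not deferred to handler flush` would save the next reader the question. The remainder of tasks/auditd.yml is outside the hunk.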
@@ -22,7 +22,7 @@ - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa: no-handler ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'Auditd_template_updated-see-diff-output' + warn_control_id: 'Auditd template updated, see diff output for details' when: - auditd_template_updated.changed - auditd_file.stat.exists From 58d3bb4e41d70a92fa4187820b16939c4ffd284f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Mar 2023 09:17:38 +0000 Subject: [PATCH 11/26] updated var naming Signed-off-by: Mark Bolwell --- defaults/main.yml | 8 ++-- tasks/auditd.yml | 2 +- tasks/section_1/cis_1.5.x.yml | 2 +- tasks/section_3/cis_3.1.x.yml | 4 +- tasks/section_3/cis_3.2.x.yml | 10 ++--- tasks/section_3/cis_3.3.x.yml | 40 ++++++++++---------- templates/audit/98_auditd_exception.rules.j2 | 2 +- 7 files changed, 34 insertions(+), 34 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4a95eaf..fb188b0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -464,9 +464,9 @@ rhel9cis_ftp_client: false ## Section3 vars ## Sysctl -sysctl_update: false -flush_ipv4_route: false -flush_ipv6_route: false +rhel9cis_sysctl_update: false +rhel9cis_flush_ipv4_route: false +rhel9cis_flush_ipv6_route: false ### Firewall Service - either firewalld, iptables, or nftables #### Some control allow for services to be removed or masked @@ -512,7 +512,7 @@ rhel9cis_max_log_file_size: 10 update_audit_template: false ## Advanced option found in auditd post -allow_auditd_uid_user_exclusions: false +rhel9cis_allow_auditd_uid_user_exclusions: false # This can be used to configure other keys in auditd.conf diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 1768aa1..2a2eb9c 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
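Review bot: `warn_control_id` now contains spaces and a comma, while vars/main.yml (visible in a later patch on this page) declares `warn_control_list` as a plain string — if warning_facts.yml builds that string by concatenation and the summary later splits it on whitespace or commas, this single warning will be reported as several entries. warning_facts.yml is not in view, so this is worth confirming; if the list is space-joined, keep the id token-shaped, e.g. `warn_control_id: 'Auditd_template_updated-see-diff-output'`, and put the human-readable wording in the task name instead.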
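Review bot: The rename drops the un-prefixed `sysctl_update`, `flush_ipv4_route`, `flush_ipv6_route` and `allow_auditd_uid_user_exclusions` with no fallback, so an inventory that still sets any of them keeps parsing but is silently ignored; `update_audit_template` in the second hunk is left un-prefixed, so the file is still not consistent after this change. The first three are role-internal flags set by `set_fact` in the task files, so documenting the rename in the Changelog (it currently says only "variable naming") and prefixing `update_audit_template` in the same commit is enough for them; for the user-facing exclusion switch a transitional default such as `rhel9cis_allow_auditd_uid_user_exclusions: "{{ allow_auditd_uid_user_exclusions | default(false) }}"` keeps existing inventories behaving as before.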
@@ -42,5 +42,5 @@ diff: "{{ auditd_exception_file.stat.exists }}" notify: Restart auditd when: - - allow_auditd_uid_user_exclusions + - rhel9cis_allow_auditd_uid_user_exclusions - rhel9cis_auditd_uid_exclude | length > 0 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 443bfc1..3f80647 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -33,7 +33,7 @@ block: - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" ansible.builtin.set_fact: - sysctl_update: true + rhel9cis_sysctl_update: true - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" ansible.builtin.debug: diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index e972ae2..7ffe31c 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -6,8 +6,8 @@ block: - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv6_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv6_route: true - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" ansible.builtin.debug: diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 56e47f7..cc5567f 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -4,8 +4,8 @@ block: - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" ansible.builtin.debug: 
@@ -15,7 +15,7 @@ block: - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" ansible.builtin.set_fact: - flush_ipv6_route: true + rhel9cis_flush_ipv6_route: true - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" ansible.builtin.debug: @@ -36,8 +36,8 @@ block: - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 84363e7..e8f3a5f 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -4,8 +4,8 @@ block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" @@ -14,7 +14,7 @@ block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact" ansible.builtin.set_fact: - flush_ipv6_route: true + rhel9cis_flush_ipv6_route: true - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" ansible.builtin.debug: 
@@ -33,8 +33,8 @@ block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4" ansible.builtin.debug: @@ -44,7 +44,7 @@ block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" ansible.builtin.set_fact: - flush_ipv6_route: true + rhel9cis_flush_ipv6_route: true - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" ansible.builtin.debug: @@ -63,8 +63,8 @@ block: - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" ansible.builtin.debug: @@ -82,8 +82,8 @@ block: - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" ansible.builtin.debug: @@ -101,8 +101,8 @@ block: - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" ansible.builtin.debug: @@ -120,8 +120,8 @@ block: - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" ansible.builtin.debug: 
@@ -139,8 +139,8 @@ block: - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" ansible.builtin.debug: @@ -158,8 +158,8 @@ block: - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv4_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv4_route: true - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" ansible.builtin.debug: @@ -177,8 +177,8 @@ block: - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact" ansible.builtin.set_fact: - sysctl_update: true - flush_ipv6_route: true + rhel9cis_sysctl_update: true + rhel9cis_flush_ipv6_route: true - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6" ansible.builtin.debug: diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index d8a0b8d..5602632 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,7 +1,7 @@ ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd -{% if allow_auditd_uid_user_exclusions %} +{% if rhel9cis_allow_auditd_uid_user_exclusions %} {% for user in rhel9cis_auditd_uid_exclude %} -a never,user -F uid!={{ user }} -F auid!={{ user }} {% endfor %} From 03e4b0e57ff13b1847cfef6aa968422fcf5877c4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Mar 2023 10:17:37 +0000 Subject: [PATCH 12/26] variable naming Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ++-- tasks/auditd.yml | 14 +++++++------- tasks/post.yml | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) 
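Review bot: The rule body that the renamed `{% if %}` now guards looks inverted relative to the header comment "users whose actions are not logged": `-a never,user -F uid!={{ user }} -F auid!={{ user }}` makes the `never` action apply to every uid except the listed one, so the listed user is the only one still logged on the user filter, and with two or more users listed every event matches at least one of the generated lines and is dropped. If the intent is to suppress the listed users, the fields should be equality matches, e.g. `-a never,user -F auid={{ user }}` (one rule per field if both uid and auid are wanted). This line predates the rename and is not what the commit changes, so confirm the intended semantics against auditctl(8) before altering it.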
diff --git a/handlers/main.yml b/handlers/main.yml index 212eacc..552d29f 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -13,7 +13,7 @@ sysctl_set: true ignore_errors: true # noqa ignore-errors when: - - flush_ipv4_route + - rhel9cis_flush_ipv4_route - not system_is_container - name: Sysctl flush ipv6 route table @@ -22,7 +22,7 @@ value: '1' sysctl_set: true when: - - flush_ipv6_route + - rhel9cis_flush_ipv6_route - not system_is_container - name: Systemd restart tmp.mount diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 2a2eb9c..486ef31 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -3,7 +3,7 @@ - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/99_auditd.rules - register: auditd_file + register: rhel9cis_auditd_file - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file ansible.builtin.template: @@ -12,8 +12,8 @@ owner: root group: root mode: 0640 - diff: "{{ auditd_file.stat.exists }}" # Only run diff if not a new file - register: auditd_template_updated + diff: "{{ rhel9cis_auditd_file.stat.exists }}" # Only run diff if not a new file + register: rhel9cis_auditd_template_updated notify: - Auditd immutable check - Audit immutable fact @@ -24,13 +24,13 @@ vars: warn_control_id: 'Auditd template updated, see diff output for details' when: - - auditd_template_updated.changed - - auditd_file.stat.exists + - rhel9cis_auditd_template_updated.changed + - rhel9cis_auditd_file.stat.exists - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/98_auditd_exceptions.rules - register: auditd_exception_file + register: rhel9cis_auditd_exception_file - name: POST | Set up auditd user logging exceptions | setup file ansible.builtin.template: 
@@ -39,7 +39,7 @@ owner: root group: root mode: 0640 - diff: "{{ auditd_exception_file.stat.exists }}" + diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}" notify: Restart auditd when: - rhel9cis_allow_auditd_uid_user_exclusions diff --git a/tasks/post.yml b/tasks/post.yml index 591cfda..8e8fea7 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -22,7 +22,7 @@ - 60-netipv4_sysctl.conf - 60-netipv6_sysctl.conf when: - - sysctl_update + - rhel9cis_sysctl_update - not system_is_container - "'procps-ng' in ansible_facts.packages" From a307da2ab201f7f1041bb087f572a1869e52b723 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Mar 2023 10:17:46 +0000 Subject: [PATCH 13/26] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 4e65f04..11a8fba 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,6 +6,7 @@ Update to auditd components improve idempotency and tidy up Added a warning to check diff if any changes to template file (if template file exists) else its new. workflow update to remove the urandom update skip 5.6.6 root password check +variable naming ## 1.0.2 From c061a35b317f1dd069eeea8a6e933379f597bc4a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 11:21:08 +0000 Subject: [PATCH 14/26] created new gpg_key_package variable Signed-off-by: Mark Bolwell --- vars/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vars/main.yml b/vars/main.yml index 9815eea..edc6c7d 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -10,3 +10,5 @@ rhel9cis_allowed_crypto_policies: # Used to control warning summary warn_control_list: "" warn_count: 0 + +gpg_key_package: "{{ ansible_distribution | lower )-gpg-keys }}" From 3de7cd2f56a45799a425236bb94d70790525cfae Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 11:21:33 +0000 Subject: [PATCH 15/26] use new variable gpg_key_variable 
Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 97e9e99..e674fb6 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -120,11 +120,12 @@ - name: "PRELIM | Update to latest gpg keys" ansible.builtin.package: - name: "{{ ansible_distribution | lower }}-gpg-keys" + name: "{{ gpg_key_package }}" state: latest when: - rhel9cis_rule_1_2_4 - ansible_distribution != 'RedHat' + - ansible_distribution != 'OracleLinux' - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: From e04da88df42da0108d489f359513c574fbe5c87a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 11:22:08 +0000 Subject: [PATCH 16/26] Added OracleLinux support Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 1 + vars/OracleLinux.yml | 4 ++++ 2 files changed, 5 insertions(+) create mode 100644 vars/OracleLinux.yml diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 452c009..2501732 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -112,6 +112,7 @@ when: - rhel9cis_rule_1_2_4 - not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat' + - ansible_distribution != 'OracleLinux' tags: - level1-server - level1-workstation diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml new file mode 100644 index 0000000..d916178 --- /dev/null +++ b/vars/OracleLinux.yml @@ -0,0 +1,4 @@ +--- +# OS Specific Settings +os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec +os_gpg_key_pubkey_content: "Oracle Linux (release key 1) " From 58122f2fee3d416f38ebc83d4b7c58869d042f9e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 11:51:41 +0000 Subject: [PATCH 17/26] updated layout Signed-off-by: Mark Bolwell --- .ansible-lint | 3 +++ .yamllint | 52 ++++++++++++++++++++++++++------------------------- 2 files changed, 30 insertions(+), 25 deletions(-) 
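Review bot: The `when:` list on "PRELIM | Update to latest gpg keys" now grows by one distribution exclusion per supported OS, and the same exclusion is duplicated in tasks/section_1/cis_1.2.x.yml in the next patch; since vars/OracleLinux.yml is being introduced anyway, the cleaner shape is to define `gpg_key_package` in each per-distribution vars file (not in vars/main.yml, where inventory cannot override it) and gate the task with `- gpg_key_package is defined`, so an OS without a keys package is skipped without editing two task files. `state: latest` also upgrades the package on every run where a newer build exists — the task's stated intent, but this prelim step presumably runs before section 1 has enforced gpgcheck, so a one-line comment on why that ordering is acceptable would help. The task's remaining lines are outside the hunk.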
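Review bot: `os_gpg_key_pubkey_name` identifies the Oracle key only by the rpm pseudo-package name (32-bit short key id `8d8b756f` plus creation date), and `os_gpg_key_pubkey_content` as shown here ends in a trailing space after the closing parenthesis, which suggests the `<email>` part of the key's user id was lost — if the consuming check compares this string against `rpm -q gpg-pubkey` output it would never match. Verify both values on a real OL9 host (`rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'`) and record the key's full fingerprint in a comment beside them, e.g. `# full fingerprint: <40-hex fingerprint taken from Oracle's published OL9 release key>`, so a reviewer can confirm it against the vendor's published key rather than a short id. How these two variables are consumed is not visible on this page.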
diff --git a/.ansible-lint b/.ansible-lint index e582a58..964eb05 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,9 +1,12 @@ +--- + parseable: true quiet: true skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' + - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' diff --git a/.yamllint b/.yamllint index 4823010..3af111e 100644 --- a/.yamllint +++ b/.yamllint @@ -1,29 +1,31 @@ --- -ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml - extends: default +ignore: | + tests/ + molecule/ + .github/ + .gitlab-ci.yml + *molecule.yml + rules: - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - indentation: - indent-sequences: consistent - level: error - line-length: disable - key-duplicates: enable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: true + indentation: + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: false From 5984829b471d63e40fa6da5a7ecca8caebe4c236 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 11:54:00 +0000 Subject: [PATCH 18/26] Oracle Support added Signed-off-by: Mark Bolwell --- Changelog.md | 1 + README.md | 1 + 2 files changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 11a8fba..8d509ba 100644 --- a/Changelog.md +++ b/Changelog.md 
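Review bot: Adding `fqcn-builtins` to `skip_list` disables a check the role already satisfies — every task visible in the other patches on this page uses `ansible.builtin.*` — so the skip only hides future regressions; if one file or line genuinely needs it, prefer a targeted `# noqa: fqcn-builtins` there. A one-line comment above each entry in `skip_list` saying why it is skipped would make the file self-explanatory, e.g. `# no-changed-when: shell-based discovery tasks set changed_when explicitly in the task files`.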
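Review bot: `truthy: check-keys: false` turns off the boolean-key check; the usual motivation is the `on:` key in GitHub workflow files, but `.github/` is already in this file's `ignore:` list, so the relaxation is not needed and would let a misspelt key such as `yes:` through in the role itself. Keep the previous value, `check-keys: true`. The new `indentation` block is fine; its comment could state the convention once, e.g. `# Role convention: 4-space indent, sequences indented under their parent key`.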
@@ -7,6 +7,7 @@ Added a warning to check diff if any changes to template file (if template file workflow update to remove the urandom update skip 5.6.6 root password check variable naming +OracleLinux support added ## 1.0.2 diff --git a/README.md b/README.md index 9513374..71e7636 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ To use release version please point to main branch RHEL 9 Almalinux 9 Rocky 9 +OracleLinux 9 ansible 2.10 jmespath From 5a928b4304336f749913fb0f7df93d0479fec0c6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Mar 2023 11:02:15 +0000 Subject: [PATCH 19/26] Issue #38 thanks to bdwyertech Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.2.x.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 72767a4..2c9355b 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -19,7 +19,7 @@ path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - notify: Restart systemd_journal_upload + notify: Restart journald loop: - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} @@ -106,7 +106,7 @@ path: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes - notify: Restart systemd_journal_upload + notify: Restart journald when: - rhel9cis_rule_4_2_2_3 tags: @@ -121,7 +121,7 @@ path: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent - notify: Restart systemd_journal_upload + notify: Restart journald when: - rhel9cis_rule_4_2_2_4 tags: @@ -137,7 +137,7 @@ path: /etc/systemd/journald.conf regexp: "^ForwardToSyslog=" line: "#ForwardToSyslog=yes" - notify: Restart systemd_journal_upload + notify: Restart journald when: - rhel9cis_rule_4_2_2_5 tags: 
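Review bot: The first hunk (line 19, the `lineinfile` on /etc/systemd/journal-upload.conf) now notifies `Restart journald`, but journald does not read journal-upload.conf — that file is consumed by systemd-journal-upload, so a changed `URL=` or `ServerKeyFile=` will not take effect until that unit is restarted. The other four hunks edit journald.conf, where `Restart journald` is the right handler; only the journal-upload task should keep its own, `notify: Restart systemd_journal_upload`, and if the problem in #38 was that this handler did not exist, the fix is to add it to handlers/main.yml rather than retarget the notify. The loop in that task continues outside the hunk.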
@@ -153,7 +153,7 @@ path: /etc/systemd/journald.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - notify: Restart systemd_journal_upload + notify: Restart journald loop: - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } From de2896ed73750d06ae96574558920caf57840af7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 7 Mar 2023 11:03:04 +0000 Subject: [PATCH 20/26] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 8d509ba..6933ff5 100644 --- a/Changelog.md +++ b/Changelog.md @@ -8,6 +8,7 @@ workflow update to remove the urandom update skip 5.6.6 root password check variable naming OracleLinux support added +#38 journald restart amendment thanks to @bdwyertech ## 1.0.2 From 599c6db3e145f3e8441f5ff9726fc72655739237 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 08:18:18 +0000 Subject: [PATCH 21/26] fix typo Signed-off-by: Mark Bolwell --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index edc6c7d..2a93184 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -11,4 +11,4 @@ rhel9cis_allowed_crypto_policies: warn_control_list: "" warn_count: 0 -gpg_key_package: "{{ ansible_distribution | lower )-gpg-keys }}" +gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys" From b170c4ac736ddb5d930db0c37a6f2f19f05d6e0e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 10:13:26 +0000 Subject: [PATCH 22/26] fix typo Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 552d29f..968e9e6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -28,7 +28,7 @@ - name: Systemd restart tmp.mount ansible.builtin.systemd: name: tmp.mount - daemon_Reload: true + daemon_reload: true enabled: true masked: false state: Reloaded From ebdb8b9129c2c271b8cd33d96fa0a547a092ba00 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 15:08:12 +0000 Subject: [PATCH 23/26] Updated layout Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 5e9ee73..ec3eebd 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -8,14 +8,14 @@ block: - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file" ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' - register: audit_discovered_logfile changed_when: false + register: audit_discovered_logfile - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file" ansible.builtin.stat: path: "{{ audit_discovered_logfile.stdout }}" - register: auditd_logfile changed_when: false + register: auditd_logfile - name: | "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" From 5e5174a5b0981585726191b392a9984efa760aa5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Mar 2023 15:19:35 +0000 Subject: [PATCH 24/26] updated marker Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.x.yml | 2 +- tasks/section_4/cis_4.2.1.x.yml | 12 ++++++------ tasks/section_5/cis_5.6.x.yml | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 2c61fc8..1275d86 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
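Review bot: The `daemon_reload` typo is fixed, but `state: Reloaded` on the last line of the hunk has the same kind of problem — `ansible.builtin.systemd` documents its `state` choices in lowercase (`reloaded`, `restarted`, `started`, `stopped`) and argument validation is case-sensitive, so as far as I can tell this handler still fails when it fires. Beyond the case, mount units generally do not support the reload job, so the handler's own name ("restart tmp.mount") suggests `state: restarted` is what is wanted; confirm with `systemctl reload tmp.mount` on a test host before changing it. The handler is complete within the hunk.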
@@ -57,7 +57,7 @@ - name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" ansible.builtin.blockinfile: path: /etc/aide.conf - marker: "# {mark} Audit tools (CIS - Ansible)" + marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" block: | /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 4eeb61d..10e0ac2 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -75,7 +75,7 @@ - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" ansible.builtin.blockinfile: path: /etc/rsyslog.conf - marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)" + marker: "# {mark} MAIL LOG SETTINGS - CIS benchmark - Ansible-lockdown" block: | # mail logging additions to meet CIS standards mail.* -/var/log/mail @@ -90,7 +90,7 @@ ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present - marker: "# {mark} NEWS LOG SETTINGS (ANSIBLE MANAGED)" + marker: "# {mark} NEWS LOG SETTINGS - CIS benchmark - Ansible-lockdown" block: | # news logging additions to meet CIS standards news.crit -/var/log/news/news.crit @@ -103,7 +103,7 @@ ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present - marker: "# {mark} MISC. LOG SETTINGS (ANSIBLE MANAGED)" + marker: "# {mark} MISC. LOG SETTINGS - CIS benchmark - Ansible-lockdown" block: | # misc. logging additions to meet CIS standards *.=warning;*.=err -/var/log/warn @@ -117,7 +117,7 @@ ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present - marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)" + marker: "#{mark} LOCAL LOG SETTINGS - CIS benchmark - Ansible-lockdown" block: | # local log settings to meet CIS standards local0,local1.* -/var/log/localmessages 
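Review bot: Changing `marker:` on an existing `blockinfile` breaks the upgrade path: hosts already remediated by an earlier release carry a block bounded by `# BEGIN Audit tools (CIS - Ansible)` / `# END Audit tools (CIS - Ansible)`, and the module only recognises its own markers, so the next run appends a second copy under the new marker and leaves the old one in place — duplicate aide.conf entries here, and in the rsyslog.conf hunks below duplicate selectors that can write each matching message twice. Either keep the old marker, or add a one-off migration task before each of these that removes the legacy block, e.g. `ansible.builtin.blockinfile: { path: /etc/aide.conf, marker: "# {mark} Audit tools (CIS - Ansible)", state: absent }`. The same applies to every marker changed in this patch (cis_4.2.1.x.yml, cis_5.6.x.yml); the affected tasks' bodies continue outside the hunks.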
@@ -132,7 +132,7 @@
 ansible.builtin.blockinfile:
 path: /etc/rsyslog.conf
 state: present
- marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)"
+ marker: "#{mark} Auth SETTINGS - CIS benchmark - Ansible-lockdown"
 block: |
 # Private settings to meet CIS standards
 auth,authpriv.* /var/log/secure
@@ -143,7 +143,7 @@
 ansible.builtin.blockinfile:
 path: /etc/rsyslog.conf
 state: present
- marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)"
+ marker: "#{mark} Cron SETTINGS - CIS benchmark - Ansible-lockdown"
 block: |
 # Cron settings to meet CIS standards
 cron.* /var/log/cron
diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml
index 349095a..adea221 100644
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@@ -48,7 +48,7 @@
 ansible.builtin.blockinfile:
 path: "{{ item.path }}"
 state: "{{ item.state }}"
- marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED"
+ marker: "# {mark} - CIS benchmark - Ansible-lockdown"
 create: true
 mode: 0644
 block: |
From 945fe54fe44364e589fd595ad49e307c6ad380f9 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Mar 2023 15:19:52 +0000
Subject: [PATCH 25/26] updated comments
Signed-off-by: Mark Bolwell
---
 templates/audit/98_auditd_exception.rules.j2 | 5 ++++-
 templates/audit/99_auditd.rules.j2 | 5 ++++-
 templates/etc/cron.d/aide.cron.j2 | 5 ++++-
 templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +-
 4 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2
index 5602632..2f76269 100644
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
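Review bot: The new marker `"# {mark} - CIS benchmark - Ansible-lockdown"` in the `cis_5.6.x.yml` hunk drops the `CIS 5.6.3` identifier, so unlike every other marker in this commit it no longer records which control wrote the block; with `path: "{{ item.path }}"` looping over several files, a reader of the target file cannot tell what owns it, and any later task that reuses this generic marker on the same file would silently take over the block. Suggest `marker: "# {mark} CIS 5.6.3 - CIS benchmark - Ansible-lockdown"`. Note also that loop items with `state: absent` only remove a block carrying the current marker, so a block left under the previous `CIS 5.6.3 ANSIBLE MANAGED` marker stays in place on already-hardened hosts. The loop and the block body lie outside the hunk.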
@@ -1,4 +1,7 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+## Ansible controlled file
+# Added as part of ansible-lockdown CIS baseline
+# provided by MindPointGroup LLC
+### YOUR CHANGES WILL BE LOST!
 # This file contains users whose actions are not logged by auditd
 {% if rhel9cis_allow_auditd_uid_user_exclusions %}
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index 050de20..c48782c 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -1,4 +1,7 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+## Ansible controlled file
+# Added as part of ansible-lockdown CIS baseline
+# provided by MindPointGroup LLC
+### YOUR CHANGES WILL BE LOST!
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually
 {% if rhel9cis_rule_4_1_3_1 %}
diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2
index 781fdd4..21270eb 100644
--- a/templates/etc/cron.d/aide.cron.j2
+++ b/templates/etc/cron.d/aide.cron.j2
@@ -1,5 +1,8 @@
 # Run AIDE integrity check
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+## Ansible controlled file
+# Added as part of ansible-lockdown CIS baseline
+# provided by MindPointGroup LLC
+### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
 {{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }}
diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
index f83a74a..73b4505 100644
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 [org/gnome/login-screen]
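Review bot: The unchanged cron line at the end of the `aide.cron.j2` hunk expands to only four time fields (`aide_minute`, `aide_hour`, `aide_month`, `aide_weekday`) before `aide_job`, and shows no user column; an entry in `/etc/cron.d` needs five time fields plus a user, so unless `aide_job` or the role defaults supply the missing day-of-month and user values, cron will reject the file and the AIDE integrity check this control relies on never runs. Worth confirming against the defaults; if they do not cover it, the line should expand a day-of-month value (say `aide_day`) between the hour and month fields and a user such as `root` before `{{ rhel9cis_aide_cron['aide_job'] }}`. The comment rewording itself is fine.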
From 0a863c5848fade6a7454e5af4fe1c62844627267 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Mar 2023 15:20:30 +0000
Subject: [PATCH 26/26] updated comments
Signed-off-by: Mark Bolwell
---
 templates/etc/dconf/db/00-automount_lock.j2 | 2 +-
 templates/etc/dconf/db/00-autorun_lock.j2 | 2 +-
 templates/etc/dconf/db/00-media-automount.j2 | 2 +-
 templates/etc/dconf/db/00-media-autorun.j2 | 2 +-
 templates/etc/dconf/db/00-screensaver.j2 | 2 +-
 templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2
index 3534474..d92c56b 100644
--- a/templates/etc/dconf/db/00-automount_lock.j2
+++ b/templates/etc/dconf/db/00-automount_lock.j2
@@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 # Lock desktop media-handling automount setting
diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2
index 04e23a5..503069c 100644
--- a/templates/etc/dconf/db/00-autorun_lock.j2
+++ b/templates/etc/dconf/db/00-autorun_lock.j2
@@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 # Lock desktop media-handling settings
diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2
index 227498e..32192c3 100644
--- a/templates/etc/dconf/db/00-media-automount.j2
+++ b/templates/etc/dconf/db/00-media-automount.j2
@@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 [org/gnome/desktop/media-handling]
diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2
index a8c297f..16ded9d 100644
--- a/templates/etc/dconf/db/00-media-autorun.j2
+++ b/templates/etc/dconf/db/00-media-autorun.j2
@@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 [org/gnome/desktop/media-handling]
diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2
index 5aa21c1..0b9f686 100644
--- a/templates/etc/dconf/db/00-screensaver.j2
+++ b/templates/etc/dconf/db/00-screensaver.j2
@@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2
index 5d5869f..fae6e82 100644
--- a/templates/etc/dconf/db/00-screensaver_lock.j2
+++ b/templates/etc/dconf/db/00-screensaver_lock.j2
@@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 # Lock desktop screensaver idle-delay setting