Merge pull request #37 from ansible-lockdown/auditd_improvements

Auditd improvements, workflow updates Oracle Support
2023-03-10 16:19:17 +00:00 · 2023-03-10 16:19:17 +00:00 · cd66d451db
commit cd66d451db
parent a58e3ff0d6 0a863c5848
34 changed files with 150 additions and 108 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,9 +1,12 @@
 ---
 parseable: true
 quiet: true
 skip_list:
    - 'schema'
    - 'no-changed-when'
    - 'var-spacing'
    - 'fqcn-builtins'
    - 'experimental'
    - 'name[play]'
    - 'name[casing]'
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/linux_benchmark_testing.yml
@ -87,13 +87,6 @@ jobs:
        run: sleep 60s
        shell: bash
 # Set up requirements for random root password CIS 5.6.6
      - name: add urandom passwd to root account
        shell: bash
        working-directory: .github/workflows
        run: |
         ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b --private-key .ssh/github_actions.pem
 # Run the ansible playbook
      - name: Run_Ansible_Playbook
        uses: arillso/action.playbook@master
--- a/.github/workflows/main.tf
+++ b/.github/workflows/main.tf
@ -77,8 +77,8 @@ resource "local_file" "inventory" {
        setup_audit: true
        run_audit: true
        system_is_ec2: true
        audit_git_version: devel
        skip_reboot: false
        rhel9cis_rule_5_6_6: false  # skip root passwd check and keys only
    EOF
 }
--- a/.yamllint
+++ b/.yamllint
@ -1,29 +1,31 @@
 ---
 ignore: |
  tests/
  molecule/
  .github/
  .gitlab-ci.yml
  *molecule.yml
 extends: default
 ignore: |
    tests/
    molecule/
    .github/
    .gitlab-ci.yml
    *molecule.yml
 rules:
-  braces:
+    indentation:
-    max-spaces-inside: 1
+        # Requiring 4 space indentation
-    level: error
+        spaces: 4
-  brackets:
+        # Requiring consistent indentation within a file, either indented or not
-    max-spaces-inside: 1
+        indent-sequences: consistent
-    level: error
+    braces:
-  indentation:
+        max-spaces-inside: 1
-    indent-sequences: consistent
+        level: error
-    level: error
+    brackets:
-  line-length: disable
+        max-spaces-inside: 1
-  key-duplicates: enable
+        level: error
-  new-line-at-end-of-file: enable
+    line-length: disable
-  new-lines:
+    key-duplicates: enable
-    type: unix
+    new-line-at-end-of-file: enable
-  trailing-spaces: enable
+    new-lines:
-  truthy:
+        type: unix
-    allowed-values: ['true', 'false']
+    trailing-spaces: enable
-    check-keys: true
+    truthy:
        allowed-values: ['true', 'false']
        check-keys: false
--- a/Changelog.md
+++ b/Changelog.md
@ -1,5 +1,15 @@
 # Changes to rhel9CIS
 ## 1.0.3
 Update to auditd components improve idempotency and tidy up
 Added a warning to check diff if any changes to template file (if template file exists) else its new.
 workflow update to remove the urandom update
 skip 5.6.6 root password check
 variable naming
 OracleLinux support added
 #38 journald restart amendment thanks to @bdwyertech
 ## 1.0.2
 thanks to @smatterchew
@ -7,6 +17,7 @@ thanks to @smatterchew
 thanks to @I-am-MoS
 #34 create user.cfg if not present
 Aligned benchmark audit version with remediate release
 ## 1.0.1
--- a/README.md
+++ b/README.md
@ -36,6 +36,7 @@ To use release version please point to main branch
 RHEL 9
 Almalinux 9
 Rocky 9
 OracleLinux 9
 ansible 2.10
 jmespath
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -464,9 +464,9 @@ rhel9cis_ftp_client: false
 ## Section3 vars
 ## Sysctl
-sysctl_update: false
+rhel9cis_sysctl_update: false
-flush_ipv4_route: false
+rhel9cis_flush_ipv4_route: false
-flush_ipv6_route: false
+rhel9cis_flush_ipv6_route: false
 ### Firewall Service - either firewalld, iptables, or nftables
 #### Some control allow for services to be removed or masked
@ -512,7 +512,7 @@ rhel9cis_max_log_file_size: 10
 update_audit_template: false
 ## Advanced option found in auditd post
-allow_auditd_uid_user_exclusions: false
+rhel9cis_allow_auditd_uid_user_exclusions: false
 # This can be used to configure other keys in auditd.conf
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -13,7 +13,7 @@
      sysctl_set: true
  ignore_errors: true  # noqa ignore-errors
  when:
-      - flush_ipv4_route
+      - rhel9cis_flush_ipv4_route
      - not system_is_container
 - name: Sysctl flush ipv6 route table
@ -22,13 +22,13 @@
      value: '1'
      sysctl_set: true
  when:
-      - flush_ipv6_route
+      - rhel9cis_flush_ipv6_route
      - not system_is_container
 - name: Systemd restart tmp.mount
  ansible.builtin.systemd:
      name: tmp.mount
-      daemon_Reload: true
+      daemon_reload: true
      enabled: true
      masked: false
      state: Reloaded
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@ -1,8 +1,9 @@
 ---
 - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
  ansible.builtin.stat:
      path: /etc/audit/rules.d/99_auditd.rules
-  register: auditd_file
+  register: rhel9cis_auditd_file
 - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file
  ansible.builtin.template:
@ -11,17 +12,25 @@
      owner: root
      group: root
      mode: 0640
-  diff: "{{ auditd_file.stat.exists }}"  # Only run diff if not a new file
+  diff: "{{ rhel9cis_auditd_file.stat.exists }}"  # Only run diff if not a new file
-  register: audit_rules_updated
+  register: rhel9cis_auditd_template_updated
  notify:
      - Auditd immutable check
      - Audit immutable fact
      - Restart auditd
 - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count  # noqa: no-handler
  ansible.builtin.import_tasks: warning_facts.yml
  vars:
      warn_control_id: 'Auditd template updated, see diff output for details'
  when:
      - rhel9cis_auditd_template_updated.changed
      - rhel9cis_auditd_file.stat.exists
 - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
  ansible.builtin.stat:
      path: /etc/audit/rules.d/98_auditd_exceptions.rules
-  register: auditd_exception_file
+  register: rhel9cis_auditd_exception_file
 - name: POST | Set up auditd user logging exceptions | setup file
  ansible.builtin.template:
@ -30,8 +39,8 @@
      owner: root
      group: root
      mode: 0640
-  diff: "{{ auditd_exception_file.stat.exists }}"
+  diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}"
  notify: Restart auditd
  when:
-      - allow_auditd_uid_user_exclusions
+      - rhel9cis_allow_auditd_uid_user_exclusions
      - rhel9cis_auditd_uid_exclude | length > 0
--- a/tasks/post.yml
+++ b/tasks/post.yml
@ -1,13 +1,13 @@
 ---
 # Post tasks
- name: Gather the package facts after remediation
+- name: POST | Gather the package facts after remediation
  ansible.builtin.package_facts:
      manager: auto
  tags:
      - always
- name: Update sysctl
+- name: POST | Update sysctl
  ansible.builtin.template:
      src: "etc/sysctl.d/{{ item }}.j2"
      dest: "/etc/sysctl.d/{{ item }}"
@ -22,7 +22,7 @@
      - 60-netipv4_sysctl.conf
      - 60-netipv6_sysctl.conf
  when:
-      - sysctl_update
+      - rhel9cis_sysctl_update
      - not system_is_container
      - "'procps-ng' in ansible_facts.packages"
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -120,11 +120,12 @@
 - name: "PRELIM | Update to latest gpg keys"
  ansible.builtin.package:
-      name: "{{ ansible_distribution | lower }}-gpg-keys"
+      name: "{{ gpg_key_package }}"
      state: latest
  when:
      - rhel9cis_rule_1_2_4
      - ansible_distribution != 'RedHat'
      - ansible_distribution != 'OracleLinux'
 - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
  ansible.builtin.package:
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@ -112,6 +112,7 @@
  when:
      - rhel9cis_rule_1_2_4
      - not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat'
      - ansible_distribution != 'OracleLinux'
  tags:
      - level1-server
      - level1-workstation
--- a/tasks/section_1/cis_1.3.x.yml
+++ b/tasks/section_1/cis_1.3.x.yml
@ -57,7 +57,7 @@
 - name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
  ansible.builtin.blockinfile:
      path: /etc/aide.conf
-      marker: "# {mark} Audit tools (CIS - Ansible)"
+      marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown"
      block: |
        /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
        /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -28,7 +28,7 @@
            mode: "{{ item.mode }}"
            state: touch
            modification_time: preserve
-            acess_time: preserve
+            access_time: preserve
        loop:
            - { path: 'grub.cfg', mode: '0700' }
            - { path: 'grubenv', mode: '0600' }
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@ -33,7 +33,7 @@
  block:
      - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
      - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
        ansible.builtin.debug:
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -6,8 +6,8 @@
  block:
      - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv6_route: true
+            rhel9cis_flush_ipv6_route: true
      - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
        ansible.builtin.debug:
--- a/tasks/section_3/cis_3.2.x.yml
+++ b/tasks/section_3/cis_3.2.x.yml
@ -4,8 +4,8 @@
  block:
      - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
      - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding"
        ansible.builtin.debug:
@ -15,7 +15,7 @@
        block:
            - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact"
              ansible.builtin.set_fact:
-                  flush_ipv6_route: true
+                  rhel9cis_flush_ipv6_route: true
            - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding"
              ansible.builtin.debug:
@ -36,8 +36,8 @@
  block:
      - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
      - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled"
        ansible.builtin.debug:
            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@ -4,8 +4,8 @@
  block:
      - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
      - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4"
        ansible.builtin.debug:
            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
@ -14,7 +14,7 @@
        block:
            - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact"
              ansible.builtin.set_fact:
-                  flush_ipv6_route: true
+                  rhel9cis_flush_ipv6_route: true
            - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6"
              ansible.builtin.debug:
@ -33,8 +33,8 @@
  block:
      - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
      - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4"
        ansible.builtin.debug:
@ -44,7 +44,7 @@
        block:
            - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact"
              ansible.builtin.set_fact:
-                  flush_ipv6_route: true
+                  rhel9cis_flush_ipv6_route: true
            - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6"
              ansible.builtin.debug:
@ -63,8 +63,8 @@
  block:
      - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
      - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
        ansible.builtin.debug:
@ -82,8 +82,8 @@
  block:
      - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
      - name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
        ansible.builtin.debug:
@ -101,8 +101,8 @@
  block:
      - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
      - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
        ansible.builtin.debug:
@ -120,8 +120,8 @@
  block:
      - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
      - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
        ansible.builtin.debug:
@ -139,8 +139,8 @@
  block:
      - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
      - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
        ansible.builtin.debug:
@ -158,8 +158,8 @@
  block:
      - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv4_route: true
+            rhel9cis_flush_ipv4_route: true
      - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
        ansible.builtin.debug:
@ -177,8 +177,8 @@
  block:
      - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact"
        ansible.builtin.set_fact:
-            sysctl_update: true
+            rhel9cis_sysctl_update: true
-            flush_ipv6_route: true
+            rhel9cis_flush_ipv6_route: true
      - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6"
        ansible.builtin.debug:
--- a/tasks/section_4/cis_4.1.4.x.yml
+++ b/tasks/section_4/cis_4.1.4.x.yml
@ -8,16 +8,22 @@
  block:
      - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file"
        ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
        register: audit_logfile
        changed_when: false
        register: audit_discovered_logfile
      - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file"
        ansible.builtin.stat:
            path: "{{ audit_discovered_logfile.stdout }}"
        changed_when: false
        register: auditd_logfile
      - name: |
            "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
            "4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
            "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
        ansible.builtin.file:
-            path: "{{ audit_logfile.stdout }}"
+            path: "{{ audit_discovered_logfile.stdout }}"
-            mode: 0640
+            mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}"
            owner: root
            group: root
  when:
@ -37,12 +43,12 @@
  block:
      - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions"
        ansible.builtin.stat:
-            path: "{{ audit_logfile.stdout | dirname }}"
+            path: "{{ audit_discovered_logfile.stdout | dirname }}"
        register: auditlog_dir
      - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set"
        ansible.builtin.file:
-            path: "{{ audit_logfile.stdout | dirname }}"
+            path: "{{ audit_discovered_logfile.stdout | dirname }}"
            state: directory
            mode: 0750
        when: not auditlog_dir.stat.mode is match('07(0|5)0')
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ b/tasks/section_4/cis_4.2.1.x.yml
@ -75,7 +75,7 @@
      - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting"
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
-            marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)"
+            marker: "# {mark} MAIL LOG SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # mail logging additions to meet CIS standards
              mail.*                                                  -/var/log/mail
@ -90,7 +90,7 @@
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
            state: present
-            marker: "# {mark} NEWS LOG SETTINGS (ANSIBLE MANAGED)"
+            marker: "# {mark} NEWS LOG SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # news logging additions to meet CIS standards
              news.crit                                               -/var/log/news/news.crit
@ -103,7 +103,7 @@
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
            state: present
-            marker: "# {mark} MISC. LOG SETTINGS (ANSIBLE MANAGED)"
+            marker: "# {mark} MISC. LOG SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # misc. logging additions to meet CIS standards
              *.=warning;*.=err                                        -/var/log/warn
@ -117,7 +117,7 @@
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
            state: present
-            marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)"
+            marker: "#{mark} LOCAL LOG SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # local log settings to meet CIS standards
              local0,local1.*                                          -/var/log/localmessages
@ -132,7 +132,7 @@
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
            state: present
-            marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)"
+            marker: "#{mark} Auth SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # Private settings to meet CIS standards
              auth,authpriv.*                                           /var/log/secure
@ -143,7 +143,7 @@
        ansible.builtin.blockinfile:
            path: /etc/rsyslog.conf
            state: present
-            marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)"
+            marker: "#{mark} Cron SETTINGS - CIS benchmark - Ansible-lockdown"
            block: |
              # Cron settings to meet CIS standards
              cron.*                                                   /var/log/cron
--- a/tasks/section_4/cis_4.2.2.x.yml
+++ b/tasks/section_4/cis_4.2.2.x.yml
@ -19,7 +19,7 @@
      path: /etc/systemd/journal-upload.conf
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
-  notify: Restart systemd_journal_upload
+  notify: Restart journald
  loop:
      - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'}
      - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'}
@ -106,7 +106,7 @@
      path: /etc/systemd/journald.conf
      regexp: "^#Compress=|^Compress="
      line: Compress=yes
-  notify: Restart systemd_journal_upload
+  notify: Restart journald
  when:
      - rhel9cis_rule_4_2_2_3
  tags:
@ -121,7 +121,7 @@
      path: /etc/systemd/journald.conf
      regexp: "^#Storage=|^Storage="
      line: Storage=persistent
-  notify: Restart systemd_journal_upload
+  notify: Restart journald
  when:
      - rhel9cis_rule_4_2_2_4
  tags:
@ -137,7 +137,7 @@
      path: /etc/systemd/journald.conf
      regexp: "^ForwardToSyslog="
      line: "#ForwardToSyslog=yes"
-  notify: Restart systemd_journal_upload
+  notify: Restart journald
  when:
      - rhel9cis_rule_4_2_2_5
  tags:
@ -153,7 +153,7 @@
      path: /etc/systemd/journald.conf
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
-  notify: Restart systemd_journal_upload
+  notify: Restart journald
  loop:
      - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'}
      - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' }
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@ -48,7 +48,7 @@
  ansible.builtin.blockinfile:
      path: "{{ item.path }}"
      state: "{{ item.state }}"
-      marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED"
+      marker: "# {mark} - CIS benchmark - Ansible-lockdown"
      create: true
      mode: 0644
      block: |
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
@ -1,7 +1,10 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC
 ### YOUR CHANGES WILL BE LOST!
 # This file contains users whose actions are not logged by auditd
-{% if allow_auditd_uid_user_exclusions %} 
+{% if rhel9cis_allow_auditd_uid_user_exclusions %} 
 {% for user in rhel9cis_auditd_uid_exclude %}
 -a never,user -F uid!={{ user }} -F auid!={{ user }}
 {% endfor %}
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -1,4 +1,7 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC
 ### YOUR CHANGES WILL BE LOST!
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually
 {% if rhel9cis_rule_4_1_3_1 %}
--- a/templates/etc/cron.d/aide.cron.j2
+++ b/templates/etc/cron.d/aide.cron.j2
@ -1,5 +1,8 @@
 # Run AIDE integrity check 
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
 {{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }}
--- a/templates/etc/dconf/db/00-automount_lock.j2
+++ b/templates/etc/dconf/db/00-automount_lock.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC
 # Lock desktop media-handling automount setting
--- a/templates/etc/dconf/db/00-autorun_lock.j2
+++ b/templates/etc/dconf/db/00-autorun_lock.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC
 # Lock desktop media-handling settings 
--- a/templates/etc/dconf/db/00-media-automount.j2
+++ b/templates/etc/dconf/db/00-media-automount.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC
 [org/gnome/desktop/media-handling]
--- a/templates/etc/dconf/db/00-media-autorun.j2
+++ b/templates/etc/dconf/db/00-media-autorun.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC
 [org/gnome/desktop/media-handling]
--- a/templates/etc/dconf/db/00-screensaver.j2
+++ b/templates/etc/dconf/db/00-screensaver.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC
--- a/templates/etc/dconf/db/00-screensaver_lock.j2
+++ b/templates/etc/dconf/db/00-screensaver_lock.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC
 # Lock desktop screensaver idle-delay setting
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of CIS
+# Added as part of ansible-lockdown CIS baseline 
 # provided by MindPointGroup LLC
 [org/gnome/login-screen]
--- a/vars/OracleLinux.yml
+++ b/vars/OracleLinux.yml
@ -0,0 +1,4 @@
 ---
 # OS Specific Settings
 os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
 os_gpg_key_pubkey_content: "Oracle Linux (release key 1) <secalert_us@oracle.com>"
--- a/vars/main.yml
+++ b/vars/main.yml
@ -10,3 +10,5 @@ rhel9cis_allowed_crypto_policies:
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
 gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys"