Merge pull request #267 from ansible-lockdown/devel

CIS v1.0.0 final release to main
2024-12-19 15:07:56 +00:00 · 2024-12-19 15:07:56 +00:00 · ef2b7dca5d
commit ef2b7dca5d
parent 81a929961a f0ae9ea692
15 changed files with 23 additions and 16 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -43,7 +43,7 @@ repos:
    args: ['--baseline-path', '.config/.gitleaks-report.json']
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.10.0
+  rev: v24.12.2
  hooks:
  - id: ansible-lint
    name: Ansible-lint
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
+Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -98,8 +98,15 @@
  when:
      - auditd_immutable_check.stdout == '1'
- name: Restart auditd
+- name: Stop auditd process
-  ansible.builtin.shell: service auditd restart
+  ansible.builtin.shell: systemctl kill auditd
  listen: Restart auditd
 - name: Start auditd process
  ansible.builtin.systemd_service:
      name: auditd
      state: started
  listen: Restart auditd
 - name: Change_requires_reboot
  ansible.builtin.set_fact:
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@ -23,7 +23,7 @@
  ansible.builtin.import_tasks:
      file: warning_facts.yml
  vars:
-      warn_control_id: 'Auditd template updated, see diff output for details'
+      warn_control_id: 'Auditd template updated, validate as expected'
  when:
      - rhel9cis_auditd_template_updated.changed
      - rhel9cis_auditd_file.stat.exists
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@ -18,7 +18,7 @@
 - name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled"
  ansible.builtin.lineinfile:
      path: /etc/systemd/coredump.conf
-      regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$'
+      regexp: '^ProcessSizeMax\s*=\s*.*[1-9].*'
      line: 'ProcessSizeMax=0'
  when:
      - rhel9cis_rule_1_5_2
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # This file contains users whose actions are not logged by auditd
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually
--- a/templates/etc/cron.d/aide.cron.j2
+++ b/templates/etc/cron.d/aide.cron.j2
@ -1,7 +1,7 @@
 # Run AIDE integrity check
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
--- a/templates/etc/dconf/db/00-automount_lock.j2
+++ b/templates/etc/dconf/db/00-automount_lock.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 # Lock desktop media-handling automount setting
 /org/gnome/desktop/media-handling/automount
--- a/templates/etc/dconf/db/00-autorun_lock.j2
+++ b/templates/etc/dconf/db/00-autorun_lock.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 # Lock desktop media-handling settings
 /org/gnome/desktop/media-handling/autorun-never
--- a/templates/etc/dconf/db/00-media-automount.j2
+++ b/templates/etc/dconf/db/00-media-automount.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 [org/gnome/desktop/media-handling]
 automount=false
--- a/templates/etc/dconf/db/00-media-autorun.j2
+++ b/templates/etc/dconf/db/00-media-autorun.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 [org/gnome/desktop/media-handling]
 autorun-never=true
--- a/templates/etc/dconf/db/00-screensaver.j2
+++ b/templates/etc/dconf/db/00-screensaver.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 # Specify the dconf path
 [org/gnome/desktop/session]
--- a/templates/etc/dconf/db/00-screensaver_lock.j2
+++ b/templates/etc/dconf/db/00-screensaver_lock.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 # Lock desktop screensaver idle-delay setting
 /org/gnome/desktop/session/idle-delay
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 [org/gnome/login-screen]
 banner-message-enable=true