feat: become true for all tasks

Latest main release

.ansible-lint

@@ -1,9 +1,9 @@
 ---
 
-parseable: true
 quiet: true
 skip_list:
   - 'package-latest'
   - 'risky-shell-pipe'
+  - 'var-naming[read-only]'
 use_default_rules: true
 verbosity: 0

.github/workflows/add_repo_issue_to_gh_project.yml

@@ -14,4 +14,4 @@ jobs:
       - uses: actions/add-to-project@main
         with:
           project-url: https://github.com/orgs/ansible-lockdown/projects/1
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.ALD_GH_PROJECT }}

.github/workflows/export_badges_private.yml

@@ -12,8 +12,6 @@ on:
   push:
     branches:
       - latest
-  schedule:
-    - cron: '0 */6 * * *'
   workflow_dispatch:
 
 jobs:

.github/workflows/update_galaxy.yml

@@ -1,19 +0,0 @@
----
-
-    name: update galaxy
-
-    on:
-        push:
-            branches:
-                - main
-    jobs:
-        update_role:
-            runs-on: ubuntu-latest
-            steps:
-                - name: Checkout repo
-                  uses: actions/checkout@v4
-
-                - name: Action Ansible Galaxy Release ${{ github.ref_name }}
-                  uses: ansible-actions/ansible-galaxy-action@main
-                  with:
-                    galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}

.pre-commit-config.yaml

@@ -39,14 +39,16 @@ repos:
   rev: v1.5.0
   hooks:
   - id: detect-secrets
+    name: Detect Secrets test
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.28.0
+  rev: v8.30.0
   hooks:
   - id: gitleaks
+    name: Run Gitleaks test
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.9.2
+  rev: v26.1.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -65,7 +67,7 @@ repos:
     # - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.37.1  # or higher tag
+  rev: v1.38.0  # or higher tag
   hooks:
   - id: yamllint
     name: Check YAML Lint

.yamllint

@@ -1,4 +1,5 @@
 ---
+
 extends: default
 ignore: |
     tests/

CONTRIBUTING.rst

@@ -7,7 +7,7 @@ Rules
 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <joan.doe@email.com>) in the commit message (details in Signing section)
 3) All work is done in your own branch
 4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
-5) Be open and nice to eachother
+5) Be open and nice to each other
 
 Workflow
 --------

Changelog.md

@@ -1,8 +1,87 @@
-# Changes to rhel9CIS
+# Changes to RHEL9CIS
 
+## 2.0.5 - Based on CIS v2.0.0
+
+- QA Fixes
+- .j2 Branding Update
+- Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task
+- fixed spelling and grammar across defaults/main.yml, Changelog.md, README.md, tasks/main.yml, and vars/main.yml
+- Fixed incorrect product reference in vars/main.yml comment (ubtu24cis -> rhel9cis)
+- Fixed broken Changelog link in README.md (case mismatch)
+- Added var-naming[read-only] to ansible-lint skip list for molecule files
+- Bootloader password logic updated with salt and hash options
+- Added passlib dependency documentation for bootloader password hash
+- Updated company title
+- Tidied up comments and variables for bootloader password
+- Removed scheduled tasks
+- Fixed typo thanks to Eugene @Frequentis
+- Unused variable audit: wired up all unused variables, removed legacy references
+- Updated chrony template to use rhel9cis_chrony_server_makestep, rtcsync, and minsources variables instead of hardcoded values
+- Wired up rhel9cis_authselect_custom_profile_create toggle in authselect profile creation task
+- Fixed task 5.3.3.2.7/5.3.3.2.8 mislabeling: separated password quality enforce and root enforce into correct tasks
+- Wired up audit_capture_files_dir in audit_only workflow for file capture to control node
+- Clarified rhel9cis_root_unlock_time documentation for commented-out alternative usage
+- Removed legacy rhel9cis_rule_1_1_10 from molecule converge files and is_container.yml
+- Fixed wrong variable name rhel9cis_unowned_group to rhel9cis_ungrouped_group in tasks/section_7/cis_7.1.x.yml
+- Added rhel9cis_install_network_manager toggle to 3.1.2 wireless interfaces task
 
 ## 2.0.4 - Based on CIS v2.0.0
 
+addressed issue #419, thank you @aaronk1
+addressed issue #418 thank you @bbaassssiiee
+Added better sysctl logic to disable IPv6
+Added option to disable IPv6 via sysctl (original method) or via the kernel
+pre-commit updates
+public issue #410 thanks to @kpi-nourman
+public issue #413 thanks to @bbaassssiiee
+Public issues incorporated
+Workflow updates
+Pre-commit updates
+README latest versions
+Audit improvements and max-concurrent option added
+Benchmark version variable in audit template
+fixed typo thanks to @fragglexarmy #393
+fixed typo thanks to @trumbaut #397 & #399
+updated auditd template to be 2.19 compliant
+PR345 thanks to thulium-drake boot password hash - if used needs passlib module
+tidy up tags on tasks/main.yml
+
+## 2.0.3 - Based on CIS v2.0.0
+
+- Thank you @fragglexarmy
+  - addressed Public issue 387
+- Addressed Public issue 382 to improve regex logic on 5.4.2.4
+- Improvement on crypto policy managed controls with var logic
+- Thanks to @polski-g
+  - addressed issue 384
+- update command to shell module on tasks
+- Thanks to @numericillustration
+  - Public PR 380
+  - systemd_service rolled back to systemd for < ansible 2.14
+- Thanks to @bgro and @Kodebach
+  - Public PR 371
+  - updated to user sudo check 5.2.4
+- Thanks to @DianaMariaDDM
+  - Public PR 367
+  - updated several typos
+- Thanks to @polski-g
+  - Public PR 364
+  - gdm section 1.8 improvements
+- Thanks to @chrispipo
+  - Public PR 350
+  - change insert before for rsyslog setting
+- Thanks to @thesmilinglord
+  - public issue 377
+  - change 1.3 from include task to import for tagging
+- Thanks to @Fredouye
+  - public issue 372
+  - allow password with different locale
+
+## 2.0.4 - Based on CIS v2.0.0
+
+- addressed issue #419, thank you @aaronk1
+- addressed issue #418 thank you @bbaassssiiee
+- addressed issue #416 thank you @georgenalen and @bbaassssiiee
 - addressed issue #393 thank you to @fragglexarmy
 - addressed issue #394 thank you to @dbeuker
 - addressed issues #390 and #391 thanks to @polski-g
@@ -11,6 +90,9 @@
 - work flow updates
 - audit logic improvements
 - auditd template 2.19 compatible
+- pre-commit updates
+- #410 thanks to @kpi-nourman
+- #413 thanks to @bbaassssiiee
 
 ## 2.0.3 - Based on CIS v2.0.0
 - addressed issue #387, thank you @fragglexarmy
@@ -59,7 +141,7 @@
   - updated controls 6.2.10-6.2.14
 - audit
   - steps moved to prelim
-  - update to coipy and archive logic and variables
+  - update to copy and archive logic and variables
 - removed vars not used
 - updated quotes used in mode tasks
 - pre-commit update
@@ -93,7 +175,7 @@
 - lint updates
 - .secrets updated
 - file mode quoted
-- updated 5.6.5 thansk to feedback from S!ghs on discord community
+- updated 5.6.5 thanks to feedback from S!ghs on discord community
 
 ## 1.1.1 - Based on CIS v1.0.0
 
@@ -125,7 +207,7 @@
 ## 1.0.10
 
 - [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72)
-  - Only run check when paybook user not a superuser
+  - Only run check when playbook user not a superuser
 - fix for 5.5.3 thanks to @nrg-fv
 
 ## 1.0.9
@@ -197,7 +279,7 @@ Jan-2023 release
 
 - updated ansible minimum to 2.10
 - Lint file updates and improvements
-- auditd now shows diff ater initial template added
+- auditd now shows diff after initial template added
 - many control rewritten
 - Many controls moved ID references
 - Audit updates aligned
@@ -222,7 +304,7 @@ Jan-2023 release
 - #209 5.6.5 rewrite umask settings
 - #220 tidy up and align variables
 - #226 Thanks to Thulium-Drake
-  -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required fopr auditd to run correctly in some cases)
+  -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required for auditd to run correctly in some cases)
 
 - #227 thanks to OscarElits
   - chrony files now RH expected locations
@@ -262,9 +344,9 @@ Jan-2023 release
 - not all controls work with rhel8 releases any longer
   - selinux disabled 1.6.1.4
   - logrotate - 4.3.x
-- updated to rhel8cis v2.0 benchamrk requirements
+- updated to rhel8cis v2.0 benchmark requirements
 - removed iptables firewall controls (not valid on rhel9)
-- added more to logrotate 4.3.x - sure to logrotate now a seperate package
+- added more to logrotate 4.3.x - sure to logrotate now a separate package
 - grub path now standard to /boot/grub2/grub.cfg
 - 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer
 - workflow update
@@ -283,7 +365,7 @@ args:
 ```
 
 - update boolean values to true/false
-- 3.4.2 improved checks for p[ackage presence
+- 3.4.2 improved checks for package presence
 - changed to assert for OS/release and ansible version
 
 ## Initial

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
+Copyright (c) 2026 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -19,7 +19,6 @@
 
 ## Lint & Pre-Commit Tools 🔧
 
-[![Pre-Commit.ci](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/RHEL9-CIS/pre-commit-ci.json)](https://results.pre-commit.ci/latest/github/ansible-lockdown/RHEL9-CIS/devel)
 ![YamlLint](https://img.shields.io/badge/yamllint-Present-brightgreen?style=flat&logo=yaml&logoColor=white)
 ![Ansible-Lint](https://img.shields.io/badge/ansible--lint-Present-brightgreen?style=flat&logo=ansible&logoColor=white)
 
@@ -49,7 +48,6 @@
 ![Private Benchmark Version](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/benchmark-version.json)
 
 [![Private Remediate Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/remediate.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation.yml)
-[![Private GPO Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/gpo.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation_gpo.yml)
 
 ![Private Pull Requests](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/prs.json)
 ![Private Closed Issues](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/issues-closed.json)
@@ -58,9 +56,9 @@
 
 ## Looking for support? 🤝
 
-[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RHEL9-CIS)
+[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9-CIS)
 
-[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RHEL9-CIS)
+[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9-CIS)
 
 ### Community 💬
 
@@ -86,10 +84,10 @@ This role **will make changes to the system** which may have unintended conseque
 
 ## Coming From A Previous Release ⏪
 
-CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release.
+CIS release always contains changes, it is highly recommended to review the new references and available variables. These have changed significantly since ansible-lockdown initial release.
 This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly.
 
-Further details can be seen in the [Changelog](./ChangeLog.md)
+Further details can be seen in the [Changelog](./Changelog.md)
 
 ---
 
@@ -103,7 +101,7 @@ This is managed using tags:
 - level2-server
 - level2-workstation
 
-The control found in defaults main also need to reflect this as this control the testing that takes place if you are using the audit component.
+The controls found in defaults/main.yml also need to reflect this, as they control the testing that takes place if you are using the audit component.
 
 ---
 ## Requirements ✅
@@ -130,6 +128,9 @@ RHEL Family OS 9
 - python-def
 - libselinux-python
 
+If you are using the option to create your own bootloader hash the ansible controller
+-  passlib
+
 ---
 
 ## Auditing 🔍

defaults/main.yml

@@ -1,5 +1,6 @@
 ---
-# defaults file for rhel9-cis
+
+# defaults file for RHEL9-CIS
 # WARNING:
 # These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here:
 # https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
@@ -63,7 +64,7 @@ benchmark: RHEL9-CIS
 # System will reboot if false, can give better audit results
 skip_reboot: true
 
-# default value will change to true but wont reboot if not enabled but will error
+# default value will change to true but won't reboot if not enabled but will error
 change_requires_reboot: false
 
 ###
@@ -93,17 +94,11 @@ audit_max_concurrent: 50
 
 ## Only run Audit do not remediate
 audit_only: false
-### As part of audit_only ###
-# Path to copy the files to will create dir structure in audit_only mode
-audit_capture_files_dir: /some/location to copy to on control node
 #############################
 
-## How to retrieve audit binary(Goss)
-# Options are 'copy' or 'download' - detailed settings at the bottom of this file
-# - if 'copy':
-#    - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss
-# - if 'download':
-#    - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars
+# How to retrieve audit binary
+# Options are copy or download - detailed settings at the bottom of this file
+# you will need access to either github or the file already downloaded
 get_audit_binary_method: download
 
 ## if get_audit_binary_method - copy the following needs to be updated for your environment
@@ -257,9 +252,8 @@ rhel9cis_rule_1_8_8: true
 rhel9cis_rule_1_8_9: true
 rhel9cis_rule_1_8_10: true
 
-## Section 2 Fixes
 # Section 2 rules are controlling Services (Special Purpose Services, and service clients)
-# Configure Server Services
+## Configure Server Services
 rhel9cis_rule_2_1_1: true
 rhel9cis_rule_2_1_2: true
 rhel9cis_rule_2_1_3: true
@@ -400,7 +394,6 @@ rhel9cis_rule_5_3_3_2_4: true
 rhel9cis_rule_5_3_3_2_5: true
 rhel9cis_rule_5_3_3_2_6: true
 rhel9cis_rule_5_3_3_2_7: true
-rhel9cis_rule_5_3_3_2_8: true
 # 5.3.3.3 Configure pam_pwhistory module
 # These are added as part of 5.3.2.4 using jinja2 template
 rhel9cis_rule_5_3_3_3_1: true
@@ -539,7 +532,7 @@ rhel9cis_rule_7_2_9: true
 
 ## Ability to enable debug on mounts to assist in troubleshooting
 # Mount point changes are set based upon facts created in Prelim
-# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
+# these then build the variable and options that are passed to the handler to set the mount point for the controls in section1.
 rhel9cis_debug_mount_data: false
 
 ## Control 1.1.2
@@ -583,14 +576,33 @@ rhel9cis_selinux_pol: targeted
 rhel9cis_selinux_enforce: enforcing
 
 ## Control 1.4.1
-# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value
-# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
-# this format: 'grub.pbkdf2.sha512.<Rounds>.<Salt>.<Checksum>'
+# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
+rhel9cis_set_boot_pass: false
+
+################### bootloader password ############################################################
+#
+# Two options for setting the bootloader password
+#
+# Option 1: Set the bootloader password and salt – requires the passlib Python module
+# to be available on the Ansible controller.
+# Set this value to something secure to have predictable hashes,
+# which will prevent unnecessary changes.
+
+rhel9cis_bootloader_salt: ''
+
+# This variable stores the GRUB bootloader password to be written
+# to the '/boot/grub2/user.cfg' file. The default value must be changed.
+
+rhel9cis_bootloader_password: 'password'  # pragma: allowlist secret
+
+# Option 2: Set the bootloader password hash – if the salt value is empty,
+# the password will be set using the variable below.
+# If you are not using the bootloader hash filter, you can set it here
+# in encrypted format, e.g. grub.pbkdf2.sha512.hashstring
+
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
 
-## Control 1.4.1
-# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
-rhel9cis_set_boot_pass: true
+######################################################################################################
 
 ## Controls 1.6.x and Controls 5.1.x
 # This variable governs if current Ansible role should manage system-wide crypto policy.
@@ -602,14 +614,7 @@ rhel9cis_crypto_policy_ansiblemanaged: true
 #  -'FUTURE': conservative security level that is believed to withstand any near-term future attacks
 #  -'FIPS': A level that conforms to the FIPS140-2 requirements
 rhel9cis_crypto_policy: 'DEFAULT'
-# This variable contains the value of the crypto policy module(combinations of policies and
-# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
-# using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are:
-#    - 'OSPP'
-#    - 'AD-SUPPORT'
-#    - 'AD-SUPPORT-LEGACY'
-rhel9cis_crypto_policy_module: ''
-## Controls 1.6.x
+## Control 1.6
 # This variable contains the value of the crypto policy module(combinations of policies and
 # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
 # using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable.
@@ -619,7 +624,7 @@ rhel9cis_additional_crypto_policy_module: ''
 # - 1.7.1 - Ensure message of the day is configured properly
 # - 1.7.2 - Ensure local login warning banner is configured properly
 # - 1.7.3 - Ensure remote login warning banner is configured properly
-# This variable  stores the content for the Warning Banner(relevant for issue, issue.net, motd).
+# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd).
 rhel9cis_warning_banner: Authorized users only. All activity may be monitored and reported.
 # End Banner
 
@@ -802,6 +807,8 @@ rhel9cis_tftp_client: false
 ## Control 3.1.1 - Ensure IPv6 status is identified
 # This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: true
+# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
+rhel9cis_ipv6_disable_method: "sysctl"
 
 ## Control 3.1.2 - Ensure wireless interfaces are disabled
 # if wireless adapter found allow network manager to be installed
@@ -907,8 +914,8 @@ rhel9cis_sshd_clientalivecountmax: 3
 # keep the connection alive and prevent it being terminated due to inactivity.
 rhel9cis_sshd_clientaliveinterval: 15
 
-## Control 5.1.10 - Ensure sshd DisableForwarding is enabled
-# By Default this will also disablex11 forwarding
+## Control 5.1.12 - disable forwarding
+# By Default this will also disable X11 forwarding
 # set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf
 # This variable's value is used in the `/etc/ssh/ssh_config.d/50-redhat.conf` file to
 # disable X11Forwarding. If X11 is required, set this variable's value to `yes`!
@@ -952,14 +959,7 @@ rhel9cis_ssh_maxsessions: 4
 # This variable defines the path and file name of the sudo log file.
 rhel9cis_sudolog_location: "/var/log/sudo.log"
 
-## Control 5.2.4 - Ensure users must provide password for escalation
-# The following variable specifies a list of users that should not be required to provide a password
-# for escalation. Feel free to edit it according to your needs.
-rhel9cis_sudoers_exclude_nopasswd_list:
-  - ec2-user
-  - vagrant
-
-## Control 5.2.6 - Ensure sudo authentication timeout is configured correctly
+## Control 5.2.x - Ensure sudo authentication timeout is configured correctly
 # This variable sets the duration (in minutes) during which a user's authentication credentials
 # are cached after successfully authenticating using "sudo". This allows the user to execute
 # multiple commands with elevated privileges without needing to re-enter their password for each
@@ -999,19 +999,38 @@ rhel9cis_authselect_default_profile_to_copy: "sssd --symlink-meta"
 ## Control 5.3.3.1.1 -
 # This variable sets the amount of tries a password can be entered, before a user is locked.
 rhel9cis_pam_faillock_deny: 5
-## Control 5.3.3.2, 5.3.2.2
+
+# - 5.3.3.1.2
 # This variable sets the amount of time a user will be unlocked after the max amount of
 # password failures.
 rhel9cis_pam_faillock_unlock_time: 900
 
-## Control 5.3.3.1.3 - Ensure password failed attempts lockout includes root account
-# This variable is used in the task that ensures that even the root account
-# is included in the password failed attempts lockout measure.
-# The following variable is used in the 'regexp' field. This field is used to find the
-# line in the file. If the line matches the regular expression, it will be replaced
-# with the line parameter's value.
+#####################################################################################################################
+# 5.3.3.1.3 | Ensure pam_faillock is configured - root account lockout behavior
+#
+# Controls how root is handled when the failed login threshold is reached.
+#################### Two mutually exclusive options #################################################################
+#
+#   -> even_deny_root          : Lock root just like any other account
+#   -> root_unlock_time = <n>  : Lock root but auto-unlock after <n> seconds
+#
+# Note: The default value is set to 'even_deny_root' to align with the CIS Benchmark recommendation of locking root
+# identically to regular users when the failed login threshold is reached. If you prefer to have root auto-unlock
+# after a specified time, set 'rhel9cis_pamroot_lock_option' to "root_unlock_time = {{ rhel9cis_root_unlock_time }}"
+# and adjust 'rhel9cis_root_unlock_time' as needed.
+#
+# Set ONE of the following:
+#
+# Option 1: root is locked identically to regular users when the failed login threshold is reached
 rhel9cis_pamroot_lock_option: even_deny_root
 
+# Option 2: root is locked but auto-unlocks after the specified seconds.
+# Seconds before root is automatically unlocked (only used when rhel9cis_pamroot_lock_option includes root_unlock_time)
+rhel9cis_root_unlock_time: 60
+# rhel9cis_pamroot_lock_option: "root_unlock_time = {{ rhel9cis_root_unlock_time }}"
+#
+########################################################################################################################
+
 ## Control 5.3.3.2.1 - Ensure password number of changed characters is configured
 # This variable holds the path to the configuration file that will be created (or overwritten if already existing)
 # in order to implement the 'Ensure password number of changed characters is configured' control.
@@ -1084,14 +1103,9 @@ rhel9cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.con
 # When set to '0', dictionary checks are disabled. CIS states that it shall always be set to '1'.
 rhel9cis_passwd_dictcheck_value: 1
 
-# This variable is used in one of the config files to ensure password quality checking is enforced
+# 5.3.3.2.7 - Ensure password quality is enforced for the root user
+rhel9cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf  # pragma: allowlist secret
 rhel9cis_passwd_quality_enforce_value: 1
-
-## Control 5.3.3.2.7 - Ensure password quality is enforced for the root user
-# This variable holds the path to the configuration file that will be created (or overwritten if already existing)
-# in order to implement the 'Ensure password quality is enforced for the root user' control.
-rhel9cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf  # pragma: allowlist secret
-# The following variable enforces that the root user must adhere to the same password quality policies as other users.
 rhel9cis_passwd_quality_enforce_root_value: enforce_for_root  # pragma: allowlist secret
 
 ## Control 5.3.3.3.1 - Ensure password history remember is configured
@@ -1131,21 +1145,21 @@ rhel9cis_inactivelock:
   # CIS requires a value of 30 days or less.
   lock_days: 30
 
-## Control 5.4.1.6 - Ensure all users last password change date is in the past
+## Control 5.4.1.x - Ensure all users last password change date is in the past
 # Allow ansible to expire password for account with a last changed date in the future. Setting it
 # to 'false' will just display users in violation, while 'true' will expire those users passwords.
 rhel9cis_futurepwchgdate_autofix: true
 
-## Control 5.4.2.6 - Ensure root user umask is configured
-# The following variable specifies the "umask" to configure for the root user.
-# The user file-creation mode mask ( umask ) is used to determine the file
-# permission for newly created directories and files. In Linux, the default
-# permissions for any newly created directory is 0777 ( rwxrwxrwx ), and for
-# any newly created file it is 0666 ( rw-rw-rw- ). The umask modifies the default
-# Linux permissions by restricting (masking) these permissions. The umask is not
-# simply subtracted, but is processed bitwise. Bits set in the umask are cleared
-# in the resulting file mode. CIS recommends setting 'umask' to '0027' or more
-# restrictive.
+# 5.4.2.x
+
+## 5.4.2.5 Root user used
+# Root by default is not used unless setup by user
+# The role will only run certain commands if set to true
+# This allows the ability to skip tasks that may cause an issue
+# With the understanding root has full access
+rhel9cis_uses_root: false
+
+## 5.4.2.6 - Ensure root home directory permissions are 750 or more restrictive
 rhel9cis_root_umask: '0027'  # 0027 or more restrictive
 
 ## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin
@@ -1162,7 +1176,7 @@ rhel9cis_shell_session_timeout: 900
 # This variable specifies the path of the timeout setting file.
 # (TMOUT setting can be set in multiple files, but only one is required for the
 # rule to pass. Options are:
-# - a file in `/etc/profile.d/` ending in `.s`,
+# - a file in `/etc/profile.d/` ending in `.sh`,
 # - `/etc/profile`, or
 # - `/etc/bash.bashrc`.
 rhel9cis_shell_session_file: /etc/profile.d/tmout.sh
@@ -1190,9 +1204,8 @@ rhel9cis_aide_db_file_age: 1w
 # If AIDE is already setup this variable forces a new database
 # file to be created.
 rhel9cis_aide_db_recreate: false
-# This variable is used to check if there is already an existing database file
-# created by AIDE on the target system. If it is not present, the role will generate
-# a database file with the same name as the value of this variable.
+
+# allows changing the db file; note the config needs to be adjusted too
 rhel9cis_aide_db_file: /var/lib/aide/aide.db.gz
 
 ## Control 6.1.2 - Ensure filesystem integrity is regularly checked
@@ -1222,12 +1235,12 @@ rhel9cis_aide_cron:
   # This variable governs the day of the month when the AIDE cronjob is run.
   # `*` signifies that the job is run on all days; furthermore, specific days
   # can be given in the range `1-31`; several days can be concatenated with a comma.
-  # The specified day(s) can must be in the range  `1-31`.
+  # The specified day(s) must be in the range `1-31`.
   aide_day: '*'
   # This variable governs months when the AIDE cronjob is run.
   # `*` signifies that the job is run in every month; furthermore, specific months
   # can be given in the range `1-12`; several months can be concatenated with commas.
-  # The specified month(s) can must be in the range  `1-12`.
+  # The specified month(s) must be in the range `1-12`.
   aide_month: '*'
   # This variable governs the weekdays, when the AIDE cronjob is run.
   # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
@@ -1267,7 +1280,7 @@ rhel9cis_journald_runtimekeepfree: 100G
 # Current variable governs the settings for log retention(how long the log files will be kept).
 # Thus, it specifies the maximum time to store entries in a single journal
 # file before rotating to the next one. Set to 0 to turn off this feature.
-# The given values is interpreted as seconds, unless suffixed with the units
+# The given value is interpreted as seconds, unless suffixed with the units
 # `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
 # Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
 # ATTENTION: Uncomment the keyword below when values are set!

filter_plugins/grub_hash.py

@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# Copyright (c) 2025, Jeffrey van Pelt <jeff@vanpelt.one>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: grub_hash
+short_description: Generate a GRUB2 password hash
+version_added: 1.0.0
+author: Jeffrey van Pelt (@Thulium-Drake)
+description:
+  - Generate a GRUB2 password hash from the input
+options:
+  _input:
+    description: The desired password for the GRUB bootloader
+    type: string
+    required: true
+  salt:
+    description: The salt used to generate the hash
+    type: string
+    required: false
+  rounds:
+    description: The amount of rounds to run the PBKDF2 function
+    type: int
+    required: false
+"""
+
+EXAMPLES = r"""
+- name: 'Generate hash with defaults'
+  ansible.builtin.debug:
+    msg: "{{ 'mango123!' | grub_hash }}"
+
+- name: 'Generate hash with custom rounds and salt'
+  ansible.builtin.debug:
+    msg: "{{ 'mango123!' | grub_hash(rounds=10001, salt='andpepper') }}"
+    # Produces: grub.pbkdf2.sha512.10001.616E64706570706572.4C6AEA2A811B4059D4F47AEA36B77DB185B41E9F08ECC3C4C694427DB876C21B24E6CBA0319053E4F1431CDEE83076398C73B9AA8F50A7355E446229BC69A97C
+"""
+
+RETURN = r"""
+_value:
+  description: A GRUB2 password hash
+  type: string
+"""
+
+from ansible.errors import AnsibleFilterError
+import os
+import base64
+from passlib.hash import grub_pbkdf2_sha512
+
+def grub_hash(password, rounds=10000, salt=None):
+    if salt is None:
+        # Generate 64-byte salt if not provided
+        salt = os.urandom(64)
+
+    # Check if the salt, when not generated, is a valid bytes value and attempt to convert if needed
+    if not isinstance(salt, bytes):
+        try:
+            salt = salt.encode("utf-8")
+        except AttributeError:
+            raise TypeError("Salt must be a string, not int.")
+
+    # Configure hash generator
+    pbkdf2_generator = grub_pbkdf2_sha512.using(rounds=rounds, salt=salt)
+    return pbkdf2_generator.hash(password)
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'grub_hash': grub_hash
+        }

handlers/main.yml

@@ -11,6 +11,7 @@
     state: present
     fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
     opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  become: true
   listen: "Remount /tmp"
 
 - name: "Remounting /tmp"
@@ -19,6 +20,7 @@
   ansible.posix.mount:
     path: "{{ mount_point }}"
     state: remounted
+  become: true
   listen: "Remount /tmp"
 
 - name: "Remounting /tmp systemd"
@@ -28,6 +30,7 @@
     name: tmp.mount
     state: restarted
     daemon_reload: true
+  become: true
   listen: "Remount /tmp"
 
 - name: "Adding options for /dev/shm"
@@ -39,6 +42,7 @@
     state: present
     fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
     opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  become: true
   listen: "Remount /dev/shm"
 
 - name: "Remounting /dev/shm"
@@ -47,6 +51,7 @@
   ansible.posix.mount:
     path: "{{ mount_point }}"
     state: remounted
+  become: true
   listen: "Remount /dev/shm"
 
 - name: "Adding options for /home"
@@ -58,6 +63,7 @@
     state: present
     fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
     opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  become: true
   listen: "Remount /home"
 
 - name: "Remounting /home"
@@ -66,6 +72,7 @@
   ansible.posix.mount:
     path: "{{ mount_point }}"
     state: remounted
+  become: true
   listen: "Remount /home"
 
 - name: "Adding options for /var"
@@ -77,6 +84,7 @@
     state: present
     fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
     opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  become: true
   listen: "Remount /var"
 
 - name: "Remounting /var"
@@ -85,6 +93,7 @@
   ansible.posix.mount:
     path: "{{ mount_point }}"
     state: remounted
+  become: true
   listen: "Remount /var"
 
 - name: "Adding options for /var/tmp"
@@ -96,6 +105,7 @@
     state: present
     fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
     opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  become: true
   listen: "Remount /var/tmp"
 
 - name: "Remounting /var/tmp"
@@ -104,6 +114,7 @@
   ansible.posix.mount:
     path: "{{ mount_point }}"
     state: remounted
+  become: true
   listen: "Remount /var/tmp"
 
 - name: "Adding options for /var/log"
@@ -115,6 +126,7 @@
     state: present
     fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
     opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  become: true
   listen: "Remount /var/log"
 
 - name: "Remounting /var/log"
@@ -123,6 +135,7 @@
   ansible.posix.mount:
     path: "{{ mount_point }}"
     state: remounted
+  become: true
   listen: "Remount /var/log"
 
 - name: "Adding options for /var/log/audit"
@@ -134,6 +147,7 @@
     state: present
     fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
     opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  become: true
   listen: "Remount /var/log/audit"
 
 - name: "Remounting /var/log/audit"
@@ -142,6 +156,7 @@
   ansible.posix.mount:
     path: "{{ mount_point }}"
     state: remounted
+  become: true
   listen: "Remount /var/log/audit"
 
 - name: "Remounting /boot/efi"
@@ -150,7 +165,8 @@
   ansible.posix.mount:
     path: "{{ mount_point }}"
     state: remounted
-  notify: Change_requires_reboot
+  notify: Set reboot required
+  become: true
   listen: "Remount /boot/efi"
 
 - name: Reload sysctl
@@ -194,7 +210,7 @@
   ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
   changed_when: true
   notify:
-    - Change_requires_reboot
+    - Set reboot required
     - Restart sshd
 
 - name: Restart firewalld
@@ -255,19 +271,21 @@
   when: discovered_auditd_immutable_check.stdout == '1'
   ansible.builtin.debug:
     msg: "Reboot required for auditd to apply new rules as immutable set"
-  notify: Change_requires_reboot
+  notify: Set reboot required
 
 - name: Stop auditd process
   ansible.builtin.command: systemctl kill auditd
   changed_when: true
+  become: true
   listen: Restart auditd
 
 - name: Start auditd process
   ansible.builtin.systemd:
     name: auditd
     state: started
+  become: true
   listen: Restart auditd
 
-- name: Change_requires_reboot
+- name: Set reboot required
   ansible.builtin.set_fact:
     change_requires_reboot: true

meta/main.yml

@@ -1,11 +1,11 @@
 ---
 galaxy_info:
-  author: "MindPoint Group"
+  author: "Ansible-Lockdown"
   description: "Apply the RHEL 9 CIS"
-  company: "MindPoint Group"
+  company: "MindPoint Group - A Tyto Athene Company"
   license: MIT
   role_name: rhel9_cis
-  namespace: mindpointgroup
+  namespace: ansible-lockdown
   min_ansible_version: 2.10.1
   platforms:
     - name: EL

molecule/default/converge.yml

@@ -10,7 +10,6 @@
       system_is_container: true
       rhel9cis_selinux_disable: true
       rhel9cis_rule_5_2_4: false
-      rhel9cis_rule_1_1_10: false
       rhel9cis_firewall: "none"
       rhel9cis_rule_4_1_1_1: false
       rhel9cis_rule_4_1_1_2: false

molecule/wsl/converge.yml

@@ -8,16 +8,15 @@
   vars:
       ansible_user: "{{ lookup('env', 'USER') }}"
       system_is_container: true
-      rhel8cis_selinux_disable: true
+      rhel9cis_selinux_disable: true
       role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
-      rhel8cis_rule_5_3_4: false
-      rhel8cis_rule_1_1_10: false
-      rhel8cis_rsyslog_ansiblemanaged: false
-      rhel8cis_rule_3_4_1_3: false
-      rhel8cis_rule_3_4_1_4: false
-      rhel8cis_rule_4_2_1_2: false
-      rhel8cis_rule_4_2_1_4: false
-      rhel8cis_rule_5_1_1: false
+      rhel9cis_rule_5_3_4: false
+      rhel9cis_rsyslog_ansiblemanaged: false
+      rhel9cis_rule_3_4_1_3: false
+      rhel9cis_rule_3_4_1_4: false
+      rhel9cis_rule_4_2_1_2: false
+      rhel9cis_rule_4_2_1_4: false
+      rhel9cis_rule_5_1_1: false
 
   pre_tasks:
   tasks:

site.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Apply ansible-lockdown hardening
-  hosts: all
+  hosts: "{{ hosts | default('all') }}"
   become: true
   roles:
     - role: "{{ playbook_dir }}"

tasks/LE_audit_setup.yml

@@ -1,4 +1,5 @@
 ---
+
 - name: Pre Audit Setup | Set audit package name
   block:
     - name: Pre Audit Setup | Set audit package name | 64bit

tasks/main.yml

@@ -11,18 +11,16 @@
         that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
         fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
         success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
-
+    
     - name: "Check ansible version"
       tags: always
       ansible.builtin.assert:
         that: ansible_version.full is version_compare(min_ansible_version, '>=')
         fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
         success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
-
+    
     - name: "Setup rules if container"
-      when:
-        - ansible_connection == 'docker' or
-          ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+      when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
       tags:
         - container_discovery
         - always
@@ -30,34 +28,34 @@
         - name: "Discover and set container variable if required"
           ansible.builtin.set_fact:
             system_is_container: true
-
+    
         - name: "Load variable for container"
           ansible.builtin.include_vars:
             file: "{{ container_vars_file }}"
-
+    
         - name: "Output if discovered is a container"
           when: system_is_container
           ansible.builtin.debug:
             msg: system has been discovered as a container
-
+    
     - name: "Check crypto-policy input"
       ansible.builtin.assert:
         that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
         fail_msg: "Crypto policy is not a permitted version"
         success_msg: "Crypto policy is a permitted version"
-
-    - name: "Check rhel9cis_bootloader_password_hash variable has been changed"
+    
+    - name: "Check rhel9cis_bootloader_password variable has been changed"
       when:
         - rhel9cis_set_boot_pass
         - rhel9cis_rule_1_4_1
       tags: always
       ansible.builtin.assert:
-        that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
-        msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
-
+        that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret
+        msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly"
+    
     - name: "Check crypto-policy module input"
       when:
-        - rhel9cis_rule_1_6_1
+        - rhel9cis_crypto_policy_ansiblemanaged
         - rhel9cis_crypto_policy_module | length > 0
       tags:
         - rule_1.6.1
@@ -67,7 +65,7 @@
         that: rhel9cis_additional_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
         fail_msg: "Crypto policy module is not a permitted version"
         success_msg: "Crypto policy module is a permitted version"
-
+    
     - name: "Check password set for {{ ansible_env.SUDO_USER }}"
       when:
         - rhel9cis_rule_5_2_4
@@ -85,12 +83,12 @@
           failed_when: false
           check_mode: false
           register: prelim_ansible_user_password_set
-
+    
         - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account"  # noqa name[template]
           when: prelim_ansible_user_password_set.stdout == "not found"
           ansible.builtin.debug:
             msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks."
-
+    
         - name: "Check local account"
           when: prelim_ansible_user_password_set.stdout != "not found"
           block:
@@ -102,15 +100,15 @@
                   or
                     (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
                   )
-                fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
+                fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or the user is not included in the exception list for rule 5.2.4 - It can break access"
                 success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
-
+    
             - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
               ansible.builtin.assert:
                 that: (not prelim_ansible_user_password_set.stdout.startswith("!")) or (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
                 fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
                 success_msg: "The local account {{ ansible_env.SUDO_USER }} is not locked or included in the exception list for rule 5.2.4"
-
+    
     - name: "Check authselect profile is selected"
       when: rhel9cis_allow_authselect_updates
       tags: always
@@ -119,13 +117,13 @@
           ansible.builtin.assert:
             that: rhel9cis_authselect_custom_profile_name != 'cis_example_profile'
             fail_msg: "You still have the default name for your authselect profile"
-
+    
         - name: "Check authselect profile is selected | Check current profile"
           ansible.builtin.command: authselect list
           changed_when: false
-          failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
-          register: prelim_authselect_current_profile
-
+          failed_when: prelim_authselect_profile_list.rc not in [ 0, 1 ]
+          register: prelim_authselect_profile_list
+    
     - name: "Ensure root password is set"
       when: rhel9cis_rule_5_4_2_4
       tags:
@@ -137,88 +135,86 @@
         - rule_5.4.2.4
       block:
         - name: "Ensure root password is set"
-          ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)"
+          ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)"
           changed_when: false
           failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
           register: prelim_root_passwd_set
-
+    
         - name: "Ensure root password is set"
           ansible.builtin.assert:
             that: prelim_root_passwd_set.rc == 0
             fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set"
             success_msg: "You have a root password set"
-
+    
     - name: "Gather the package facts"
       tags: always
       ansible.builtin.package_facts:
         manager: auto
-
+    
     - name: "Include OS specific variables"
       tags: always
       ansible.builtin.include_vars:
         file: "{{ ansible_facts.distribution }}.yml"
-
+    
     - name: "Include preliminary steps"
-      tags:
-        - prelim_tasks
-        - always
+      tags: prelim_tasks
       ansible.builtin.import_tasks:
         file: prelim.yml
-
+    
     - name: "Run Section 1 tasks"
       when: rhel9cis_section1
       ansible.builtin.import_tasks:
         file: section_1/main.yml
-
+    
     - name: "Run Section 2 tasks"
       when: rhel9cis_section2
       ansible.builtin.import_tasks:
         file: section_2/main.yml
-
+    
     - name: "Run Section 3 tasks"
       when: rhel9cis_section3
       ansible.builtin.import_tasks:
         file: section_3/main.yml
-
+    
     - name: "Run Section 4 tasks"
       when: rhel9cis_section4
       ansible.builtin.import_tasks:
         file: section_4/main.yml
-
+    
     - name: "Run Section 5 tasks"
       when: rhel9cis_section5
       ansible.builtin.import_tasks:
         file: section_5/main.yml
-
+    
     - name: "Run Section 6 tasks"
       when: rhel9cis_section6
       ansible.builtin.import_tasks:
         file: section_6/main.yml
-
+    
     - name: "Run Section 7 tasks"
       when: rhel9cis_section7
       ansible.builtin.import_tasks:
         file: section_7/main.yml
-
+    
     - name: "Run auditd logic"
       when: update_audit_template
       tags: always
       ansible.builtin.import_tasks:
         file: auditd.yml
-
+    
     - name: "Run post remediation tasks"
       tags:
         - post_tasks
         - always
       ansible.builtin.import_tasks:
         file: post.yml
-
+    
     - name: "Run post_remediation audit"
       when: run_audit
       tags: always
       ansible.builtin.import_tasks:
         file: post_remediation_audit.yml
-
+    
     - name: Add ansible file showing Benchmark and levels applied if audit details not present
       when:
         - create_benchmark_facts
@@ -235,7 +231,7 @@
             owner: root
             group: root
             mode: 'u=rwx,go=rx'
-
+    
         - name: Create ansible facts file and levels applied if audit facts not present
           ansible.builtin.template:
             src: etc/ansible/compliance_facts.j2
@@ -243,7 +239,7 @@
             owner: root
             group: root
             mode: 'u-x,go=r'
-
+    
     - name: Fetch audit files
       when:
         - fetch_audit_output
@@ -251,13 +247,13 @@
       tags: always
       ansible.builtin.import_tasks:
         file: fetch_audit_output.yml
-
+    
     - name: "Show Audit Summary"
       when: run_audit
       tags: always
       ansible.builtin.debug:
         msg: "{{ audit_results.split('\n') }}"
-
+    
     - name: "If Warnings found Output count and control IDs affected"
       when: warn_count != 0
       tags: always

tasks/post.yml

@@ -28,8 +28,7 @@
 
 - name: POST | reboot system if changes require it and not skipped
   when: change_requires_reboot
-  tags:
-    - always
+  tags: always
   vars:
     warn_control_id: Reboot_required
   block:

tasks/prelim.yml

@@ -1,10 +1,12 @@
 ---
 
-# Preliminary tasks that should always be run
-# List users in order to look files inside each home directory
+# Preliminary tasks that should always run
+# List users in order to look up files inside each home directory
 
 - name: "PRELIM | Include audit specific variables"
-  when: run_audit or audit_only or setup_audit
+  when:
+    - run_audit or audit_only
+    - setup_audit
   tags:
     - setup_audit
     - run_audit
@@ -12,7 +14,8 @@
     file: audit.yml
 
 - name: "PRELIM | Include pre-remediation audit tasks"
-  when: run_audit or audit_only or setup_audit
+  when:
+    - run_audit or audit_only
   tags: run_audit
   ansible.builtin.import_tasks: pre_remediation_audit.yml
 
@@ -92,6 +95,11 @@
     - rhel9cis_rule_1_2_1_1
     - ansible_facts.distribution != 'RedHat'
     - ansible_facts.distribution != 'OracleLinux'
+  tags:
+    - level1-server
+    - level1-workstation
+    - rule_1.2.1.1
+    - gpg
   ansible.builtin.package:
     name: "{{ gpg_key_package }}"
     state: latest
@@ -206,14 +214,15 @@
   block:
     - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
       ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
-      register: discover_wireless_adapters
+      register: prelim_wireless_adapters
       changed_when: false
       check_mode: false
-      failed_when: discover_wireless_adapters.rc not in [ 0, 1 ]
+      failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ]
 
     - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present"
       when:
-        - discover_wireless_adapters.rc == 0
+        - rhel9cis_install_network_manager
+        - prelim_wireless_adapters.rc == 0
         - "'NetworkManager' not in ansible_facts.packages"
       ansible.builtin.package:
         name: NetworkManager
@@ -277,8 +286,7 @@
 - name: "PRELIM | PATCH | Create journald config directory"
   when:
     - rhel9cis_syslog == 'journald'
-    - rhel9cis_rule_6_2_1_3 or
-      rhel9cis_rule_6_2_1_4
+    - rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4
   tags: always
   ansible.builtin.file:
     path: /etc/systemd/journald.conf.d

tasks/section_1/cis_1.1.1.x.yml

@@ -27,8 +27,7 @@
         mode: 'go-rwx'
 
     - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
-      when:
-        - not system_is_container
+      when: not system_is_container
       community.general.modprobe:
         name: cramfs
         state: absent

tasks/section_1/cis_1.1.2.3.x.yml

@@ -1,4 +1,5 @@
 ---
+
 - name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
   when:
     - rhel9cis_rule_1_1_2_3_1

tasks/section_1/cis_1.2.2.x.yml

@@ -13,4 +13,4 @@
   ansible.builtin.package:
     name: "*"
     state: latest
-  notify: Change_requires_reboot
+  notify: Set reboot required

tasks/section_1/cis_1.4.x.yml

@@ -13,7 +13,7 @@
     - NIST800-53R5_AC-3
   ansible.builtin.copy:
     dest: /boot/grub2/user.cfg
-    content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}"  # noqa template-instead-of-copy
+    content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy
     owner: root
     group: root
     mode: 'go-rwx'

tasks/section_3/cis_3.1.x.yml

@@ -16,19 +16,35 @@
     - rule_3.1.1
     - NIST800-53R5_CM-7
   block:
-    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh"
+    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template"
+      when: "'sysctl' in rhel9cis_ipv6_disable_method"
       ansible.builtin.set_fact:
         rhel9cis_sysctl_update: true
         rhel9cis_flush_ipv6_route: true
 
-    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable"
+    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info"
+      when: "'sysctl' in rhel9cis_ipv6_disable_method"
       ansible.builtin.debug:
         msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf"
 
+    - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status"
+      when: "'kernel' in rhel9cis_ipv6_disable_method"
+      ansible.builtin.command: grubby --info=ALL
+      changed_when: false
+      failed_when: false
+      register: discovered_rhel9cis_3_1_1_ipv6_status
+
+    - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel"
+      when:
+        - "'kernel' in rhel9cis_ipv6_disable_method"
+        - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout"
+      ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1"
+      changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0
+
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
   when:
     - rhel9cis_rule_3_1_2
-    - discover_wireless_adapters.rc == 0
+    - prelim_wireless_adapters.rc == 0
   tags:
     - level1-server
     - patch

tasks/section_5/cis_5.1.x.yml

@@ -411,6 +411,8 @@
     path: "{{ rhel9cis_sshd_config_file }}"
     regexp: '^(#)?MaxAuthTries \d'
     line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
+    insertbefore: "^Match"
+    firstmatch: true
     validate: sshd -t -f %s
   notify: Restart sshd
 
@@ -431,6 +433,8 @@
     path: "{{ rhel9cis_sshd_config_file }}"
     regexp: (?i)^(#|)\s*MaxStartups
     line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
+    insertbefore: "^Match"
+    firstmatch: true
     validate: sshd -t -f %s
   notify: Restart sshd
 

tasks/section_5/cis_5.3.2.x.yml

@@ -14,7 +14,7 @@
     - rule_5.3.2.1
   block:
     - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
-      when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout
+      when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_profile_list.stdout
       ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
       changed_when: false
       args:
@@ -93,10 +93,10 @@
           loop:
             - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
               after:  "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
-              line:   "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
             - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
               before: "auth\\s+required\\s+pam_deny.so"
-              line:   "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
             - regexp: "account\\s+required\\s+pam_faillock.so"
               before: "account\\s+required\\s+pam_unix.so"
               line:   "account     required      pam_faillock.so" # yamllint disable-line rule:colons
@@ -112,10 +112,10 @@
           loop:
             - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth"
               after:  "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons
-              line:   "auth        required      pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
             - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail"
               before: "auth\\s+required\\s+pam_deny.so"
-              line:   "auth        required      pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
+              line:   "auth        required      pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons
             - regexp: "account\\s+required\\s+pam_faillock.so"
               before: "account\\s+required\\s+pam_unix.so"
               line:   "account     required      pam_faillock.so" # yamllint disable-line rule:colons

tasks/section_5/cis_5.3.3.2.x.yml

@@ -340,7 +340,7 @@
         - system
       notify: Authselect update
 
-- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
+- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced"
   when: rhel9cis_rule_5_3_3_2_7
   tags:
     - level1-server
@@ -350,8 +350,8 @@
     - NIST800-53R5_IA-5
     - pam
   ansible.builtin.template:
-    src: "{{ rhel9cis_passwd_quality_enforce_root_file }}.j2"
-    dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}"
+    src: "{{ rhel9cis_passwd_quality_enforce_file }}.j2"
+    dest: "/{{ rhel9cis_passwd_quality_enforce_file }}"
     owner: root
     group: root
     mode: 'o-rwx'

tasks/section_5/cis_5.4.2.x.yml

@@ -179,7 +179,7 @@
             - item.stat.exists
             - item.stat.isdir
             - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp
-            - (item != 'root') and (not rhel9cis_uses_root)
+            - (item != 'root') and (not rhel9cis_uses_root )
           ansible.builtin.file:
             path: "{{ item.stat.path }}"
             state: directory

tasks/section_5/main.yml

@@ -10,14 +10,12 @@
     file: cis_5.1.x.yml
 
 - name: "SECTION | 5.2 | Configure privilege escalation"
-  when:
-    - rhel9cis_section5_2
+  when: rhel9cis_section5_2
   ansible.builtin.import_tasks:
     file: cis_5.2.x.yml
 
 - name: "SECTION | 5.3"
-  when:
-    - rhel9cis_section5_3
+  when: rhel9cis_section5_3
   block:
     - name: "SECTION | 5.3.1.x | Configure PAM software packages"
       ansible.builtin.import_tasks:
@@ -44,8 +42,7 @@
         file: cis_5.3.3.4.x.yml
 
 - name: "SECTION | 5.4"
-  when:
-    - rhel9cis_section5_4
+  when: rhel9cis_section5_4
   block:
     - name: "SECTION | 5.4.1.x | Configure shadow password suite parameters"
       ansible.builtin.import_tasks:

tasks/section_6/cis_6.2.2.x.yml

@@ -25,7 +25,7 @@
     - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
       ansible.builtin.replace:
         path: /etc/systemd/journald.conf
-        regexp: ^(\s*ForwardToSyslog)
+        regexp: ^(\s*ForwardToSyslog\s*=.*)
         replace: '#\1'
 
 - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
@@ -50,7 +50,7 @@
     - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
       ansible.builtin.replace:
         path: /etc/systemd/journald.conf
-        regexp: (?i)(\s*compress=)
+        regexp: ^(\s*Compress\s*=.*)
         replace: '#\1'
 
 - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
@@ -76,5 +76,5 @@
     - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
       ansible.builtin.replace:
         path: /etc/systemd/journald.conf
-        regexp: (?i)(\s*storage=)
+        regexp: ^(\s*Storage\s*=.*)
         replace: '#\1'

tasks/section_6/cis_6.2.3.x.yml

@@ -195,7 +195,7 @@
   register: discovered_rsyslog_remote_host
   notify: Restart rsyslog
 
-- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
+- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client"
   when: rhel9cis_rule_6_2_3_7
   tags:
     - level1-server
@@ -208,7 +208,7 @@
     - NIST800-53R5_AU-12
     - NIST800-53R5_CM-6
   block:
-    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host"
+    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host"
       when: not rhel9cis_system_is_log_server
       ansible.builtin.replace:
         path: /etc/rsyslog.conf
@@ -221,7 +221,7 @@
         - '^(module\(load="imtcp"\))'
         - '^(input\(type="imtcp")'
 
-    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host"
+    - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host"
       when: rhel9cis_system_is_log_server
       ansible.builtin.replace:
         path: /etc/rsyslog.conf

tasks/section_7/cis_7.1.x.yml

@@ -58,7 +58,7 @@
     - level1-server
     - level1-workstation
     - patch
-    - permissionss
+    - permissions
     - rule_7.1.4
     - NIST800-53R5_AC-3
     - NIST800-53R5_MP-2
@@ -254,7 +254,7 @@
       ansible.builtin.file:
         path: "{{ item }}"
         owner: "{{ rhel9cis_unowned_owner }}"
-        group: "{{ rhel9cis_unowned_group }}"
+        group: "{{ rhel9cis_ungrouped_group }}"
       with_items:
         - "{{ discovered_unowned_files_flatten }}"
 

templates/ansible_vars_goss.yml.j2

@@ -1,7 +1,7 @@
 ---
 
 
-# Enable logrunning potential resource intensive tests
+# Enable long running potential resource intensive tests
 run_heavy_tests: {{ audit_run_heavy_tests }}
 
 # Extend default command timeout for longer running tests
@@ -206,6 +206,7 @@ rhel9cis_rule_2_4_2_1: {{ rhel9cis_rule_2_4_2_1 }}
 rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }}
 rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }}
 rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }}
+
 ## Network Kernel Modules
 rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }}
 rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }}
@@ -291,7 +292,6 @@ rhel9cis_rule_5_3_3_2_4: {{ rhel9cis_rule_5_3_3_2_4 }}
 rhel9cis_rule_5_3_3_2_5: {{ rhel9cis_rule_5_3_3_2_5 }}
 rhel9cis_rule_5_3_3_2_6: {{ rhel9cis_rule_5_3_3_2_6 }}
 rhel9cis_rule_5_3_3_2_7: {{ rhel9cis_rule_5_3_3_2_7 }}
-rhel9cis_rule_5_3_3_2_8: {{ rhel9cis_rule_5_3_3_2_8 }}
 # 5.3.3.3 Configure pam_pwhistory module
 # This are added as part of 5.3.2.4 using jinja2 template
 rhel9cis_rule_5_3_3_3_1: {{ rhel9cis_rule_5_3_3_3_1 }}
@@ -530,6 +530,8 @@ rhel9cis_bluetooth_mask: {{ rhel9cis_bluetooth_mask }}
 ## 3.1 IPv6 requirement toggle
 # This variable governs whether ipv6 is enabled or disabled.
 rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }}
+# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel
+rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }}
 
 # 3.3 System network parameters (host only OR host and router)
 # This variable governs whether specific CIS rules

templates/audit/98_auditd_exception.rules.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+{{ file_managed_by_ansible }}
 ### YOUR CHANGES WILL BE LOST!
 
 # This file contains users whose actions are not logged by auditd

templates/audit/99_auditd.rules.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+{{ file_managed_by_ansible }}
 ### YOUR CHANGES WILL BE LOST!
 
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually

templates/etc/aide.conf.d/crypt_audit_procs.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # Audit Tools
 /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512

templates/etc/ansible/compliance_facts.j2

@@ -1,6 +1,4 @@
-# CIS Hardening Carried out
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+{{ file_managed_by_ansible }}
 
 [lockdown_details]
 # Benchmark release

templates/etc/chrony.conf.j2

@@ -1,4 +1,4 @@
-{{ ansible_managed | comment }}
+{{ file_managed_by_ansible }}
 
 # Use public servers from the pool.ntp.org project.
 # Please consider joining the pool (http://www.pool.ntp.org/join.html).
@@ -11,17 +11,19 @@ driftfile /var/lib/chrony/drift
 
 # Allow the system clock to be stepped in the first three updates
 # if its offset is larger than 1 second.
-makestep 1.0 3
+makestep {{ rhel9cis_chrony_server_makestep }}
 
+{% if rhel9cis_chrony_server_rtcsync %}
 # Enable kernel synchronization of the real-time clock (RTC).
 rtcsync
+{% endif %}
 
 # Enable hardware timestamping on all interfaces that support it.
 #hwtimestamp *
 
 # Increase the minimum number of selectable sources required to adjust
 # the system clock.
-#minsources 2
+minsources {{ rhel9cis_chrony_server_minsources }}
 
 # Allow NTP client access from local network.
 #allow 192.168.0.0/16

templates/etc/cron.d/aide.cron.j2

@@ -1,7 +1,5 @@
+{{ file_managed_by_ansible }}
 # Run AIDE integrity check
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
 

templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy dropping the SHA1 hash and signature support
 # Carried out as part of CIS Benchmark rule 1.6.3
 

templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable all CBC mode ciphers
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rule 1.6.5

templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable Encrypt then MAC
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rule 1.6.7

templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak ciphers
 # for the SSH protocol (libssh and OpenSSH)
 # Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4

templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak macs
 # Carried out as part of CIS Benchmark control 5.1.6
 

templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # This is a subpolicy to disable weak macs
 # Carried out as part of CIS Benchmark rule 1.6.4
 

templates/etc/dconf/db/00-automount_lock.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+{{ file_managed_by_ansible }}
 
 # Lock desktop media-handling automount setting
 /org/gnome/desktop/media-handling/automount

templates/etc/dconf/db/00-autorun_lock.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+{{ file_managed_by_ansible }}
 
 # Lock desktop media-handling settings
 /org/gnome/desktop/media-handling/autorun-never

templates/etc/dconf/db/00-media-automount.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+{{ file_managed_by_ansible }}
 
 [org/gnome/desktop/media-handling]
 automount=false

templates/etc/dconf/db/00-media-autorun.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+{{ file_managed_by_ansible }}
 
 [org/gnome/desktop/media-handling]
 autorun-never=true

templates/etc/dconf/db/00-screensaver.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+{{ file_managed_by_ansible }}
 
 # Specify the dconf path
 [org/gnome/desktop/session]

templates/etc/dconf/db/00-screensaver_lock.j2

@@ -1,6 +1,4 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+{{ file_managed_by_ansible }}
 
 # Lock desktop screensaver idle-delay setting
 /org/gnome/desktop/session/idle-delay

templates/etc/dconf/db/gdm.d/01-banner-message.j2

@@ -1,7 +1,5 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
+{{ file_managed_by_ansible }}
 
 [org/gnome/login-screen]
 banner-message-enable=true
-banner-message-text="{{ rhel9cis_warning_banner }}"
+banner-message-text="{{ rhel9cis_warning_banner | trim | replace("\n", "\\n") }}"

templates/etc/logrotate.d/rsyslog_log.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 /var/log/rsyslog/*.log {
     {{ rhel9cis_rsyslog_logrotate_rotated_when }}
     rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}

templates/etc/modprobe.d/modprobe.conf.j2

@@ -1,6 +1,4 @@
-# Disable usage of protocol {{ item }}
-# Set by ansible {{ benchmark }} remediation role
-# https://github.com/ansible-lockdown
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!
 
 install {{ item }} /bin/true

templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.3 Ensure password complexity is configured
 {% if rhel9cis_passwd_complex_option == 'minclass' %}  # pragma: allowlist secret

templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.6 Ensure password dictionary check is enabled
 dictcheck = {{ rhel9cis_passwd_dictcheck_value }}

templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.1 Ensure password number of changed characters is configured
 difok = {{ rhel9cis_passwd_difok_value }}

templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.2 Ensure minimum password length is configured
 minlen = {{ rhel9cis_passwd_minlen_value }}

templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.5 Ensure password maximum sequential characters is configured
 maxsequence = {{ rhel9cis_passwd_maxsequence_value }}

templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.7 Ensure password quality checking is enforced
 enforcing = {{ rhel9cis_passwd_quality_enforce_value }}

templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
 # 5.3.3.2.4 Ensure password same consecutive characters is configured
 maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }}

templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 # CIS Configurations
-# 5.3.3.2.8 Ensure password quality is enforced for the root user
+# 5.3.3.2.7 Ensure password quality is enforced for the root user
 {{ rhel9cis_passwd_quality_enforce_root_value }}

templates/etc/sysctl.d/60-disable_ipv6.conf.j2

@@ -1,7 +1,11 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!
 
 # IPv6 disable
 {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
+{% for interface in ansible_interfaces %}
+net.ipv6.conf.{{ interface }}.disable_ipv6 = 1
+{% endfor %}
 {% endif %}

templates/etc/sysctl.d/60-kernel_sysctl.conf.j2

@@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!
 
 {% if rhel9cis_rule_1_5_1 %}
 # Adress space randomise

templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2

@@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!
 
 # IPv4 Network sysctl
 {% if rhel9cis_rule_3_3_1 %}

templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2

@@ -1,4 +1,5 @@
-## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
+{{ file_managed_by_ansible }}
+## YOUR CHANGES WILL BE LOST!
 
 # IPv6 Network sysctl
 {% if rhel9cis_ipv6_required %}

templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2

@@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 # CIS rule 6_2_2_2
 [Journal]
 ForwardToSyslog=no

templates/etc/systemd/journald.conf.d/rotation.conf.j2

@@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 # CIS rule 6_2_1_3
 [Journal]
 SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}

templates/etc/systemd/journald.conf.d/storage.conf.j2

@@ -1,4 +1,4 @@
-# File created for CIS benchmark
+{{ file_managed_by_ansible }}
 [Journal]
 {% if rhel9cis_rule_6_2_2_3 %}
 # Set compress CIS rule 6_2_2_3

templates/etc/systemd/system/tmp.mount.j2

@@ -1,3 +1,4 @@
+{{ file_managed_by_ansible }}
 #  SPDX-License-Identifier: LGPL-2.1+
 #
 #  This file is part of systemd.
@@ -7,7 +8,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+## YOUR CHANGED WILL BE LOST!
 
 [Unit]
 Description=Temporary Directory (/tmp)

vars/OracleLinux.yml

@@ -1,4 +1,5 @@
 ---
+
 # OS Specific Settings
 os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
 os_gpg_key_pubkey_content: "Oracle Linux (release key 1) <secalert_us@oracle.com>"

vars/is_container.yml

@@ -2,7 +2,7 @@
 
 # File to skip controls if container
 # Based on standard image no changes
-# it expected all pkgs required for the container are alreday installed
+# it expected all pkgs required for the container are already installed
 
 ## controls
 
@@ -57,7 +57,6 @@ rhel9cis_rule_1_1_6: false
 rhel9cis_rule_1_1_7: false
 rhel9cis_rule_1_1_8: false
 rhel9cis_rule_1_1_9: false
-rhel9cis_rule_1_1_10: false
 # /var/log
 rhel9cis_rule_1_1_11: false
 # /var/log/audit

vars/main.yml

@@ -24,6 +24,8 @@ rhel9cis_allowed_crypto_policies_modules:
   - 'NO-SSHWEAKMAC'
   - 'NO-WEAKMAC'
 
+rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy
+
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
@@ -39,7 +41,7 @@ gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
 ## Controls 6.3.3.x - Audit template
 # This variable is set to true by tasks 6.3.3.1 to 6.3.3.20. As a result, the
 # audit settings are overwritten with the role's template. In order to exclude
-# specific rules, you must set the variable of form `ubtu24cis_rule_6_3_3_x` above
+# specific rules, you must set the variable of form `rhel9cis_rule_6_3_3_x` above
 # to `false`.
 update_audit_template: false
 
@@ -50,7 +52,7 @@ update_audit_template: false
 # system_is_container the true. Otherwise, the default value
 # 'false' is left unchanged.
 system_is_container: false
-# The filename of the existing yml file in role's  'vars/' sub-directory
+# The filename of the existing yml file in role's 'vars/' sub-directory
 # to be used for managing the role-behavior when a container was detected:
 # (de)activating rules or for other tasks(e.g. disabling Selinux or a specific
 # firewall-type).
@@ -74,3 +76,10 @@ audit_bins:
   - /sbin/autrace
   - /sbin/auditd
   - /sbin/augenrules
+
+company_title: 'MindPoint Group - A Tyto Athene Company'
+
+file_managed_by_ansible: |-
+  # File managed by ansible as part of {{ benchmark }} benchmark
+  # As part of Ansible-lockdown
+  # Provided by {{ company_title }}