uk-bolly
cfd7ec131d
Merge pull request #96 from aaronk1/fix/pam-pwhistory-lineinfile-regex
fix(section_5): replace \h with [ \t] in 5.3.2.3.3 lineinfile regexp
2026-04-28 13:41:41 +01:00
uk-bolly
72908bdfc2
Merge pull request #94 from aaronk1/fix/handler-systemd-daemon-reload
fix: correct handler name for systemd daemon reload
2026-04-28 13:40:57 +01:00
uk-bolly
c45edb71b5
Merge pull request #93 from aaronk1/fix/goss-vars-trailing-dot
fix: remove trailing dot causing invalid YAML in goss vars template
2026-04-28 13:40:28 +01:00
uk-bolly
88c07daf46
Merge pull request #92 from aaronk1/fix/aide-cron-jinja2-syntax
fix: remove stray bracket in aide.cron.j2 Jinja2 template
2026-04-28 13:39:57 +01:00
Aaron Klepinger
4bb076bcaa
fix(section_5): replace \h with [ \t] in 5.3.2.3.3 lineinfile regexp
Python's re module (used by ansible.builtin.lineinfile) does not support
the \h POSIX horizontal whitespace shorthand, causing a 'bad escape'
error at runtime. The grep -P audit tasks are unaffected as Perl regex
handles \h natively. Replace all three \h occurrences in the lineinfile
regexp with the equivalent character class [ \t].
Signed-off-by: Aaron Klepinger <aaronk1@users.noreply.github.com>
2026-04-18 14:07:53 -06:00
Aaron Klepinger
19509f78ad
fix: correct handler name for bluetooth systemd daemon reload
Rule 3.1.3 notified 'Systemd_daemon_reload' (underscore) but the
handler in handlers/main.yml is named 'Systemd daemon reload' (spaces).
Ansible does exact string matching on handler names, so the handler
silently never fired after masking bluetooth.service.
Same pattern as the postfix handler fix in #47.
Signed-off-by: Aaron Klepinger <aaronk1@users.noreply.github.com>
2026-04-18 12:12:46 -06:00
Aaron Klepinger
1777b66173
fix: remove trailing dot causing invalid YAML in goss vars template
'rhel10cis_rule_1_2_1_5: {{ rhel10cis_rule_1_2_1_5 }}. ## New' renders
as 'rhel10cis_rule_1_2_1_5: true.' which is not valid YAML. Goss will
fail to parse the vars file if run_audit is enabled. Also converted
'## New' to a valid YAML inline comment '# New'.
Signed-off-by: Aaron Klepinger <aaronk1@users.noreply.github.com>
2026-04-18 12:12:40 -06:00
Aaron Klepinger
754bce12f3
fix: remove stray bracket in aide.cron.j2 Jinja2 template
'{{ rhel10cis_aide_cron_job] }}' contains a stray ']' before '}}',
which causes a Jinja2 TemplateSyntaxError at render time. AIDE is
currently disabled by default (rhel10cis_rule_6_1_2: false), but
enabling it would fail the entire playbook at this template.
Signed-off-by: Aaron Klepinger <aaronk1@users.noreply.github.com>
2026-04-18 12:12:32 -06:00
Frederick Witty
0efb8048ed
Merge pull request #89 from ansible-lockdown/pr_tidyup
Pr tidyup
2026-04-16 08:27:12 -04:00
Mark Bolwell
7e0c0b39c6
Merge branch 'pub_main' into pr_tidyup
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-16 10:09:14 +01:00
Frederick Witty
b39e6f11b8
Merge pull request #84 from ansible-lockdown/bootloader_update
Bootloader update
2026-04-08 09:35:16 -04:00
Mark Bolwell
27ff9d287c
improved pkg and masked logic
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-08 13:56:47 +01:00
Mark Bolwell
2d4abf7d72
Logic updates to 2.1.x
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-08 12:50:09 +01:00
Mark Bolwell
188040f1e3
Updated 7.1.12 and 7.1.13 logic
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-08 12:23:41 +01:00
Mark Bolwell
35e861303f
Updated changelog
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-08 10:43:40 +01:00
Mark Bolwell
1b14014377
Enhanced 1.4.1 thanks to @skullbringer community
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-08 10:43:01 +01:00
uk-bolly
211420e48c
Merge pull request #82 from ansible-lockdown/pre-commit-ci-update-config
[pre-commit.ci] pre-commit autoupdate
2026-04-07 14:58:47 +01:00
pre-commit-ci[bot]
05c8e8e62d
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/gitleaks/gitleaks: v8.30.1 → v8.30.0](https://github.com/gitleaks/gitleaks/compare/v8.30.1...v8.30.0)
- [github.com/ansible-community/ansible-lint: v26.3.0 → v26.4.0](https://github.com/ansible-community/ansible-lint/compare/v26.3.0...v26.4.0)
2026-04-06 17:44:01 +00:00
Frederick Witty
6880081c7f
Merge pull request #81 from ansible-lockdown/april_26
April 26
2026-04-06 12:20:44 -04:00
Mark Bolwell
029f5fdf5c
Updated Changelog
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-06 11:49:05 +01:00
Mark Bolwell
bd7a863af0
Updated content in 6.2.3.8
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-06 11:47:48 +01:00
Mark Bolwell
5a21ffbf50
Updated Changelog
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-06 11:37:48 +01:00
Mark Bolwell
e504ad859e
linting and permissions
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-06 11:37:41 +01:00
Mark Bolwell
15342f7f38
updated changelog
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-06 11:30:17 +01:00
Mark Bolwell
51eb04e4d9
Tidy up and improve shell and command module usage
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-06 11:28:00 +01:00
Mark Bolwell
f26262010e
#79 root password check update thanks to @mindrb
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-06 10:58:17 +01:00
Mark Bolwell
5dfbb422ad
Addressed #77 6.2.3.3 drop in file thanks to @mindrb
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-06 10:56:07 +01:00
Mark Bolwell
2671268168
6.2.3.7 removed second condition as not part of CIS #76 thanks to @mindrb
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-04-06 10:54:05 +01:00
Frederick Witty
c978f73020
Merge pull request #75 from ansible-lockdown/March26_align
March26 align to devel
2026-03-26 12:36:50 -04:00
Mark Bolwell
ce43d6a014
Updated changelog
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:39:56 +00:00
Mark Bolwell
8de4fe0b03
var updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:39:47 +00:00
Mark Bolwell
101dfada15
update to tmp options
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:39:32 +00:00
Mark Bolwell
0fe06afb9c
var naming, typo fixes
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:39:22 +00:00
Mark Bolwell
0d0f1bf910
Standards updated
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:36:14 +00:00
Mark Bolwell
0da239cba8
var naming
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:35:49 +00:00
Mark Bolwell
5115db0aa5
fixed typo in path issue 63 thanks to @mindrb
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:35:40 +00:00
Mark Bolwell
e6e4de2d22
Added fixes for 3.2.x deduplicated thanks @mindrb #65
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:35:12 +00:00
Mark Bolwell
653525516f
enhancement #60 tmp_mount options thanks to @mindrb
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:28:50 +00:00
Mark Bolwell
ef6d8cdd65
Titles and meta data
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:16:13 +00:00
Mark Bolwell
07d863e3af
Titles and meta data update
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:14:39 +00:00
Mark Bolwell
2939de3d92
workflow and standard files aligned
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2026-03-25 16:13:33 +00:00
uk-bolly
5a698b02e4
Merge pull request #73 from defnotyujine/fix_3.2.3
Corrected task 3.2.3 to Level 1-Server and Workstation
2026-03-18 17:53:10 +00:00
uk-bolly
02abb98175
Merge pull request #70 from defnotyujine/fix_7.2.8
Added missing tags for required prelim task on control 7.2.8 when run…
2026-03-18 17:52:45 +00:00
uk-bolly
968bf0a902
Merge pull request #66 from ansible-lockdown/pre-commit-ci-update-config
[pre-commit.ci] pre-commit autoupdate
2026-03-18 17:52:10 +00:00
pre-commit-ci[bot]
17ebc8b582
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/gitleaks/gitleaks: v8.30.0 → v8.30.1](https://github.com/gitleaks/gitleaks/compare/v8.30.0...v8.30.1)
- [github.com/ansible-community/ansible-lint: v26.2.0 → v26.3.0](https://github.com/ansible-community/ansible-lint/compare/v26.2.0...v26.3.0)
2026-03-16 17:45:11 +00:00
defnotyujine
44fe093d49
Corrected task 3.2.3 to Level 1-Server and Workstation
Signed-off-by: defnotyujine <batauling1000@gmail.com>
2026-03-13 14:06:38 +08:00
defnotyujine
ea4d8d4732
Added missing tags for required prelim task on control 7.2.8 when running the playbook with L1 tags
Signed-off-by: defnotyujine <batauling1000@gmail.com>
2026-03-11 14:09:11 +08:00
uk-bolly
e1637b3319
Merge pull request #61 from ansible-lockdown/pre-commit-ci-update-config
[pre-commit.ci] pre-commit autoupdate
2026-03-03 09:57:01 +00:00
CIS Official main release (#60)
* updated examples to rhel10
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Updated for benchmark_1.0.0 release
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Updated for ansible2.19
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* v1.0.0 initial
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fix typos
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated for 1.0.0
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated var naming
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fix and update audit rules
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fix idempotency regex match improvement
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* authselect idempotency improvements
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated audit immutable logic
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* rename files
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* improve authselect
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Improved audit warning logic to handler
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* added that to assert thanks to rhel9 #388
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated 1.4.2 with checkmode false
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Added max-concurrent option
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated to latest version
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* latest updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* changed auditd warning location
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated comments
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* lint
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* 1.4.2 removed efi options no longer listed
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* 2.1.4 updated services naming for kea
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated auditd rules
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fix typo and tidy spacing
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated for 1.0.1
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated benchmark version
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* typo updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* 6.3.3.8 title update
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated to latest version
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated to latest version
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fixed typo 3.2.1
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fixed typos
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Added badge creation workflows
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* 5.1.2 logic update
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* removed non required loop
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* enhanced options
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* removed old variables
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* linting and stds
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fix typo for variable
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* network manager for wireless enhanced
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated to latest
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated NOWEAKMAC to NO-SSHWEAKMACS
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated layout
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fixed benchmark version
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* revert benchmark version in error
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* fix typo in 1.6.3
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated pre-commit
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Update changelog, lic year, and 3.1.1 improved logic
Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
* Typo fix for 3.1.1 var
Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
* Typo fix for 3.1.1 var
Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
* Update ansible_vars_goss with rhel10cis_ipv6_disable_method
Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
* update 5.1.x and 6.2.2.x fixes from Public
Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
* Update changelog and linting
Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
* Linting
Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
* Typo fixes
Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
* Updated bootloader_password to bootloader_hash variable and context added
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* disruption is high set to false as default
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* adjusted fs.suid_dumpable to correct conditional 1.5.4
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* 6.2.2.1.2 logic improvement
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* 6.2.2.1.2 logic
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* 5.4.1.1 disruption high added and variable comments
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* 2.3.2 time_syncronization_server vars updated and logic - template comment
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Aligned to correct level
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* linting
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Added comments on workstation and some controls
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated latest changes
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Adopted bootloader hash option thanks to @thulium-drake
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated tags
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* added passlib dependency documentation
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Updated to latest layout
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Updated bootloader password logic and enabled old methods without change
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* tidy up of variables and warning for bootloader password
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated naming
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Improved notes and variable build
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* tidied up comments to make it simpler
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Company title updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Company name alignment
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Fixed var naming
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated postfix handler
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* [pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/gitleaks/gitleaks: v8.29.1 → v8.30.0](https://github.com/gitleaks/gitleaks/compare/v8.29.1...v8.30.0)
- [github.com/ansible-community/ansible-lint: v25.11.0 → v26.1.1](https://github.com/ansible-community/ansible-lint/compare/v25.11.0...v26.1.1)
- [github.com/adrienverge/yamllint.git: v1.37.1 → v1.38.0](https://github.com/adrienverge/yamllint.git/compare/v1.37.1...v1.38.0)
* Fix 1.2.1.3 regex typo for repo_gpgcheck replacement
Signed-off-by: Björn Berggren <bjorn.berggren@gmail.com>
* Fix 5.4.1.2: use password_expire_min for minimum password days
Signed-off-by: Björn Berggren <bjorn.berggren@gmail.com>
* Fix 5.4.1.3: use rhel10cis_pass_warn_age in chage command
Signed-off-by: Björn Berggren <bjorn.berggren@gmail.com>
* Fix 5.4.1.5 remediation for empty and zero inactive values
Signed-off-by: Björn Berggren <bjorn.berggren@gmail.com>
* CIS 1.5.1: add missing '*' before hard core 0
Signed-off-by: Christoffer Appé <christoffer@appe.se>
* fix: add missing space in last two kernel module audit rules
Signed-off-by: Christoffer Appé <christoffer@appe.se>
* updated
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* typo fixes and lint
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* tidy up lint and unused vars
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated var name in 3.1.2
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---------
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Signed-off-by: Frederick Witty <frederick.witty@gotyto.com>
Signed-off-by: Björn Berggren <bjorn.berggren@gmail.com>
Signed-off-by: Christoffer Appé <christoffer@appe.se>
Co-authored-by: Fred W. <112580756+frederickw082922@users.noreply.github.com>
Co-authored-by: Frederick Witty <frederick.witty@gotyto.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Björn Berggren <bjorn.berggren@gmail.com>
Co-authored-by: Christoffer Appé <christoffer@appe.se>
1.0.1
2026-03-03 09:56:35 +00:00
pre-commit-ci[bot]
e5e417e5c5
[pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/ansible-community/ansible-lint: v26.1.1 → v26.2.0](https://github.com/ansible-community/ansible-lint/compare/v26.1.1...v26.2.0)
2026-03-02 17:47:42 +00:00