diff --git a/LICENSE b/LICENSE index f6d2b57..7e51eb7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/tasks/post.yml b/tasks/post.yml index b681f02..c08ffd2 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -13,7 +13,7 @@ dest: "/etc/sysctl.d/{{ item }}" owner: root group: root - mode: 0600 + mode: 'u-x,go-rwx' register: sysctl_updated notify: Reload sysctl loop: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index ed47db2..018bfc3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -173,7 +173,7 @@ path: "{{ amzn2023cis_sshd_config_file }}" owner: root group: root - mode: '0600' + mode: 'u-x,o-rwx' state: touch when: - amzn2023cis_sshd_config_file != '/etc/ssh/sshd_config' diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 177d846..f46d2f0 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -8,7 +8,7 @@ regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -16,7 +16,7 @@ regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" community.general.modprobe: @@ -41,7 +41,7 @@ regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -49,7 +49,7 @@ regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" community.general.modprobe: @@ -72,7 +72,7 @@ regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.3 | PATCH | Ensure mounting of cramfs filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -80,7 +80,7 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.3 | PATCH | Ensure mounting of cramfs filesystems is disable | Disable cramfs" community.general.modprobe: @@ -104,7 +104,7 @@ regexp: "^(#)?install freevxfs(\\s|$)" line: "install freevxfs /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.4 | PATCH | Ensure mounting of freevxfs filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -112,7 +112,7 @@ regexp: "^(#)?blacklist freevxfs(\\s|$)" line: "blacklist freevxfs" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.4 | PATCH | Ensure mounting of freevxfs filesystems is disable | Disable freevxfs" community.general.modprobe: @@ -136,7 +136,7 @@ regexp: "^(#)?install jffs2(\\s|$)" line: "install jffs2 /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.5 | PATCH | Ensure mounting of jffs2 filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -144,7 +144,7 @@ regexp: "^(#)?blacklist jffs2(\\s|$)" line: "blacklist jffs2" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.5 | PATCH | Ensure mounting of jffs2 filesystems is disable | Disable jffs2" community.general.modprobe: @@ -168,7 +168,7 @@ regexp: "^(#)?install hfs(\\s|$)" line: "install hfs /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.6 | PATCH | Ensure mounting of hfs filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -176,7 +176,7 @@ regexp: "^(#)?blacklist hfs(\\s|$)" line: "blacklist hfs" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.6 | PATCH | Ensure mounting of hfs filesystems is disable | Disable hfs" community.general.modprobe: @@ -200,7 +200,7 @@ regexp: "^(#)?install hfsplus(\\s|$)" line: "install hfsplus /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.7 | PATCH | Ensure mounting of hfsplus filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -208,7 +208,7 @@ regexp: "^(#)?blacklist hfsplus(\\s|$)" line: "blacklist hfsplus" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.7 | PATCH | Ensure mounting of hfsplus filesystems is disable | Disable hfsplus" community.general.modprobe: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 58bc13b..999a231 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -62,7 +62,7 @@ dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Systemd restart tmp.mount when: - amzn2023cis_tmp_svc diff --git a/tasks/section_1/cis_1.1.9.yml b/tasks/section_1/cis_1.1.9.yml index aec3502..b8c7a57 100644 --- a/tasks/section_1/cis_1.1.9.yml +++ b/tasks/section_1/cis_1.1.9.yml @@ -10,7 +10,7 @@ create: true owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" community.general.modprobe: @@ -24,7 +24,7 @@ regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" create: true - mode: '0600' + mode: 'u-x,go-rwx' when: - amzn2023cis_rule_1_1_9 tags: diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index eb9f88a..6850ec4 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -6,7 +6,7 @@ dest: /etc/motd owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_1 tags: @@ -22,7 +22,7 @@ dest: /etc/issue owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_2 tags: @@ -39,7 +39,7 @@ dest: /etc/issue.net owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_3 tags: @@ -56,7 +56,7 @@ path: /etc/motd owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_4 tags: @@ -72,7 +72,7 @@ path: /etc/issue owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_5 tags: @@ -88,7 +88,7 @@ path: /etc/issue.net owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_6 tags: diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 8311441..df312f7 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -22,7 +22,7 @@ dest: /etc/chrony.d/chrony.conf owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" ansible.builtin.lineinfile: @@ -30,7 +30,7 @@ regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" create: true - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_2_1_2 - not system_is_container diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 2fda66c..bbecfb9 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -30,7 +30,7 @@ ansible.builtin.template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" - mode: '0600' + mode: 'u-x,go-rwx' owner: root group: root loop: @@ -42,7 +42,7 @@ regexp: "^(#)?blacklist {{ protocol }}(\\s|$)" line: "blacklist {{ protocol }}" create: true - mode: '0600' + mode: 'u-x,go-rwx' vars: protocol: dccp when: @@ -60,7 +60,7 @@ ansible.builtin.template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" - mode: '0600' + mode: 'u-x,go-rwx' owner: root group: root loop: @@ -72,7 +72,7 @@ regexp: "^(#)?blacklist {{ protocol }}(\\s|$)" line: "blacklist {{ protocol }}" create: true - mode: '0600' + mode: 'u-x,go-rwx' vars: protocol: sctp when: @@ -91,7 +91,7 @@ ansible.builtin.template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" - mode: '0600' + mode: 'u-x,go-rwx' owner: root group: root loop: @@ -103,7 +103,7 @@ regexp: "^(#)?blacklist {{ protocol }}(\\s|$)" line: "blacklist {{ protocol }}" create: true - mode: '0600' + mode: 'u-x,go-rwx' vars: protocol: rds when: @@ -121,7 +121,7 @@ ansible.builtin.template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" - mode: '0600' + mode: 'u-x,go-rwx' owner: root group: root loop: @@ -133,7 +133,7 @@ regexp: "^(#)?blacklist {{ protocol }}(\\s|$)" line: "blacklist {{ protocol }}" create: true - mode: '0600' + mode: 'u-x,go-rwx' vars: protocol: tipc when: diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index 5592247..27b20c7 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -22,7 +22,7 @@ path: /etc/crontab owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' when: - amzn2023cis_rule_4_1_2 tags: @@ -39,7 +39,7 @@ state: directory owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' when: - amzn2023cis_rule_4_1_3 tags: @@ -56,7 +56,7 @@ state: directory owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' when: - amzn2023cis_rule_4_1_4 tags: @@ -73,7 +73,7 @@ state: directory owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' when: - amzn2023cis_rule_4_1_5 tags: @@ -89,7 +89,7 @@ state: directory owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' when: - amzn2023cis_rule_4_1_6 tags: @@ -105,7 +105,7 @@ state: directory owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' when: - amzn2023cis_rule_4_1_7 tags: @@ -134,7 +134,7 @@ state: '{{ "file" if amzn2023cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' when: - amzn2023cis_rule_4_1_8 tags: @@ -163,7 +163,7 @@ state: '{{ "file" if amzn2023cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' when: - amzn2023cis_rule_4_1_9 tags: diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index 06a542a..656c3bb 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -5,7 +5,7 @@ path: "/etc/ssh/sshd_config" owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' when: - amzn2023cis_rule_4_2_1 tags: @@ -32,7 +32,7 @@ path: "{{ item.path }}" owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' loop: "{{ amzn2023cis_4_2_2_ssh_private_host_key.files }}" loop_control: label: "{{ item.path }}" @@ -62,7 +62,7 @@ path: "{{ item.path }}" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' loop: "{{ amzn2023cis_4_2_3_ssh_public_host_key.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml index 67a4046..5195966 100644 --- a/tasks/section_4/cis_4.6.x.yml +++ b/tasks/section_4/cis_4.6.x.yml @@ -53,7 +53,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: '0644' + mode: 'u-x,go-wx' block: | TMOUT={{ amzn2023cis_shell_session_timeout.timeout }} export TMOUT diff --git a/tasks/section_5/cis_5.1.3.yml b/tasks/section_5/cis_5.1.3.yml index 6259555..c050a10 100644 --- a/tasks/section_5/cis_5.1.3.yml +++ b/tasks/section_5/cis_5.1.3.yml @@ -12,7 +12,7 @@ - name: "5.1.3 | PATCH | Ensure all logfiles have appropriate permissions and ownership | change permissions" ansible.builtin.file: path: "{{ item.path }}" - mode: '0640' + mode: 'u-x,g-wx,o-rwx' loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_5/cis_5.2.4.x.yml b/tasks/section_5/cis_5.2.4.x.yml index d6aedf1..f4cf7ac 100644 --- a/tasks/section_5/cis_5.2.4.x.yml +++ b/tasks/section_5/cis_5.2.4.x.yml @@ -50,7 +50,7 @@ ansible.builtin.file: path: "{{ audit_discovered_logfile.stdout | dirname }}" state: directory - mode: '0750' + mode: 'u+x,g-w,o-rwx' when: not auditlog_dir.stat.mode is match('07(0|5)0') when: - amzn2023cis_rule_5_2_4_4 @@ -63,7 +63,7 @@ - name: "5.2.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - mode: g-wx,o-rwx + mode: 'g-wx,o-rwx' loop: "{{ auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" @@ -125,7 +125,7 @@ - name: "5.2.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}" - mode: '0750' + mode: 'u+x,g-w,o-rwx' loop: "{{ audit_bins.results }}" loop_control: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 503ea46..55b209f 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -5,7 +5,7 @@ path: /etc/passwd owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_6_1_1 tags: @@ -21,7 +21,7 @@ path: /etc/passwd- owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_6_1_2 tags: @@ -37,7 +37,7 @@ path: /etc/group- owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_6_1_3 tags: @@ -53,7 +53,7 @@ path: /etc/group- owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_6_1_4 tags: @@ -69,7 +69,7 @@ path: /etc/shadow owner: root group: root - mode: '0000' + mode: 'ugo-rwx' when: - amzn2023cis_rule_6_1_5 tags: @@ -85,7 +85,7 @@ path: /etc/shadow- owner: root group: root - mode: '0000' + mode: 'ugo-rwx' when: - amzn2023cis_rule_6_1_6 tags: @@ -101,7 +101,7 @@ path: /etc/gshadow owner: root group: root - mode: '0000' + mode: 'ugo-rwx' when: - amzn2023cis_rule_6_1_7 tags: @@ -117,7 +117,7 @@ path: /etc/gshadow- owner: root group: root - mode: '0000' + mode: 'ugo-rwx' when: - amzn2023cis_rule_6_1_8 tags: @@ -144,7 +144,7 @@ content: "{{ amzn2023cis_6_1_9_packages_rpm.stdout }}" owner: root group: root - mode: '0640' + mode: 'u-x,g-wx,o-rwx' - name: "6.1.9 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" ansible.builtin.debug: @@ -185,7 +185,7 @@ - name: "6.1.10 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)" ansible.builtin.file: path: '{{ item }}' - mode: o-w + mode: 'o-w' state: touch loop: "{{ amzn2023cis_6_1_10_perms_results.stdout_lines }}" when: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index ef25e44..f2a3538 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -254,7 +254,7 @@ state: directory owner: root group: root - mode: "0755" + mode: 'u+x,go-w' follow: false loop: "{{ root_path_perms.results }}" loop_control: @@ -357,7 +357,7 @@ - name: "6.2.11 | AUDIT | Ensure local interactive user dot files access is configured | update permissions" ansible.builtin.file: path: "{{ item.path }}" - mode: go-w + mode: 'go-w' follow: "{{ amzn2023cis_6_2_11_home_follow_symlinks }}" loop: "{{ user_dot_files.files }}" loop_control: diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index d5dbc97..e5fe23b 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index a908b6f..8a2dfb4 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,6 +1,6 @@ ## Ansible controlled filescope # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index 5526357..cdf1900 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,7 +1,7 @@ # Run AIDE integrity check ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index efebeac..0e55b5a 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling automount setting /org/gnome/desktop/media-handling/automount diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 4506f4f..cf9ed5d 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 78ad883..640538c 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] automount=false diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index 81bdfea..382469c 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index bcc0736..9eaf988 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Specify the dconf path [org/gnome/desktop/session] diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index d6c5d70..5988316 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop screensaver idle-delay setting /org/gnome/desktop/session/idle-delay diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index d2f45a2..38f4253 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/login-screen] banner-message-enable=true