Merge pull request #267 from ansible-lockdown/devel

CIS v1.0.0 final release to main
ansible-lockdown · Dec 19, 2024 · ef2b7dc · ef2b7dc
2 parents 81a9299 + f0ae9ea
commit ef2b7dc
Show file tree

Hide file tree

Showing 15 changed files with 23 additions and 16 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -43,7 +43,7 @@ repos:
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.10.0
+  rev: v24.12.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
+Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -98,8 +98,15 @@
   when:
       - auditd_immutable_check.stdout == '1'
 
-- name: Restart auditd
-  ansible.builtin.shell: service auditd restart
+- name: Stop auditd process
+  ansible.builtin.shell: systemctl kill auditd
+  listen: Restart auditd
+
+- name: Start auditd process
+  ansible.builtin.systemd_service:
+      name: auditd
+      state: started
+  listen: Restart auditd
 
 - name: Change_requires_reboot
   ansible.builtin.set_fact:

diff --git a/tasks/auditd.yml b/tasks/auditd.yml
@@ -23,7 +23,7 @@
   ansible.builtin.import_tasks:
       file: warning_facts.yml
   vars:
-      warn_control_id: 'Auditd template updated, see diff output for details'
+      warn_control_id: 'Auditd template updated, validate as expected'
   when:
       - rhel9cis_auditd_template_updated.changed
       - rhel9cis_auditd_file.stat.exists

diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml
@@ -18,7 +18,7 @@
 - name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled"
   ansible.builtin.lineinfile:
       path: /etc/systemd/coredump.conf
-      regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$'
+      regexp: '^ProcessSizeMax\s*=\s*.*[1-9].*'
       line: 'ProcessSizeMax=0'
   when:
       - rhel9cis_rule_1_5_2

diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2
@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 
 # This file contains users whose actions are not logged by auditd

diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually

diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2
@@ -1,7 +1,7 @@
 # Run AIDE integrity check
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
 

diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2
@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 
 # Lock desktop media-handling automount setting
 /org/gnome/desktop/media-handling/automount

diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2
@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 
 # Lock desktop media-handling settings
 /org/gnome/desktop/media-handling/autorun-never
diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2
@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 
 [org/gnome/desktop/media-handling]
 automount=false

diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2
@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 
 [org/gnome/desktop/media-handling]
 autorun-never=true
diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2
@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 
 # Specify the dconf path
 [org/gnome/desktop/session]

diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2
@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 
 # Lock desktop screensaver idle-delay setting
 /org/gnome/desktop/session/idle-delay

diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 
 [org/gnome/login-screen]
 banner-message-enable=true