- #72
- Only run check when paybook user not a superuser
- fix for 5.5.3 thanks to @nrg-fv
fixed assert for user password set
thanks to @byjunks #66
rule_1.10 improvements allowing for module checking (useful for AD)
lint and yaml updates improvements to 6.1.10, 6.1.11, 6.1.13, 6.1.14 4.1.3.6 updated on process discovery
updated yamllint as galaxy doesn't honour local settings removed empty lines in files
updated yamllint removed empty lines after lint initial molecule added galaxy workflow updated
#40 tmp systemd file variable naming update #41 5.3.7 logic and rewrite - tidy up prelim for sugroup work - audit updated
Update to auditd components improve idempotency and tidy up Added a warning to check diff if any changes to template file (if template file exists) else its new. workflow update to remove the urandom update skip 5.6.6 root password check variable naming OracleLinux support added #38 journald restart amendment thanks to @bdwyertech
thanks to @smatterchew #30 ability to change sshd config file to use dropin file instead.
thanks to @I-am-MoS #34 create user.cfg if not present
Aligned benchmark audit version with remediate release
Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8
Will not follow ynlink in hoe directoris and amend permissions.
- rhel_09_6_2_16_home_follow_symlink: false
Jan-2023 release
- updated ansible minimum to 2.10
- Lint file updates and improvements
- auditd now shows diff ater initial template added
- many control rewritten
- Many controls moved ID references
- Audit updates aligned
- Command warn arg removed
- Ansible 2.14 now supported
- makefile added (hopefully help some)
- fqcn added to all controls
- some controls rewritten using module rather than shell
- typo fixes from rhel_08 inheritance
- workflow update for 5.6.6 to set random root password to allow for testing
- incorporates issues
- #23
- #24
- New option to add faillock for users without authselect - defaults/main 5.4.2
- audit path updated and output file name
-
#209 5.6.5 rewrite umask settings
-
#220 tidy up and align variables
-
#226 Thanks to Thulium-Drake -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required fopr auditd to run correctly in some cases)
-
#227 thanks to OscarElits
- chrony files now RH expected locations
-
#228 Thanks to benbulll
- audit binary copy var missing
- Added assertion that ansible_user has password set for rule 5.3.4
- RockyLinux now supported - release since initial branches
- gpg check updates
- audit out dir now /opt
- lint updates and improvements
- workflow updates and improvements moved to rocky image
- selinux regexp improvements
- warning summary now at end of play
- advanced auditd options to exclude users in POST section
- Issues fixed thanks to fgierlinger
- update to auditd template
- uses facts and template new variable
- update_audit_template (default false)
- uses facts and template new variable
- sysctl template updates and idempotency improvements
- container discovery usage improvements
- 3.4.1.5 discovery improvement
- 5.6.1.4 discovery improvement
- logrotate process logrotate.timer
- tidy up become:
- logic improvements
- not all controls work with rhel8 releases any longer
- selinux disabled 1.6.1.4
- logrotate - 4.3.x
- updated to rhel8cis v2.0 benchamrk requirements
- removed iptables firewall controls (not valid on rhel9)
- added more to logrotate 4.3.x - sure to logrotate now a seperate package
- grub path now standard to /boot/grub2/grub.cfg
- 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer
- workflow update
- removed doc update
- change to include statements
- prelim and package facts discovery
- commands module removed and moved to shell
- added
args:
warn: false- update boolean values to true/false
- 3.4.2 improved checks for p[ackage presence
- changed to assert for OS/release and ansible version
- based on RHEL8 currently as RH or CIS not GA
- Changes to systctl, auditd, aide cron changes to utilise templates - see issue #1
- Collection statement added to meta/main.yml using only community-general
- aide crontab moved to template due to module change