- #190 - thanks to @ipruteanu-sie
- addressed requirements in PR with alternate method
- #191 - thanks to @numericillustration
- Addressed authselect for pam
- #193 thanks to brakkio86
- added new interactive user discoveries
- updated controls 6.2.10-6.2.14
- audit
- steps moved to prelim
- update to coipy and archive logic and variables
- removed vars not used
- updated quotes used in mode tasks
- pre-commit update
- issues addressed
- #190 thanks to @ipruteanu-sie
- aligned logic for user shadow suite params (aligned with other repos)
- new variables to force changes to existing users added 5.6.1.1 - 5.6.1.2
- #198 thanks to @brakkio86
- #190 thanks to @ipruteanu-sie
- 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only
- thanks to @ipruteanu-sie
- #156
- #165
- #180
- #181
- #183
- #184
- updated goss binary to 0.4.4
- moved majority of audit variables to vars/audit.yml
- new function to enable audit_only using remediation
- removed some dupes in audit config
- updated audit binary versions - aligned with rhel9-cis-audit
- lint updates
- .secrets updated
- file mode quoted
- updated 5.6.5 thansk to feedback from S!ghs on discord community
-
new workflow configuration
- Allowing devel and main configs
- IaC code found in alternate repo for easier mgmt
-
Added pre-commit config - Does not have to be used but can improve things
- .pre-commit-config.yaml
- .secrets.baseline
- gitleaks and secrets detection
-
updated to logic in 5.6.5
-
lint updates to 6.1.x
-
readme updates
-
audit control updates and variable name changes
- ability to run audit on arm64(e.g. pi or M1/2) too thanks to @lucab85 #77
-
tidy up README adopted PR #78 thanks to @lucab85
-
moved Makefile requirements to .config/
-
removed .ansible.cfg and local.yml
- #72
- Only run check when paybook user not a superuser
- fix for 5.5.3 thanks to @nrg-fv
fixed assert for user password set
thanks to @byjunks #66
rule_1.10 improvements allowing for module checking (useful for AD)
lint and yaml updates improvements to 6.1.10, 6.1.11, 6.1.13, 6.1.14 4.1.3.6 updated on process discovery
updated yamllint as galaxy doesn't honour local settings removed empty lines in files
updated yamllint removed empty lines after lint initial molecule added galaxy workflow updated
#40 tmp systemd file variable naming update #41 5.3.7 logic and rewrite - tidy up prelim for sugroup work - audit updated
Update to auditd components improve idempotency and tidy up Added a warning to check diff if any changes to template file (if template file exists) else its new. workflow update to remove the urandom update skip 5.6.6 root password check variable naming OracleLinux support added #38 journald restart amendment thanks to @bdwyertech
thanks to @smatterchew #30 ability to change sshd config file to use dropin file instead.
thanks to @I-am-MoS #34 create user.cfg if not present
Aligned benchmark audit version with remediate release
Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 Will not follow symlink in home directories and amend permissions.
- rhel_09_6_2_16_home_follow_symlink: false
Jan-2023 release
- updated ansible minimum to 2.10
- Lint file updates and improvements
- auditd now shows diff ater initial template added
- many control rewritten
- Many controls moved ID references
- Audit updates aligned
- Command warn arg removed
- Ansible 2.14 now supported
- makefile added (hopefully help some)
- fqcn added to all controls
- some controls rewritten using module rather than shell
- typo fixes from rhel_08 inheritance
- workflow update for 5.6.6 to set random root password to allow for testing
- incorporates issues
- #23
- #24
- New option to add faillock for users without authselect - defaults/main 5.4.2
- audit path updated and output file name
-
#209 5.6.5 rewrite umask settings
-
#220 tidy up and align variables
-
#226 Thanks to Thulium-Drake -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required fopr auditd to run correctly in some cases)
-
#227 thanks to OscarElits
- chrony files now RH expected locations
-
#228 Thanks to benbulll
- audit binary copy var missing
- Added assertion that ansible_user has password set for rule 5.3.4
- RockyLinux now supported - release since initial branches
- gpg check updates
- audit out dir now /opt
- lint updates and improvements
- workflow updates and improvements moved to rocky image
- selinux regexp improvements
- warning summary now at end of play
- advanced auditd options to exclude users in POST section
- Issues fixed thanks to fgierlinger
- update to auditd template
- uses facts and template new variable
- update_audit_template (default false)
- uses facts and template new variable
- sysctl template updates and idempotency improvements
- container discovery usage improvements
- 3.4.1.5 discovery improvement
- 5.6.1.4 discovery improvement
- logrotate process logrotate.timer
- tidy up become:
- logic improvements
- not all controls work with rhel8 releases any longer
- selinux disabled 1.6.1.4
- logrotate - 4.3.x
- updated to rhel8cis v2.0 benchamrk requirements
- removed iptables firewall controls (not valid on rhel9)
- added more to logrotate 4.3.x - sure to logrotate now a seperate package
- grub path now standard to /boot/grub2/grub.cfg
- 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer
- workflow update
- removed doc update
- change to include statements
- prelim and package facts discovery
- commands module removed and moved to shell
- added
args:
warn: false- update boolean values to true/false
- 3.4.2 improved checks for p[ackage presence
- changed to assert for OS/release and ansible version
- based on RHEL8 currently as RH or CIS not GA
- Changes to systctl, auditd, aide cron changes to utilise templates - see issue #1
- Collection statement added to meta/main.yml using only community-general
- aide crontab moved to template due to module change