RHEL8-CIS

Ansible role for Red Hat 8 CIS Baseline

Results 32 RHEL8-CIS issues

**Describe the Issue** Noticed the task `4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid` is updating the entire output of `discovered_sugroup`...

bug

**Spelling correction** There are a few spelling corrections needed in the following files: tasks --> prelimyml file, line number 183 tasks --> section_4 --> cis_4.3.x.yml, line number 67 The `files\etc\systemd\system\tmp.mount.j2` file needs to...

bug

updates: - [github.com/Yelp/detect-secrets: v1.4.0 → v1.5.0](https://github.com/Yelp/detect-secrets/compare/v1.4.0...v1.5.0) - [github.com/ansible-community/ansible-lint: v24.2.2 → v24.5.0](https://github.com/ansible-community/ansible-lint/compare/v24.2.2...v24.5.0)

**Overall Review of Changes:** Issues addressed **Issue Fixes:** thanks to @msachikanta #373 #374 #375 updated audit binary paths for auditd.conf for scap scanner **Enhancements:** typos and task improvements **How has...

**Describe the Issue** Noticed regex is not updating the values properly in `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth`. `ansible.builtin.replace` section of the Task 4.4.3.4.1 seems not to be working as expected. ~~~ -...

bug

updates: - [github.com/gitleaks/gitleaks: v8.18.3 → v8.18.4](https://github.com/gitleaks/gitleaks/compare/v8.18.3...v8.18.4)

Question: Nessus scan gives only 69% score in oracle linux 8.9 Before upgrade of CIS compliance in Nessus, score was 77% score for the same host. Nessus Version: 10.7.4 CIS...

bug

Greetings, It seems like there may be a few copy/paste mistakes in this file: https://github.com/ansible-lockdown/RHEL8-CIS/blob/a4d11fafbdb6e1c7c7292013636d69c4f13d0e0c/tasks/section_2/cis_2.2.x.yml#L1 I've added a patch diff file from my local environment to help show the line...

bug

Hi, It seems to me that you are using the wrong variable name in the "5.1.4 | PATCH | Ensure permissions on all logfiles are configured | change permissions" check and...

bug

**Describe the Issue** The hardening guide requires disabling X11 forwarding unless there is an operational requirement. The [task 5.2.12](https://github.com/ansible-lockdown/RHEL8-CIS/blob/bc4cdf885ce563ec9682caf65131bda9cb38277e/tasks/section_5/cis_5.2.x.yml#L229-L242) accomplishes this with the lineinfile module. lineinfile only replaces the...

bug