Name and alignment

LICENSE

@@ -1,6 +1,6 @@
-# MIT License
+MIT License
 
-Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
+Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

galaxy.yml

@@ -33,14 +33,15 @@ license:
 # requirements as 'namespace' and 'name'
 tags:
 - ansible-lockdown
-- mindpointgroup
 - stig
 - disa
 - devsecops
 - rhel7
 - rhel7-stig
 - rhel8
 - rhel8-stig
+- rhel9
+- rhel9-stig
 - ubuntu18
 - ubuntu18-stig
 - ubuntu20

tasks/Cat2/RHEL-09-21xxxx.yml

@@ -47,7 +47,7 @@
         content: "{{ rhel9stig_logon_banner }}"
         dest: "{{ item }}"
         group: root
-        mode: '0644'
+        mode: 'u-x,go-wx'
         owner: root
       notify: Sshd_restart
       loop:
@@ -158,7 +158,7 @@
         owner: root
         src: "{{ item.file }}.j2"
       loop:
-        - { file: 'boot/grub2/user.cfg', mode: '0644' }
+        - { file: 'boot/grub2/user.cfg', mode: 'u-x,go-wx' }
 
     - name: "MEDIUM | RHEL-09-212010 | AUDIT | RHEL 9 must require a boot loader superuser password.| warning"
       when: not rhel9stig_set_bootloader_password

tasks/Cat2/RHEL-09-23xxxx.yml

@@ -871,7 +871,7 @@
     - name: "MEDIUM | RHEL-09-232010 | PATCH | RHEL 9 system commands must have mode 755 or less permissive."
       when: rhel9stig_system_command_permissions.stdout | length > 0
       ansible.builtin.file:
-        mode: '0755'
+        mode: 'u+x,go-w'
         path: "{{ item }}"
       loop:
         - "{{ rhel9stig_system_command_permissions.stdout_lines }}"
@@ -898,7 +898,7 @@
     - name: "MEDIUM | RHEL-09-232015 | PATCH | RHEL 9 library directories must have mode 755 or less permissive."
       when: rhel9stig_library_directory_perms.stdout | length > 0
       ansible.builtin.file:
-        mode: '0755'
+        mode: 'u+x,go-w'
         path: "{{ item }}"
       loop:
         - "{{ rhel9stig_library_directory_perms.stdout_lines }}"
@@ -925,7 +925,7 @@
     - name: "MEDIUM | RHEL-09-232020 | PATCH | RHEL 9 library files must have mode 755 or less permissive."
       when: rhel9stig_library_directory_perms.stdout | length > 0
       ansible.builtin.file:
-        mode: '0755'
+        mode: 'u+x,go-w'
         path: "{{ item }}"
       loop: "{{ rhel9stig_library_directory_perms.stdout_lines }}"
 
@@ -942,7 +942,7 @@
     - V-257885
     - NIST800-53R4_SI-11
   ansible.builtin.file:
-    mode: u=rwx,g-w,o-w
+    mode: 'u+x,go-w'
     modification_time: preserve
     path: /var/log
     state: directory
@@ -960,7 +960,7 @@
     - V-257886
     - NIST800-53R4_SI-11
   ansible.builtin.file:
-    mode: u=rw,g-wx,o-rwx
+    mode: 'u-x,g-wx,o-rwx'
     modification_time: preserve
     path: /var/log/messages
     state: file
@@ -977,7 +977,7 @@
     - V-257887
     - NIST800-53R4_AU-9
   ansible.builtin.file:
-    mode: u=rwx,g-w,o-w
+    mode: 'u+x,go-w'
     modification_time: preserve
     owner: root
     path: "{{ item }}"
@@ -1002,7 +1002,7 @@
     - V-257888
     - NIST800-53R4_CM-6
   ansible.builtin.file:
-    mode: u=rwx,go-rwx
+    mode: 'u+x,go-rwx'
     modification_time: preserve
     owner: root
     path: "/etc/{{ item }}"
@@ -1039,7 +1039,7 @@
     - name: "MEDIUM | RHEL-09-232045 | AUDIT | All RHEL 9 local initialization files must have mode 0740 or less permissive. | update permissions"
       ansible.builtin.file:
         path: "{{ item.path }}"
-        mode: g-wx,o-rwx
+        mode: 'g-wx,o-rwx'
         follow: false
       loop: "{{ user_dot_files.files }}"
       loop_control:
@@ -1067,11 +1067,10 @@
     - name: "MEDIUM | RHEL-09-232050 | PATCH | All RHEL 9 local interactive user home directories must have mode 0750 or less permissive. | amend if needed"
       when:
         - item.stat.path is defined
-        - item.stat.mode > '0750'
       ansible.builtin.file:
         path: "{{ item.stat.path }}"
         state: directory
-        mode: u=rwx,g-w,o-rwx
+        mode: 'u+x,g-w,o-rwx'
       loop: "{{ rhel9stig_home_dir_perms.results }}"
       loop_control:
         label: "{{ item }}"
@@ -1117,7 +1116,7 @@
     - V-257891
     - NIST800-53R4_CM-6
   ansible.builtin.file:
-    mode: u=rw,go-wx
+    mode: 'u-x,go-wx'
     path: /etc/group
 
 - name: "MEDIUM | RHEL-09-232060 | PATCH | RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access."
@@ -1132,7 +1131,7 @@
     - V-257892
     - NIST800-53R4_CM-6
   ansible.builtin.file:
-    mode: u=rw,go-wx
+    mode: 'u-x,go-wx'
     path: /etc/group-
 
 - name: "MEDIUM | RHEL-09-232065 | PATCH | RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access."
@@ -1147,7 +1146,7 @@
     - V-257893
     - NIST800-53R4_CM-6
   ansible.builtin.file:
-    mode: '0000'
+    mode: 'ugo-rwx'
     path: /etc/gshadow
 
 - name: "MEDIUM | RHEL-09-232070 | PATCH | RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access."
@@ -1162,7 +1161,7 @@
     - V-257894
     - NIST800-53R4_CM-6
   ansible.builtin.file:
-    mode: '0000'
+    mode: 'ugo-rwx'
     path: /etc/gshadow-
 
 - name: "MEDIUM | RHEL-09-232075 | PATCH | RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access."
@@ -1177,7 +1176,7 @@
     - V-257895
     - NIST800-53R4_CM-6
   ansible.builtin.file:
-    mode: u=rw,go-wx
+    mode: 'u-x,go-wx'
     path: /etc/passwd
 
 - name: "MEDIUM | RHEL-09-232080 | PATCH | RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access."
@@ -1192,7 +1191,7 @@
     - V-257896
     - NIST800-53R4_CM-6
   ansible.builtin.file:
-    mode: u=rw,go-wx
+    mode: 'u-x,go-wx'
     path: /etc/passwd-
 
 - name: "MEDIUM | RHEL-09-232085 | PATCH | RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access."
@@ -1207,7 +1206,7 @@
     - V-257897
     - NIST800-53R4_CM-6
   ansible.builtin.file:
-    mode: '0000'
+    mode: 'ugo-rwx'
     path: /etc/shadow-
 
 - name: "MEDIUM | RHEL-09-232090 | PATCH | RHEL 9 /etc/group file must be owned by root."
@@ -1996,7 +1995,7 @@
     - NIST800-53R4_CM-6
   ansible.builtin.file:
     path: /etc/crontab
-    mode: '0600'
+    mode: 'u-x,go-rwx'
 
 - name: "MEDIUM | RHEL-09-232270 | PATCH | RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access."
   when:
@@ -2011,4 +2010,4 @@
     - NIST800-53R4_CM-6
   ansible.builtin.file:
     path: /etc/shadow
-    mode: '0000'
+    mode: 'ugo-rwx'

tasks/Cat2/RHEL-09-25xxxx.yml

@@ -297,7 +297,7 @@
   ansible.builtin.template:
     dest: /etc/chrony.conf
     src: etc/chrony.conf.j2
-    mode: '0644'
+    mode: 'u-x,go-wx'
 
 # Required before 252035 to set DNS value in NetworkManager
 - name: "MEDIUM | RHEL-09-252040 | PATCH | RHEL 9 must configure a DNS processing mode set be Network Manager."
@@ -339,7 +339,7 @@
           rhel9stig_network_manager_dns.stdout == 'unmanaged'
       ansible.builtin.template:
         dest: /etc/resolv.conf
-        mode: '0644'
+        mode: 'u-x,go-wx'
         src: etc/resolv.conf.j2
 
     - name: "MEDIUM | RHEL-09-252035 | PATCH | RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured."
@@ -1242,7 +1242,7 @@
     - NIST800-53R4_CM-6
     - ssh
   ansible.builtin.file:
-    mode: go-rwx
+    mode: 'u-x,go-rwx'
     path: "{{ rhel9stig_sshd_config_file }}"
 
 - name: "MEDIUM | RHEL-09-255120 | PATCH | RHEL 9 SSH private host key files must have mode 0640 or less permissive."
@@ -1264,9 +1264,8 @@
       register: rhel9stig_private_ssh_keys
 
     - name: "MEDIUM | RHEL-09-255120 | PATCH | RHEL 9 SSH private host key files must have mode 0640 or less permissive."
-      when: item.mode > '0640'
       ansible.builtin.file:
-        mode: u-x,g-wx,o-rwx
+        mode: 'u-x,g-wx,o-rwx'
         path: "{{ item.path }}"
       loop: "{{ rhel9stig_private_ssh_keys.files }}"
 
@@ -1289,9 +1288,8 @@
       register: rhel9stig_pub_ssh_keys
 
     - name: "MEDIUM | RHEL-09-255125 | PATCH | RHEL 9 SSH public host key files must have mode 0644 or less permissive."
-      when: item.mode > '0644'
       ansible.builtin.file:
-        mode: u-x,g-wx,o-wx
+        mode: 'u-x,go-wx'
         path: "{{ item.path }}"
       loop: "{{ rhel9stig_pub_ssh_keys.files }}"
 

tasks/Cat2/RHEL-09-27xxxx.yml

@@ -48,7 +48,7 @@
     path: "/etc/dconf/db/{{ item }}.d/locks/session"
     line: /org/gnome/login-screen/banner-message-enable
     create: true
-    mode: '0644'
+    mode: 'u-x,go-wx'
     modification_time: preserve
     state: present
   loop: "{{ rhel9stig_dconf_db.stdout_lines }}"
@@ -72,7 +72,7 @@
   notify: Update_dconf
   community.general.ini_file:
     create: true
-    mode: '0644'
+    mode: 'u-x,go-wx'
     option: automount-open
     path: "/etc/dconf/db/{{ item }}.d/00-security-settings"
     section: 'org/gnome/desktop/media-handling'

tasks/Cat2/RHEL-09-4xxxxx.yml

@@ -583,7 +583,7 @@
     - name: "MEDIUM | RHEL-09-411115 | AUDIT | Local RHEL 9 initialization files must not execute world-writable programs."
       when: rhel9stig_user_exec_ww_files is defined
       ansible.builtin.file:
-        mode: go-w
+        mode: 'go-wx'
         path: "{{ item }}"
       loop: "{{ rhel9stig_user_exec_ww_files.stdout_lines }}"
 
@@ -622,7 +622,7 @@
     dest: /etc/profile.d/tmux.sh
     group: root
     owner: root
-    mode: '0755'
+    mode: 'u+x,go-w'
     src: etc/profile.d/tmux.sh.j2
 
 - name: "MEDIUM | RHEL-09-412020 | PATCH | RHEL 9 must have the tmux package installed."
@@ -641,7 +641,7 @@
     regexp: "{{ item }}"
     line: "{{ item }}"
     create: true
-    mode: '0644'
+    mode: 'u-x,go-wx'
     state: present
   loop:
     - 'set -g lock-command vlock'
@@ -664,7 +664,7 @@
     dest: /etc/tmux.conf
     group: root
     owner: root
-    mode: '0644'
+    mode: 'u-x,go-wx'
     src: etc/tmux.conf.j2
 
 - name: "MEDIUM | RHEL-09-412035 | PATCH | RHEL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity."
@@ -685,7 +685,7 @@
     dest: /etc/profile.d/tmout.sh
     group: root
     owner: root
-    mode: '0755'
+    mode: 'u+x,go-w'
     src: etc/profile.d/tmout.sh.j2
 
 - name: "MEDIUM | RHEL-09-412045 | PATCH | RHEL 9 must log username information when unsuccessful logon attempts occur."

tasks/Cat2/RHEL-09-61xxxx.yml

@@ -890,7 +890,7 @@
         group: root
         option: certificate_verification
         owner: root
-        mode: '0600'
+        mode: 'u-x,go-rwx'
         path: /etc/sssd/conf.d/certificate_verification.conf
         section: 'sssd'
         value: 'ocsp_dgst=sha512'

tasks/Cat2/RHEL-09-65xxxx.yml

@@ -870,7 +870,7 @@
     - auditd
   ansible.builtin.file:
     path: "{{ discovered_auditd_logfile.stdout }}"
-    mode: go-rwx
+    mode: 'go-rwx'
 
 - name: "MEDIUM | RHEL-09-653095 | PATCH | RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records."
   when:
@@ -941,12 +941,12 @@
   block:
     - name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
       ansible.builtin.file:
-        mode: '0640'
+        mode: 'u-x,g-w,o-rwx'
         path: /etc/audit/auditd.conf
 
     - name: "MEDIUM | RHEL-09-653110 | PATCH | RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
       ansible.builtin.file:
-        mode: '0640'
+        mode: 'u-x,g-w,o-rwx'
         path: "{{ item }}"
       with_fileglob:
         - "etc/audit/rules.d/*.rules"
@@ -965,7 +965,7 @@
     - auditd
   ansible.builtin.file:
     path: /etc/audit/auditd.conf
-    mode: u-x,g-wx,o-rwx
+    mode: 'u-x,g-wx,o-rwx'
 
 - name: "MEDIUM | RHEL-09-653125 | PATCH | RHEL 9 must have mail aliases to notify the information system security officer (ISSO) and system administrator (SA) (at a minimum) in the event of an audit processing failure."
   when:

tasks/prelim.yml

@@ -184,7 +184,7 @@
     path: "{{ rhel9stig_sshd_config_file }}"
     owner: root
     group: root
-    mode: "0600"
+    mode: 'u-x,go-rwx'
     state: touch
   when:
     - rhel9stig_sshd_config_file != '/etc/ssh/sshd_config'

templates/etc/aide.conf.j2

@@ -1,4 +1,4 @@
-## Aide Configuration provide by Ansible-lockdown sponsored by MindPoint Group
+## Aide Configuration provide by Ansible-lockdown sponsored by Mindpoint Group - A Tyto Athene Company
 
 @@define DBDIR /var/lib/aide
 @@define LOGDIR /var/log/aide

templates/etc/audit/rules.d/audit.rules.j2

@@ -1,5 +1,5 @@
 ## Auditd Configured by ansible-lockdown RHEL9-STIG
-# Sponsored by MindPoint Group
+# Sponsored by Mindpoint Group - A Tyto Athene Company
 {% if rhel_09_654010 %}
 # RHEL9-STIG rule 654010
 -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv

templates/etc/chrony.conf.j2

@@ -1,5 +1,5 @@
 # Managed and updated via Ansible
-# Part of https://github.com/ansible-lockdown by MindPointGroup
+# Part of https://github.com/ansible-lockdown by Mindpoint Group - A Tyto Athene Company
 # Use public servers from the pool.ntp.org project.
 # Please consider joining the pool (https://www.pool.ntp.org/join.html).
 {% for server in rhel9stig_time_synchronization_servers -%}

templates/etc/profile.d/tmout.sh.j2

@@ -1,6 +1,6 @@
 # Timeout profile script created by DISA STIG for RHEL9
 ## Supplied by ansible-lockdown
-## Sponsored by MindPointGroup.com
+## Sponsored by Mindpoint Group - A Tyto Athene Company
 #!/bin/bash
 
 {% if rhel_09_412035 %}