ansible-lockdown · uk-bolly · Jan 16, 2026 · Jan 19, 2026 · Jan 22, 2026 · Jan 22, 2026
diff --git a/.ansible-lint b/.ansible-lint
@@ -1,6 +1,5 @@
 ---
 
-parseable: true
 quiet: true
 skip_list:
   - 'package-latest'

diff --git a/.github/workflows/export_badges_private.yml b/.github/workflows/export_badges_private.yml
@@ -2,18 +2,10 @@
 
 name: Export Private Repo Badges
 
-# Use different minute offsets with the same hourly pattern:
-# Repo Group Suggested Cron Expression Explanation
-# Group A 0 */6 * * * Starts at top of hour
-# Group B 10 */6 * * * Starts at 10 after
-# And So On
-
 on:
   push:
     branches:
       - latest
-  schedule:
-    - cron: '0 */6 * * *'
   workflow_dispatch:
 
 jobs:

diff --git a/.gitignore b/.gitignore
@@ -12,6 +12,11 @@ ignore*
 # VSCode
 .vscode
 vagrant
+qa_report.md
+prompt.md
+plan.md
+history.md
+*.pdf
 
 # Byte-compiled / optimized / DLL files
 __pycache__/

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -48,7 +48,7 @@ repos:
     name: Run Gitleaks test
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.12.2
+  rev: v26.1.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -67,7 +67,7 @@ repos:
     # - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.37.1  # or higher tag
+  rev: v1.38.0  # or higher tag
   hooks:
   - id: yamllint
     name: Check YAML Lint
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
@@ -1,28 +1,26 @@
-Contributing to MindPoint Group Projects
+Contributing to Ansible-Lockdown Projects
 ========================================
 
 Rules
 -----
 1) All commits must be GPG signed (details in Signing section)
 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <joan.doe@email.com>) in the commit message (details in Signing section)
-3) All work is done in your own branch or fork
-4) Pull requests
-    a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit messages, and functional testing
-    b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit messages, and functional testing when going from staging to devel
-4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit messages, and functional testing)
+3) All work is done in your own branch
+4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
 5) Be open and nice to each other
 
 Workflow
 --------
 - Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
 - All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
 - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
+
 Signing your contribution
 -------------------------
 
 We've chosen to use the Developer's Certificate of Origin (DCO) method
 that is employed by the Linux Kernel Project, which provides a simple
-way to contribute to MindPoint Group projects.
+way to contribute to Ansible-Lockdown projects.
 
 The process is to certify the below DCO 1.1 text
 ::
@@ -32,19 +30,19 @@ The process is to certify the below DCO 1.1 text
     By making a contribution to this project, I certify that:
 
     (a) The contribution was created in whole or in part by me and I
-        have the right to submit it under the open-source license
+        have the right to submit it under the open source license
         indicated in the file; or
 
     (b) The contribution is based upon previous work that, to the best
-        of my knowledge, is covered under an appropriate open-source
+        of my knowledge, is covered under an appropriate open source
         license and I have the right under that license to submit that
         work with modifications, whether created in whole or in part
-        by me, under the same open-source license (unless I am
+        by me, under the same open source license (unless I am
         permitted to submit under a different license), as indicated
         in the file; or
 
     (c) The contribution was provided directly to me by some other
-        person who certified (a), (b), or (c) and I have not modified
+        person who certified (a), (b) or (c) and I have not modified
         it.
 
     (d) I understand and agree that this project and the contribution
@@ -63,7 +61,6 @@ following text in your contribution commit message:
 
 ::
 
-
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
 option to `git commit` to automatically include the signoff message.
diff --git a/Changelog.md b/Changelog.md
@@ -2,7 +2,50 @@
 
 ## Based on CIS v1.0.0
 
-## based on benchmark CIS 1.0.0
+## Based on CIS v1.0.0
+
+# 2026 issue fixes
+.gitignore update
+lint and variable naming
+
+Thanks to @bykdaadm
+- #141 - 2.1.2 damon name
+- #142 - ssh keys typo fix
+- #143 - remove extended permissions
+- #144 - tighten permissions on faillock
+- #145 - 5.3.3.1.3 aligned command with CIS benchmark
+- #146 - 5.3.3.3.x aligned
+- #147 - 5.3.2 and 5.3.3.3.x pwhistory generation tidy up
+- #149 - tidy up journald params
+- #150 - 6.2.4.9 remove group from task
+
+# 2026 Feb QA updates Benchmark 1.0.0
+- Repo Checker QA fixes
+- Grammar fixes: removed multiple consecutive spaces across defaults, tasks, and templates
+- Grammar fixes: corrected repeated words ('is is', 'the the', 'of of', 'can must')
+- Grammar fixes: fixed subject-verb disagreements in comments
+- Added missing variable ubtu24cis_priv_command_excluded_mounts
+- Added missing rule definition ubtu24cis_rule_4_4_1_4
+- Updated audit URL reference from RHEL8 to UBUNTU24
+- workflow updates
+- company name alignments
+- date updates
+- lint improvements
+- thanks to @bykvaadm
+  - #136
+  - #138
+  - #139
+- #137 thanks to @tmeckel
+
+### Jan26 updates
+pre-commit
+#92 readdressed thanks to @bizrad and @jbruno
+#127 addressed thanks to @rronneburger incl #84
+#129 addressed thanks to @stelucz
+#131 thanks to @Jurka007
+
+### Dec26_updates
+
 precommit update Public issues address
 
 4.2.5 ufw port variables and improvements to include ntp and protocol options

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
+Copyright (c) 2026 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/README.md b/README.md
@@ -19,7 +19,7 @@
 
 ## Lint & Pre-Commit Tools 🔧
 
-[![Pre-Commit.ci](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/UBUNTU24-CIS/pre-commit-ci.json)](https://results.pre-commit.ci/latest/github/ansible-lockdown/UBUNTU24-CIS/devel)
+
 ![YamlLint](https://img.shields.io/badge/yamllint-Present-brightgreen?style=flat&logo=yaml&logoColor=white)
 ![Ansible-Lint](https://img.shields.io/badge/ansible--lint-Present-brightgreen?style=flat&logo=ansible&logoColor=white)
 
@@ -49,7 +49,6 @@
 ![Private Benchmark Version](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-UBUNTU24-CIS/benchmark-version.json)
 
 [![Private Remediate Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-UBUNTU24-CIS/remediate.json)](https://github.com/ansible-lockdown/Private-UBUNTU24-CIS/actions/workflows/main_pipeline_validation.yml)
-[![Private GPO Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-UBUNTU24-CIS/gpo.json)](https://github.com/ansible-lockdown/Private-UBUNTU24-CIS/actions/workflows/main_pipeline_validation_gpo.yml)
 
 ![Private Pull Requests](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-UBUNTU24-CIS/prs.json)
 ![Private Closed Issues](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-UBUNTU24-CIS/issues-closed.json)
@@ -150,18 +149,21 @@ Note: More tests are run during audit as we check config and running state.
 
 ```txt
 
-ok: [default] => {
+ok: [ubuntu2404] => {
     "msg": [
-        "msg": [
-        "The pre remediation audit results are: Count: 763, Failed: 234, Skipped: 4, Duration: 9.741s",
-        "The post remediation audit results are: Count: 763, Failed: 19, Skipped: 4, Duration: 12.725s",
+        "The pre remediation audit results are: Count: 778, Failed: 330, Skipped: 38, Duration: 9.955s",
+        "The post remediation audit results are: Count: 778, Failed: 26, Skipped: 5, Duration: 4.239s",
         "Full breakdown can be found in /opt",
         ""
     ]
 }
+TASK [UBUNTU24-CIS : If Warnings found Output count and control IDs affected] ***
+ok: [ubuntu2404] => {
+    "msg": "You have 8 Warning(s) that require investigating that are related to the following benchmark ID(s)  [1.1.1.10] [1.2.1.1] [1.2.1.2] [2.1.21] [2.1.22] [4.2.6] [5.4.1.1] [5.4.1.2]"
+}
 
-PLAY RECAP *******************************************************************************************************************************************
-default                    : ok=270  changed=23   unreachable=0    failed=0    skipped=140  rescued=0    ignored=0
+PLAY RECAP ***********************************************************************************
+ubuntu2404                 : ok=447  changed=225  unreachable=0    failed=0    skipped=278  rescued=0    ignored=0
 ```
 
 ## Documentation 📖