ansible-lockdown · frederickw082922 · Nov 19, 2025 · Oct 16, 2025 · Oct 16, 2025 · Oct 17, 2025
diff --git a/.github/workflows/add_repo_issue_to_gh_project.yml b/.github/workflows/add_repo_issue_to_gh_project.yml
@@ -0,0 +1,17 @@
+---
+
+name: Add Repo Issue to ALD GH project
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+      - transferred
+jobs:
+  add-to-project:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@main
+        with:
+          project-url: https://github.com/orgs/ansible-lockdown/projects/1
+          github-token: ${{ secrets.ALD_GH_PROJECT }}
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -41,12 +41,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.28.0
+  rev: v8.29.0
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.9.2
+  rev: v25.11.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -950,7 +950,7 @@ ubtu24cis_pam_confd_dir: 'usr/share/pam-configs/'
 
 # Controls 5.3.2.1 - pam_unix
 # Name of file
-ubtu24cis_pam_pwunix_file: 'pam_unix'
+ubtu24cis_pam_pwunix_file: 'unix'
 # Should NOT be enabled if allowing custom config that enabled pam_faillock
 ubtu24cis_pam_create_pamunix_file: false
 # Allow pam-auth-update --enable ubtu24cis_pam_pwunix_file to run

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -154,22 +154,6 @@
       - '/etc/pam.d/'
   register: prelim_pam_conf_files
 
-- name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x
-  when: ubtu24cis_rule_5_3_3_2_1 or ubtu24cis_rule_5_3_3_2_6
-  tags: always
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: "{{ item.state }}"
-    owner: root
-    group: root
-    mode: 'g-w,o-rwx'
-    modification_time: preserve
-    access_time: preserve
-  register: prelim_pwquality_dummy
-  loop:
-    - { path: '/etc/security/pwquality.conf.d', state: 'directory' }
-    - { path: '/etc/security/pwquality.conf.d/cis_dummy.conf', state: 'touch' }
-
 - name: "PRELIM | AUDIT | Capture pam security related files"
   tags: always
   ansible.builtin.find:

diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml
@@ -46,7 +46,7 @@
     - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed"
       when: discovered_pam_remember.stdout | length > 0
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwunix_file }}"
         regexp: remember=\d+
         replace: ''
       loop: "{{ discovered_pam_remember.stdout_lines }}"

diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
@@ -121,7 +121,7 @@
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_19 %}
 -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules
-{% set syscalls = ["init_module","finit_module","delete_module"] %}
+{% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %}
 {% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=-1 -k kernel_modules
 {% endif %}

diff --git a/templates/etc/profile.d/50-umask.sh.j2 b/templates/etc/profile.d/50-umask.sh.j2
@@ -4,4 +4,4 @@
 
 # Set umask with highest precedence
 
-umask 027
+umask {{ ubtu24cis_bash_umask }}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -4,4 +4,4 @@

		# Set umask with highest precedence

		umask 027
		umask {{ ubtu24cis_bash_umask }}