tilt-x · Copilot · Jul 30, 2025 · Jul 30, 2025
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
@@ -121,7 +121,7 @@
                 inventory: .github/workflows/github_linux_IaC/hosts.yml
                 galaxy_file: collections/requirements.yml
                 private_key: ${{ secrets.SSH_PRV_KEY }}
-        #          verbose: 3
+                verbose: ${{ env.ENABLE_DEBUG == 'true' && 3 || 0 }}
               env:
                 ANSIBLE_HOST_KEY_CHECKING: "false"
                 ANSIBLE_DEPRECATION_WARNINGS: "false"

diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
@@ -110,7 +110,7 @@
                 inventory: .github/workflows/github_linux_IaC/hosts.yml
                 galaxy_file: collections/requirements.yml
                 private_key: ${{ secrets.SSH_PRV_KEY }}
-        #          verbose: 3
+                verbose: ${{ env.ENABLE_DEBUG == 'true' && 3 || 0 }}
               env:
                 ANSIBLE_HOST_KEY_CHECKING: "false"
                 ANSIBLE_DEPRECATION_WARNINGS: "false"

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -374,7 +374,8 @@ rhel9cis_rule_6_2_16: true
 #### 1.1.2
 # These settings go into the /etc/fstab file for the /tmp mount settings
 # The value must contain nosuid,nodev,noexec to conform to CIS standards
-# rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"
+# Uncomment and modify as needed for your environment
+rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0"
 # If set true uses the tmp.mount service else using fstab configuration
 rhel9cis_tmp_svc: false
 
@@ -452,6 +453,9 @@ rhel9cis_chrony_server_options: "minpoll 8"
 rhel9cis_chrony_server_rtcsync: false
 rhel9cis_chrony_server_makestep: "1.0 3"
 rhel9cis_chrony_server_minsources: 2
+# Enable rtcfile directive (disabled by default due to potential lockup issues on some motherboards/kernels)
+rhel9cis_chrony_server_rtcfile_enable: false
+rhel9cis_chrony_server_rtcfile_path: "/var/lib/chrony/chrony.rtc"
 
 ### 2.2 Special Purposes
 ##### Service configuration booleans set true to keep service
@@ -596,9 +600,19 @@ rhel9cis_sshd:
     clientalivecountmax: 0
     clientaliveinterval: 900
     logingracetime: 60
-    # WARNING: make sure you understand the precedence when working with these values!!
+    # SSH Access Control Configuration
+    # IMPORTANT: These directives are processed in the order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
+    # First match wins, so be careful with precedence!
+    #
+    # Examples:
+    # allowusers: "user1 user2 [email protected]/8"
+    # allowgroups: "wheel sysadmin"
+    # denyusers: "guest test"
+    # denygroups: "games"
+    #
+    # Uncomment and configure as needed for your environment:
     # allowusers:
-    # allowgroups: systems dba
+    # allowgroups:
     # denyusers:
     # denygroups:
 

diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2
@@ -84,10 +84,14 @@ logchange 0.5
 # This directive tells chrony to regulate the real-time clock and tells it
 # Where to store related data.  It may not work on some newer motherboards
 # that use the HPET real-time clock.  It requires enhanced real-time
-# support in the kernel.  I've commented it out because with certain
-# combinations of motherboard and kernel it is reported to cause lockups.
-
-# rtcfile /var/lib/chrony/chrony.rtc
+# support in the kernel.  Disabled by default due to reported lockups with
+# certain combinations of motherboard and kernel.
+
+{% if rhel9cis_chrony_server_rtcfile_enable %}
+rtcfile {{ rhel9cis_chrony_server_rtcfile_path }}
+{% else %}
+# rtcfile {{ rhel9cis_chrony_server_rtcfile_path }}
+{% endif %}
 
 # If the last line of this file reads 'rtconutc' chrony will assume that
 # the CMOS clock is on UTC (GMT).  If it reads '# rtconutc' or is absent

diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml
@@ -3,5 +3,9 @@
 
 os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29
 os_gpg_key_pubkey_content: "AlmaLinux OS 9 <[email protected]> b86b3716"
-# disable repo_gpgcheck due to OS default repos
+
+# Repository GPG checking is disabled for AlmaLinux
+# This is due to the OS default repositories not having proper GPG signatures configured
+# CIS 1.2.4 requires repo_gpgcheck=1, but this conflicts with AlmaLinux default repos
+# Set to true only if you have properly configured GPG keys for all repositories
 rhel9cis_rule_enable_repogpg: false
diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml
@@ -2,5 +2,9 @@
 # OS Specific Settings
 os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
 os_gpg_key_pubkey_content: "Oracle Linux (release key 1) <[email protected]>"
-# disable repo_gpgcheck due to OS default repos
+
+# Repository GPG checking is disabled for Oracle Linux
+# This is due to the OS default repositories not having proper GPG signatures configured
+# CIS 1.2.4 requires repo_gpgcheck=1, but this conflicts with Oracle Linux default repos
+# Set to true only if you have properly configured GPG keys for all repositories
 rhel9cis_rule_enable_repogpg: false
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
@@ -4,5 +4,8 @@
 os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b
 os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) <[email protected]> fd431d51"
 
-# disable repo_gpgcheck due to OS default repos
+# Repository GPG checking is disabled for Red Hat Enterprise Linux
+# This is due to the OS default repositories not having proper GPG signatures configured
+# CIS 1.2.4 requires repo_gpgcheck=1, but this conflicts with RHEL default repos
+# Set to true only if you have properly configured GPG keys for all repositories
 rhel9cis_rule_enable_repogpg: false