Merge pull request #517 from ansible-lockdown/devel

Jan26 release to main

Author: uk-bolly

.pre-commit-config.yaml

@@ -43,13 +43,13 @@ repos:
     name: Detect Secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.29.1
+  rev: v8.30.0
   hooks:
   - id: gitleaks
     name: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.11.0
+  rev: v26.1.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -68,7 +68,7 @@ repos:
     # - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.37.1  # or higher tag
+  rev: v1.38.0  # or higher tag
   hooks:
   - id: yamllint
     name: Check YAML Lint

tasks/section_4/cis_4.5.1.x.yml

@@ -92,7 +92,7 @@
 
     - name: "4.5.1.3 | AUDIT | Ensure password expiration warning days is 7 or more | capture users not matching"
       ansible.builtin.shell: >
-        awk -F: '/^[^:\n\r]+:[^!*xX\n\r]/ {print $1}' /etc/shadow
+        awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel8cis_pam_pass_warn_age }} {print $1}' /etc/shadow
       changed_when: false
       failed_when: discovered_users_warn_days.rc not in [ 0, 1 ]
       check_mode: false