ansible-lockdown · uk-bolly · Jan 26, 2026 · Jan 5, 2026 · Jan 5, 2026 · Jan 16, 2026
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -46,7 +46,7 @@ repos:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.12.2
+  rev: v26.1.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -65,7 +65,7 @@ repos:
     # - ansible-core>=2.12.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.37.1  # or higher tag
+  rev: v1.38.0  # or higher tag
   hooks:
   - id: yamllint
     name: Check YAML Lint
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1371,9 +1371,17 @@ deb12cis_priv_command_excluded_mounts: []
 
 # Section 7 Vars
 
-# 7.1.12 Ensure no files or directories without an owner and a group exist
+# 7.1.12
+# Ensure no files or directories without an owner and a group exist
+# Extend the list as required adding the the current list e.g. "-a ! -path "/somedir/*"
+# Note Ensure to document all exclusions that do not match the benchmark
 deb12cis_exclude_unowned_search_path: '\( ! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*" \)'
 
+# This can be extended as seen fit
+# NFS added as starter to be extended with "-a -not -fstype CIFS"
+# Note Ensure to document all exclusions that do not match the benchmark
+deb12cis_exclude_unowned_filesystem_types: '\( -not -fstype nfs \)'
+
 # Control 7.1.12
 # The value of this variable specifies the owner that will be set for unowned files and directories.
 deb12cis_unowned_owner: root

diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml
@@ -212,6 +212,7 @@
   ansible.builtin.user:
     name: "{{ item.id }}"
     shell: /usr/sbin/nologin
+    create_home: false
   loop: "{{ prelim_captured_passwd_data }}"
   loop_control:
     label: "{{ item.id }}"

diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml
@@ -214,7 +214,7 @@
     warn_control_id: '7.1.12'
   block:
     - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
-      ansible.builtin.command: find {{ item.mount }} -xdev -type f {{ deb12cis_exclude_unowned_search_path }} \( -nouser -o -nogroup \) -not -fstype nfs
+      ansible.builtin.command: find {{ item.mount }} -xdev -type f {{ deb12cis_exclude_unowned_search_path }} \( -nouser -o -nogroup \) {{ deb12cis_exclude_unowned_filesystem_types }}
       changed_when: false
       failed_when: false
       check_mode: false