Apply container guards and skips for CIS hardening

Signed-off-by: DayneD89 <dayned89@gmail.com>
2026-05-10 07:33:54 +00:00 · 2026-04-30 14:48:38 -05:00 · 2026-04-30 14:48:38 -05:00 · 5ab951145c
commit 5ab951145c
parent c7ed4de9a8
10 changed files with 113 additions and 10 deletions
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@ -67,6 +67,7 @@
  when:
    - rhel9cis_rule_6_1_2
    - not system_is_ec2
+    - not system_is_container
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_6/cis_6.2.1.x.yml
+++ b/tasks/section_6/cis_6.2.1.x.yml
@ -1,7 +1,9 @@
 ---

 - name: "6.2.1.1 | PATCH | Ensure journald service is enabled and active"
-  when: rhel9cis_rule_6_2_1_1
+  when:
+    - rhel9cis_rule_6_2_1_1
+    - not system_is_container
  tags:
    - level1-server
    - level1-workstation
@ -86,7 +88,9 @@
        - '^(\s*MaxFileSec\s*=.*)'

 - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use"
-  when: rhel9cis_rule_6_2_1_4
+  when:
+    - rhel9cis_rule_6_2_1_4
+    - not system_is_container
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@ -18,7 +18,9 @@
    state: present

 - name: "6.2.3.2 | PATCH | Ensure rsyslog service is enabled and active"
-  when: rhel9cis_rule_6_2_3_2
+  when:
+    - rhel9cis_rule_6_2_3_2
+    - not system_is_container
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_6/cis_6.3.1.x.yml
+++ b/tasks/section_6/cis_6.3.1.x.yml
@ -26,7 +26,9 @@
        state: present

 - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
-  when: rhel9cis_rule_6_3_1_2
+  when:
+    - rhel9cis_rule_6_3_1_2
+    - not system_is_container
  tags:
    - level2-server
    - level2-workstation
@ -51,7 +53,9 @@
      changed_when: true

 - name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
-  when: rhel9cis_rule_6_3_1_3
+  when:
+    - rhel9cis_rule_6_3_1_3
+    - not system_is_container
  tags:
    - level2-server
    - level2-workstation
@ -91,7 +95,9 @@
      changed_when: true

 - name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active"
-  when: rhel9cis_rule_6_3_1_4
+  when:
+    - rhel9cis_rule_6_3_1_4
+    - not system_is_container
  tags:
    - level2-server
    - level2-workstation
--- a/tasks/section_6/cis_6.3.4.x.yml
+++ b/tasks/section_6/cis_6.3.4.x.yml
@ -1,7 +1,9 @@
 ---

 - name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured"
-  when: rhel9cis_rule_6_3_4_1
+  when:
+    - rhel9cis_rule_6_3_4_1
+    - not system_is_container
  tags:
    - level2-server
    - level2-workstation
@ -22,6 +24,7 @@
    - rhel9cis_rule_6_3_4_2 or
      rhel9cis_rule_6_3_4_3 or
      rhel9cis_rule_6_3_4_4
+    - not system_is_container
  tags:
    - level2-server
    - level2-workstation