Fixing conflicts after rebase --continue

Small additions to the first part of the documentation.

Signed-off-by: Ionut Pruteanu <ionut.pruteanu@siemens.com>
Ionut Pruteanu 2023-12-05 21:01:06 +02:00
parent b262d0a3e8
commit 65aed536fa
GPG key ID: 95B7D43B702B3569


@ -1,7 +1,19 @@
--- ---
# defaults file for rhel9-cis # defaults file for rhel9-cis
# WARNING:
# These values may be overriden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here:
# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
## Usage on containerized images
# The role discovers dynamically (in tasks/main.yml) whether it
# is executed on a container image and sets the variable
# system_is_container the true. Otherwise, the default value
# 'false' is left unchanged.
system_is_container: false system_is_container: false
# The filename of the existing yml file in role's 'vars/' sub-directory
# to be used for managing the role-behavior when a container was detected:
# (de)activating rules or for other tasks(e.g. disabling Selinux or a specific
# firewall-type).
container_vars_file: is_container.yml container_vars_file: is_container.yml
# rhel9cis is left off the front of this var for consistency in testing pipeline # rhel9cis is left off the front of this var for consistency in testing pipeline
# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
@ -14,7 +26,7 @@ os_check: true
## Switching on/off specific baseline sections ## Switching on/off specific baseline sections
# These variables govern whether the tasks of a particular section are to be executed when running the role. # These variables govern whether the tasks of a particular section are to be executed when running the role.
# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. # E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.
# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false". # If you do not want the tasks from that section to get executed you simply set the variable to "false".
rhel9cis_section1: true rhel9cis_section1: true
rhel9cis_section2: true rhel9cis_section2: true
rhel9cis_section3: true rhel9cis_section3: true
@ -30,7 +42,12 @@ rhel9cis_section6: true
rhel9cis_level_1: true rhel9cis_level_1: true
rhel9cis_level_2: true rhel9cis_level_2: true
## 1.6 SubSection - Mandatory Access Control
# This variable governs if SELinux is disabled or not. If SELinux is NOT DISABLED by setting
# 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed.
rhel9cis_selinux_disable: false rhel9cis_selinux_disable: false
# This variable is used in a preliminary task, handling grub2 paths either in case of
# UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg').
rhel9cis_legacy_boot: false rhel9cis_legacy_boot: false
## Python Binary ## Python Binary
@ -63,29 +80,28 @@ change_requires_reboot: false
# by installing the required binary. # by installing the required binary.
setup_audit: false setup_audit: false
## Enable audits to run ## Enable audits to run - this runs the audit and get the latest content
# This variable governs whether the audit using the # This variable governs whether the audit using the
# separately maintained audit role using Goss # separately maintained audit role using Goss
# is carried out. # is carried out.
# This runs the audit and get the latest content
run_audit: false run_audit: false
# Only run Audit do not remediate # Only run Audit do not remediate
audit_only: false audit_only: false
# As part of audit_only # This will enable files to be copied back to control node(part of audit_only)
# This will enable files to be copied back to control node
fetch_audit_files: false fetch_audit_files: false
# Path to copy the files to will create dir structure # Path to copy the files to will create dir structure(part of audit_only)
audit_capture_files_dir: /some/location to copy to on control node audit_capture_files_dir: /some/location to copy to on control node
# How to retrieve audit binary ## How to retrieve audit binary(Goss)
# Options are copy or download - detailed settings at the bottom of this file # Options are 'copy' or 'download' - detailed settings at the bottom of this file
# provided in variable `audit_conf_copy` for copying or # - if 'copy':
# the url given in variable `audit_files_url` for downloading. # - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss
# you will need to access to either github or the file already dowmloaded # - if 'download':
# - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars
get_audit_binary_method: download get_audit_binary_method: download
## if get_audit_binary_method - copy the following needs to be updated for your environment ## if get_audit_binary_method is 'copy', the following var needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node ## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host ## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path audit_bin_copy_location: /some/accessible/path
@ -95,16 +111,19 @@ audit_bin_copy_location: /some/accessible/path
# This variable specifies the method of how to get the audit role # This variable specifies the method of how to get the audit role
# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
# onto the system. The options are as follows: # onto the system. The options are as follows:
# - git: clone from git repository as specified in variable `audit_file_git` in # - 'git': clone audit content from GitHub REPOSITORY, set up via `audit_file_git` var, and
# the version specified by variable `audit_git_version` # VERSION(e.g. branch, tag name), set up via `audit_git_version` var.
# - copy: copy from path as specified in variable `audit_conf_copy` # - 'copy': copy from path as specified in variable `audit_conf_copy`.
# - get_url: Download from url as specified in variable `audit_files_url` # - 'archive': same as 'copy', only that the specified filepath needs to be unpacked.
# - 'get_url': Download from url as specified in variable `audit_files_url`
audit_content: git audit_content: git
# archive or copy: # This variable(only used when 'audit_content' is 'copy' or 'archive') should
# contain the filepath with audit-content to be copied/unarchived on server:
audit_conf_copy: "some path to copy from" audit_conf_copy: "some path to copy from"
# get_url: # This variable(only used when 'audit_content' is 'get_url') should
# contain the URL from where the audit-content must be downloaded on server:
audit_files_url: "some url maybe s3?" audit_files_url: "some url maybe s3?"
# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
@ -114,7 +133,7 @@ audit_run_heavy_tests: true
# This variable specifies the timeout (in ms) for audit commands that # This variable specifies the timeout (in ms) for audit commands that
# take a very long time: if a command takes too long to complete, # take a very long time: if a command takes too long to complete,
# it will be forcefully terminated after the specified duration. # it will be forcefully terminated after the specified duration.
audit_cmd_timeout: 60000 audit_cmd_timeout: 120000
### End Goss enablements #### ### End Goss enablements ####
@ -122,6 +141,7 @@ audit_cmd_timeout: 60000
# the CIS benchmark documents. # the CIS benchmark documents.
# PLEASE NOTE: These work in coordination with the section # group variables and tags. # PLEASE NOTE: These work in coordination with the section # group variables and tags.
# You must enable an entire section in order for the variables below to take effect. # You must enable an entire section in order for the variables below to take effect.
# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)
rhel9cis_rule_1_1_1_1: true rhel9cis_rule_1_1_1_1: true
@ -223,8 +243,7 @@ rhel9cis_rule_2_3_3: true
rhel9cis_rule_2_3_4: true rhel9cis_rule_2_3_4: true
rhel9cis_rule_2_4: true rhel9cis_rule_2_4: true
# Section 3 rules # Section 3 rules are used for securely configuring the network configuration(kernel params, ACL, Firewall settings)
# Network Configuration
rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_1: true
rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_2: true
rhel9cis_rule_3_1_3: true rhel9cis_rule_3_1_3: true
@ -367,7 +386,6 @@ rhel9cis_rule_5_6_6: true
# Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings) # Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings)
rhel9cis_rule_6_1_1: true rhel9cis_rule_6_1_1: true
rhel9cis_rule_6_1_1: true
rhel9cis_rule_6_1_2: true rhel9cis_rule_6_1_2: true
rhel9cis_rule_6_1_3: true rhel9cis_rule_6_1_3: true
rhel9cis_rule_6_1_4: true rhel9cis_rule_6_1_4: true
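Review bot: The new comment above `rhel9cis_selinux_disable` in the 1.6 hunk reads backwards: the variable name suggests that `true` is what disables SELinux, yet the sentence says subsection 1.6 runs "if SELinux is NOT DISABLED by setting 'rhel9cis_selinux_disable' to 'true'", which a reader can easily take as the inverse of the shipped default `false`. I would replace the two comment lines with `# When true, the role disables SELinux and skips the 1.6 Mandatory Access Control tasks;` / `# leave it false (the default) to keep SELinux enforcing and run subsection 1.6.` — confirm the exact gating against tasks/main.yml first, since only the comment is visible here. Separately, `audit_cmd_timeout` changes from 60000 to 120000 in the Goss hunk, a runtime change not mentioned by a commit described as documentation additions; either state it in the description or move it to its own commit. The new WARNING header at the top of the file spells `overriden`; it should be `overridden`.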