Merge pull request #390 from polski-g/modular_section_5_r2

Support section modularization (for Sec 5 only right now)
2025-10-01 10:24:44 +01:00 · 2025-10-01 10:24:44 +01:00 · 23b60bc629
commit 23b60bc629
parent 3e848dd6f1 392c3f9016
2 changed files with 44 additions and 27 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -18,11 +18,17 @@ rhel9cis_disruption_high: true
 # These variables govern whether the tasks of a particular section are to be executed when running the role.
 # E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.
 # If you do not want the tasks from that section to get executed you simply set the variable to "false".
+# Some sections support sub-section modularization. The super-section and sub-section must both be true
+# for the sub-section to execute.
 rhel9cis_section1: true
 rhel9cis_section2: true
 rhel9cis_section3: true
 rhel9cis_section4: true
 rhel9cis_section5: true
+rhel9cis_section5_1: true
+rhel9cis_section5_2: true
+rhel9cis_section5_3: true
+rhel9cis_section5_4: true
 rhel9cis_section6: true
 rhel9cis_section7: true

--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@ -5,45 +5,56 @@
 - name: "SECTION | 5.1 | Configure SSH Server"
  when:
    - "'openssh-server' in ansible_facts.packages"
+    - rhel9cis_section5_1
  ansible.builtin.import_tasks:
    file: cis_5.1.x.yml

 - name: "SECTION | 5.2 | Configure privilege escalation"
+  when:
+    - - rhel9cis_section5_2
  ansible.builtin.import_tasks:
    file: cis_5.2.x.yml

- name: "SECTION | 5.3.1.x | Configure PAM software packages"
-  ansible.builtin.import_tasks:
-    file: cis_5.3.1.x.yml
+- name: "SECTION | 5.3"
+  when:
+    - rhel9cis_section5_3
+  block:
+    - name: "SECTION | 5.3.1.x | Configure PAM software packages"
+      ansible.builtin.import_tasks:
+        file: cis_5.3.1.x.yml

- name: "SECTION | 5.3.2.x | Configure authselect"
-  ansible.builtin.import_tasks:
-    file: cis_5.3.2.x.yml
+    - name: "SECTION | 5.3.2.x | Configure authselect"
+      ansible.builtin.import_tasks:
+        file: cis_5.3.2.x.yml

- name: "SECTION | 5.3.3.1.x | Configure pam_faillock module"
-  ansible.builtin.import_tasks:
-    file: cis_5.3.3.1.x.yml
+    - name: "SECTION | 5.3.3.1.x | Configure pam_faillock module"
+      ansible.builtin.import_tasks:
+        file: cis_5.3.3.1.x.yml

- name: "SECTION | 5.3.3.2.x | Configure pam_pwquality module"
-  ansible.builtin.import_tasks:
-    file: cis_5.3.3.2.x.yml
+    - name: "SECTION | 5.3.3.2.x | Configure pam_pwquality module"
+      ansible.builtin.import_tasks:
+        file: cis_5.3.3.2.x.yml

- name: "SECTION | 5.3.3.3.x | Configure pam_pwhistory module"
-  ansible.builtin.import_tasks:
-    file: cis_5.3.3.3.x.yml
+    - name: "SECTION | 5.3.3.3.x | Configure pam_pwhistory module"
+      ansible.builtin.import_tasks:
+        file: cis_5.3.3.3.x.yml

- name: "SECTION | 5.3.3.4.x | Configure pam_unix module"
-  ansible.builtin.import_tasks:
-    file: cis_5.3.3.4.x.yml
+    - name: "SECTION | 5.3.3.4.x | Configure pam_unix module"
+      ansible.builtin.import_tasks:
+        file: cis_5.3.3.4.x.yml

- name: "SECTION | 5.4.1.x | Configure shadow password suite parameters"
-  ansible.builtin.import_tasks:
-    file: cis_5.4.1.x.yml
+- name: "SECTION | 5.4"
+  when:
+    - rhel9cis_section5_4
+  block:
+    - name: "SECTION | 5.4.1.x | Configure shadow password suite parameters"
+      ansible.builtin.import_tasks:
+        file: cis_5.4.1.x.yml

- name: "SECTION | 5.4.2.x | Configure root and system accounts and environment"
-  ansible.builtin.import_tasks:
-    file: cis_5.4.2.x.yml
+    - name: "SECTION | 5.4.2.x | Configure root and system accounts and environment"
+      ansible.builtin.import_tasks:
+        file: cis_5.4.2.x.yml

- name: "SECTION | 5.4.3.x | Configure user default environment"
-  ansible.builtin.import_tasks:
-    file: cis_5.4.3.x.yml
+    - name: "SECTION | 5.4.3.x | Configure user default environment"
+      ansible.builtin.import_tasks:
+        file: cis_5.4.3.x.yml