ansible-collection-core/roles/baseline/tasks/lockdown.yml

---
- name: Lockdown | AUDIT | Check current authselect configuration
  become: true
  ansible.builtin.command: authselect current
  register: baseline_lockdown_authselect_status
  failed_when: false  # Exit code is 2 when not configured
  changed_when: false

- name: Lockdown | PATCH | Run Ansible Lockdown (RHEL9-CIS)
  ansible.builtin.import_role:
    name: RHEL9-CIS  # This is the SR2 fork that includes a patch to run all tasks with become: true
  vars:
    # Ensure message of the day is configured properly - we have our own MOTD to apply
    rhel9cis_rule_1_7_1: false
    rhel9cis_rule_1_7_4: false
    # Don't restrict user SSH access in sshd_config - this is managed by FreeIPA
    rhel9cis_rule_5_1_7: false
    # Only disable root login once authselect is configured
    rhel9cis_rule_5_1_20: "{{ baseline_lockdown_authselect_status.rc != 2 }}"
    rhel9cis_rule_5_4_2_4: false  # TODO: temporarily disable requirement for root password
    # TODO: figure out boot password
    rhel9cis_set_boot_pass: false
    # TODO: We intend to later deploy a remote rsyslog sink
    rhel9cis_syslog: rsyslog
    rhel9cis_time_synchronization_servers: "{{ baseline_ntp_servers }}"
    rhel9cis_warning_banner: "{{ baseline_warning_banner }}"
    rhel9cis_autofs_services: true  # TODO: can we mask it? This is required by FreeIPA but we don't use it.
    # 2.2 Configure Client Services
    # These services are required by FreeIPA.
    rhel9cis_openldap_clients_required: true
    # 5.3.2 Configure authselect
    # ipaservers are part of Linux Identity Management. Joining your host to an IdM
    # domain automatically configures SSSD authentication on your host.
    rhel9cis_allow_authselect_updates: false
    rhel9cis_auditd_max_log_file_action: rotate
  when: (ansible_distribution == "Rocky") and (ansible_distribution_major_version == "9")