Initial import; migrate some roles from irl.wip
This commit is contained in:
commit
2ba6c6691b
44 changed files with 1573 additions and 0 deletions
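--- /dev/null
+++ b/roles/baseline/tasks/lockdown.yml
@@ -0,0 +1,29 @@
+---
+- name: Lockdown | AUDIT | Check current authselect configuration
+command: authselect current
+register: baseline_lockdown_authselect_status
+failed_when: false # Exit code is 2 when not configured
+changed_when: false
+
+- name: Lockdown | AUDIT | Do not disable root login if no authselect profile configured
+ansible.builtin.set_fact:
+rhel9cis_rule_5_1_20: false
+when: baseline_lockdown_authselect_status.rc == 2
+
+- name: Lockdown | PATCH | Run Ansible Lockdown (RHEL9-CIS)
+ansible.builtin.include_role:
+name: RHEL9-CIS
+vars:
+# Ensure message of the day is configured properly - we have our own MOTD to apply
+rhel9cis_rule_1_7_1: false
+rhel9cis_rule_1_7_4: false
+# Don't restrict user SSH access in sshd_config - this is managed by FreeIPA
+rhel9cis_rule_5_1_7: false
+# TODO: figure out boot password
+rhel9cis_set_boot_pass: false
+# TODO: We intend to later deploy a remote rsyslog sink
+rhel9cis_syslog: rsyslog
+rhel9cis_time_synchronization_servers: "{{ baseline_ntp_servers }}"
+rhel9cis_warning_banner: "{{ baseline_warning_banner }}"
+rhel9cis_sshd_denyusers: "admin nobody"
+when: (ansible_distribution == "Rocky") and (ansible_distribution_major_version == "9")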
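Review bot: The audit task's `failed_when: false` hides every failure of `authselect current`, and the follow-up `set_fact` then turns off CIS rule 5_1_20 (root login hardening) whenever `rc == 2`; since the command module also reports rc 2 when the executable itself is missing, a host without authselect would silently skip that control rather than surface an error. Narrowing the override so only the documented "no profile configured" exit code is tolerated keeps the intent while letting unexpected failures fail the play: `failed_when: baseline_lockdown_authselect_status.rc not in [0, 2]  # 2 = no authselect profile configured`. As a point of consistency, the same task uses the short `command:` name while the other two tasks use FQCNs; `ansible.builtin.command:` would match them.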