feat(baseline): do not expect global become true

Iain Learmonth 2025-12-20 13:14:35 +00:00
parent c793b470b0
commit 6933aad1fa
8 changed files with 56 additions and 8 deletions


@ -1,13 +1,14 @@
---
- name: Lockdown | AUDIT | Check current authselect configuration
become: true
ansible.builtin.command: authselect current
register: baseline_lockdown_authselect_status
failed_when: false # Exit code is 2 when not configured
changed_when: false
- name: Lockdown | PATCH | Run Ansible Lockdown (RHEL9-CIS)
ansible.builtin.include_role:
name: RHEL9-CIS
ansible.builtin.import_role:
name: RHEL9-CIS # This is the SR2 fork that includes a patch to run all tasks with become: true
vars:
# Ensure message of the day is configured properly - we have our own MOTD to apply
rhel9cis_rule_1_7_1: false
@ -16,6 +17,7 @@
rhel9cis_rule_5_1_7: false
# Only disable root login once authselect is configured
rhel9cis_rule_5_1_20: "{{ baseline_lockdown_authselect_status.rc != 2 }}"
rhel9cis_rule_5_4_2_4: false # TODO: temporarily disable requirement for root password
# TODO: figure out boot password
rhel9cis_set_boot_pass: false
# TODO: We intend to later deploy a remote rsyslog sink
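Review bot: In the authselect check at the top of this section, `failed_when: false` also hides a failed privilege escalation from the `become: true` this commit appears to add, and `rhel9cis_rule_5_1_20: "{{ baseline_lockdown_authselect_status.rc != 2 }}"` treats every result other than 2 as "configured". Any unexpected error would therefore switch on the root-login rule on a host whose authselect state is unknown, and a result that carries no `rc` would presumably surface only when the role templates the variable. I would narrow the check to `failed_when: baseline_lockdown_authselect_status.rc not in [0, 2]` and gate the rule on `baseline_lockdown_authselect_status.rc == 0`, assuming 0 is the exit code for a configured profile. The +/- markers and indentation are lost in this rendering, so which lines are new is inferred from the commit title and the hunk counts.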