feat(cis): add selectable profile and per-rule hardening toggles

2026-05-25 04:37:33 +02:00
parent d2a19cfd5c
commit 2c35409519
23 changed files with 753 additions and 192 deletions
--- a/roles/cis/tasks/modules.yml
+++ b/roles/cis/tasks/modules.yml
@@ -1,5 +1,6 @@
 ---
 - name: Disable Kernel Modules
+  when: cis_effective_rules.module_blacklist | default(false)
  vars:
    # Ubuntu uses squashfs for snap packages - blacklisting it breaks snap entirely
    cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
@@ -14,11 +15,13 @@
      {% endfor %}

 - name: Remove old USB rules file
+  when: cis_effective_rules.usb_lockdown | default(false)
  ansible.builtin.file:
    path: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
    state: absent

 - name: Create USB rules
+  when: cis_effective_rules.usb_lockdown | default(false)
  ansible.builtin.copy:
    dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.rules
    mode: "0644"