feat(cis): add selectable profile and per-rule hardening toggles

2026-05-25 04:37:33 +02:00
parent d2a19cfd5c
commit 2c35409519
23 changed files with 753 additions and 192 deletions
--- a/roles/cis/tasks/sshd.yml
+++ b/roles/cis/tasks/sshd.yml
@@ -1,5 +1,6 @@
 ---
 - name: Adjust SSHD config
+  when: cis_effective_rules.sshd_hardening | default(false)
  ansible.builtin.lineinfile:
    path: /mnt/etc/ssh/sshd_config
    regexp: ^\s*#?{{ item.option }}\s+.*$
@@ -9,6 +10,7 @@
    label: "{{ item.option }}"

 - name: Detect target OpenSSH version
+  when: cis_effective_rules.sshd_hardening | default(false)
  ansible.builtin.shell: >-
    set -o pipefail && {{ chroot_command }} ssh -V 2>&1 | grep -oP 'OpenSSH_\K[0-9]+\.[0-9]+'
  args:
@@ -18,6 +20,7 @@
  failed_when: false

 - name: Append CIS specific configurations to sshd_config
+  when: cis_effective_rules.sshd_hardening | default(false)
  vars:
    cis_sshd_has_mlkem: "{{ (cis_sshd_openssh_version.stdout | default('0.0') is version('9.9', '>=')) }}"
    cis_sshd_kex: >-