feat(cis): add selectable profile and per-rule hardening toggles

2026-05-25 04:37:33 +02:00
parent d2a19cfd5c
commit 2c35409519
23 changed files with 753 additions and 192 deletions
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -103,6 +103,9 @@ system_defaults:
  features:
    cis:
      enabled: false
+      profile: default # default|l1|l2 (default = current house behaviour)
+      rules: {} # per-rule overrides, e.g. {usb_lockdown: false}
+      params: {} # parameter overrides, e.g. {pwquality_minlen: 16}
    selinux:
      enabled: true
    firewall:
--- a/roles/global_defaults/tasks/_normalize_system.yml
+++ b/roles/global_defaults/tasks/_normalize_system.yml
@@ -142,6 +142,9 @@
      features:
        cis:
          enabled: "{{ system_raw.features.cis.enabled | bool }}"
+          profile: "{{ system_raw.features.cis.profile | default('default') | string }}"
+          rules: "{{ system_raw.features.cis.rules | default({}) }}"
+          params: "{{ system_raw.features.cis.params | default({}) }}"
        selinux:
          enabled: "{{ system_raw.features.selinux.enabled | bool }}"
        firewall: