feat(cis): add selectable profile and per-rule hardening toggles

2026-05-25 04:37:33 +02:00
parent d2a19cfd5c
commit 2c35409519
23 changed files with 753 additions and 192 deletions
--- a/vars_example.yml
+++ b/vars_example.yml
@@ -1,5 +1,4 @@
 ---
-# Example variables for virtual provisioning.
 custom_iso: false

 hypervisor:
@@ -85,6 +84,9 @@ system:
  features:
    cis:
      enabled: false
+      profile: default # default|l1|l2
+      rules: {} # per-rule overrides, e.g. {usb_lockdown: false}
+      params: {} # parameter overrides, e.g. {pwquality_minlen: 16}
    selinux:
      enabled: true
    firewall: