refactor(cis): extract hardcoded values to cis_defaults and add _normalize.yml

2026-02-21 01:26:31 +01:00
parent bef15af69f
commit f74ec325ea
8 changed files with 99 additions and 79 deletions
--- a/roles/cis/tasks/auth.yml
+++ b/roles/cis/tasks/auth.yml
@@ -3,7 +3,7 @@
  ansible.builtin.lineinfile:
    path: "/mnt/etc/profile"
    regexp: "^(\\s*)umask\\s+\\d+"
-    line: "umask 027"
+    line: "umask {{ cis_cfg.umask_profile }}"

 # Non-RHEL/non-Debian distros: loop evaluates to [] (intentional skip)
 - name: Prevent Login to Accounts With Empty Password