refactor(vars): add system/hypervisor dict inputs

2026-02-11 05:37:18 +01:00
parent c4c96dbfb5
commit fc05708466
62 changed files with 2422 additions and 871 deletions
--- a/roles/cis/defaults/main.yml
+++ b/roles/cis/defaults/main.yml
@@ -10,12 +10,12 @@ cis_permission_targets: >-
      { "path": "/mnt/etc/cron.d", "mode": "0700" },
      { "path": "/mnt/etc/crontab", "mode": "0600" },
      { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
-      { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os not in ["rhel8", "rhel9", "rhel10"] else None,
+      { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os != "rhel" else None,
      {
        "path": "/mnt/usr/bin/"
-        + ("fusermount3" if os in ["archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"] else "fusermount"),
+        + ("fusermount3" if os in ["archlinux", "fedora", "rocky"] or os == "rhel" or (os == "debian" and (os_version | string) == "12") else "fusermount"),
        "mode": "755"
      },
-      { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"), "mode": "755" }
+      { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian" and (os_version | string) == "11" else "write"), "mode": "755" }
    ] | reject("none")
  }}
--- a/roles/cis/tasks/crypto.yml
+++ b/roles/cis/tasks/crypto.yml
@@ -1,12 +1,12 @@
 ---
 - name: Configure System Cryptography Policy
-  when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
-  ansible.builtin.command: "{{ chroot_command }} /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
+  when: os == "rhel" or os in ["almalinux", "rocky"]
+  ansible.builtin.command: "{{ chroot_command }} /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1"
  register: cis_crypto_policy_result
  changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout"

 - name: Mask Systemd Services
  ansible.builtin.command: >
-    {{ chroot_command }} /mnt systemctl mask nftables bluetooth rpcbind
+    {{ chroot_command }} systemctl mask {{ 'nftables' if firewall_toolkit == 'iptables' else 'iptables' }} bluetooth rpcbind
  register: cis_mask_services_result
  changed_when: cis_mask_services_result.rc == 0
--- a/roles/cis/tasks/security_lines.yml
+++ b/roles/cis/tasks/security_lines.yml
@@ -4,21 +4,21 @@
    path: "{{ item.path }}"
    line: "{{ item.content }}"
  loop:
-    - {path: /mnt/etc/security/limits.conf, content: "* hard core 0"}
-    - {path: /mnt/etc/security/pwquality.conf, content: minlen = 14}
-    - {path: /mnt/etc/security/pwquality.conf, content: dcredit = -1}
-    - {path: /mnt/etc/security/pwquality.conf, content: ucredit = -1}
-    - {path: /mnt/etc/security/pwquality.conf, content: ocredit = -1}
-    - {path: /mnt/etc/security/pwquality.conf, content: lcredit = -1}
-    - {path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077}
-    - {path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=3000}
-    - {path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent}
-    - {path: /mnt/etc/sudoers, content: Defaults        logfile="/var/log/sudo.log"}
-    - {path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so}
+    - { path: /mnt/etc/security/limits.conf, content: "* hard core 0" }
+    - { path: /mnt/etc/security/pwquality.conf, content: minlen = 14 }
+    - { path: /mnt/etc/security/pwquality.conf, content: dcredit = -1 }
+    - { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
+    - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
+    - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
+    - { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077 }
+    - { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=3000 }
+    - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
+    - { path: /mnt/etc/sudoers, content: Defaults        logfile="/var/log/sudo.log" }
+    - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
    - path: >-
        /mnt/etc/{{
          "pam.d/common-auth"
-          if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
+          if is_debian | bool
          else "authselect/system-auth"
          if os == "fedora"
          else "pam.d/system-auth"
@@ -28,7 +28,7 @@
    - path: >-
        /mnt/etc/{{
          "pam.d/common-account"
-          if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
+          if is_debian | bool
          else "authselect/system-auth"
          if os == "fedora"
          else "pam.d/system-auth"
@@ -37,10 +37,10 @@
    - path: >-
        /mnt/etc/pam.d/{{
          "common-password"
-          if os in ["debian11", "debian12", "ubuntu", "ubuntu-lts"]
+          if is_debian | bool
          else "passwd"
        }}
      content: >-
        password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
-    - {path: /mnt/etc/hosts.deny, content: "ALL: ALL"}
-    - {path: /mnt/etc/hosts.allow, content: "sshd: ALL"}
+    - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
+    - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
--- a/roles/cis/tasks/sshd.yml
+++ b/roles/cis/tasks/sshd.yml
@@ -5,30 +5,30 @@
    regexp: ^\s*#?{{ item.option }}\s+.*$
    line: "{{ item.option }} {{ item.value }}"
  loop:
-    - {option: LogLevel, value: VERBOSE}
-    - {option: LoginGraceTime, value: "60"}
-    - {option: PermitRootLogin, value: "no"}
-    - {option: StrictModes, value: "yes"}
-    - {option: MaxAuthTries, value: "4"}
-    - {option: MaxSessions, value: "10"}
-    - {option: MaxStartups, value: "10:30:60"}
-    - {option: PubkeyAuthentication, value: "yes"}
-    - {option: HostbasedAuthentication, value: "no"}
-    - {option: IgnoreRhosts, value: "yes"}
-    - {option: PasswordAuthentication, value: "no"}
-    - {option: PermitEmptyPasswords, value: "no"}
-    - {option: KerberosAuthentication, value: "no"}
-    - {option: GSSAPIAuthentication, value: "no"}
-    - {option: AllowAgentForwarding, value: "no"}
-    - {option: AllowTcpForwarding, value: "no"}
-    - {option: ChallengeResponseAuthentication, value: "no"}
-    - {option: GatewayPorts, value: "no"}
-    - {option: X11Forwarding, value: "no"}
-    - {option: PermitUserEnvironment, value: "no"}
-    - {option: ClientAliveInterval, value: "300"}
-    - {option: ClientAliveCountMax, value: "1"}
-    - {option: PermitTunnel, value: "no"}
-    - {option: Banner, value: /etc/issue.net}
+    - { option: LogLevel, value: VERBOSE }
+    - { option: LoginGraceTime, value: "60" }
+    - { option: PermitRootLogin, value: "no" }
+    - { option: StrictModes, value: "yes" }
+    - { option: MaxAuthTries, value: "4" }
+    - { option: MaxSessions, value: "10" }
+    - { option: MaxStartups, value: "10:30:60" }
+    - { option: PubkeyAuthentication, value: "yes" }
+    - { option: HostbasedAuthentication, value: "no" }
+    - { option: IgnoreRhosts, value: "yes" }
+    - { option: PasswordAuthentication, value: "no" }
+    - { option: PermitEmptyPasswords, value: "no" }
+    - { option: KerberosAuthentication, value: "no" }
+    - { option: GSSAPIAuthentication, value: "no" }
+    - { option: AllowAgentForwarding, value: "no" }
+    - { option: AllowTcpForwarding, value: "no" }
+    - { option: ChallengeResponseAuthentication, value: "no" }
+    - { option: GatewayPorts, value: "no" }
+    - { option: X11Forwarding, value: "no" }
+    - { option: PermitUserEnvironment, value: "no" }
+    - { option: ClientAliveInterval, value: "300" }
+    - { option: ClientAliveCountMax, value: "1" }
+    - { option: PermitTunnel, value: "no" }
+    - { option: Banner, value: /etc/issue.net }

 - name: Append CIS specific configurations to sshd_config
  ansible.builtin.blockinfile: